From 358f1ccaf58389ba951df7f4c7741873361b15a8 Mon Sep 17 00:00:00 2001
From: Chris Dueck <chris.dueck@wattpad.com>
Date: Wed, 1 Nov 2023 14:34:03 -0400
Subject: [PATCH] Add template for ServiceAccount annotations

Signed-off-by: Chris Dueck <chris.dueck@wattpad.com>
---
 .../templates/serviceaccount.yaml             |  4 ++++
 charts/opa-kube-mgmt/values.schema.json       |  8 ++++++++
 charts/opa-kube-mgmt/values.yaml              |  2 ++
 test/lint/sa.yaml                             | 15 +++++++++++++++
 test/unit/sa_test.yaml                        | 19 +++++++++++++++++++
 5 files changed, 48 insertions(+)
 create mode 100644 test/lint/sa.yaml
 create mode 100644 test/unit/sa_test.yaml

diff --git a/charts/opa-kube-mgmt/templates/serviceaccount.yaml b/charts/opa-kube-mgmt/templates/serviceaccount.yaml
index e02637c04..ef2fff1f1 100644
--- a/charts/opa-kube-mgmt/templates/serviceaccount.yaml
+++ b/charts/opa-kube-mgmt/templates/serviceaccount.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "opa.serviceAccountName" .}}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{ toYaml . }}
+  {{- end }}
   labels:
     app: {{ template "opa.fullname" . }}
     chart: {{ template "opa.chart" . }}
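Review bot: `{{ toYaml . }}` on the added line under `annotations:` indents only the first rendered line, because the four leading spaces are literal template text and `toYaml` output for a map with two or more keys continues at column 0. The second and later annotations would land outside `metadata.annotations`, so the manifest would fail to parse or be mis-structured. Replace the line with `{{- toYaml . | nindent 4 }}` so every rendered line gets the indent. The single-key case in test/unit/sa_test.yaml renders correctly either way, so it does not exercise this.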
diff --git a/charts/opa-kube-mgmt/values.schema.json b/charts/opa-kube-mgmt/values.schema.json
index 3e5a28162..74c451224 100644
--- a/charts/opa-kube-mgmt/values.schema.json
+++ b/charts/opa-kube-mgmt/values.schema.json
@@ -23,6 +23,14 @@
         "enabled": {"type": "boolean", "default": true},
         "image": {"$ref": "#/definitions/image"}
       }
+    },
+    "serviceAccount": {
+      "type": "object",
+      "properties": {
+        "create": {"type": "boolean", "default": true},
+        "annotations": {"type": "object", "additionalProperties": {"type": "string"}, "default": {}},
+        "name": {"type": ["string", "null"], "default": null}
+      }
     }
   }
 }
diff --git a/charts/opa-kube-mgmt/values.yaml b/charts/opa-kube-mgmt/values.yaml
index 5ef434257..47a5b4904 100644
--- a/charts/opa-kube-mgmt/values.yaml
+++ b/charts/opa-kube-mgmt/values.yaml
@@ -223,6 +223,8 @@ rbac:
 serviceAccount:
   # Specifies whether a ServiceAccount should be created
   create: true
+  # Annotations for the ServiceAccount
+  annotations: {}
   # The name of the ServiceAccount to use.
   # If not set and create is true, a name is generated using the fullname template
   name:
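Review bot: The comment added above `annotations: {}` does not say that values must be strings, although the schema added in this commit rejects anything else, so an unquoted `1` or `true` in an override fails the install. I would write `# Annotations for the ServiceAccount; values must be strings (quote numbers and booleans)`. If the field is meant for cloud workload-identity bindings (for example an `eks.amazonaws.com/role-arn` annotation), which the commit does not state, a second comment line saying that such an annotation gives the OPA pod that role's permissions would help whoever reviews a values override.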
diff --git a/test/lint/sa.yaml b/test/lint/sa.yaml
new file mode 100644
index 000000000..6d41cdc43
--- /dev/null
+++ b/test/lint/sa.yaml
@@ -0,0 +1,15 @@
+suite: lint serviceaccount
+templates:
+  - fake.yaml
+tests:
+  - it: annotations not string
+    set:
+      serviceAccount:
+        annotations:
+          foo: 1
+    asserts:
+      - failedTemplate:
+          errorMessage: |
+            values don't meet the specifications of the schema(s) in the following chart(s):
+            opa-kube-mgmt:
+            - serviceAccount.annotations.foo: Invalid type. Expected: string, given: integer
diff --git a/test/unit/sa_test.yaml b/test/unit/sa_test.yaml
new file mode 100644
index 000000000..a2f0be718
--- /dev/null
+++ b/test/unit/sa_test.yaml
@@ -0,0 +1,19 @@
+suite: test serviceaccount annotations
+templates:
+  - serviceaccount.yaml
+tests:
+  - it: should omit serviceaccount annotations by default
+    asserts:
+      - notExists:
+          path: metadata.annotations
+  - it: should render serviceaccount annotations when provided
+    set:
+      serviceAccount:
+        annotations:
+          foo: bar
+    asserts:
+      - exists:
+          path: metadata.annotations
+      - equal:
+          path: metadata.annotations.foo
+          value: bar
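Review bot: The rendering test sets a single annotation, `foo: bar`, so it cannot detect wrong indentation of the second and later keys emitted by the template's `toYaml` call. A case with two annotations that compares the whole `metadata.annotations` map would pin the multi-key output. This also matches how the field is likely to be used, since real overrides often carry more than one annotation.

```yaml
# … unchanged: default and single-annotation cases …
  - it: should render multiple serviceaccount annotations
    set:
      serviceAccount:
        annotations:
          foo: bar
          baz: qux
    asserts:
      - equal:
          path: metadata.annotations
          value:
            foo: bar
            baz: qux
```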