authentik: add option to set serviceaccount

charts/authentik/README.md

@@ -281,6 +281,7 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
 | server.service.sessionAffinity | string | `""` | Used to maintain session affinity. Supports `ClientIP` and `None` |
 | server.service.sessionAffinityConfig | object | `{}` | Session affinity configuration |
 | server.service.type | string | `"ClusterIP"` | authentik server service type |
+| server.serviceAccountName | string | `nil` | serviceAccount to use for authentik server pods |
 | server.startupProbe.failureThreshold | int | `60` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
 | server.startupProbe.httpGet.path | string | `"/-/health/live/"` |  |
 | server.startupProbe.httpGet.port | string | `"http"` |  |
@@ -348,6 +349,7 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
 | worker.replicas | int | `1` | The number of worker pods to run |
 | worker.resources | object | `{}` | Resource limits and requests for the authentik worker |
 | worker.securityContext | object | `{}` (See [values.yaml]) | authentik worker pod-level security context |
+| worker.serviceAccountName | string | `nil` | serviceAccount to use for authentik worker pods. If set, overrides the value used when serviceAccount.create is true |
 | worker.startupProbe.exec.command[0] | string | `"ak"` |  |
 | worker.startupProbe.exec.command[1] | string | `"healthcheck"` |  |
 | worker.startupProbe.failureThreshold | int | `60` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |

charts/authentik/templates/server/deployment.yaml

@@ -42,6 +42,9 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.server.serviceAccountName }}
+      serviceAccountName: {{ . }}
+      {{- end }}
       {{- with .Values.global.hostAliases }}
       hostAliases:
         {{- toYaml . | nindent 8 }}

charts/authentik/templates/worker/deployment.yaml

@@ -42,9 +42,13 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.worker.serviceAccountName }}
+      serviceAccountName: {{ . }}
+      {{- else }}
       {{- if .Values.serviceAccount.create }}
       serviceAccountName: {{ include "authentik-remote-cluster.fullname" .Subcharts.serviceAccount }}
       {{- end }}
+      {{- end }}
       {{- with .Values.global.hostAliases }}
       hostAliases:
         {{- toYaml . | nindent 8 }}

charts/authentik/values.yaml

@@ -370,6 +370,9 @@ server:
   # -- Alternative DNS policy for authentik server pods
   dnsPolicy: ""
 
+  # -- serviceAccount to use for authentik server pods
+  serviceAccountName: ~
+
   # -- authentik server pod-level security context
   # @default -- `{}` (See [values.yaml])
   securityContext: {}
@@ -746,6 +749,9 @@ worker:
   # -- Alternative DNS policy for authentik worker pods
   dnsPolicy: ""
 
+  # -- serviceAccount to use for authentik worker pods. If set, overrides the value used when serviceAccount.create is true
+  serviceAccountName: ~
+
   # -- authentik worker pod-level security context
   # @default -- `{}` (See [values.yaml])
   securityContext: {}