Allow independent configuration of Kubernetes Service Accounts for Auth and Proxy in Helm charts #41372

Open
programmerq opened this issue May 9, 2024 · 0 comments

Expected Behavior

When deploying Teleport using the teleport/teleport-cluster Helm chart, users should be able to independently configure Kubernetes Service Accounts for the Teleport Auth and Proxy. Specifically, users should be able to enable/disable the creation of Service Accounts and set different names for auth and proxy.

When assigning IAM credentials to a serviceaccount to be used by the Teleport auth service, it is necessary to disable service account creation in the chart. The service account is managed externally. When the proxy service's serviceaccount doesn't need an IAM identity at all, the process that is used to create/manage the auth service account may not be appropriate for the proxy service account.

Something like this in the values.yaml would do the trick:

auth:
  serviceAccount:
    create: false
    name: "auth-iam-serviceaccount"

proxy:
  serviceAccount:
    create: true
    # name: "" 

Current Behavior

Currently, the Helm chart configuration does not allow independent management of Kubernetes Service Accounts for Teleport Auth and Proxy. The Service Account name is set with a global value which is shared by Auth and Proxy, the latter appending a -proxy suffix. Disabling the Service Account creation through Helm affects both Auth and Proxy.

Bug Details

Teleport Version

The issue is not version specific but is related to the Helm chart used for deploying Teleport. Current latest is Teleport 15.3.2 at time of writing.

Debug Logs

N/A
