Add serviceAccountTokenCreationRoles helm chart array value

The array allows users to supply KEDA with the names and namespaces of service accounts that they would like the keda-operator to request tokens from. These service account tokens are then used in turn for the boundServiceAccountToken trigger source

Signed-off-by: Max Cao <[email protected]>

Author: maxcao13

keda/templates/manager/minimal-rbac.yaml

@@ -146,4 +146,51 @@ subjects:
 - kind: ServiceAccount
   name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }}
   namespace: {{ .Release.Namespace }}
+{{- if .Values.serviceAccountTokenCreationRoles }}
+{{- range $r := .Values.serviceAccountTokenCreationRoles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  {{- with $.Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ $.Values.operator.name }}-minimal
+    {{- include "keda.labels" $ | indent 4 }}
+  name: {{ $.Values.operator.name }}-token-creator-minimal
+  namespace: {{ $r.namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+  resourceNames:
+  - {{ $r.name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  {{- with $.Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ $.Values.operator.name }}-minimal
+    {{- include "keda.labels" $ | indent 4 }}
+  name: {{ $.Values.operator.name }}-token-creator-minimal
+  namespace: {{ $r.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $.Values.operator.name }}-token-creator-minimal
+subjects:
+- kind: ServiceAccount
+  name: {{ $.Values.operator.name }}
+  namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}
 {{- end }}

keda/values.yaml

@@ -10,25 +10,25 @@ global:
 image:
   keda:
     # -- Image registry of KEDA operator
-    registry: ghcr.io
+    registry: quay.io
     # -- Image name of KEDA operator
-    repository: kedacore/keda
+    repository: macao/keda
     # -- Image tag of KEDA operator. Optional, given app version of Helm chart is used by default
-    tag: ""
+    tag: "main"
   metricsApiServer:
     # -- Image registry of KEDA Metrics API Server
-    registry: ghcr.io
+    registry: quay.io
     # -- Image name of KEDA Metrics API Server
-    repository: kedacore/keda-metrics-apiserver
+    repository: macao/keda-metrics-apiserver
     # -- Image tag of KEDA Metrics API Server. Optional, given app version of Helm chart is used by default
-    tag: ""
+    tag: "main"
   webhooks:
     # -- Image registry of KEDA admission-webhooks
-    registry: ghcr.io
+    registry: quay.io
     # -- Image name of KEDA admission-webhooks
-    repository: kedacore/keda-admission-webhooks
+    repository: macao/keda-admission-webhooks
     # -- Image tag of KEDA admission-webhooks . Optional, given app version of Helm chart is used by default
-    tag: ""
+    tag: "main"
   # -- Image pullPolicy for all KEDA components
   pullPolicy: Always
 
@@ -867,3 +867,10 @@ customManagedBy: ""
 # -- Enable service links in pods. Although enabled, mirroring k8s default, it is highly recommended to disable,
 # due to its legacy status [Legacy container links](https://docs.docker.com/engine/network/links/)
 enableServiceLinks: true
+
+# -- Creates role and rolebindings which allow the KEDA operator to request service account tokens from 
+# namespaced service accounts in the array for use with the boundServiceAccountToken trigger source
+# If the namespace does not exist, this will cause the helm chart installation to fail.
+serviceAccountTokenCreationRoles: []
+# - name: myServiceAccount
+#   namespace: myServiceAccountNamespace