Add serviceAccountTokenCreationRoles helm chart array value

The array allows users to supply KEDA with the names and namespaces of service accounts that they would like the keda-operator to request tokens from. These service account tokens are then used in turn for the boundServiceAccountToken trigger source.

Signed-off-by: Max Cao <[email protected]>

Author: maxcao13

keda/templates/manager/clusterrole.yaml

@@ -210,4 +210,51 @@ rules:
   - list
   - watch
 {{- end -}}
+{{- if .Values.serviceAccountTokenCreationRoles }}
+{{- range $r := .Values.serviceAccountTokenCreationRoles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  {{- with $.Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ $.Values.operator.name }}
+    {{- include "keda.labels" $ | indent 4 }}
+  name: {{ $.Values.operator.name }}-token-creator-{{ $r.namespace }}-{{ $r.name }}
+  namespace: {{ $r.namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+  resourceNames:
+  - {{ $r.name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  {{- with $.Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ $.Values.operator.name }}
+    {{- include "keda.labels" $ | indent 4 }}
+  name: {{ $.Values.operator.name }}-token-creator-{{ $r.namespace }}-{{ $r.name }}
+  namespace: {{ $r.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $.Values.operator.name }}-token-creator-{{ $r.namespace }}-{{ $r.name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ $.Values.operator.name }}
+  namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}
 {{- end -}}

keda/values.yaml

@@ -867,3 +867,10 @@ customManagedBy: ""
 # -- Enable service links in pods. Although enabled, mirroring k8s default, it is highly recommended to disable,
 # due to its legacy status [Legacy container links](https://docs.docker.com/engine/network/links/)
 enableServiceLinks: true
+
+# -- Creates roles and rolebindings which allow the KEDA operator to request service account tokens from 
+# namespaced service accounts in the array for use with the boundServiceAccountToken trigger source
+# If the namespace does not exist, this will cause the helm chart installation to fail.
+serviceAccountTokenCreationRoles: []
+# - name: myServiceAccount
+#   namespace: myServiceAccountNamespace