fix(helm): support webapp serviceAccount annotations for IRSA

Author: nicktrn

hosting/k8s/helm/templates/_helpers.tpl

@@ -531,6 +531,17 @@ Create the name of the supervisor service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the webapp service account to use
+*/}}
+{{- define "trigger-v4.webappServiceAccountName" -}}
+{{- if .Values.webapp.serviceAccount.create }}
+{{- default (printf "%s-webapp" (include "trigger-v4.fullname" .)) .Values.webapp.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.webapp.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the name of the supervisor role to use
 */}}

hosting/k8s/helm/templates/webapp.yaml

@@ -1,10 +1,16 @@
+{{- if .Values.webapp.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "trigger-v4.fullname" . }}-webapp
+  name: {{ include "trigger-v4.webappServiceAccountName" . }}
   labels:
     {{- $component := "webapp" }}
     {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
+  {{- with .Values.webapp.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -27,7 +33,7 @@ metadata:
     {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "trigger-v4.fullname" . }}-webapp
+    name: {{ include "trigger-v4.webappServiceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
@@ -56,7 +62,7 @@ spec:
       labels:
         {{- include "trigger-v4.componentSelectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 8 }}
     spec:
-      serviceAccountName: {{ include "trigger-v4.fullname" . }}-webapp
+      serviceAccountName: {{ include "trigger-v4.webappServiceAccountName" . }}
       {{- with .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}

hosting/k8s/helm/values.yaml

@@ -208,6 +208,13 @@ webapp:
   runReplication:
     logLevel: "info" # one of: log, error, warn, info, debug
 
+  # ServiceAccount configuration
+  serviceAccount:
+    create: true
+    name: ""
+    # Annotations to add to the ServiceAccount (e.g. eks.amazonaws.com/role-arn for IRSA)
+    annotations: {}
+
   # Observability configuration (OTel)
   observability:
     tracing: