Merge pull request #3950 from consideRatio/pr/basehub-stuff

basehub: support creation of admin-sa k8s ServiceAccount via `adminServiceAccount`

Author: consideRatio

helm-charts/basehub/templates/serviceaccount-admin.yaml

@@ -0,0 +1,7 @@
+{{ if .Values.adminServiceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-sa
+  annotations: {{ .Values.adminServiceAccount.annotations | toJson }}
+{{- end }}

helm-charts/basehub/templates/user-sa.yaml helm-charts/basehub/templates/serviceaccount-user.yaml

@@ -2,6 +2,6 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations: {{ .Values.userServiceAccount.annotations | toJson}}
   name: user-sa
+  annotations: {{ .Values.userServiceAccount.annotations | toJson }}
 {{- end }}

helm-charts/basehub/values.schema.yaml

@@ -16,6 +16,7 @@ required:
   - global
   - jupyterhub
   - userServiceAccount
+  - adminServiceAccount
   - dex
   - staticWebsite
   - ingressBasicAuth
@@ -149,6 +150,27 @@ properties:
         description: |
           Dictionary of annotations that can be applied to the service account.
 
+          When used with GKE and Workload Identity, you need to set
+          the annotation with key "iam.gke.io/gcp-service-account" to the
+          email address of the Google Service Account whose credentials it
+          should have.
+  adminServiceAccount:
+    type: object
+    additionalProperties: false
+    required:
+      - enabled
+    properties:
+      enabled:
+        type: boolean
+        description: |
+          Enables creation of a Service Account named admin-sa for opt-in use
+          via jupyterhub.custom.singleuserAdmin.serviceAccountName.
+      annotations:
+        type: object
+        additionalProperties: true
+        description: |
+          Dictionary of annotations that can be applied to the service account.
+
           When used with GKE and Workload Identity, you need to set
           the annotation with key "iam.gke.io/gcp-service-account" to the
           email address of the Google Service Account whose credentials it
@@ -450,6 +472,8 @@ properties:
                   additionalProperties: true
               extraEnv:
                 type: object
+              serviceAccountName:
+                type: string
           2i2c:
             type: object
             additionalProperties: false

helm-charts/basehub/values.yaml

@@ -5,6 +5,10 @@ userServiceAccount:
   enabled: true
   annotations: {}
 
+adminServiceAccount:
+  enabled: false
+  annotations: {}
+
 binderhub-service:
   enabled: false
   nodeSelector: