NVIDIA · agreaves-ms · Nov 19, 2025 · Dec 11, 2025 · Dec 11, 2025 · Dec 11, 2025
@@ -73,6 +73,8 @@ Create a common service account name based on component
 {{- $name := or .root.Values.global.name .root.Release.Name -}}
 {{- if .serviceConfig.serviceAccount -}}
 {{- printf "%s-%s" $name .serviceConfig.serviceAccount | trunc 63 | trimSuffix "-" -}}
+{{- else if .root.Values.serviceAccount.name -}}
+{{- .root.Values.serviceAccount.name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- printf "%s-%s" $name .component | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

@@ -18,12 +18,18 @@
 {{$name := or .Values.global.name .Release.Name }}
 
 # Backend Listener Service Account
+{{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   namespace: {{ .Values.global.agentNamespace }}
   name: {{ include "backend-operator.listener.serviceAccountName" . }}
+  {{- if .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
 ---
+{{- end }}
 # Role for Backend Listener (Namespace-scoped events)
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1

@@ -19,14 +19,20 @@
 
 # Backend Test Runner Service Account
 {{- if .Values.global.backendTestNamespace }}
+{{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "backend-operator.testRunner.serviceAccountName" . }}
   namespace: {{ .Values.global.backendTestNamespace }}
   labels:
     app: {{ $name }}-test-runner
+  {{- if .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
 ---
+{{- end }}
 # Role for Backend Test Runner
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1

@@ -18,12 +18,18 @@
 {{$name := or .Values.global.name .Release.Name }}
 
 # Backend Worker Service Account
+{{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   namespace: {{ .Values.global.agentNamespace }}
   name: {{ include "backend-operator.worker.serviceAccountName" . }}
+  {{- if .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
 ---
+{{- end }}
 # ClusterRole for Backend Worker (Cluster-scoped resources)
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

@@ -219,6 +219,24 @@ global:
         value: 50
         description: "Schedule last. Preemptible."
 
+## Service account configuration shared by backend listener and worker pods
+##
+serviceAccount:
+  ## Create the ServiceAccounts defined by this chart. Set to false to bind
+  ## pre-provisioned workload identity ServiceAccounts
+  ##
+  create: true
+
+  ## ServiceAccount name to use when creating or for an already provisioned
+  ## ServiceAccount
+  ##
+  name: ""
+
+  ## Extra annotations applied to ServiceAccounts (e.g.
+  ## `azure.workload.identity/client-id`)
+  ##
+  annotations: {}
+
 ## Configuration for individual backend operators
 ##
 services:
@@ -246,9 +264,10 @@ services:
     ##
     initContainers: []
 
-    ## Kubernetes service account name for the backend listener
+    ## Kubernetes service account name for the backend listener. Leave empty to
+    ## use the chart default (`backend-listener`).
     ##
-    serviceAccount: backend-listener
+    serviceAccount: ""
 
     ## Maximum number of unacknowledged websocket messages
     ##
@@ -356,9 +375,10 @@ services:
     ##
     initContainers: []
 
-    ## Kubernetes service account name for the backend worker
+    ## Kubernetes service account name for the backend worker. Leave empty to
+    ## use the chart default (`backend-worker`).
     ##
-    serviceAccount: backend-worker
+    serviceAccount: ""
 
     ## How often to write progress during task processing loops
     ##
@@ -612,9 +632,10 @@ backendTestRunner:
       ##
       readOnlyRootFilesystem: true
 
-    ## Kubernetes service account name for test runner pods
+    ## Kubernetes service account name for test runner pods. Leave empty to use
+    ## the chart default (`test-runner`).
     ##
-    serviceAccount: test-runner
+    serviceAccount: ""
 
     ## Whether to automount service account token
     ##

@@ -70,9 +70,10 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "router.serviceAccountName" -}}
+{{- $defaultName := "router" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "router.fullname" .) .Values.serviceAccount.name }}
+{{- default $defaultName .Values.serviceAccount.name }}
 {{- else }}
-{{- default "default" .Values.serviceAccount.name }}
+{{- required "serviceAccount.name must be provided when serviceAccount.create is false" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
@@ -14,6 +14,8 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
+{{- $routerServiceAccount := default (include "router.serviceAccountName" .) .Values.services.service.serviceAccountName }}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -63,9 +65,11 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.global.imagePullSecret }}
       imagePullSecrets:
       - name: {{ .Values.global.imagePullSecret }}
-      serviceAccountName: {{ .Values.services.service.serviceAccountName | default "default" }}
+      {{- end }}
+      serviceAccountName: {{ $routerServiceAccount }}
       {{- with .Values.services.service.initContainers }}
       initContainers:
       {{- toYaml . | nindent 6 }}

@@ -13,7 +13,14 @@
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
+{{- $routerServiceAccount := default (include "router.serviceAccountName" .) .Values.services.service.serviceAccountName }}
+{{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: router
+  name: {{ $routerServiceAccount }}
+  {{- if .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
+{{- end }}
@@ -51,6 +51,24 @@ global:
     ##
     k8sLogLevel: WARNING
 
+## Service account configuration for router pods
+##
+serviceAccount:
+  ## Create the ServiceAccounts defined by this chart. Set to false to bind
+  ## pre-provisioned workload identity ServiceAccounts
+  ##
+  create: true
+
+  ## ServiceAccount name to use when creating or for an already provisioned
+  ## ServiceAccount
+  ##
+  name: ""
+
+  ## Additional ServiceAccount annotations (e.g.
+  ## `azure.workload.identity/client-id`).
+  ##
+  annotations: {}
+
 ## Configuration for individual Osmo services
 ##
 services:
@@ -115,9 +133,11 @@ services:
     # - "--debug"
     # - "--config=/path/to/config"
 
-    ## Kubernetes service account name for the router service
+    ## Kubernetes service account name for the router service. Leave empty to
+    ## reuse `serviceAccount.name` (when provided); if both are empty the chart
+    ## falls back to the built-in `router` ServiceAccount name.
     ##
-    serviceAccountName: router
+    serviceAccountName: ""
 
     ## Host aliases for custom DNS resolution within the router pods
     ##

@@ -70,10 +70,11 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "osmo.serviceAccountName" -}}
+{{- $defaultName := include "osmo.fullname" . }}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "osmo.fullname" .) .Values.serviceAccount.name }}
+{{- default $defaultName .Values.serviceAccount.name }}
 {{- else }}
-{{- default "default" .Values.serviceAccount.name }}
+{{- required "serviceAccount.name must be provided when serviceAccount.create is false" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
 
@@ -95,7 +96,7 @@ Service account name helper
 {{- if .serviceAccountName }}
 {{- .serviceAccountName }}
 {{- else }}
-{{- .Values.global.serviceAccountName }}
+{{- include "osmo.serviceAccountName" .root }}
 {{- end }}
 {{- end }}
 
@@ -108,6 +109,15 @@ Extra annotations helper
 {{- end }}
 {{- end }}
 
+{{/*
+Extra labels helper
+*/}}
+{{- define "osmo.extra-labels" -}}
+{{- if .extraPodLabels }}
+{{- toYaml .extraPodLabels }}
+{{- end }}
+{{- end }}
+
 {{/*
 Extra environment variables helper
 */}}

@@ -31,6 +31,7 @@ spec:
     metadata:
       labels:
         app: {{ .Values.services.agent.serviceName }}
+        {{- include "osmo.extra-labels" .Values.services.agent | nindent 8 }}
       annotations:
         {{- include "osmo.extra-annotations" .Values.services.agent | nindent 8 }}
         {{- if .Values.sidecars.otel.enabled }}
@@ -62,9 +63,11 @@ spec:
         {{- end}}
       tolerations:
       {{ toYaml .Values.services.agent.tolerations | nindent 8 }}
+      {{- if .Values.global.imagePullSecret }}
       imagePullSecrets:
       - name: {{ .Values.global.imagePullSecret }}
-      serviceAccountName: {{ include "osmo.service-account-name" (dict "serviceAccountName" .Values.services.agent.serviceAccountName "Values" .Values) }}
+      {{- end }}
+      serviceAccountName: {{ include "osmo.service-account-name" (dict "serviceAccountName" .Values.services.agent.serviceAccountName "root" .) }}
       {{- with .Values.services.agent.initContainers }}
       initContainers:
       {{- toYaml . | nindent 6 }}

@@ -30,6 +30,7 @@ spec:
     metadata:
       labels:
         app: {{ .Values.services.service.serviceName }}
+        {{- include "osmo.extra-labels" .Values.services.service | nindent 8 }}
       annotations:
         {{- include "osmo.extra-annotations" .Values.services.service | nindent 8 }}
         {{- if .Values.sidecars.otel.enabled }}
@@ -61,9 +62,11 @@ spec:
         {{- end}}
       tolerations:
       {{ toYaml .Values.services.service.tolerations | nindent 8 }}
+      {{- if .Values.global.imagePullSecret }}
       imagePullSecrets:
       - name: {{ .Values.global.imagePullSecret }}
-      serviceAccountName: {{ include "osmo.service-account-name" (dict "serviceAccountName" .Values.services.service.serviceAccountName "Values" .Values) }}
+      {{- end }}
+      serviceAccountName: {{ include "osmo.service-account-name" (dict "serviceAccountName" .Values.services.service.serviceAccountName "root" .) }}
       {{- with .Values.services.service.initContainers }}
       initContainers:
       {{- toYaml . | nindent 6 }}

@@ -28,6 +28,7 @@ spec:
     metadata:
       labels:
         app: {{ .Values.services.delayedJobMonitor.serviceName }}
+        {{- include "osmo.extra-labels" .Values.services.delayedJobMonitor | nindent 8 }}
       annotations:
       {{- include "osmo.extra-annotations" .Values.services.delayedJobMonitor | nindent 8 }}
       {{- if .Values.sidecars.otel.enabled }}
@@ -43,9 +44,11 @@ spec:
         {{- end}}
       tolerations:
       {{ toYaml .Values.services.delayedJobMonitor.tolerations | nindent 8 }}
+      {{- if .Values.global.imagePullSecret }}
       imagePullSecrets:
       - name: {{ .Values.global.imagePullSecret }}
-      serviceAccountName: {{ include "osmo.service-account-name" (dict "serviceAccountName" .Values.services.delayedJobMonitor.serviceAccountName "Values" .Values) }}
+      {{- end }}
+      serviceAccountName: {{ include "osmo.service-account-name" (dict "serviceAccountName" .Values.services.delayedJobMonitor.serviceAccountName "root" .) }}
       {{- with .Values.services.delayedJobMonitor.initContainers }}
       initContainers:
       {{- toYaml . | nindent 6 }}

@@ -31,6 +31,7 @@ spec:
     metadata:
       labels:
         app: {{ .Values.services.logger.serviceName }}
+        {{- include "osmo.extra-labels" .Values.services.logger | nindent 8 }}
       annotations:
         {{- include "osmo.extra-annotations" .Values.services.logger | nindent 8 }}
         {{- if .Values.sidecars.otel.enabled }}
@@ -62,9 +63,11 @@ spec:
         {{- end}}
       tolerations:
       {{ toYaml .Values.services.logger.tolerations | nindent 8 }}
+      {{- if .Values.global.imagePullSecret }}
       imagePullSecrets:
       - name: {{ .Values.global.imagePullSecret }}
-      serviceAccountName: {{ include "osmo.service-account-name" (dict "serviceAccountName" .Values.services.logger.serviceAccountName "Values" .Values) }}
+      {{- end }}
+      serviceAccountName: {{ include "osmo.service-account-name" (dict "serviceAccountName" .Values.services.logger.serviceAccountName "root" .) }}
       {{- with .Values.services.logger.initContainers }}
       initContainers:
       {{- toYaml . | nindent 6 }}

@@ -13,11 +13,19 @@
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
+{{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.global.serviceAccountName }}
-  {{- if and .Values.sidecars.logAgent.cloudwatch .Values.sidecars.logAgent.cloudwatch.enabled }}
+  name: {{ include "osmo.serviceAccountName" . }}
+  {{- $hasAnnotations := or .Values.serviceAccount.annotations (and .Values.sidecars.logAgent.cloudwatch .Values.sidecars.logAgent.cloudwatch.enabled) }}
+  {{- if $hasAnnotations }}
   annotations:
+    {{- with .Values.serviceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if and .Values.sidecars.logAgent.cloudwatch .Values.sidecars.logAgent.cloudwatch.enabled }}
     eks.amazonaws.com/role-arn: {{ .Values.sidecars.logAgent.cloudwatch.role }}
+    {{- end }}
   {{- end }}
+{{- end }}
@@ -27,6 +27,7 @@ spec:
     metadata:
       labels:
         app: {{ .Values.services.worker.serviceName }}
+        {{- include "osmo.extra-labels" .Values.services.worker | nindent 8 }}
       annotations:
         {{- include "osmo.extra-annotations" .Values.services.worker | nindent 8 }}
         {{- if .Values.sidecars.otel.enabled }}
@@ -54,9 +55,11 @@ spec:
         {{- end}}
       tolerations:
       {{ toYaml .Values.services.worker.tolerations | nindent 8 }}
+      {{- if .Values.global.imagePullSecret }}
       imagePullSecrets:
       - name: {{ .Values.global.imagePullSecret }}
-      serviceAccountName: {{ include "osmo.service-account-name" (dict "serviceAccountName" .Values.services.worker.serviceAccountName "Values" .Values) }}
+      {{- end }}
+      serviceAccountName: {{ include "osmo.service-account-name" (dict "serviceAccountName" .Values.services.worker.serviceAccountName "root" .) }}
       {{- with .Values.services.worker.initContainers }}
       initContainers:
       {{- toYaml . | nindent 6 }}