From ee6520d885a027dccd09126b2ff2e37098635009 Mon Sep 17 00:00:00 2001 From: Greg Weber Date: Tue, 9 Oct 2018 16:14:41 -0700 Subject: [PATCH 1/4] configure the operator ServiceAccount --- .../templates/controller-manager-deployment.yaml | 4 ++-- charts/tidb-operator/values.yaml | 12 +++++++++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/charts/tidb-operator/templates/controller-manager-deployment.yaml b/charts/tidb-operator/templates/controller-manager-deployment.yaml index eaa777ed21e..fb5add1a0e5 100644 --- a/charts/tidb-operator/templates/controller-manager-deployment.yaml +++ b/charts/tidb-operator/templates/controller-manager-deployment.yaml @@ -22,8 +22,8 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: controller-manager spec: - {{- if .Values.rbac.create }} - serviceAccount: tidb-controller-manager + {{- if .Values.controllerManager.serviceAccount }} + serviceAccount: {{ .Values.controllerManager.serviceAccount }} {{- end }} containers: - name: tidb-operator diff --git a/charts/tidb-operator/values.yaml b/charts/tidb-operator/values.yaml index 0a3abe18abe..2952494ab2a 100644 --- a/charts/tidb-operator/values.yaml +++ b/charts/tidb-operator/values.yaml @@ -1,4 +1,10 @@ # Default values for tidb-operator + +# clusterScoped is whether tidb-operator should manage kubernetes cluster wide tidb clusters +# Also see rbac.create and controllerManager.serviceAccount +clusterScoped: true + +# Also see clusterScoped and controllerManager.serviceAccount rbac: create: true @@ -8,10 +14,10 @@ imagePullPolicy: IfNotPresent defaultStorageClassName: local-storage -# clusterScoped is whether tidb-operator should manage kubernetes cluster wide tidb clusters -clusterScoped: true - controllerManager: + # If you turn on rbac.create, you likely also want to turn this on + # Also see rbac.create and clusterScoped + serviceAccount: tidb-controller-manager logLevel: 2 replicas: 1 resources: 
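Review bot: The chart value is rendered unquoted at `serviceAccount: {{ .Values.controllerManager.serviceAccount }}` in controller-manager-deployment.yaml, and the field now depends on a free-form value instead of `rbac.create`. Quoting keeps a name that YAML would read as a boolean or number a string, and `serviceAccountName` is the current PodSpec field (`serviceAccount` is its deprecated alias): `serviceAccountName: {{ .Values.controllerManager.serviceAccount | quote }}`. When the value is empty the field is omitted and the pod runs as the namespace's `default` ServiceAccount, so any permission the operator needs would then have to be granted to that shared account; a template comment above the `if` stating this would help. The pod spec continues outside the hunk.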
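Review bot: The comment added above `controllerManager.serviceAccount` in values.yaml (hunk at line 8) reads as if the value were a switch ("turn this on"), but the deployment template uses it as the account name and treats an empty value as unset. I would replace it with `# Name of the ServiceAccount the controller-manager pod runs as.` followed by `# Leave empty to omit the field; the pod then uses the namespace's default ServiceAccount.` It is also worth saying which combinations with `rbac.create` are supported, because this default stays set when a user changes only `rbac.create: false`. The `controllerManager` mapping continues outside the hunk.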
From 9b6e6b4f3d0f27ec494e11a621ee117c535ce3d8 Mon Sep 17 00:00:00 2001 From: Greg Weber Date: Tue, 9 Oct 2018 21:05:18 -0700 Subject: [PATCH 2/4] make SeriveAccount resource creation optional --- charts/tidb-operator/templates/controller-manager-rbac.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/tidb-operator/templates/controller-manager-rbac.yaml b/charts/tidb-operator/templates/controller-manager-rbac.yaml index 1703daf3e64..38c27c805fe 100644 --- a/charts/tidb-operator/templates/controller-manager-rbac.yaml +++ b/charts/tidb-operator/templates/controller-manager-rbac.yaml @@ -107,11 +107,12 @@ roleRef: name: tidb-controller-manager apiGroup: rbac.authorization.k8s.io {{- end }} +{{- if .Values.controllerManager.ServiceAccount }} --- kind: ServiceAccount apiVersion: v1 metadata: - name: tidb-controller-manager + name: {{ .Values.controllerManager.ServiceAccount }} labels: app.kubernetes.io/name: {{ template "tidb-operator.name" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -119,3 +120,4 @@ metadata: app.kubernetes.io/component: controller-manager helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} {{- end }} +{{- end }} From 3317e9ffd9639f2495c8a3f828dcdf2d0c5ed316 Mon Sep 17 00:00:00 2001 From: Greg Weber Date: Thu, 11 Oct 2018 22:41:32 -0700 Subject: [PATCH 3/4] e2e: create the serviceAccount --- images/tidb-operator-e2e/tidb-operator-values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/images/tidb-operator-e2e/tidb-operator-values.yaml b/images/tidb-operator-e2e/tidb-operator-values.yaml index e6c55d56147..8027798a26b 100644 --- a/images/tidb-operator-e2e/tidb-operator-values.yaml +++ b/images/tidb-operator-e2e/tidb-operator-values.yaml @@ -12,6 +12,7 @@ defaultStorageClassName: local-storage clusterScoped: true controllerManager: + serviceAccount: tidb-controller-manager logLevel: 2 replicas: 1 resources: From b8f095d7994ea31bbb5186985b5ef8383ecc1646 Mon Sep 17 00:00:00 2001 
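Review bot: Only the ServiceAccount's `metadata.name` follows the new value in controller-manager-rbac.yaml; the binding subjects are outside both hunks of this file. If they still name `tidb-controller-manager`, a custom `controllerManager.serviceAccount` gives the pod an account with no role bound, while the bindings keep granting the controller role to a `tidb-controller-manager` account the chart no longer creates. The subjects should render the same value, e.g. `name: {{ .Values.controllerManager.serviceAccount }}` (lower-case key, as patch 4 corrects). Separately, the `{{- end }}` added in the hunk at line 119 follows an existing `{{- end }}`, which suggests the account is still created only inside the `rbac.create` block, whereas the Deployment from patch 1 references it whenever the value is set; with `rbac.create: false` and the default value the pod would name an account nothing creates. The enclosing conditionals open outside the hunks, so this needs checking against the full template.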
From: Greg Weber Date: Fri, 12 Oct 2018 02:25:50 -0700 Subject: [PATCH 4/4] fix lower-case serviceAccount --- charts/tidb-operator/templates/controller-manager-rbac.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/tidb-operator/templates/controller-manager-rbac.yaml b/charts/tidb-operator/templates/controller-manager-rbac.yaml index 38c27c805fe..a22b99e7233 100644 --- a/charts/tidb-operator/templates/controller-manager-rbac.yaml +++ b/charts/tidb-operator/templates/controller-manager-rbac.yaml @@ -107,12 +107,12 @@ roleRef: name: tidb-controller-manager apiGroup: rbac.authorization.k8s.io {{- end }} -{{- if .Values.controllerManager.ServiceAccount }} +{{- if .Values.controllerManager.serviceAccount }} --- kind: ServiceAccount apiVersion: v1 metadata: - name: {{ .Values.controllerManager.ServiceAccount }} + name: {{ .Values.controllerManager.serviceAccount }} labels: app.kubernetes.io/name: {{ template "tidb-operator.name" . }} app.kubernetes.io/managed-by: {{ .Release.Service }}