feat(chart): add serviceAccountName support at per-agent and global level

charts/openab/README.md

@@ -12,6 +12,7 @@ This page highlights commonly used values and deployment patterns. For the compl
 |-------|-------------|---------|
 | `nameOverride` | Override the chart name portion used in generated resource names. For per-agent resource names, use `agents.<name>.nameOverride`. | `""` |
 | `fullnameOverride` | Override the full generated release name for chart resources. Useful when deploying multiple instances with predictable names. | `""` |
+| `serviceAccountName` | Chart-global ServiceAccount name attached to every agent pod that doesn't define its own. Empty = cluster `default` SA. Per-agent `agents.<name>.serviceAccountName` fully overrides this. Chart references an existing SA only — does not create one. Required for workload identity and pod-level RBAC. | `""` |
 
 ### Agent values
 
@@ -50,6 +51,7 @@ Each agent lives under `agents.<name>`.
 | `persistence.enabled` | Enable persistent storage for auth and settings. | `true` |
 | `persistence.existingClaim` | Reuse an existing PVC instead of creating one. | `""` |
 | `agentsMd` | Contents of `AGENTS.md` mounted into the working directory. | `""` |
+| `serviceAccountName` | Per-agent ServiceAccount name. When set (non-empty), fully overrides chart-global `serviceAccountName`. Useful when only some agents need a dedicated SA. | `""` |
 | `extraInitContainers` | Additional init containers for the agent pod. | `[]` |
 | `extraContainers` | Additional sidecar containers for the agent pod. | `[]` |
 | `extraVolumeMounts` | Additional volume mounts for the main agent container. | `[]` |

charts/openab/templates/deployment.yaml

@@ -29,6 +29,10 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- $svcAcct := default $.Values.serviceAccountName $cfg.serviceAccountName }}
+      {{- if $svcAcct }}
+      serviceAccountName: {{ $svcAcct }}
+      {{- end }}
       {{- with $cfg.extraInitContainers }}
       initContainers:
         {{- toYaml . | nindent 8 }}

charts/openab/tests/serviceaccount_test.yaml

@@ -0,0 +1,51 @@
+suite: serviceAccountName support (chart-global + per-agent override)
+templates:
+  - templates/deployment.yaml
+
+tests:
+  - it: does not render serviceAccountName when neither global nor per-agent is set
+    asserts:
+      - notExists:
+          path: spec.template.spec.serviceAccountName
+
+  - it: renders chart-global serviceAccountName when only the global value is set
+    set:
+      serviceAccountName: "openab"
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: openab
+
+  - it: renders per-agent serviceAccountName when only the per-agent value is set
+    set:
+      agents.kiro.serviceAccountName: "kiro-sa"
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: kiro-sa
+
+  - it: per-agent serviceAccountName fully overrides chart-global
+    set:
+      serviceAccountName: "openab"
+      agents.kiro.serviceAccountName: "kiro-sa"
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: kiro-sa
+
+  - it: empty per-agent serviceAccountName falls back to chart-global
+    set:
+      serviceAccountName: "openab"
+      agents.kiro.serviceAccountName: ""
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: openab
+
+  - it: explicit empty global + empty per-agent renders no serviceAccountName field
+    set:
+      serviceAccountName: ""
+      agents.kiro.serviceAccountName: ""
+    asserts:
+      - notExists:
+          path: spec.template.spec.serviceAccountName

charts/openab/values.yaml

@@ -11,6 +11,15 @@ nameOverride: ""
 # Override the full release name used in generated resource names.
 fullnameOverride: ""
 
+# Chart-global ServiceAccount name for agent pods, used when an agent doesn't
+# set its own `serviceAccountName`. Empty string = use cluster default SA.
+# Per-agent values (agents.<name>.serviceAccountName) take precedence — when
+# set, they fully override this. The chart only references an existing SA; it
+# does NOT create one or manage annotations (provision out-of-band).
+# Example:
+# serviceAccountName: "openab"
+serviceAccountName: ""
+
 podSecurityContext:
   runAsNonRoot: true
   runAsUser: 1000
@@ -349,6 +358,11 @@ agents:
     nodeSelector: {}
     tolerations: []
     affinity: {}
+    # Per-agent ServiceAccount name. When set (non-empty), overrides the
+    # chart-global `serviceAccountName` for this agent only. Useful in
+    # multi-agent deployments where only some agents need a dedicated SA.
+    # serviceAccountName: "openab"
+    serviceAccountName: ""
     # extraInitContainers adds init containers to the pod (runs before the main container)
     extraInitContainers: []
     # extraContainers adds sidecar containers to the pod