From b34386016e89be616651f09730023a6138254e1d Mon Sep 17 00:00:00 2001
From: Christopher Desiniotis
Date: Mon, 18 Aug 2025 15:16:35 -0700
Subject: [PATCH] Always use dedicated service account in device-plugin helm chart
Signed-off-by: Christopher Desiniotis
(cherry picked from commit 81a0e5e8f00e62d5b7462874e6099be647cb22d6)
---
 .../templates/daemonset-device-plugin.yml | 3 ---
 .../helm/nvidia-device-plugin/templates/daemonset-gfd.yml | 5 +++--
 .../templates/daemonset-mps-control-daemon.yml | 2 --
 .../helm/nvidia-device-plugin/templates/role-binding.yml | 4 +++-
 deployments/helm/nvidia-device-plugin/templates/role.yml | 4 +++-
 .../helm/nvidia-device-plugin/templates/service-account.yml | 4 +++-
 6 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/deployments/helm/nvidia-device-plugin/templates/daemonset-device-plugin.yml b/deployments/helm/nvidia-device-plugin/templates/daemonset-device-plugin.yml
index 6cfa5042b..fcd3355a2 100644
--- a/deployments/helm/nvidia-device-plugin/templates/daemonset-device-plugin.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/daemonset-device-plugin.yml
@@ -15,7 +15,6 @@
 {{- if .Values.devicePlugin.enabled }}
 ---
 {{- $options := (include "nvidia-device-plugin.options" . | fromJson) }}
-{{- $useServiceAccount := $options.hasConfigMap }}
 {{- $configMapName := (include "nvidia-device-plugin.configMapName" .) | trim }}
 {{- $daemonsetName := printf "%s" (include "nvidia-device-plugin.fullname" .) | trunc 63 | trimSuffix "-" }}
 apiVersion: apps/v1
@@ -52,9 +51,7 @@ spec:
 {{- end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
- {{- if $useServiceAccount }}
 serviceAccountName: {{ include "nvidia-device-plugin.fullname" . }}-service-account
- {{- end }}
 {{- if $options.hasConfigMap }}
 shareProcessNamespace: true
 initContainers:
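Review bot: In the second daemonset-device-plugin.yml hunk `serviceAccountName` is now set unconditionally, so the plugin pod gets a token for `…-service-account` mounted even when `$options.hasConfigMap` is false; the gfd and mps-control-daemon templates in this patch name the same account, and role-binding.yml binds it through a ClusterRoleBinding. Moving off the namespace's default account is reasonable, but if the containers only call the API server in the config-map case (not visible from this hunk), that token is credential material the pod does not need. Consider following the `serviceAccountName` line with `{{- if not $options.hasConfigMap }}` / `automountServiceAccountToken: false` / `{{- end }}`, and adding a comment above it such as `# Dedicated account so the pod never falls back to the namespace's default service account`. The pod spec starts and ends outside the hunk.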
diff --git a/deployments/helm/nvidia-device-plugin/templates/daemonset-gfd.yml b/deployments/helm/nvidia-device-plugin/templates/daemonset-gfd.yml
index 09f9dfe39..cb5b95c67 100644
--- a/deployments/helm/nvidia-device-plugin/templates/daemonset-gfd.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/daemonset-gfd.yml
@@ -15,7 +15,10 @@
 {{- if .Values.gfd.enabled }}
 ---
 {{- $options := (include "nvidia-device-plugin.options" . | fromJson) }}
+<<<<<<< HEAD
 {{- $useServiceAccount := or ( $options.hasConfigMap ) ( and .Values.gfd.enabled .Values.nfd.enableNodeFeatureApi ) }}
+=======
+>>>>>>> 81a0e5e8f (Always use dedicated service account in device-plugin helm chart)
 {{- $configMapName := (include "nvidia-device-plugin.configMapName" .) | trim }}
 {{- $daemonsetName := printf "%s-gpu-feature-discovery" (include "nvidia-device-plugin.fullname" .) | trunc 63 | trimSuffix "-" }}
 apiVersion: apps/v1
@@ -52,9 +55,7 @@ spec:
 {{- end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
- {{- if $useServiceAccount }}
 serviceAccountName: {{ include "nvidia-device-plugin.fullname" . }}-service-account
- {{- end }}
 {{- if $options.hasConfigMap }}
 shareProcessNamespace: true
 {{- end }}
diff --git a/deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml b/deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml
index da37aba6d..f7174e188 100644
--- a/deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml
@@ -50,12 +50,10 @@ spec:
 {{- end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
- {{- if $options.hasConfigMap }}
 serviceAccountName: {{ include "nvidia-device-plugin.fullname" . }}-service-account
 {{- if not .Values.mps.enableHostPID }}
 shareProcessNamespace: true
 {{- end }}
- {{- end }}
 {{- if .Values.mps.enableHostPID }}
 hostPID: true
 {{- end }}
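Review bot: The first daemonset-gfd.yml hunk adds `<<<<<<< HEAD`, `=======` and `>>>>>>> 81a0e5e8f (…)` as template lines, so the cherry-pick conflict was committed unresolved; Helm copies such text verbatim into the rendered manifest, which will then most likely fail to parse as YAML. The same three lines are added at the top of role-binding.yml, role.yml and service-account.yml. In this file the resolution is to delete the markers together with the kept `{{- $useServiceAccount := … }}` assignment, which appears to have no reader left once the second hunk drops `{{- if $useServiceAccount }}`. Running `helm lint` or `helm template` on the chart in CI would catch this class of mistake before merge.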
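Review bot: Removing the outer `{{- if $options.hasConfigMap }}` in daemonset-mps-control-daemon.yml also un-gates `shareProcessNamespace: true`, which the commit message does not mention: it now applies whenever `.Values.mps.enableHostPID` is false, while the device-plugin and gfd templates in this patch still set it only under `$options.hasConfigMap`. A shared PID namespace lets every container in the pod see and signal the others' processes, so widening it should be a deliberate choice rather than a side effect. If only the service account was meant to change, keep the old condition on the inner block, e.g. `{{- if and $options.hasConfigMap (not .Values.mps.enableHostPID) }}`. The pod spec starts and ends outside the hunk.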
diff --git a/deployments/helm/nvidia-device-plugin/templates/role-binding.yml b/deployments/helm/nvidia-device-plugin/templates/role-binding.yml
index 9232b1ed3..ab96a4f42 100644
--- a/deployments/helm/nvidia-device-plugin/templates/role-binding.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/role-binding.yml
@@ -1,6 +1,9 @@
 ---
+<<<<<<< HEAD
 {{- $options := (include "nvidia-device-plugin.options" . | fromJson) }}
 {{- if or $options.hasConfigMap ( and .Values.gfd.enabled .Values.nfd.enableNodeFeatureApi ) }}
+=======
+>>>>>>> 81a0e5e8f (Always use dedicated service account in device-plugin helm chart)
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -15,4 +18,3 @@ roleRef:
 kind: ClusterRole
 name: {{ include "nvidia-device-plugin.fullname" . }}-role
 apiGroup: rbac.authorization.k8s.io
-{{- end }}
diff --git a/deployments/helm/nvidia-device-plugin/templates/role.yml b/deployments/helm/nvidia-device-plugin/templates/role.yml
index c2ecb803a..08eff01f2 100644
--- a/deployments/helm/nvidia-device-plugin/templates/role.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/role.yml
@@ -1,6 +1,9 @@
 ---
+<<<<<<< HEAD
 {{- $options := (include "nvidia-device-plugin.options" . | fromJson) }}
 {{- if or $options.hasConfigMap ( and .Values.gfd.enabled .Values.nfd.enableNodeFeatureApi ) }}
+=======
+>>>>>>> 81a0e5e8f (Always use dedicated service account in device-plugin helm chart)
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -16,4 +19,3 @@ rules:
 resources: ["nodefeatures"]
 verbs: ["get", "list", "watch", "create", "update"]
 {{- end }}
-{{- end }}
diff --git a/deployments/helm/nvidia-device-plugin/templates/service-account.yml b/deployments/helm/nvidia-device-plugin/templates/service-account.yml
index 7ab9ba336..74219f177 100644
--- a/deployments/helm/nvidia-device-plugin/templates/service-account.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/service-account.yml
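Review bot: In role-binding.yml the first hunk keeps `{{- if or $options.hasConfigMap ( and … ) }}` as a context line while the second hunk deletes its closing `{{- end }}`, leaving an unterminated `if` that should make the template fail to parse; role.yml and service-account.yml show the same pattern. The kept lines sit between committed conflict markers (`<<<<<<< HEAD` … `>>>>>>> 81a0e5e8f`), so the intended resolution is presumably the incoming side: drop the markers, the `$options` assignment and the `if` line so the ClusterRoleBinding is always rendered, matching the now-unconditional `serviceAccountName` in the daemonsets. In role.yml, first check that `$options` is not still read by the inner conditional whose `{{- end }}` remains just above the removed one. Because these RBAC objects become unconditional, a short comment at the top of each file saying why the binding is always created would help later reviewers of the chart's permissions.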
@@ -1,6 +1,9 @@
 ---
+<<<<<<< HEAD
 {{- $options := (include "nvidia-device-plugin.options" . | fromJson) }}
 {{- if or $options.hasConfigMap ( and .Values.gfd.enabled .Values.nfd.enableNodeFeatureApi ) }}
+=======
+>>>>>>> 81a0e5e8f (Always use dedicated service account in device-plugin helm chart)
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -8,4 +11,3 @@ metadata:
 namespace: {{ include "nvidia-device-plugin.namespace" . }}
 labels:
 {{- include "nvidia-device-plugin.labels" . | nindent 4 }}
-{{- end }}