• I have searched for similar problems (yes)
• Extendshelm: add sa annotations #4640

Problem

Currently, there is no way to configure this viavalues.yaml:

ServiceAccount-specific labels — Labels that should only be applied to the ServiceAccount resource, not the Deployment

Workaround

Patch Helm chart with these changes manually.

ServiceAccount Labels

** Location:**helm/libcoder/templates/_coder.yaml (around line ~100)

Current behaviour:
Only supportscoder.serviceAccount.annotations and inherits deployment labels via
{{- include "coder.labels" . | nindent 4 }}

** Requested addition:**
Add support forcoder.serviceAccount.labels invalues.yaml:

coder:serviceAccount:labels:{}# custom-label: value

Update the template to include these labels:

apiVersion:v1kind:ServiceAccountmetadata:name:{{ .Values.coder.serviceAccount.name | quote }}namespace:{{ .Release.Namespace }}annotations:{{ toYaml .Values.coder.serviceAccount.annotations | nindent 4 }}labels:{{- include "coder.labels" . | nindent 4 }}{{- if .Values.coder.serviceAccount.labels }}{{ toYaml .Values.coder.serviceAccount.labels | nindent 4 }}{{- end }}

Use case:

Allows the user to apply specific labels to the ServiceAccount for compliance/governance tooling that should not be present on other resources.

This should apply to:

• coder Helm chart (helm/coder and helm/libcoder)
• provisioner Helm chart (for consistency)

Benefits

• Eliminates need for manual chart patching
• Follows existing patterns in the chart (similar to how annotations andinitialDelaySeconds work)
• Provides better production deployment flexibility
• Maintains backward compatibility (new fields are optional with sensible defaults)