pegasystems · rbogendoerfer · Jan 9, 2026 · Jan 9, 2026 · Jan 12, 2026 · Jan 12, 2026
@@ -39,6 +39,7 @@ Complete information on the design of the service including architecture, scalab
 | `ingress.tls.secretName`                        | Specify the Kubernetes secret you created in which you store your SSL certificate for your deployment.                                                                                                                                                                                                                                               |
 | `ingress.annotations`                        | Specify additional annotations to add to the ingress.                                                                                                                                                                                                           |
 | `ingress.domain`                        | Specify your custom domain.                                                                                                                                                                                                                                                                                         |
+| `serviceAccount`                            | Specify the serviceAccount for the deployment. Using `serviceAccount.name` a service account can be specified. Setting `serviceAccount.create` to `true` will also provision the named service account. |
 
 ```yaml
 enabled: true

@@ -23,6 +23,9 @@ spec:
         {{ toYaml .Values.podLabels | nindent 8 }}
         {{- end }}
     spec:
+{{- if (.Values.serviceAccount).name }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+{{- end }}
       imagePullSecrets:
       - name: {{ include "backingservicesRegistrySecret" ( dict "root" .Values "defaultname" "constellation-messaging" ) }}
       {{ if .Values.docker.imagePullSecretNames }}

@@ -0,0 +1,8 @@
+{{- if and (.Values.serviceAccount).create (.Values.serviceAccount).name -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | quote }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
@@ -67,6 +67,7 @@ The values.yaml file provides configuration options to define the values for the
 | `docker.constellation.image`                        | Specify the image version.                                                                                                                                                                                                                                                                                          |
 | `docker.messaging.imagePullPolicy`                        | Specify the image pull policy configurations for the image.                                                                                                                                                                                                                                                                                          |
 | `serviceAccountName`                        | Specify a custom [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) for the pods of your deployment.                                                                                                                                                                                                                                                                                          |
+| `serviceAccount`                            | Alternative way to specify the serviceAccount for the deployment. Using `serviceAccount.name` a service account can be specified. Setting `serviceAccount.create` to `true` will also provision the named service account. |
 | `affinity`                        | Specify the pod affinity so that pods are restricted to run on particular node(s), or to prefer to run on particular nodes.    
                                                                                                                                                                                                                                                                                           |
 | `tolerations`                        | Specify pod tolerations so that it is allowed to run on node(s) with particular taints.    

@@ -26,7 +26,9 @@ spec:
         {{ toYaml .Values.podAnnotations | nindent 8 }}
       {{- end }}
     spec:
-      {{- if .Values.serviceAccountName }}
+      {{- if (.Values.serviceAccount).name }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      {{- else if .Values.serviceAccountName }}
       serviceAccountName: {{ .Values.serviceAccountName }}
       {{- end }}
       {{- if .Values.customerAssetVolumeClaimName }}

@@ -0,0 +1,12 @@
+{{- if and (.Values.serviceAccount).create (or (.Values.serviceAccount).name .Values.serviceAccountName) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+{{- if (.Values.serviceAccount).name }}
+  name: {{ .Values.serviceAccount.name | quote }}
+{{- else }}
+  name: {{ .Values.serviceAccountName | quote }}
+{{- end }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
@@ -115,6 +115,8 @@ To deploy Pega Platform with the SRS backing service, the SRS helm chart require
 | `k8sProvider`                           | Specify your Kubernetes provider name. Supported values are [`eks`, `aks`, `minikube`, `gke`, `openshift`, `pks`].
 | `enableSecureCryptoMode`                | Set to true if you require a highly secured connection that complies with NIST SP 800-53 and NIST SP 800-131. Otherwise, set to false.
 | `javaOpts`                              | Use this parameter to configure values for Java options.
+| `serviceAccount`                            | Specify the serviceAccount for the deployment. Using `serviceAccount.name` a service account can be specified. Setting `serviceAccount.create` to `true` will also provision the named service account. |
+
 
 ### Enabling security between SRS and Elasticsearch
 Enabling a secure connection between SRS and your Elasticsearch service depends on the method you chose to deploy the Elasticsearch cluster.

@@ -23,6 +23,9 @@ spec:
         - name: {{ . }}
         {{- end -}}
         {{ end }}
+{{- if (.Values.serviceAccount).name }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+{{- end }}
 {{- if .Values.srsRuntime.securityContext }}
       securityContext:
 {{ toYaml .Values.srsRuntime.securityContext | indent 8 }}

@@ -0,0 +1,8 @@
+{{- if and (.Values.serviceAccount).create (.Values.serviceAccount).name -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | quote }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
@@ -671,7 +671,20 @@ tier:
 
 ### Service Account
 
-If the pod needs to be run with a specific [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/), you can specify a custom `serviceAccountName` for your deployment tier.
+If the pod needs to be run with a specific [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/), and the service account also needs to be provisioned, you can specify a custom `serviceAccount` section for your deployment tier.
+
+Example:
+
+```yaml
+tier:
+  - name: my-tier
+    custom:
+      serviceAccount:
+        create: true
+        name: MY_SERVICE_ACCOUNT_NAME
+```
+
+If the pod only needs to be run with a specific service account, you can just specify a custom `serviceAccountName` for your deployment tier.
 
 Example:
 
@@ -682,6 +695,8 @@ tier:
       serviceAccountName: MY_SERVICE_ACCOUNT_NAME
 ```
 
+Specifying serviceAccount.name takes precedence over serviceAccountName.
+
 ### Custom volumes
 
 You can optionally specify custom `volumes` and `volumeMounts` for your deployment tier. You need to grant read and/or write permissions to the volume location to the Pega user depending on the purpose of the volume. By default, the Pega user UID is 9001.
@@ -1390,6 +1405,16 @@ Example:
 installer:
   serviceAccountName: MY_INSTALLER_SERVICE_ACCOUNT_NAME
 ```
+If you require the helm charts also to provision the service account, you can use the section `serviceAccount` for your job.
+
+Example:
+
+```yaml
+installer:
+  serviceAccount:
+    create: true
+    name: MY_INSTALLER_SERVICE_ACCOUNT_NAME
+```
 
 ### Installer Custom Volumes and Volume Mounts
 You can specify custom volume and volume mounts for the installer pod.
@@ -1488,6 +1513,8 @@ Parameter   | Description
 `hazelcast.password` | Configures the password to be used in a client-server Hazelcast model for authentication between the nodes in the Pega deployment and the nodes in the Hazelcast cluster. This parameter configures the password credential in Hazelcast cluster and your Pega nodes so authentication occurs automatically. | `""`
 `hazelcast.external_secret_name` | If you configured a secret in an external secrets operator, enter the secret name. For details, see [this section](#optional-support-for-providing-credentialscertificates-using-external-secrets-operator).                                                                                                 | `""`
 `hazelcast.affinity` | Configures policy to assign the pods to the nodes. See the official [Kubernetes Documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).                                                                                                                                    | `""`
+| `hazelcast.serviceAccount` | Specify the serviceAccount for the deployment. Using `serviceAccount.name` a service account can be specified. Setting `serviceAccount.create` to `true` will also provision the named service account. | `""`
+
 
 #### Example
 ```yaml

@@ -22,6 +22,9 @@ spec:
 {{- include "generatedClusteringServicePodAnnotations" . | indent 8 }}
     spec:
       terminationGracePeriodSeconds: {{ .Values.server.graceful_shutdown_max_wait_seconds }}
+{{- if (.Values.serviceAccount).name }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+{{- end }}
 {{- if .Values.securityContext }}
       securityContext:
 {{ toYaml .Values.securityContext | indent 8 }} 

@@ -0,0 +1,8 @@
+{{- if and (eq (include "isClusteringServiceEnabled" .) "true") (.Values.serviceAccount).create (.Values.serviceAccount).name -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | quote }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
@@ -21,6 +21,9 @@ spec:
       annotations:
 {{- include "generatedHazelcastServicePodAnnotations" . | indent 8 }}
     spec:
+{{- if (.Values.serviceAccount).name }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+{{- end }}
       terminationGracePeriodSeconds: {{ .Values.server.graceful_shutdown_max_wait_seconds }}
       containers:
       - name: hazelcast

@@ -0,0 +1,8 @@
+{{- if and (eq (include "isHazelcastEnabled" .) "true") (.Values.serviceAccount).create (.Values.serviceAccount).name -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | quote }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
@@ -41,7 +41,9 @@ spec:
 {{- end }}
     spec:
       shareProcessNamespace: {{ .root.Values.shareProcessNamespace }}
-{{- if .root.Values.serviceAccountName }}
+{{- if (.root.Values.serviceAccount).name }}
+      serviceAccountName: {{ .root.Values.serviceAccount.name }}
+{{- else if .root.Values.serviceAccountName }}
       serviceAccountName: {{ .root.Values.serviceAccountName }}
 {{- end }}
       volumes:

@@ -0,0 +1,12 @@
+{{- if and (.Values.serviceAccount).create (or (.Values.serviceAccount).name .Values.serviceAccountName) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+{{- if (.Values.serviceAccount).name }}
+  name: {{ .Values.serviceAccount.name | quote }}
+{{- else if .Values.serviceAccountName }}
+  name: {{ .Values.serviceAccountName | quote}}
+{{- end }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- end -}}
@@ -73,7 +73,9 @@ spec:
     spec:
 {{- include "generatedDNSConfigAnnotations" .root | indent 6 }}
 {{- if .custom }}
-{{- if .custom.serviceAccountName }}
+{{- if (.custom.serviceAccount).name }}
+      serviceAccountName: {{ .custom.serviceAccount.name }}
+{{- else if .custom.serviceAccountName }}
       serviceAccountName: {{ .custom.serviceAccountName }}
 {{- end }}
 {{- end }}

@@ -0,0 +1,8 @@
+{{- define "pega.serviceaccount" -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .name | quote }}
+  namespace: {{ .root.Release.Namespace }}
+---
+{{- end -}}
@@ -0,0 +1,15 @@
+{{ if (eq (include "performDeployment" $) "true") }}
+{{ $salist := list }}
+{{ range $dep := .Values.global.tier  }}
+{{ $saname := "" }}
+{{ if (($dep.custom).serviceAccount).name }}
+{{ $saname = $dep.custom.serviceAccount.name }}
+{{ else if ($dep.custom).serviceAccountName }}
+{{ $saname = $dep.custom.serviceAccountName }}
+{{ end }}
+{{ if and ((($dep.custom).serviceAccount).create) $saname (not (has $saname $salist)) }}
+{{ $salist = append $salist $saname }}
+{{ template "pega.serviceaccount" dict "root" $ "name" $saname }}
+{{ end }}
+{{ end }}
+{{ end }}