Allow to set custom ServiceAccount name at helm chart #162

Open
greatehop opened this issue Apr 19, 2024 · 5 comments
Labels
enhancement New feature or request


@greatehop
Contributor

Hi

Helm chart version 0.7.1 does not allow setting a custom ServiceAccount name:

```
% grep rbac -A7 ./aws-global-accelerator-controller/values.yaml
rbac:
  create: true
  # Annotations to add to the service account
  serviceAccount:
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: "aws-ga-controller"
% helm template test1 ./aws-global-accelerator-controller -f ./aws-global-accelerator-controller/values.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-global-accelerator-controller-manager
  namespace: default
```

I expect "aws-ga-controller" instead of "aws-global-accelerator-controller-manager", as it's hardcoded in _helper.tpl:

```
{{- define "aws-global-accelerator-controller.serviceAccountName" -}}
{{- if .Values.rbac.create }}
    {{- printf "%s-%s" (include "aws-global-accelerator-controller.name" .) "manager" }}
{{- else -}}
    {{ default "default" .Values.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
```

@h3poteto
Owner

Please set rbac.create to false.

```yaml
rbac:
  create: false
  serviceAccount:
    name: "aws-ga-controller"
```

@greatehop
Contributor Author

If rbac.create is set to false, the service account will not be created. However, I need to create a service account, but with my own name.

@h3poteto
Owner

Hmm, you mean you want helm to create a ServiceAccount, but do you want to specify the name? Why?

@greatehop
Contributor Author

Yes.
I use IRSA to map an AWS IAM role to a k8s service account. This IAM role is created by Terraform first (before the helm deployment) and its trust policy consists of the namespace and service account name. Something like:


```hcl
module "globalaccelerator-controller" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name = "${local.basename}-globalaccelerator-controller"

  role_policy_arns = {
    globalaccelerator = aws_iam_policy.globalaccelerator-controller.arn
  }

  oidc_providers = {
    dev = {
      provider_arn               = module.eks.openid_provider_arn
      namespace_service_accounts = ["aws-ga-controller:aws-global-accelerator-controller-manager"] # namespace:sa
    }
  }
}
```

Currently helm chart 0.7.1 supports only one name for SA - "aws-global-accelerator-controller-manager".
I'd like to be able to set any custom SA name.
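
Added example, not part of the issue thread or the chart's own code: a pre-deploy check that compares the ServiceAccount subject rendered by `helm template` with the `sub` condition in the IRSA role's trust policy, which is the mismatch the comment above describes. The trust policy JSON, OIDC provider ID, account ID and function names are constructed for illustration; only exact `StringEquals` matches are handled.

```python
import json
import re

# Constructed sample: the ServiceAccount chart 0.7.1 renders (name from the issue),
# placed in the namespace used in the Terraform snippet.
RENDERED = """\
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-global-accelerator-controller-manager
  namespace: aws-ga-controller
"""
# Constructed trust policy; the account ID and OIDC provider ID are placeholders.
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{OIDC}:sub": "system:serviceaccount:aws-ga-controller:aws-ga-controller",
        f"{OIDC}:aud": "sts.amazonaws.com"}}}]})

def rendered_subjects(manifests, release_namespace="default"):
    """IRSA subject for each ServiceAccount in `helm template` output.
    Minimal line matcher, not a YAML parser: expects 2-space metadata indent."""
    subjects = []
    for doc in re.split(r"^---[ \t]*$", manifests, flags=re.M):
        name = re.search(r"^  name:\s*(\S+)", doc, flags=re.M)
        if not name or not re.search(r"^kind:\s*ServiceAccount\s*$", doc, flags=re.M):
            continue
        ns = re.search(r"^  namespace:\s*(\S+)", doc, flags=re.M)
        namespace = ns.group(1) if ns else release_namespace  # assumed fallback
        subjects.append(f"system:serviceaccount:{namespace}:{name.group(1)}")
    return subjects

def trusted_subjects(policy_json):
    """Exact-match `:sub` values allowed by the trust policy (StringEquals only)."""
    allowed = set()
    for stmt in json.loads(policy_json)["Statement"]:
        for key, val in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":sub"):
                allowed.update([val] if isinstance(val, str) else val)
    return allowed

def untrusted(manifests, policy_json):
    """Subjects the chart would run as that the role's trust policy does not allow."""
    allowed = trusted_subjects(policy_json)
    return [s for s in rendered_subjects(manifests) if s not in allowed]

if __name__ == "__main__":
    for subject in untrusted(RENDERED, TRUST_POLICY):
        print("no trust for", subject)
```

With the constructed input, the hardcoded name is reported because the role only trusts the custom name; a pod running as that ServiceAccount would fail `sts:AssumeRoleWithWebIdentity`.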

@h3poteto
Owner

OK, I see.

@h3poteto h3poteto reopened this May 29, 2024
@h3poteto h3poteto added the enhancement New feature or request label Jun 4, 2024