aws-global-accelerator-controller icon indicating copy to clipboard operation
aws-global-accelerator-controller copied to clipboard
verified publisher icon h3poteto

Allow to set custom ServiceAccount name at helm chart

Open greatehop opened this issue 1 year ago • 5 comments

Hi

helm chart version 0.7.1 does not allow to set custom ServiceAccount name:

% grep rbac -A7 ./aws-global-accelerator-controller/values.yaml
rbac:
  create: true
  # Annotations to add to the service account
  serviceAccount:
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: "aws-ga-controller"

% helm template test1 ./aws-global-accelerator-controller -f ./aws-global-accelerator-controller/values.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-global-accelerator-controller-manager
  namespace: default

I expect "aws-ga-controller" instead of "aws-global-accelerator-controller-manager", as it's hardcoded at _helper.tpl

{{- define "aws-global-accelerator-controller.serviceAccountName" -}}
{{- if .Values.rbac.create }}
    {{- printf "%s-%s" (include "aws-global-accelerator-controller.name" .) "manager" }}
{{- else -}}
    {{ default "default" .Values.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}

greatehop avatar Apr 19 '24 09:04 greatehop

Please set rbac.create to false.

rbac:
  create: false
  serviceAccount:
    name: "aws-ga-controller"

h3poteto avatar May 26 '24 07:05 h3poteto

If rbac.create is set to false, the service account will not be created. However, I need to create a service account, but with my own name.

greatehop avatar May 26 '24 08:05 greatehop

Hmm, you mean you want helm to create a ServiceAccount, but do you want to specify the name? Why?

h3poteto avatar May 26 '24 16:05 h3poteto

yes I use IRSA to map AWS IAM role to k8s service account. This IAM role is created by Terraform first (before helm deployment) and its trust policy consists of namespace and service account name. Something like:


module "globalaccelerator-controller" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name = "${local.basename}-globalaccelerator-controller"

  role_policy_arns = {
    globalaccelerator = aws_iam_policy.globalaccelerator-controller.arn
  }

  oidc_providers = {
    dev = {
      provider_arn               = module.eks.openid_provider_arn
      namespace_service_accounts = ["aws-ga-controller:aws-global-accelerator-controller-manager"] # namespace:sa
    }
  }
}

Currently helm chart 0.7.1 supports only one name for SA - "aws-global-accelerator-controller-manager". I'd like to be able to set any custom SA name.

greatehop avatar May 29 '24 22:05 greatehop

OK, I see.

h3poteto avatar May 29 '24 23:05 h3poteto