charts-clickhouse icon indicating copy to clipboard operation
charts-clickhouse copied to clipboard

Published 20 hours ago verified publisher icon PostHog

Allow to configure service account for clickhouse instance

Open Legion2 opened this issue 1 year ago • 3 comments

Proposed change

Allow to configure service account for clickhouse instance, to be able to add eks.amazonaws.com/role-arn annotation and use IAM roles for service accounts, which is useful for creating backups in S3.

Alternative options

IAM roles for service accounts can not be used and aws access key credentials must be used instead.

Legion2 avatar Jun 30 '22 14:06 Legion2

👋 Hey @Legion2, the service account is coming from the upstream clickhouse-operator and we render it via https://github.com/PostHog/charts-clickhouse/blob/f627a50360e62aad3be17358626fa42ede3fce72/scripts/clickhouse_operator_sync.sh#L1-L76 as they currently do not offer a Helm chart.

My suggestion is to open a PR upstream to either:

  • change the operator to allow custom annotations for the service account
  • support a proper Helm chart we can then import in this one

Feedback are welcome. Thank you!

guidoiaquinti avatar Jun 30 '22 15:06 guidoiaquinti

Looks like it is already supported in the ClickHouseInstallation CRD you can specific podTemplates which include serviceAccountName. So the Service Account itself must be created separately and only the name must be set in the ClickHouseInstallation CR, which should be possible via this helm chart. I will try this and report back.

Legion2 avatar Jun 30 '22 15:06 Legion2

Here an option to configure the serviceAccountName must be added: https://github.com/PostHog/charts-clickhouse/blob/90797e6b164fecf2ec38f6d20d675ae8bd31d2f1/charts/posthog/templates/clickhouse_instance.yaml#L62-L93

Legion2 avatar Jul 01 '22 16:07 Legion2