kubernetes-ingress
Nginx Plus ingress controller - Service Account configuration with eksctl
Hello, I am currently trying to install the Nginx ingress controller with the Nginx Plus image, purchased from AWS Marketplace. I associated the IAM policy "AWSMarketplaceMeteringRegisterUsage" with a serviceAccount "nginx-ingress-controller".
But when I want to deploy the controller with Helm, I get the following error.
Error: rendered manifests contain a resource that already exists. Unable to continue with install: ServiceAccount "nginx-ingress-controller" in namespace "ingress" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: key "app.kubernetes.io/managed-by" must equal "Helm": current value is "eksctl"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "nginx-ingress"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "ingress"
Architecture details:
cluster: eks v1.22
Helm chart: nginx-stable/nginx-ingress
Following the helm chart documentation of Nginx-ingress, I notice that the option to associate an existing serviceAccount is not found.
Will it be possible to add it with some update to be able to configure it through the values.yaml in the future?
For example, my idea would be to be able to perform these steps without installing the whole manifest and configure it step by step.
eksctl create iamserviceaccount \
  --name nginx-ingress-controller \
  --namespace ingress \
  --cluster cluster-test \
  --region us-east-2 \
  --attach-policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage \
  --approve
helm upgrade nginx-ingress nginx-stable/nginx-ingress \
  --namespace ingress \
  --install --wait \
  --set controller.replicaCount=1 \
  --set controller.extraArgs.enable-ssl-passthrough=true \
  --set defaultBackend.nodeSelector."beta.kubernetes.io/os"=linux \
  --set controller.admissionWebhooks.patch.nodeSelector."beta.kubernetes.io/os"=linux \
  --set controller.serviceAccount.create=false \
  --set controller.serviceAccount.name=nginx-ingress-controller \
  --set controller.serviceAccount.imagePullSecretName=nginx-dockerconfig \
  --set controller.nginxplus=true \
  --set controller.image.tag=2.3.0-mktpl-1 \
  --set controller.image.repository=xxx.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress
Hi @leonelvargas thanks for reporting!
Be sure to check out the docs while you wait for a human to take a look at this :slightly_smiling_face:
Cheers!
@leonelvargas Hello there.
Do you have an existing deployment already? I see you are using helm upgrade instead of a new install.
Either way, the serviceAccount needs to be properly set up in EKS and associated with NGINX Ingress Controller.
We have a guide on how to set up your AWS IAM account with the service account required for NGINX Ingress. It uses manifests, but is still doable with Helm.
You can view it here:
https://docs.nginx.com/nginx-ingress-controller/installation/using-aws-marketplace-image/
Hello, thank you very much for your answer. I am using the "upgrade" command, but in addition I add the "--install" flag. I have followed that documentation, but it is only related to installation with manifests. With Helm it is much simpler, but the Helm chart does not allow associating an already created serviceAccount. It must be created by the Nginx Helm chart itself. This makes it impossible to automate the association of the serviceAccount created by "eksctl" with the Helm chart of the nginx-stable/nginx-ingress repo.
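The Helm error quoted in the first post names three ownership keys that the eksctl-created ServiceAccount lacks. The following is an added example, not code from the issue or from the NGINX project: it checks a ServiceAccount object against those three keys and prints the `kubectl` commands that would close the gaps. The function names are hypothetical, the sample object and its role ARN are constructed, and `eks.amazonaws.com/role-arn` is assumed to be the annotation the eksctl step sets for the IAM role.

```python
import json

# Ownership metadata Helm demands before adopting an existing object,
# taken from the three rules in the error message quoted in the issue.
def required_ownership(release, namespace):
    return {
        "labels": {"app.kubernetes.io/managed-by": "Helm"},
        "annotations": {
            "meta.helm.sh/release-name": release,
            "meta.helm.sh/release-namespace": namespace,
        },
    }

def adoption_gaps(sa, release, namespace):
    """Return (kind, key, current, wanted) for each key that blocks adoption."""
    meta = sa.get("metadata", {})
    gaps = []
    for kind, wanted in required_ownership(release, namespace).items():
        have = meta.get(kind) or {}
        for key, value in wanted.items():
            if have.get(key) != value:
                gaps.append((kind, key, have.get(key), value))
    return gaps

def fix_commands(sa, release, namespace):
    """kubectl commands that close the gaps; empty list when nothing blocks."""
    name, ns = sa["metadata"]["name"], sa["metadata"]["namespace"]
    verb = {"labels": "label", "annotations": "annotate"}
    return [
        f"kubectl -n {ns} {verb[kind]} serviceaccount {name} {key}={want} --overwrite"
        for kind, key, _, want in adoption_gaps(sa, release, namespace)
    ]

def irsa_role(sa):
    """IAM role bound to the ServiceAccount (assumed IRSA annotation), or None."""
    return (sa["metadata"].get("annotations") or {}).get("eks.amazonaws.com/role-arn")

# Constructed sample: what `kubectl get sa -o json` could return after the eksctl step.
SAMPLE = json.loads("""{
  "metadata": {
    "name": "nginx-ingress-controller", "namespace": "ingress",
    "labels": {"app.kubernetes.io/managed-by": "eksctl"},
    "annotations": {"eks.amazonaws.com/role-arn": "arn:aws:iam::111122223333:role/EXAMPLE-ROLE"}
  }
}""")

if __name__ == "__main__":
    print("IAM role:", irsa_role(SAMPLE))
    for cmd in fix_commands(SAMPLE, "nginx-ingress", "ingress"):
        print(cmd)
```

Once the ServiceAccount is adopted, Helm manages the object, so confirm after the install that the IAM role annotation is still present on it.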