kubegres
Add serviceAccountName to Kubegres CRD
We are working with Vault and the CSI provider, so in order to make it possible for Vault to mount the secrets, the serviceAccountName needs to be specified in the podSpec. I've tried several ways, but it is not possible as it always uses the default serviceAccountName.
Example of what is working:
```yaml
apiVersion: kubegres.reactive-tech.io/v1
kind: Kubegres
metadata:
  name: mypostgres-csi
  namespace: default
spec:
  replicas: 1
  image: postgres:14.1
  database:
    size: 200Mi
  env:
    - name: POSTGRES_PASSWORD
      valueFrom:
        secretKeyRef:
          name: postgres-auth
          key: postgres-password
    - name: POSTGRES_REPLICATION_PASSWORD
      valueFrom:
        secretKeyRef:
          name: postgres-auth
          key: postgres-password
  volume:
    volumeMounts:
      - name: secrets-store-inline
        mountPath: "/mnt/secrets-store"
        readOnly: true
    volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "postgres-auth"
```
What is needed:
```yaml
apiVersion: kubegres.reactive-tech.io/v1
kind: Kubegres
metadata:
  name: mypostgres-csi
  namespace: default
spec:
  serviceAccountName: kubegres-sa
  replicas: 1
  image: postgres:14.1
  database:
    size: 200Mi
  env:
    - name: POSTGRES_PASSWORD
      valueFrom:
        secretKeyRef:
          name: postgres-auth
          key: postgres-password
    - name: POSTGRES_REPLICATION_PASSWORD
      valueFrom:
        secretKeyRef:
          name: postgres-auth
          key: postgres-password
  volume:
    volumeMounts:
      - name: secrets-store-inline
        mountPath: "/mnt/secrets-store"
        readOnly: true
    volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "postgres-auth"
```
So is there a way to achieve this? If not, could it be added to the CRD?
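
For context on why the service account matters here, the supporting objects such a setup typically relies on, as an added example that is not part of the original issue or the Kubegres project. The names `kubegres-sa` and `postgres-auth` come from the manifests above; the Vault address, role name, policy name, and secret path are assumptions.

```yaml
# Added example. Assumed values (not from the issue): vaultAddress, roleName,
# secretPath, secretKey, and the Vault policy name in the trailing comment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubegres-sa            # the account requested in the issue
  namespace: default
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: postgres-auth          # matches volumeAttributes.secretProviderClass
  namespace: default
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.example.internal:8200"
    roleName: "kubegres"
    objects: |
      - objectName: "postgres-password"
        secretPath: "secret/data/postgres"
        secretKey: "password"
  # Sync the mounted object into the Kubernetes Secret that the
  # secretKeyRef entries in the Kubegres spec read from.
  secretObjects:
    - secretName: postgres-auth
      type: Opaque
      data:
        - objectName: postgres-password
          key: postgres-password
# Vault side: the Kubernetes-auth role accepts logins only from the bound
# service account and namespace, so a pod running as "default" cannot
# authenticate and the CSI volume mount fails.
#   vault write auth/kubernetes/role/kubegres \
#     bound_service_account_names=kubegres-sa \
#     bound_service_account_namespaces=default \
#     policies=postgres-read ttl=20m
```

Binding the Vault role to a dedicated account rather than `default` keeps other pods in the namespace from reading the database credentials.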