Allow to configure service account for clickhouse instance

PostHog / charts-clickhouse

Helm chart for deploying PostHog with ClickHouse on your K8s infrastructure

MIT License

58 stars 74 forks source link

Allow to configure service account for clickhouse instance #463

Open Legion2 opened 2 years ago

Legion2 commented 2 years ago

Proposed change

Allow to configure service account for clickhouse instance, to be able to add eks.amazonaws.com/role-arn annotation and use IAM roles for service accounts, which is useful for creating backups in S3.

Alternative options

IAM roles for service accounts can not be used and aws access key credentials must be used instead.

guidoiaquinti commented 2 years ago

👋 Hey @Legion2, the service account is coming from the upstream clickhouse-operator and we render it via https://github.com/PostHog/charts-clickhouse/blob/f627a50360e62aad3be17358626fa42ede3fce72/scripts/clickhouse_operator_sync.sh#L1-L76 as they currently do not offer a Helm chart.

My suggestion is to open a PR upstream to either:

change the operator to allow custom annotations for the service account
support a proper Helm chart we can then import in this one

Feedback are welcome. Thank you!

Legion2 commented 2 years ago

Looks like it is already supported in the ClickHouseInstallation CRD you can specific podTemplates which include serviceAccountName. So the Service Account itself must be created separately and only the name must be set in the ClickHouseInstallation CR, which should be possible via this helm chart. I will try this and report back.

Legion2 commented 2 years ago

Here an option to configure the serviceAccountName must be added: https://github.com/PostHog/charts-clickhouse/blob/90797e6b164fecf2ec38f6d20d675ae8bd31d2f1/charts/posthog/templates/clickhouse_instance.yaml#L62-L93