allegroai / clearml-helm-charts

Helm chart repository for the new unified way to deploy ClearML on Kubernetes. ClearML - Auto-Magical CI/CD to streamline your AI workload. Experiment Management, Data Management, Pipeline, Orchestration, Scheduling & Serving in one MLOps/LLMOps solution
https://clear.ml/docs

[clearml] Allow annotations for service account for apiserver #330

Open aaj-synth opened 1 week ago

aaj-synth commented 1 week ago

Is your feature request related to a problem?

As per the storage documentation, we want to configure the ClearML server to write artifacts to an S3 bucket on AWS, but currently that is not possible.

Describe the solution you'd like.

A solution would require the apiserver pod to either have a custom service account provided by the user, which would allow the pod to access the S3 bucket, or allow the service account template to configure additional annotations to allow the pod to access the S3 bucket. The Helm chart values file would look something like this:

apiserver:
  existingServiceAccountName: ""
  serviceAccountName: ""
  serviceAccountAnnotations: {}

Describe alternatives you've considered.

Currently the way to make it work is to create a role in AWS which has the necessary permissions, and attach the annotations on the serviceAccount to allow it to access the S3 bucket. This is far from ideal and creates lots of duplicated code and tech debt.

Additional context.

I am currently using Helm chart version 7.11.4.

aaj-synth commented 1 week ago

@filippo-clearml any updates on this one?

filippo-clearml commented 6 days ago

@aaj-synth You should already be able to edit serviceAccountName to use an existing custom service account; is this working for you? Anyway, being able to add custom annotations and labels is a good idea, we'll work on that :)

aaj-synth commented 6 days ago

Yes, that edit part is working but takes away a lot of deployment power, as someone has to jump in and do the trick for the system to work, and of course has to restart the apiserver so that the pod picks up the correct role from the serviceaccount.

Indeed that would be great to have, and another thing which would be really nice to have is to allow users to bring in their own serviceaccount.
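
The workaround discussed in this thread, written out as an added example (not posted by either participant and not taken from the chart): a pre-created ServiceAccount carrying the role annotation, plus a values override that points the apiserver at it. It assumes an EKS cluster using IAM Roles for Service Accounts; the ServiceAccount name, namespace, account ID and role name are constructed placeholders, and `apiserver.serviceAccountName` is the key named in the comments above.

```yaml
# File 1 (constructed example): serviceaccount.yaml
# Apply this before installing or upgrading the chart.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: clearml-apiserver-s3          # placeholder name
  namespace: clearml                  # placeholder namespace
  annotations:
    # Read by the EKS pod identity webhook when a pod is created.
    # Placeholder account ID and role name.
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/EXAMPLE-clearml-artifacts
    # Least-privilege notes for the IAM side (not part of this manifest):
    #  - the role's trust policy should pin the OIDC "sub" claim to
    #    system:serviceaccount:clearml:clearml-apiserver-s3
    #    so that no other service account in the cluster can assume it;
    #  - the role's permission policy should cover only the artifact bucket.
---
# File 2 (constructed example): values override passed to helm with -f
apiserver:
  # Existing service account the apiserver pod should run as.
  serviceAccountName: clearml-apiserver-s3
```

The webhook injects the role credentials only at pod creation, which is why the apiserver pod has to be recreated after the annotation is added or changed.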