h3poteto / aws-global-accelerator-controller

A Kubernetes controller for Global Accelerators and Route53
Apache License 2.0

Allow to set custom ServiceAccount name at helm chart #162

Open greatehop opened 6 months ago

greatehop commented 6 months ago

Hi,

Helm chart version 0.7.1 does not allow setting a custom ServiceAccount name:

```
% grep rbac -A7 ./aws-global-accelerator-controller/values.yaml
rbac:
  create: true
  # Annotations to add to the service account
  serviceAccount:
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: "aws-ga-controller"
% helm template test1 ./aws-global-accelerator-controller -f ./aws-global-accelerator-controller/values.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-global-accelerator-controller-manager
  namespace: default
```

I expect "aws-ga-controller" instead of "aws-global-accelerator-controller-manager", as it's hardcoded in _helper.tpl:

```
{{- define "aws-global-accelerator-controller.serviceAccountName" -}}
{{- if .Values.rbac.create }}
    {{- printf "%s-%s" (include "aws-global-accelerator-controller.name" .) "manager" }}
{{- else -}}
    {{ default "default" .Values.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
```

h3poteto commented 4 months ago

Please set rbac.create to false.

```yaml
rbac:
  create: false
  serviceAccount:
    name: "aws-ga-controller"
```

greatehop commented 4 months ago

If rbac.create is set to false, the service account will not be created. However, I need to create a service account, but with my own name.

h3poteto commented 4 months ago

Hmm, you mean you want helm to create a ServiceAccount, but you want to specify the name? Why?

greatehop commented 4 months ago

Yes, I use IRSA to map an AWS IAM role to a k8s service account. This IAM role is created by Terraform first (before the helm deployment) and its trust policy consists of the namespace and service account name. Something like:

```hcl
module "globalaccelerator-controller" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name = "${local.basename}-globalaccelerator-controller"

  role_policy_arns = {
    globalaccelerator = aws_iam_policy.globalaccelerator-controller.arn
  }

  oidc_providers = {
    dev = {
      provider_arn               = module.eks.openid_provider_arn
      namespace_service_accounts = ["aws-ga-controller:aws-global-accelerator-controller-manager"] # namespace:sa
    }
  }
}
```

Currently helm chart 0.7.1 supports only one name for the SA, "aws-global-accelerator-controller-manager". I'd like to be able to set any custom SA name.
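The point of the thread is that an IRSA trust policy matches the OIDC `sub` claim `system:serviceaccount:<namespace>:<name>` exactly, so the name the chart renders has to be the one Terraform was given, or `AssumeRoleWithWebIdentity` is refused. The program below is an added example, not code from this project or its chart: it renders a hypothetical corrected helper (named `sa.name` here, with a small stand-in for Sprig's `default`) in which an explicit `rbac.serviceAccount.name` wins when set and the generated `<chart>-manager` name is only the fallback, then checks each rendered name against a constructed list of Terraform `namespace:sa` entries the way a pre-deployment check would.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Hypothetical corrected helper (not the project's _helpers.tpl): a user-supplied
// rbac.serviceAccount.name is honoured whenever it is set; otherwise fall back to
// "<chart name>-manager" when the chart creates the account, or to "default" when
// it does not.
const helperTmpl = `{{- define "sa.name" -}}
{{- if .Values.rbac.create -}}
{{- default (printf "%s-%s" .Chart.name "manager") .Values.rbac.serviceAccount.name -}}
{{- else -}}
{{- default "default" .Values.rbac.serviceAccount.name -}}
{{- end -}}
{{- end -}}
{{- template "sa.name" . -}}`

// funcs is a minimal stand-in for Sprig's "default": return the fallback when the
// given value is nil or an empty string. Argument order matches Sprig (default first).
var funcs = template.FuncMap{
	"default": func(fallback string, given any) string {
		if s, ok := given.(string); ok && s != "" {
			return s
		}
		return fallback
	},
}

// RenderServiceAccountName evaluates the helper for a chart name and the rbac
// values (create flag and optional explicit name), mirroring values.yaml keys.
func RenderServiceAccountName(chartName string, create bool, explicitName string) (string, error) {
	tmpl, err := template.New("helper").Funcs(funcs).Parse(helperTmpl)
	if err != nil {
		return "", err
	}
	ctx := map[string]any{
		"Chart": map[string]any{"name": chartName},
		"Values": map[string]any{
			"rbac": map[string]any{
				"create":         create,
				"serviceAccount": map[string]any{"name": explicitName},
			},
		},
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, ctx); err != nil {
		return "", err
	}
	return strings.TrimSpace(buf.String()), nil
}

// IRSASubject builds the OIDC "sub" claim an IRSA trust policy conditions on.
func IRSASubject(namespace, serviceAccount string) string {
	return "system:serviceaccount:" + namespace + ":" + serviceAccount
}

// TrustPolicyAllows reports whether the rendered ServiceAccount would be accepted
// by a trust policy built from the Terraform module's "namespace:sa" entries.
// Any mismatch (name or namespace) means the pod cannot assume the role.
func TrustPolicyAllows(namespaceServiceAccounts []string, namespace, serviceAccount string) bool {
	want := IRSASubject(namespace, serviceAccount)
	for _, entry := range namespaceServiceAccounts {
		parts := strings.SplitN(entry, ":", 2)
		if len(parts) == 2 && IRSASubject(parts[0], parts[1]) == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: the IAM role trusts only "aws-ga-controller:aws-ga-controller".
	trusted := []string{"aws-ga-controller:aws-ga-controller"}
	cases := []struct {
		create bool
		name   string
	}{{true, "aws-ga-controller"}, {true, ""}, {false, "aws-ga-controller"}}
	for _, c := range cases {
		sa, err := RenderServiceAccountName("aws-global-accelerator-controller", c.create, c.name)
		if err != nil {
			panic(err)
		}
		fmt.Printf("create=%v name=%q -> %s (trusted by IAM role: %v)\n",
			c.create, c.name, sa, TrustPolicyAllows(trusted, "aws-ga-controller", sa))
	}
}
```

With the helper as written on the chart's current 0.7.1 logic, the second case (create true, no explicit name) is the only one the chart can produce, which is exactly why the Terraform entry in the issue had to be pinned to `aws-global-accelerator-controller-manager`; the check makes such a mismatch visible before `helm install` rather than as an `AccessDenied` at runtime.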

h3poteto commented 4 months ago

OK, I see.