Closed dounix closed 2 years ago
@dounix We've fixed this issue in the new 0.9.4 release out today. The release notes describe the fix and link to an updated RBAC example showing how to use an existing service account - https://helm.pingidentity.com/release-notes/currentRelease/
The documentation in the helm-chart values states you can use an existing account with RBAC
https://github.com/pingidentity/helm-charts/blob/master/charts/ping-devops/values.yaml#L217
"account named based on the Helm installation and the specific workload being deployed. If generateServiceAccount and generateGlobalServiceAccount are false, this value can also refer to a service account created outside of Helm."
Attempting this will result in the pod spec for the security account being "default"
Looking at the logic in the template the documentation in values.yaml doesn't seem correct.
https://github.com/pingidentity/helm-charts/blob/master/charts/ping-devops/templates/pinglib/_workload.tpl#L66
One of the generate options would need to be set, generateGlobalServiceAccount , or generateServiceAccount, precluding the use of an existing account.
Here is one potential way to fix it, adding a existingServiceAccount bool.
https://github.com/pingidentity/helm-charts/commit/d7746aebc6c9c0c5effd5a1816670e181cbb707d