pingidentity / helm-charts

Apache License 2.0

ServiceAccount not getting annotations from global annotations #287

Open mk2134226 opened 1 month ago

mk2134226 commented 1 month ago

If I use this

global:
  annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::xxxx:role/xxxxxxx-pingelm-pap-irsa

It works

But if I use

global:
  annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::xxxxxxx:role/xxxxxg-pingelm-pap-irsa
  rbac:
    applyServiceAccountToWorkload: true
    generateGlobalServiceAccount: true
    generateGlobalRoleAndRoleBinding: true

Then I get this error

Error: UPGRADE FAILED: error validating "": error validating data: [apiVersion not set, kind not set] make: * [pingdevops] Error 1

Looks like there is some issue with the service account templates, which are not able to parse annotations.

henryrecker-pingidentity commented 1 month ago

Thanks for opening this issue @mk2134226, I've opened an issue internally and I'll update this issue when we have a fix.

henryrecker-pingidentity commented 1 month ago

A fix for this was merged into main and will be included in the next monthly release.

mk2134226 commented 3 weeks ago

@henryrecker-pingidentity Thanks, is there any simple way to add an annotation only to service accounts, rather than to all resources?

henryrecker-pingidentity commented 3 weeks ago

Currently there isn't a way built into the chart to do this. You can do this with a kustomize post renderer (similar to https://github.com/pingidentity/pingidentity-devops-getting-started/blob/master/30-helm/read-only-filesystem/kustomize/kustomization.yaml) to set the desired annotation.
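
A sketch of the kustomize post-renderer approach mentioned in the comment above, as an added example that is not from the thread, the chart, or the linked repository: a `kustomization.yaml` that puts the IRSA role annotation on ServiceAccount objects only, so it does not reach StatefulSet volume claim templates or other resources. The file name `all.yaml` and the ARN placeholders are assumptions.

```yaml
# kustomization.yaml (added example, not the chart's own configuration)
#
# Assumed wiring: the executable passed to `helm upgrade --post-renderer`
# writes the rendered manifests it receives on stdin to ./all.yaml, then
# prints the output of `kustomize build .` on stdout.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - all.yaml            # assumed file name for the rendered chart output

patches:
  # The target selector limits this patch to ServiceAccount objects.
  # Every other kind in all.yaml passes through unchanged.
  - target:
      version: v1
      kind: ServiceAccount
    patch: |-
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        # Ignored when a target is given: the patch is applied to every
        # ServiceAccount the selector matches, whatever its name.
        name: any-service-account
        annotations:
          # Placeholder values: substitute the real account ID and role name.
          eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
```

Adding `name:` or `labelSelector:` under `target` narrows the patch to a single ServiceAccount when the release creates more than one.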

corybolar commented 1 week ago

@henryrecker-pingidentity This limitation also affects services. For instance, I need to add a traefik servertransport annotation to the service resources created by the helm chart but can only do so by adding the annotation globally to every resource. While this doesn't immediately cause an issue, it is very confusing and causes stateful set update issues if the annotation ever changes (The annotation is added to the persistent volume templates).

Is it possible to modify the helm chart to allow annotations and labels for resources that do not currently support sourcing values from the values.yaml?

Unfortunately the kustomize workaround doesn't easily apply as I am using a gitops tool to render the templates, argocd in this case.

henryrecker-pingidentity commented 1 week ago

Hi @corybolar, thank you for the feedback. I'll open an internal ticket to track this request and will update you here when it is available.