From fd3853ed65e8b017c56b1e920c5b68aeb6616583 Mon Sep 17 00:00:00 2001
From: Amanuel Engeda <74629455+engedaam@users.noreply.github.com>
Date: Mon, 11 Dec 2023 09:55:27 -0800
Subject: [PATCH] ci: Use IRSA for Prometheus in E2E environment (#5297)
---
 .github/actions/e2e/install-prometheus/action.yaml | 1 +
 .github/actions/e2e/setup-cluster/action.yaml | 13 ++++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/actions/e2e/install-prometheus/action.yaml b/.github/actions/e2e/install-prometheus/action.yaml
index dc5ac284ed6e..b5e31525bd28 100644
--- a/.github/actions/e2e/install-prometheus/action.yaml
+++ b/.github/actions/e2e/install-prometheus/action.yaml
@@ -44,6 +44,7 @@ runs:
 -f ./.github/actions/e2e/install-prometheus/values.yaml \
 --set prometheus.prometheusSpec.remoteWrite[0].url=https://aps-workspaces.${{ inputs.region }}.amazonaws.com/workspaces/${{ inputs.workspace_id }}/api/v1/remote_write \
 --set prometheus.prometheusSpec.remoteWrite[0].sigv4.region=${{ inputs.region }} \
+ --set prometheus.serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::${{ inputs.account_id }}:role/prometheus-irsa-${{ inputs.cluster_name }}" \
 --set "kubelet.serviceMonitor.cAdvisorRelabelings[0].targetLabel=metrics_path" \
 --set "kubelet.serviceMonitor.cAdvisorRelabelings[0].action=replace" \
 --set "kubelet.serviceMonitor.cAdvisorRelabelings[0].sourceLabels[0]=__metrics_path__" \
diff --git a/.github/actions/e2e/setup-cluster/action.yaml b/.github/actions/e2e/setup-cluster/action.yaml
index cd383354b8fe..05f362a1d8bd 100644
--- a/.github/actions/e2e/setup-cluster/action.yaml
+++ b/.github/actions/e2e/setup-cluster/action.yaml
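Review bot: The added `--set prometheus.serviceAccount.annotations...` line in install-prometheus/action.yaml splices `${{ inputs.account_id }}` and `${{ inputs.cluster_name }}` straight into the shell script text, as the neighbouring `region` and `workspace_id` lines already do. Any quote or shell metacharacter in an input is then interpreted by the shell instead of being passed as data. Whether these inputs can carry caller-controlled values is not visible here, but the usual hardening is to map them under the step's `env:` and reference shell variables (names here are illustrative), e.g. `--set prometheus.serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::${ACCOUNT_ID}:role/prometheus-irsa-${CLUSTER_NAME}" \`. The `run:` step begins and ends outside the hunk, so the `env:` entries would be added there.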
@@ -117,12 +117,15 @@ runs:
 permissionsBoundaryARN: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
 permissionPolicyARNs:
 - "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicy-${{ inputs.cluster_name }}"
- - namespace: prometheus-kube-prometheus-prometheus
- serviceAccountName: prometheus
- roleName: prometheus-irsa-${{ inputs.cluster_name }}
- permissionsBoundaryARN: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
- permissionPolicyARNs:
+ serviceAccounts:
+ - metadata:
+ name: prometheus-kube-prometheus-prometheus
+ namespace: prometheus
+ attachPolicyARNs:
 - "arn:aws:iam::${{ inputs.account_id }}:policy/PrometheusWorkspaceIngestionPolicy"
+ permissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
+ roleName: prometheus-irsa-${{ inputs.cluster_name }}
+ roleOnly: true
 withOIDC: true
 addons:
 - name: vpc-cni
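Review bot: Nothing in the new `serviceAccounts` entry records that its `metadata.name`, `namespace` and `roleName` must stay in step with `.github/actions/e2e/install-prometheus/action.yaml`, which builds the same `prometheus-irsa-${{ inputs.cluster_name }}` ARN by hand. With `roleOnly: true` the ServiceAccount itself appears to come from the Helm chart, and the role's trust policy is presumably scoped to `prometheus/prometheus-kube-prometheus-prometheus`. A changed release name or namespace would then leave the annotated account unable to assume the role, and nothing in these two files would flag the mismatch. A comment above the entry would cover it: `# IRSA role only; the SA is created by the Prometheus chart. name/namespace/roleName must match install-prometheus/action.yaml`. The enclosing cluster config block starts outside the hunk.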