-
Notifications
You must be signed in to change notification settings - Fork 360
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix service account creation when no Values.serviceAccount.name is defined #562
Fix service account creation when no Values.serviceAccount.name is defined #562
Conversation
@@ -42,7 +42,7 @@ Create the name of the service account | |||
Define the service account as needed | |||
*/}} | |||
{{- define "temporal.serviceAccount" -}} | |||
{{- if .Values.serviceAccount.name -}} | |||
{{- if .Values.serviceAccount.create -}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense, but we need to still use the service account if create
is false but name
is set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just pushed another commit but it will drastically changed from the original direction.
Based on your comment and how the repo has actually worked, I am now creating the serviceaccount as the default (no more create flag)
If no name is defined, then we will referred to the default naming scheme as we noted to the user
If a name is defined, then we will use that name
Let me know what you think @robholland
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This prevents users from using a pre-made service account. Helm will fail trying to create the serviceAccount that already exists.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@robholland thanks for the feedback, I did not account for premade service account because they were not referenced anyway
I just moved the conditional check in a different area to support both
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I don't understand your fix. Now we might create a serviceAccount called "default". I don't understand the reasoning there. Please see if #574 fixes the behaviour you needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problem. I left a comment at #574 to further explain. @robholland
If it remains unclear, feel free to close this and move forward with your fix since it still acheives the same goal
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now we might create a serviceAccount called "default"
correction here: we dont create this serviceaccount. We just reference to it, in an explicit way.
https://github.com/temporalio/helm-charts/blob/main/charts/temporal/templates/serviceaccount.yaml is already guarded by the same check {{- if .Values.serviceAccount.create -}}
eae99ae
to
76eeea7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your explanation and patience :) This all makes sense to me now, I've tried to tweak the comment a little, but otherwise looks good!
Co-authored-by: Rob Holland <[email protected]>
What was changed
Instead of checking for
serviceAccount.name
inside a helper template, I rely onserviceAccount.create
and ensure a service account is always used instead of the service accountdefault
Why?
Given a yaml values:
Without this change, a service account is created with the default name (which is taken from release full name as documented in values yaml ) but this new service account will never be used because the helper template will never refer to it
Instead all the pods created by temporal will always use
serviceAccountName: default
and default will come with no configuration, such as annotations that people use on popular k8s platform like eksJust because of a missing serviceaccount name, any other configuration for service account will never be applied
Extra context
I figured out this issue when trying to debug why archivals did not work and using temporal operator to enable archivals is giving back 403 in the server log
After enabling debugging log for archival s3store, I found
which hints at the permission issue with the role.
Checklist
Closes [Feature Request] [Archival] [s3 provider] use IAM role + serviceAccount #464
How was this tested: Manually on my platform. New pods will be created with