[serviceaccount] Annotations as Values Support #109
Conversation
Signed-off-by: hfuss <[email protected]>
Signed-off-by: hfuss <[email protected]>
There was a problem hiding this comment.
Can you please add sample annotations to one of service accounts in ./test_data and regenerate chart examples with cat test_data/sample-app.yaml | go run ./cmd/helmify examples/app and cat test_data/k8s-operator-kustomize.output | go run ./cmd/helmify examples/operator and push changes to your branch
Signed-off-by: hfuss <[email protected]>
Signed-off-by: hfuss <[email protected]>
|
Thanks for the steer @arttor, this PR should be good to go now in that it has the test_data and examples update you asked for. |
|
@hfuss, I apologize for not bringing up this question earlier, but could you please explain the use case for the I've tried to do some research but there is not much information:
There may be other annotation use cases beyond Unfortunately, Helm does not offer a way to add custom annotations to chart objects, and the chart maintainer may not be aware of which operators the chart users will use and which chart objects they will need to annotate. As a result, it is common to add annotations manually after running |
|
Hey @arttor no worries, thanks for doing the initial research. Specifically, my use case is I've written an operator which requires cloud access to either AWS or Azure. As you pointed out, being able to add IAM ServiceAccount annotations for those clouds simplifies how an operator / app needs to authenticate and assume roles. Another use case for an app or an operator with a UI, might be wanting to create an OAuth client from a ServiceAccount within OpenShift: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.3/html/authentication/using-service-accounts-as-oauth-client In my use of open-source Helm charts such as External DNS, cert-manager, and External Secrets, it was very common for the chart maintainers to expose their ServiceAccount annotations for the same reason - allowing simpler cloud IAM authentication. Users of helmify writing cloud-aware operators might often want to offer the same IAM authentication methods for their charts Your workaround to manually patch ServiceAccount annotations ourselves outside of Helm could introduce a lot of complexity if folks are trying to use Helm in a purely declarative / GitOps driven way such as ArgoCD or Flux. |
|
Understood. What do you think about the following approach?
|
|
@arttor great feedback, took a stab at the functional option implementation as you described and ready for review. |
Signed-off-by: hfuss <[email protected]>
| options := &options{ | ||
| values: nil, | ||
| annotations: false, | ||
| } |
There was a problem hiding this comment.
| options := &options{ | |
| values: nil, | |
| annotations: false, | |
| } | |
| options := &options{} |
| labels: | ||
| {{- include "operator.labels" . | nindent 4 }} | ||
| annotations: | ||
| k8s.acme.org/some-meta-data: ACME Inc. |
There was a problem hiding this comment.
should k8s.acme.org/some-meta-data: ACME Inc. be moved to values.yaml?
There was a problem hiding this comment.
@arttor does helmify do that with labels?
|
Waiting for this 🙏🏻 This is need in order for service account to be able to link with Google Cloud Workload Identity. |
| @@ -44,6 +44,8 @@ controllerManager: | |||
| region: east | |||
| type: user-node | |||
| replicas: 1 | |||
| serviceaccount: | |||
There was a problem hiding this comment.
@hfuss where does this come from? The generated serviceaccount.yaml says {{ toYaml .Values.controllerManager.annotations | nindent 4 }} and I don't see any changes to my values.yaml file.
There was a problem hiding this comment.
@arttor @hfuss I believe this this is the correct template nais@e7f1529 and nais@60c03d1
There was a problem hiding this comment.
@Starefossen i think that this PR is stale. Can you please create PR from your fork? Please don't forget to regenerate examples (see #109 (review) )
There was a problem hiding this comment.
I'll do that @arttor 😄
There was a problem hiding this comment.
Thanks @Starefossen for picking up my slack and seeing this through! 🚀
|
Superseded by #115 |
|
closed with #115 |
I'd like to be able to include annotations on my operator's ServiceAccount as this is a fairly common need for a lot of apps using ServiceAccounts.
Felt like because ServiceAccounts might be special in this regard, I copied
processer.ProcessObjMetaand modified it to include an annotations template and value.Feels a bit hacky and open to feedback as to what the right approach should be.