[platform] Service Account missing from workload-launcher spawned pods #48888
Comments
joeybenamy
added
area/platform
|
It worked in 1.2.0, I suspect a regression with the 1.3.0 upgrade. Our bigquery destination does not work anymore with default credentials : "Access Denied: Dataset get-actionable-dev:airbyte_europe_west1: Permission bigquery.datasets.get denied on dataset" Before it has the right service account associated. |
|
In 1.3.0, the pod has: But in 1.2.0: |
marcosmarxm
added
team/deployments
and removed
needs-triage
team/compose
team/platform-move
autoteam
labels
|
@airbytehq/platform-deployments can someone take a look into this issue? |
|
The 1.3.1 release has been pushed. This should fix this regression. Can you test that the 1.3.1 release fixes this issue? |
The service account on the spawned pods is correct now. I am still having issues with writing logs and state to S3, but maybe unrelated. #48407 |
|
Seems ok on 1.3.1, thanks. |
Helm Chart Version
1.3.0
What step the error happened?
During the Sync
Relevant information
The pods that the workload launcher spawns have the service account set to
defaultinstead of the service account set in Helm values and used by the workload-launcher itself. We need the same service account mapped to the spawned pods so that we can write logs to AWS S3 using the IAM role mapped to the Kubernetes service account. I believe the issue is that the pod factory for the workload launcher does not specify a service account.Perhaps in:
https://github.com/airbytehq/airbyte-platform/blob/2c4dffdd701ee1977c0a56d78fe2b0c3aee7624f/airbyte-workload-launcher/src/main/kotlin/pods/factories/InitContainerFactory.kt#L44C25-L44C26
The container builder should be modified to:
The service account should probably be added to the other container and pod factories as well, if set in Helm values.
Relevant log output
The text was updated successfully, but these errors were encountered: