[Enhancement][opensearch] - allow reusing existing serviceAccount #614

Closed
asgerjensen opened this issue Oct 30, 2024 · 2 comments
Labels
enhancement New feature or request untriaged Issues that have not yet been triaged

Comments

@asgerjensen

Is your feature request related to a problem? Please describe.
It should be possible to provide an existing serviceaccount to the cluster runner.
Currently, it's not possible to have the chart use an existing service account, as the serviceAccount is only ever set if you ask to have it created.

{{- if and .Values.rbac.create (eq .Values.rbac.serviceAccountName "") }}

Meaning if you have external resources managed by someone else, you first have to get them to prepare the asset, then deploy opensearch, then back to them to patch up the service account.

Describe the solution you'd like
A clear and concise description of what you want to happen.

The rbac section should probably have an "enabled" flag, that is used instead of the "create" flag on the stateful set, such that

rbac:
   enabled: true
   create: false
   serviceAccountName: foo-bar-baz

would result in the pods running under foo-bar-baz service account rights.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

None, except for Kustomize, which allows for full separation of control between external resources and opensearch.

Additional context
Add any other context or screenshots about the feature request here.

@asgerjensen asgerjensen added enhancement New feature or request untriaged Issues that have not yet been triaged labels Oct 30, 2024
@asgerjensen asgerjensen changed the title [Enhancement][Chart Name] [Enhancement][opensearch] - allow reusing existing serviceAccount Oct 30, 2024
@asgerjensen
Author

To give context:

  • Suppose you are not the one providing the Kubernetes cluster, nor the assets (S3 bucket, IAM policy etc.) that the opensearch needs to use.
  • If the provider of those services can set up a service-account that has all the necessary rights configured to access these things, the opensearch deployment becomes a one-step process.
  • If opensearch is undeployed and redeployed, it will pick up those existing rights again.

With the current chart logic, the stateful set becomes a pet, since any changes made to the serviceaccount will be deleted when/if opensearch is undeployed and redeployed.

@asgerjensen
Author

Ah, I'm sorry. I see now I can just provide the serviceAccount annotation with the role ARN. Closing.
