From 23768f694697be1b29ec00b8deeed5777d2538e8 Mon Sep 17 00:00:00 2001 From: Jacob Ferriero Date: Tue, 15 Sep 2020 03:39:39 -0700 Subject: [PATCH] Proposal: remove -serviceaccount suffix from KSA names in helm chart (#10892) * [WIP] remove -serviceaccount suffix in helm chart It's quite annoying to have `-serviceaccount` in each service account name as this is a useless 15 characters that provides no additional information. "why is this so frustrating to you Jake?" GCP service accounts have 30 char name limit https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating For manageability / clarity I'd like to keep KSA and GSA names exactly the same when using workload identity which maps KSA<>GSA 1:1 https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. --- chart/files/pod-template-file.yaml | 2 +- chart/templates/cleanup/cleanup-cronjob.yaml | 2 +- chart/templates/cleanup/cleanup-serviceaccount.yaml | 2 +- chart/templates/rbac/pod-cleanup-rolebinding.yaml | 2 +- chart/templates/rbac/pod-launcher-rolebinding.yaml | 4 ++-- chart/templates/scheduler/scheduler-deployment.yaml | 2 +- chart/templates/scheduler/scheduler-serviceaccount.yaml | 2 +- chart/templates/workers/worker-deployment.yaml | 2 +- chart/templates/workers/worker-serviceaccount.yaml | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/chart/files/pod-template-file.yaml b/chart/files/pod-template-file.yaml index 1a2b8a7e042c7d..b49bdb0b9c2e9a 100644 --- a/chart/files/pod-template-file.yaml +++ b/chart/files/pod-template-file.yaml @@ -71,7 +71,7 @@ spec: {{ toYaml .Values.affinity | indent 8 }} tolerations: {{ toYaml .Values.tolerations | indent 8 }} - serviceAccountName: '{{ .Release.Name }}-worker-serviceaccount' + serviceAccountName: '{{ .Release.Name }}-worker' volumes: {{- if .Values.dags.persistence.enabled }} - name: dags 
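Review bot: In chart/files/pod-template-file.yaml the new `serviceAccountName: '{{ .Release.Name }}-worker'` is a hand-typed copy of the name that worker-serviceaccount.yaml defines and pod-launcher-rolebinding.yaml binds, so the three literals have to be kept in sync by eye. If one drifts, worker pods either fail admission for a missing ServiceAccount or run under an identity the pod-launcher role is not bound to. The chart already uses named templates (`{{ template "registry_secret" . }}` is visible in cleanup-cronjob.yaml), so defining each account name once in a named template and referencing it from every file would remove that risk; the same goes for the scheduler and cleanup names in the later hunks. Short of that, I would add `# must equal metadata.name in templates/workers/worker-serviceaccount.yaml` above this line. The pod spec starts and ends outside the hunk.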
diff --git a/chart/templates/cleanup/cleanup-cronjob.yaml b/chart/templates/cleanup/cleanup-cronjob.yaml index 3f44976566ee2a..d1268aeac9def5 100644 --- a/chart/templates/cleanup/cleanup-cronjob.yaml +++ b/chart/templates/cleanup/cleanup-cronjob.yaml @@ -51,7 +51,7 @@ spec: {{ toYaml .Values.affinity | indent 12 }} tolerations: {{ toYaml .Values.tolerations | indent 12 }} - serviceAccountName: {{ .Release.Name }}-cleanup-serviceaccount + serviceAccountName: {{ .Release.Name }}-cleanup {{- if or .Values.registry.secretName .Values.registry.connection }} imagePullSecrets: - name: {{ template "registry_secret" . }} diff --git a/chart/templates/cleanup/cleanup-serviceaccount.yaml b/chart/templates/cleanup/cleanup-serviceaccount.yaml index 769cbdcfa0d4bf..6ef3aec0725a26 100644 --- a/chart/templates/cleanup/cleanup-serviceaccount.yaml +++ b/chart/templates/cleanup/cleanup-serviceaccount.yaml @@ -22,7 +22,7 @@ kind: ServiceAccount apiVersion: v1 metadata: - name: {{ .Release.Name }}-cleanup-serviceaccount + name: {{ .Release.Name }}-cleanup labels: tier: airflow release: {{ .Release.Name }} diff --git a/chart/templates/rbac/pod-cleanup-rolebinding.yaml b/chart/templates/rbac/pod-cleanup-rolebinding.yaml index 4c2dd259b25b39..0d09b87bb44852 100644 --- a/chart/templates/rbac/pod-cleanup-rolebinding.yaml +++ b/chart/templates/rbac/pod-cleanup-rolebinding.yaml @@ -37,6 +37,6 @@ roleRef: name: {{ .Release.Name }}-cleanup-role subjects: - kind: ServiceAccount - name: {{ .Release.Name }}-cleanup-serviceaccount + name: {{ .Release.Name }}-cleanup namespace: {{ .Release.Namespace }} {{- end }} diff --git a/chart/templates/rbac/pod-launcher-rolebinding.yaml b/chart/templates/rbac/pod-launcher-rolebinding.yaml index 4dba494eed522b..6582209adb6aa0 100644 --- a/chart/templates/rbac/pod-launcher-rolebinding.yaml +++ b/chart/templates/rbac/pod-launcher-rolebinding.yaml 
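Review bot: There is no upgrade note for the identity change in chart/templates/cleanup/cleanup-serviceaccount.yaml (`name: {{ .Release.Name }}-cleanup`), nor for the matching changes in scheduler-serviceaccount.yaml and worker-serviceaccount.yaml; the diffstat lists only the nine template files. On upgrade the old `<release>-cleanup-serviceaccount` object is presumably dropped and a new `<release>-cleanup` created, so anything outside the chart that names the old account stops matching. That includes Workload Identity IAM bindings, whose member string embeds the namespace and KSA name. I would add an entry to the chart's upgrade notes listing the three old and new names and stating that external bindings must be created for the new names and the old ones removed.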
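Review bot: The `subjects` entry in chart/templates/rbac/pod-cleanup-rolebinding.yaml is matched purely by kind, name and namespace, and Kubernetes does not check that the named ServiceAccount exists. A mismatch with cleanup-serviceaccount.yaml therefore installs cleanly and only shows up as a permission error when the cleanup job runs. The same holds for the two subjects in pod-launcher-rolebinding.yaml. Any binding kept outside the chart that still names `<release>-cleanup-serviceaccount` is left dangling by this change and would apply to whatever account is later created under that old name, so it should be deleted rather than left in place. A render test asserting that every RoleBinding subject equals a rendered ServiceAccount `metadata.name` would catch drift; whether the chart has one is not visible here.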
@@ -40,12 +40,12 @@ roleRef: subjects: {{- if $grantScheduler }} - kind: ServiceAccount - name: {{ .Release.Name }}-scheduler-serviceaccount + name: {{ .Release.Name }}-scheduler namespace: {{ .Release.Namespace }} {{- end }} {{- if $grantWorker }} - kind: ServiceAccount - name: {{ .Release.Name }}-worker-serviceaccount + name: {{ .Release.Name }}-worker namespace: {{ .Release.Namespace }} {{- end }} {{- end }} diff --git a/chart/templates/scheduler/scheduler-deployment.yaml b/chart/templates/scheduler/scheduler-deployment.yaml index b8eb4e96c7f674..e84fa053d914a6 100644 --- a/chart/templates/scheduler/scheduler-deployment.yaml +++ b/chart/templates/scheduler/scheduler-deployment.yaml @@ -83,7 +83,7 @@ spec: {{ toYaml .Values.tolerations | indent 8 }} restartPolicy: Always terminationGracePeriodSeconds: 10 - serviceAccountName: {{ .Release.Name }}-scheduler-serviceaccount + serviceAccountName: {{ .Release.Name }}-scheduler securityContext: runAsUser: {{ .Values.uid }} fsGroup: {{ .Values.gid }} diff --git a/chart/templates/scheduler/scheduler-serviceaccount.yaml b/chart/templates/scheduler/scheduler-serviceaccount.yaml index bfd9d3badb763e..0e97bbd665096d 100644 --- a/chart/templates/scheduler/scheduler-serviceaccount.yaml +++ b/chart/templates/scheduler/scheduler-serviceaccount.yaml @@ -22,7 +22,7 @@ kind: ServiceAccount apiVersion: v1 metadata: - name: {{ .Release.Name }}-scheduler-serviceaccount + name: {{ .Release.Name }}-scheduler labels: tier: airflow release: {{ .Release.Name }} diff --git a/chart/templates/workers/worker-deployment.yaml b/chart/templates/workers/worker-deployment.yaml index 439843dac92e8f..3b441123d30076 100644 --- a/chart/templates/workers/worker-deployment.yaml +++ b/chart/templates/workers/worker-deployment.yaml 
@@ -72,7 +72,7 @@ spec: {{ toYaml .Values.tolerations | indent 8 }} terminationGracePeriodSeconds: {{ .Values.workers.terminationGracePeriodSeconds }} restartPolicy: Always - serviceAccountName: {{ .Release.Name }}-worker-serviceaccount + serviceAccountName: {{ .Release.Name }}-worker securityContext: runAsUser: {{ .Values.uid }} fsGroup: {{ .Values.gid }} diff --git a/chart/templates/workers/worker-serviceaccount.yaml b/chart/templates/workers/worker-serviceaccount.yaml index 87350975bd141f..5bfb6a60b330ec 100644 --- a/chart/templates/workers/worker-serviceaccount.yaml +++ b/chart/templates/workers/worker-serviceaccount.yaml @@ -22,7 +22,7 @@ kind: ServiceAccount apiVersion: v1 metadata: - name: {{ .Release.Name }}-worker-serviceaccount + name: {{ .Release.Name }}-worker labels: tier: airflow release: {{ .Release.Name }}