This repository has been archived by the owner on May 16, 2023. It is now read-only.

rbac.serviceAccountName attr is being overlooked in statefulset.yaml #1190

Closed
ajrpeggio opened this issue May 14, 2021 · 3 comments · Fixed by #1581
Labels
bug Something isn't working logstash triage/stale

Comments

@ajrpeggio

Chart version:
7.12

Kubernetes version:
1.19

Kubernetes provider: E.g. GKE (Google Kubernetes Engine)
AWS EKS

Helm Version:

➜  logstash git:(kube_rbac_iam) helm version
version.BuildInfo{Version:"v3.5.4", GitCommit:"1b5edb69df3d3a08df77c9902dc17af864ff05d1", GitTreeState:"dirty", GoVersion:"go1.16.3"}

Describe the bug:
I'm creating a Kubernetes serviceUser using this chart under the rbac namespace in values. However, when the rbac.serviceAccountName attr is set in the values.yaml file, I noticed that in the rendered statefulset.yaml portion of the chart, the rbac.serviceAccountName is overlooked due to a conditional.

See https://github.com/elastic/helm-charts/blob/master/logstash/templates/statefulset.yaml - Line 69 - 74

{{ toYaml .Values.podSecurityContext | indent 8 }}
      {{- if .Values.rbac.create }}
      serviceAccountName: "{{ template "logstash.fullname" . }}"
      {{- else if not (eq .Values.rbac.serviceAccountName "") }}
      serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }}

The else conditional will be overlooked because, in order to create the service account, both rbac.create and rbac.serviceAccountName will be populated, causing the action within the conditional on line 72 to be passed up.

Steps to reproduce:

  1. Use latest release of helm chart
  2. Populate the rbac namespace in your values.yaml file. Example of mine:

     rbac:
       create: true
       serviceAccountAnnotations:
         eks.amazonaws.com/role-arn: "arn:aws:iam::123456789:role/logstash-role"
       serviceAccountName: "service-logstash"

  3. helm install logstash elastic/logstash --values values.yaml

Expected behavior:

service-logstash user should be created instead of logstash-logstash

Provide logs and/or server output (if relevant):

create Pod logstash-logstash-0 in StatefulSet logstash-logstash failed error: pods "logstash-logstash-0" is forbidden: error looking up service account default/logstash-logstash: serviceaccount "logstash-logstash" not found
@bhiravabhatla

I guess ideally it should be

      {{- if not (eq .Values.rbac.serviceAccountName "") }}
      serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }}
      {{- else }}
      serviceAccountName: "{{ template "logstash.fullname" . }}"
      {{- end }}

Similarly,

{{- if .Values.rbac.create -}}
has to change too.
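
The two conditionals discussed in this thread, rendered with Go's text/template (the engine Helm templates are built on) for each combination of rbac.create and rbac.serviceAccountName. This is an added example, not part of the thread or the chart: the `logstash.fullname` helper and the `quote` function are constructed stand-ins, and the `{{- end }}` closing the original snippet is assumed.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Constructed stand-in for the chart's helper, fixed to the name seen in the issue's error.
const helpers = `{{ define "logstash.fullname" }}logstash-logstash{{ end }}`

// Conditional quoted in the issue; the closing {{- end }} is assumed so that it parses.
const original = `{{- if .Values.rbac.create }}
serviceAccountName: "{{ template "logstash.fullname" . }}"
{{- else if not (eq .Values.rbac.serviceAccountName "") }}
serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }}
{{- end }}`

// Conditional proposed in the reply.
const proposed = `{{- if not (eq .Values.rbac.serviceAccountName "") }}
serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }}
{{- else }}
serviceAccountName: "{{ template "logstash.fullname" . }}"
{{- end }}`

// Render evaluates one conditional for the given rbac values and returns the trimmed output.
func Render(body string, create bool, name string) (string, error) {
	funcs := template.FuncMap{"quote": strconv.Quote} // stand-in for Sprig's quote
	t, err := template.New("sts").Funcs(funcs).Parse(helpers + body)
	if err != nil {
		return "", err
	}
	type m = map[string]interface{}
	values := m{"Values": m{"rbac": m{"create": create, "serviceAccountName": name}}}
	var out bytes.Buffer
	err = t.Execute(&out, values)
	return strings.TrimSpace(out.String()), err
}

func main() {
	for _, name := range []string{"service-logstash", ""} {
		for _, create := range []bool{true, false} {
			o, _ := Render(original, create, name)
			p, _ := Render(proposed, create, name)
			fmt.Printf("create=%v name=%q\n  original: %s\n  proposed: %s\n", create, name, o, p)
		}
	}
}
```

With `create: true` and a custom name, the original conditional renders `logstash-logstash`, the account named in the error above, while the proposed one renders `service-logstash`.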

@jmlrt jmlrt added bug Something isn't working logstash labels Jul 6, 2021
@botelastic

botelastic bot commented Oct 4, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic

botelastic bot commented Nov 3, 2021

This issue has been automatically closed because it has not had recent activity since being marked as stale.
