Allow customizing the ServiceAccount for workload of PipeCD Helm chart #3535
Conversation
|
/cla sign |
|
Thank you for signing the CLA. Your signing has been successfully committed. |
mugioka
force-pushed
the
feat/be-able-to-create-dedicated-k8s-sa-for-pipecd-with-helm-chart
branch
from
6c510b6
to
61008aa
Compare
…elm chart. Hi team, PipeCD is very good software. Currently, the default service account annotation must be edited in order to use GCP Workload Identity or AWS WebIdentity. This change should improve convenience by allowing k8s service accounts dedicated to PipeCD Server to be created from the helm chart. Signed-off-by: mugioka <[email protected]>
mugioka
force-pushed
the
feat/be-able-to-create-dedicated-k8s-sa-for-pipecd-with-helm-chart
branch
from
61008aa
to
cb15699
Compare
|
/trigger presubmit |
|
/trigger presubmits |
|
@khanhtc1202: Your requested presubmits has been scheduled in response to this comment. |
|
Code coverage for golang is |
| # Specifies whether a service account should be created | ||
| create: true | ||
| # Annotations to add to the service account | ||
| annotations: {} |
There was a problem hiding this comment.
Could you add a name field to allow users to use an existing Service Account if they want?
Same as the chart for Piped Agent. https://github.com/pipe-cd/pipecd/blob/master/manifests/piped/values.yaml#L89-L93
| {{- if .Values.serviceAccount.create -}} | ||
| serviceAccountName: {{ include "pipecd.fullname" . }}-server | ||
| {{- end }} |
There was a problem hiding this comment.
|
@mugioka Hi, Thank you for your pull request. It is really nice. I just have left some nits. PTAL. |
Signed-off-by: mugioka <[email protected]>
| @@ -19,9 +19,7 @@ spec: | |||
| sidecar.istio.io/inject: "false" | |||
| rollme: {{ randAlphaNum 5 | quote }} | |||
| spec: | |||
| {{- if .Values.serviceAccount.create }} | |||
There was a problem hiding this comment.
refs: #3535 (comment)
to use existing service account.
Co-authored-by: Le Van Nghia <[email protected]>
nghialv
changed the title
manifests/pipecd/values.yaml
Outdated
| # ServiceAccount | ||
| serviceAccount: | ||
| # Specifies whether a service account should be created | ||
| create: true |
There was a problem hiding this comment.
@mugioka Please change the default value to false to avoid adding an unexpected service account for existing users.
|
@mugioka Sorry, I have just found a thing. PTAL #3535 (comment) |
| @@ -84,6 +84,7 @@ spec: | |||
| {{- include "pipecd.selectorLabels" . | nindent 8 }} | |||
| app.kubernetes.io/component: server | |||
| spec: | |||
| serviceAccountName: {{ include "pipecd.serviceAccountName" . }} | |||
There was a problem hiding this comment.
@mugioka Since the default value has been changed to false, I think we need to add a check condition here.
There was a problem hiding this comment.
OK!
I added the default value to service account name.
d763a3d
There was a problem hiding this comment.
@mugioka I got your point. I think that way is good as well.
But to be honest, I want to introduce the changes to end-users as little as possible.
For existing users, their deployment resource is not containing the serviceAccountName but after getting this release, their deployment resource will be updated to add serviceAccountName: default.
In most cases, there will be no difference between them but to be safe we should not introduce that change.
So I still prefer adding a check condition over specifying the "default" name as d763a3d.
WDYT?
There was a problem hiding this comment.
In most cases, there will be no difference between them but to be safe we should not introduce that change.
I see, that makes sense.
I will add check statement.
There was a problem hiding this comment.
I added the if statement.
There was a problem hiding this comment.
Oh, sorry, an unnecessary file was committed.
I will fix it.
mugioka
force-pushed
the
feat/be-able-to-create-dedicated-k8s-sa-for-pipecd-with-helm-chart
branch
from
ca3f87a
to
1d38878
Compare
|
/trigger presubmits |
|
@nghialv: Your requested presubmits has been scheduled in response to this comment. |
|
Nice improvement. Thank you. /lgtm |
|
Code coverage for golang is |
|
Thanks for contribution 🙌 |
|
This pull request is APPROVED by Approvers can cancel the approval by writing |
mugioka
deleted the
feat/be-able-to-create-dedicated-k8s-sa-for-pipecd-with-helm-chart
branch
What this PR does / why we need it:
Hi team, PipeCD is very good software.
Currently, the default service account annotation must be edited in order to use GCP Workload Identity or AWS WebIdentity.
This change should improve convenience by allowing k8s service accounts dedicated to PipeCD Server to be created from the helm chart.
Which issue(s) this PR fixes:
none
Does this PR introduce a user-facing change?: