Allow specifying rbac.serviceAccountName and rbac.create: true in the official Helm Chart (AWS EKS related)
Currently, the official GitLab Runner Helm Chart allows setting the Service Account name used by Pods in two ways:
1 - Using

    rbac:
      create: true

will create a new Service Account and name it automatically or use .Values.fullnameOverride if set.
2 - Setting

    rbac:
      create: false
      serviceAccountName: foo

will use an existing Service account named foo.
I'd like the chart to create a Service Account, but name it explicitly with serviceAccountName, like so:

    rbac:
      create: true
      serviceAccountName: foo

That's useful for AWS EKS users, as the association between IAM roles and Service Accounts is done via service account names. Example from the docs (note line 13):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "${OIDC_PROVIDER}:aud": "sts.amazonaws.com",
              "${OIDC_PROVIDER}:sub": "system:serviceaccount:my-namespace:my-service-account"
            }
          }
        }
      ]
    }

Nowadays I use .Values.fullnameOverride, but there's no explicit guarantee it will keep being used for service account names.
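
An added example, not part of the original issue or of the chart: a small check that a role's trust policy pins exactly the Service Account name the chart is expected to create, so a change in the generated name, or a missing or wildcarded `sub` condition, is caught before deployment. The function names, the OIDC provider id, the account id and the generated name `gitlab-runner-abc` are constructed for illustration.

```python
import json

OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000"  # constructed provider id

def _as_list(value):
    """IAM allows a single value or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, oidc_provider, namespace, sa_name):
    """Return findings; an empty list means the role is pinned to exactly this SA."""
    expected = f"system:serviceaccount:{namespace}:{sa_name}"
    findings, seen = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        seen = True
        cond = stmt.get("Condition", {})
        exact = cond.get("StringEquals", {})
        subs = _as_list(exact.get(f"{oidc_provider}:sub"))
        like = _as_list(cond.get("StringLike", {}).get(f"{oidc_provider}:sub"))
        if not subs and not like:
            findings.append("no sub condition: any service account token from this provider matches")
        for pattern in like:
            findings.append(f"sub uses StringLike pattern {pattern!r}, not an exact name")
        for sub in subs:
            if sub != expected:
                findings.append(f"sub {sub!r} does not match {expected!r}")
        if "sts.amazonaws.com" not in _as_list(exact.get(f"{oidc_provider}:aud")):
            findings.append("aud is not pinned to sts.amazonaws.com")
    if not seen:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings

def sample_policy(sub):
    """Constructed policy in the shape of the docs example quoted in the issue."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com",
                                       f"{OIDC}:sub": sub}}}]})

if __name__ == "__main__":
    policy = sample_policy("system:serviceaccount:my-namespace:my-service-account")
    # Name the policy expects, then a name the chart generated on its own.
    print(check_trust_policy(policy, OIDC, "my-namespace", "my-service-account"))
    print(check_trust_policy(policy, OIDC, "my-namespace", "gitlab-runner-abc"))
```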