Allow specifying rbac.serviceAccountName and rbac.create: true in the official Helm Chart (AWS EKS related)

Currently, the official GitLab Runner Helm Chart allows setting the Service Account name used by Pods in two ways:

1 - Using

rbac:
  create: true

will create a new Service Account and name it automatically or use .Values.fullnameOverride if set.

2 - Setting

rbac:
  create: false
  serviceAccountName: foo 

will use an existing Service Account named foo.

I'd like the chart to create a Service Account, but name it explicitly with serviceAccountName, like so:

rbac:
  create: true
  serviceAccountName: foo 

That's useful for AWS EKS users, as the association between IAM roles and Service Accounts is done via service account names. Example from the docs (note line 13):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:aud": "sts.amazonaws.com",
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:my-namespace:my-service-account"
        }
      }
    }
  ]
}

Nowadays I use .Values.fullnameOverride, but there's no explicit guarantee it will keep being used for service account names.
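An added example, not part of the original issue or the chart: a Python check that a given namespace and Service Account name would satisfy the `sub` condition of a trust policy like the one above, which is why the name the chart produces has to be predictable. The OIDC provider, account ID and the release-derived name are constructed values, and the check only evaluates `StringEquals`/`StringLike` on the `sub` and `aud` keys.

```python
import re

# Constructed sample: the issue's trust policy with its ${...} placeholders
# filled with made-up values (account ID and OIDC provider are not real).
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000"
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{OIDC}:aud": "sts.amazonaws.com",
        f"{OIDC}:sub": "system:serviceaccount:my-namespace:my-service-account"}},
}]}

def _as_list(v):
    return [v] if isinstance(v, (str, dict)) else list(v or [])

def _like(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def audit(policy, oidc, namespace, sa_name):
    """Return (allowed, findings) for one service account against a trust policy."""
    want = f"system:serviceaccount:{namespace}:{sa_name}"
    allowed, findings = False, []
    for n, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or \
           "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        cond = st.get("Condition", {})
        eq = _as_list(cond.get("StringEquals", {}).get(f"{oidc}:sub"))
        like = _as_list(cond.get("StringLike", {}).get(f"{oidc}:sub"))
        if f"{oidc}:aud" not in cond.get("StringEquals", {}):
            findings.append(f"statement {n}: no aud condition")
        if not eq and not like:
            findings.append(f"statement {n}: no sub condition, any service account matches")
        for p in like:
            if "*" in p or "?" in p:
                findings.append(f"statement {n}: wildcard sub {p!r}")
        # Different operators in one Condition block are ANDed; values within one are ORed.
        if (not eq or want in eq) and (not like or any(_like(p, want) for p in like)):
            allowed = True
    return allowed, findings

if __name__ == "__main__":
    # The second name is a hypothetical release-derived name that differs from the policy's sub.
    for name in ("my-service-account", "my-release-gitlab-runner"):
        print(name, audit(POLICY, OIDC, "my-namespace", name))
```

A Service Account whose name drifts from the policy's `sub` value is simply denied by STS, while loosening the policy to a `StringLike` wildcard to tolerate generated names widens the role to every Service Account in the namespace.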
