
Allow the Gitlab Runner Helm Chart to create the required rbac resources, but not the service account

I have a situation regarding the Gitlab Runner Helm chart.

Background

I'm using eksctl, more specifically the tool's ability to create IAM service accounts, which creates an IAM role with a policy you provide and associates it with a service account within a k8s namespace. For example:

iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: {{name}}-gl-s3-cache
        namespace: gitlab-runner
      attachPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "s3:PutObject"
              - "s3:GetObjectVersion"
              - "s3:GetObject"
              - "s3:DeleteObject"
            Resource:
              - "arn:aws:s3:::{{s3_bucket_cache}}/*"
              - "arn:aws:s3:::{{s3_bucket_cache}}"

My idea is to use the role arn and insert it into the values.yaml for the Gitlab Runner Helm chart.

Problem

The Gitlab Runner Helm chart templates create RBAC resources as well as their own service account. I need to set rbac to false, since the templates want to create one for me if rbac is set to true. However, I need to be able to leave rbac set to true, since it's also responsible for creating the RBAC role binding and role, which are required. Without those, I receive the following error in CI:

ERROR: Job failed (system failure): prepare environment: setting up credentials: secrets is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot create resource "secrets" in API group "" in the namespace "gitlab-runner". Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information

Evidence

I had the exact same problem with the Kubernetes cluster-autoscaler; I was able to work around it with the following settings in its values.yaml file:

    rbac:
      create: true
      serviceAccount:
        create: false
        name: "cluster-autoscaler"

What the above is doing is allowing the cluster-autoscaler Helm chart to create the required RBAC resources, but not the service account. This is exactly what I'd need in the Gitlab Runner Helm chart. See the cluster-autoscaler template, for example:

{{- if and .Values.rbac.create .Values.rbac.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
{{ include "cluster-autoscaler.labels" . | indent 4 }}
  name: {{ template "cluster-autoscaler.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
{{- if .Values.rbac.serviceAccount.annotations }}
  annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.rbac.serviceAccount.automountServiceAccountToken }}
{{- end }}
Edited by SeanJohn Hoyle
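The following is an added example, not code from the GitLab Runner chart or from the issue author. It shows the values layout the issue asks for, modelled on the cluster-autoscaler template quoted above, together with the template guards a chart needs so that `rbac.create: true` still renders the Role and RoleBinding while `serviceAccount.create: false` skips the ServiceAccount and binds to the one eksctl already created. The value keys `serviceAccount.create` / `serviceAccount.name`, the release name `myrunner`, and the `gitlab-runner.fullname` helper are assumptions; check the values.yaml of the chart version you actually run for the real names. The Role's resource list is likewise an assumption, chosen to cover the `secrets` failure in the error above while staying namespace-scoped.

```yaml
# Added example (not the GitLab Runner chart's own code). Key names under
# `serviceAccount:` and the `gitlab-runner.fullname` helper are assumed.

# ---- values.yaml: reuse the service account created by eksctl ----------
rbac:
  create: true                   # still render Role + RoleBinding
serviceAccount:
  create: false                  # do NOT render a ServiceAccount
  name: myrunner-gl-s3-cache     # the eksctl-created SA; it already carries
                                 # the eks.amazonaws.com/role-arn annotation

---
# ---- templates/service-account.yaml: render only if BOTH flags are set --
{{- if and .Values.rbac.create .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccount.name | default (include "gitlab-runner.fullname" .) }}
  namespace: {{ .Release.Namespace }}
{{- end }}

---
# ---- templates/role.yaml: namespace-scoped, least privilege for jobs ----
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "gitlab-runner.fullname" . }}
  namespace: {{ .Release.Namespace }}
rules:
  # Assumed minimum for the kubernetes executor: job pods, exec into them,
  # and the per-job secrets the error message complains about.
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "pods/attach", "secrets", "configmaps"]
    verbs: ["get", "list", "watch", "create", "patch", "delete"]
{{- end }}

---
# ---- templates/role-binding.yaml: bind whichever SA is actually in use --
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "gitlab-runner.fullname" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "gitlab-runner.fullname" . }}
subjects:
  - kind: ServiceAccount
    # Same expression as in service-account.yaml, so the binding follows the
    # SA name whether the chart created it or eksctl did.
    name: {{ .Values.serviceAccount.name | default (include "gitlab-runner.fullname" .) }}
    namespace: {{ .Release.Namespace }}
{{- end }}

---
# ---- templates/deployment.yaml (fragment): run the pod as that SA -------
# If this line is missing the pod runs as `default`, which is exactly the
# principal named in the "secrets is forbidden" error above.
spec:
  template:
    spec:
      serviceAccountName: {{ .Values.serviceAccount.name | default (include "gitlab-runner.fullname" .) }}
```

Two checks are worth running before the first CI job. The error message names the principal that was denied (`system:serviceaccount:gitlab-runner:default`), so first confirm the runner pod is actually running as the intended account with `kubectl -n gitlab-runner get pod <runner-pod> -o jsonpath='{.spec.serviceAccountName}'`. Then confirm the binding works for that account without waiting for a job: `kubectl auth can-i create secrets -n gitlab-runner --as=system:serviceaccount:gitlab-runner:myrunner-gl-s3-cache` should print `yes`, and the same command with `--as=system:serviceaccount:gitlab-runner:default` should still print `no`, which is the least-privilege outcome you want: only the annotated account gets both the RBAC role and the IAM role.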