Global serviceAccount.annotations not overridden by subchart values
Summary
When a global serviceAccount with annotations is defined in the GitLab Helm chart and a different serviceAccount is defined at the subchart level, the subchart-level annotations do not override the global ones. This appears to be caused by the arguments of the default function being in the wrong order in the ServiceAccount template, so the global value is treated as the higher-priority value.
Environment
- GitLab Helm Chart 9.3.2 (18.3.2)
- Kubernetes deployment
Steps to Reproduce
- Define a global serviceAccount with annotations in your values.yaml:

```yaml
gitlab:
  migrations:
    serviceAccount: &serviceAccount
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/objects_role
```

- Reference this serviceAccount in multiple components:

```yaml
gitlab:
  webservice:
    serviceAccount: *serviceAccount
  sidekiq:
    serviceAccount: *serviceAccount
```

- Try to override the serviceAccount annotations for a specific component:

```yaml
gitlab:
  toolbox:
    serviceAccount:
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/backup_role
```

- Deploy the chart and check the resulting ServiceAccount resources.
Expected Behavior
The toolbox component should use its specific IAM role (backup_role), while other components use the global default role (objects_role).
Actual Behavior
All components, including toolbox, use the global IAM role (objects_role). The subchart-level annotation is ignored.
Technical Analysis
The issue appears to be in the ServiceAccount template, where the default function has its arguments in the wrong order. According to the [Helm documentation](https://helm.sh/docs/chart_template_guide/functions_and_pipelines/#using-the-default-function), `default` takes the fallback as its first argument and the value to prefer as its second; the second argument is only replaced by the fallback when it is empty.
In the current implementation the global value sits in the second position, so it wins whenever it is set and the subchart-specific value is never consulted. This contradicts the usual Helm convention that more specific configuration overrides global configuration.
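The effect of the argument order can be reproduced without a cluster by rendering a minimal Go template against the values a subchart would see. The following is an added example, not code from the GitLab chart: `sprigDefault` reimplements the empty-check semantics of Sprig's `default` as Helm exposes it, and the two template strings are hypothetical stand-ins for the annotation lookup, one with the global annotations in the "given" position (the behaviour the report describes) and one with the component annotations there. The ARNs are the constructed sample values from the report.

```go
package main

import (
	"bytes"
	"fmt"
	"reflect"
	"text/template"
)

// Constructed sample values matching the report's example (not real accounts).
const (
	objectsRole = "arn:aws:iam::123456789012:role/objects_role"
	backupRole  = "arn:aws:iam::123456789012:role/backup_role"
	roleARNKey  = "eks.amazonaws.com/role-arn"
)

// sprigDefault reimplements the semantics of Sprig's `default`, which Helm
// exposes to chart templates: `default FALLBACK GIVEN` returns GIVEN unless
// GIVEN is empty (nil, "", 0, false, empty map/slice), in which case FALLBACK.
func sprigDefault(fallback interface{}, given ...interface{}) interface{} {
	if len(given) == 0 || isEmpty(given[0]) {
		return fallback
	}
	return given[0]
}

func isEmpty(v interface{}) bool {
	rv := reflect.ValueOf(v)
	if !rv.IsValid() {
		return true
	}
	switch rv.Kind() {
	case reflect.String, reflect.Map, reflect.Slice, reflect.Array:
		return rv.Len() == 0
	case reflect.Bool:
		return !rv.Bool()
	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
		return rv.Int() == 0
	case reflect.Float32, reflect.Float64:
		return rv.Float() == 0
	case reflect.Ptr, reflect.Interface, reflect.Chan, reflect.Func:
		return rv.IsNil()
	default:
		return false
	}
}

// Hypothetical one-line templates standing in for the annotation lookup in a
// subchart's ServiceAccount template; they are not the GitLab chart's own text.
const (
	// Global-first: the global annotations are the GIVEN argument, so they win
	// whenever they are set and the component's own annotations are never used.
	GlobalFirstTemplate = `{{ index (default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations) "` + roleARNKey + `" }}`
	// Component-first: the component annotations are GIVEN and the global
	// annotations are only the fallback for components that set none.
	ComponentFirstTemplate = `{{ index (default .Values.global.serviceAccount.annotations .Values.serviceAccount.annotations) "` + roleARNKey + `" }}`
)

// componentValues builds what a subchart sees in .Values: its own serviceAccount
// block (empty annotations when componentRole is "") plus the inherited global block.
func componentValues(componentRole string) map[string]interface{} {
	own := map[string]string{}
	if componentRole != "" {
		own[roleARNKey] = componentRole
	}
	return map[string]interface{}{
		"global": map[string]interface{}{
			"serviceAccount": map[string]interface{}{
				"annotations": map[string]string{roleARNKey: objectsRole},
			},
		},
		"serviceAccount": map[string]interface{}{"annotations": own},
	}
}

// RoleFor renders tmpl for a component whose own annotations carry componentRole
// ("" for no override) and returns the role-arn the ServiceAccount would get.
func RoleFor(tmpl, componentRole string) (string, error) {
	t, err := template.New("sa").Funcs(template.FuncMap{"default": sprigDefault}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]interface{}{"Values": componentValues(componentRole)}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	for _, c := range []struct{ name, tmpl, override string }{
		{"global-first, toolbox overrides", GlobalFirstTemplate, backupRole},
		{"component-first, toolbox overrides", ComponentFirstTemplate, backupRole},
		{"component-first, webservice no override", ComponentFirstTemplate, ""},
	} {
		role, err := RoleFor(c.tmpl, c.override)
		if err != nil {
			fmt.Printf("%s: error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-40s -> %s\n", c.name, role)
	}
}
```

With the global-first ordering the toolbox override is silently discarded and every component renders objects_role; with the component-first ordering toolbox gets backup_role while a component with an empty annotations map still falls back to the global role. Because `default` treats an empty map as "not given", the corrected order does not break components that set no annotations of their own.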
Impact
This issue makes it impossible to assign different IAM roles to specific components (e.g., toolbox for backups) while maintaining a global default for others. This is particularly problematic in environments where different components require different permissions, such as when the backup component needs specific S3 access permissions that differ from the general application permissions.
Current Workaround
The current workaround is to apply annotations individually to each chart-owned ServiceAccount, which requires duplicating service account definitions across multiple charts. This is cumbersome and error-prone.
Suggested Fix
- Correct the argument order in the default function in the ServiceAccount template so that subchart values take precedence over global values.
- Consider implementing a merge capability for annotations, allowing subchart annotations to be merged with global annotations rather than completely replacing them. This would provide more flexibility in configuration.
Example Configuration
Here's a simplified example demonstrating the issue:

```yaml
migrations:
  serviceAccount: &serviceAccount
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/objects_us-east-2
webservice:
  serviceAccount: *serviceAccount
sidekiq:
  serviceAccount: *serviceAccount
toolbox:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/backup_us-east-2
```
In this configuration, the toolbox component should use the backup_us-east-2 role, but it's still getting the objects_us-east-2 role from the global configuration.