Add ...serviceAccount.annotations config for our k8s ServiceAccounts #2236
Conversation
Thanks for submitting your first pull request! You are awesome! 🤗
Feel free to come with suggestions, but I need more time to think myself still
jupyterhub/templates/hub/rbac.yaml (outdated)

```yaml
annotations:
{{- with .Values.rbac.serviceAccount.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
```
This would render to...

```yaml
annotations:
labels:
# ...
```

if rbac.serviceAccount.annotations is falsy, and that would be an invalid k8s YAML specification. This, on the other hand, would be okay:

```diff
-annotations:
-{{- with .Values.rbac.serviceAccount.annotations }}
-{{- . | toYaml | nindent 4 }}
-{{- end }}
+{{- with .Values.rbac.serviceAccount.annotations }}
+annotations:
+{{- . | toYaml | nindent 4 }}
+{{- end }}
```
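To see what the two template shapes discussed in this comment actually render to, here is an added Go example (not code from the chart or from this PR) that drives Go's text/template with minimal stand-ins for Helm's toYaml and nindent (the real sprig functions handle arbitrary values; these cover flat string maps only, which is all an annotations block needs). It renders both shapes with an empty and a populated annotations map under the `.Values.rbac.serviceAccount.annotations` path used in the reviewed revision, and flags an `annotations:` key with nothing nested under it. The surrounding metadata layout, the sample Workload Identity annotation value and the project name are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"strings"
	"text/template"
)

// BadTemplate is the shape the review comment objected to: the annotations:
// key is emitted unconditionally and only its children are guarded by `with`.
// The metadata layout around it is an assumption made for this example.
const BadTemplate = `metadata:
  name: hub
  annotations:
{{- with .Values.rbac.serviceAccount.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
  labels:
    app: jupyterhub
`

// GoodTemplate is the suggested shape: the key itself lives inside the `with`
// block, so an empty or missing map emits nothing at all.
const GoodTemplate = `metadata:
  name: hub
  {{- with .Values.rbac.serviceAccount.annotations }}
  annotations:
  {{- . | toYaml | nindent 4 }}
  {{- end }}
  labels:
    app: jupyterhub
`

// toYaml is a reduced stand-in for Helm's toYaml: a flat string map rendered
// as sorted "key: value" lines, without a trailing newline.
func toYaml(m map[string]string) string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s: %s\n", k, m[k])
	}
	return strings.TrimRight(b.String(), "\n")
}

// nindent mimics sprig's nindent: a leading newline, then every line of s
// indented by n spaces. With `|` piping, the string arrives as the last argument.
func nindent(n int, s string) string {
	pad := strings.Repeat(" ", n)
	lines := strings.Split(s, "\n")
	for i, l := range lines {
		lines[i] = pad + l
	}
	return "\n" + strings.Join(lines, "\n")
}

// RenderServiceAccount executes tmpl with the given annotations placed at
// .Values.rbac.serviceAccount.annotations, mirroring the reviewed values.yaml path.
func RenderServiceAccount(tmpl string, annotations map[string]string) (string, error) {
	funcs := template.FuncMap{"toYaml": toYaml, "nindent": nindent}
	t, err := template.New("serviceaccount").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	data := map[string]any{
		"Values": map[string]any{
			"rbac": map[string]any{
				"serviceAccount": map[string]any{"annotations": annotations},
			},
		},
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// HasBareAnnotationsKey reports whether the rendered manifest contains an
// "annotations:" key whose next non-empty line is not nested deeper than it,
// i.e. the key has no children, which is the rendering the reviewer flagged.
func HasBareAnnotationsKey(manifest string) bool {
	lines := strings.Split(manifest, "\n")
	indent := func(l string) int { return len(l) - len(strings.TrimLeft(l, " ")) }
	for i, l := range lines {
		if strings.TrimSpace(l) != "annotations:" {
			continue
		}
		for j := i + 1; j < len(lines); j++ {
			if strings.TrimSpace(lines[j]) == "" {
				continue
			}
			return indent(lines[j]) <= indent(l)
		}
		return true // key is the last line of the manifest
	}
	return false
}

func main() {
	// Constructed sample: the Workload Identity annotation from the PR
	// description, with a made-up project and Google service account name.
	populated := map[string]string{
		"iam.gke.io/gcp-service-account": "hub@my-project.iam.gserviceaccount.com",
	}
	cases := []struct {
		name string
		tmpl string
		ann  map[string]string
	}{
		{"bad/empty", BadTemplate, nil},
		{"bad/populated", BadTemplate, populated},
		{"good/empty", GoodTemplate, nil},
		{"good/populated", GoodTemplate, populated},
	}
	for _, tc := range cases {
		out, err := RenderServiceAccount(tc.tmpl, tc.ann)
		if err != nil {
			panic(err)
		}
		fmt.Printf("--- %s (bare annotations key: %v)\n%s", tc.name, HasBareAnnotationsKey(out), out)
	}
}
```

Run it with `go run .`; only the bad template rendered with an empty map produces a bare `annotations:` line, and both templates produce identical output once the map is populated, which is why the suggested form costs nothing in the normal case.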
jupyterhub/values.yaml (outdated)

```yaml
serviceAccount:
  annotations: {}
```
There are more service accounts because we have more pods that all need some permissions against the k8s-apiserver, and I think we would need annotations specific to the service accounts.
So, something related to hub must be part of the config of this annotation, so it's not applied to all service accounts.
I will follow your suggestion. I added it to the rbac section because it changes files in the rbac yml file, but I have nothing against moving it to the hub section.
I think I'd like our configuration to follow the configuration locations suggested here: https://helm.sh/docs/chart_best_practices/rbac/ So,

348d8d0 to 0deaa98
@consideRatio Thank you for the feedback. I implemented the changes you requested. Can you have a second look please?

@consideRatio sorry for pinging again, I would love to see this in v1.0.0 :) let me know if there is something else missing
@AndreaGiardini thanks for your work, I'll help get it merged! This is what remains in my mind and I figure I'll push a commit for this later today if you haven't already:

d28dff8 to 7109528
Many thanks @consideRatio!

Thank you @AndreaGiardini!
jupyterhub/zero-to-jupyterhub-k8s#2236 Merge pull request #2236 from AndreaGiardini/rbac_sa_annotations
I am using this helm chart on GKE. The preferred method to authorize GKE workloads is using Google Workload Identity (https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity).
In order to use Workload Identity it's necessary to add a specific annotation (iam.gke.io/gcp-service-account) to the k8s serviceaccount. In this way we can link the k8s serviceaccount with Google's service account. Adding annotations to the hub's serviceAccount was not possible with the current helm chart, so I implemented it in this PR.
Let me know if you have any questions.