Please allow annotations for the ServiceAccount resources in your charts #627
Description
Describe the feature:
Please add the ability to add annotations to the Service Accounts in some of your charts.
For my use case I need support for them on the logstash and elasticsearch charts.
I don't use your other charts, so I don't know if the others would benefit from this or not, but it would do no harm.
For example, the logstash/templates/serviceaccount.yaml file would change from:
{{- if .Values.rbac.create -}}
{{- $fullName := include "logstash.fullname" . -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  {{- if eq .Values.rbac.serviceAccountName "" }}
  name: {{ $fullName | quote }}
  {{- else }}
  name: {{ .Values.rbac.serviceAccountName | quote }}
  {{- end }}
  labels:
    app: "{{ template "logstash.fullname" . }}"
    chart: "{{ .Chart.Name }}"
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
{{- end -}}
to something like:
{{- if .Values.rbac.create -}}
{{- $fullName := include "logstash.fullname" . -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  {{- if eq .Values.rbac.serviceAccountName "" }}
  name: {{ $fullName | quote }}
  {{- else }}
  name: {{ .Values.rbac.serviceAccountName | quote }}
  {{- end }}
  annotations:
  {{- with .Values.rbac.serviceAccountAnnotations }}
  {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app: "{{ template "logstash.fullname" . }}"
    chart: "{{ .Chart.Name }}"
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
{{- end -}}
Describe a specific use case for the feature:
I need access to AWS S3 buckets from these pods, and they require AWS IAM permissions to do so.
I'm using AWS's IAM roles for service accounts to assign IAM roles to pods based on the service account that they run with.
For this to work, an annotation needs to be put on the service account specifying the role to use as per the following document.
https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
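
An added example (not part of the original issue and not the chart's own code): a values override using the `rbac.serviceAccountAnnotations` key proposed above, carrying the `eks.amazonaws.com/role-arn` annotation from the linked AWS document, followed by the ServiceAccount metadata the proposed template would render from it. The account ID, role name and ServiceAccount name are constructed placeholders.

```yaml
# values-irsa.yaml: override for the key proposed in this issue.
# The role ARN is a placeholder; use a role that grants only the S3
# actions and buckets these pods need.
rbac:
  create: true
  serviceAccountName: ""   # empty, so the template falls back to the chart's fullname
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/logstash-s3-read
---
# Rendered output of the proposed serviceaccount.yaml with the values above.
# The name shown is a placeholder for whatever "logstash.fullname" resolves to;
# the labels block is unchanged from the current template and omitted here.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "<release>-logstash"
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/logstash-s3-read
---
# Rendered output when rbac.serviceAccountAnnotations is left unset.
# The `with` block emits nothing, but the `annotations:` key sits outside it,
# so the manifest carries an empty (null) annotations field.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "<release>-logstash"
  annotations:
```

On the AWS side, the role's trust policy should restrict the OIDC `sub` claim to `system:serviceaccount:<namespace>:<service-account-name>` so that only pods running as this ServiceAccount can assume the role.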