✨ feat: (helm/v1alpha1): Allow ServiceAccount annotations to be configurable #4380
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
needs-ok-to-test
|
Hi @monteiro-renato. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
| {{- range $key, $value := .Values.controllerManager.serviceAccount.annotations }} | ||
| {{ $key }}: {{ $value }} | ||
| {{- end }} | ||
| {{- end }}`, 1) |
There was a problem hiding this comment.
I fear we give too many options to custom things that do not exist in the project itself. The chart is only a way to package the staff. It should work the same way.
So, I will need to think about it a little
There was a problem hiding this comment.
This, I guess?
I don't think I fully understand what is meant by "The proposed solution may not be capable of generating a fully valid and deployable Helm Chart for all use cases supported by Kubebuilder.". Is there a good resource for me to read on the supported Kubebuilder use cases?
For my team's use case we need to simplify Azure resources management and therefore need to talk to Azure APIs. To talk to the Azure APIs we need valid credentials. The best practice right now is to use Workload Identity. Configuring a k8s workload to use Workload Identity requires a few annotations and labels in some resources (such as a label in the pod spec and an annotation in the k8s service account).
I was able to do these configurations by using Kustomize patches, however, with our current setup, it's easier to deploy via Helm than it is to deploy k8s manifests so I wanted to test how I could achieve a similar goal with Helm.
There was a problem hiding this comment.
I checked this again, and I think it looks fine. We are getting the annotations from Kustomize and applying them here, which aligns with the intended design.
What I am concerned about is the potential risk of introducing customizations that are only valid for the Helm Chart.
"The proposed solution may not be capable of generating a fully valid and deployable Helm Chart for all use cases supported by Kubebuilder."
In this case, we will take a best-effort approach. This is an initial version, so it's expected that we may encounter scenarios that are challenging to support.
We must avoid, however, allowing customizations that deviate from the chart's intended purpose. The Helm Chart is meant to package and deploy the solution, not to create a new variant of it.
I hope that makes sense.
Please feel free to speak with us on the Slack channel as well.
There was a problem hiding this comment.
@monteiro-renato
Could we add annotations for ALL manifests instead of only these?
Would not that make more sense?
I mean, should it not be a generic option?
Why the case scenario is valid only for service account
There was a problem hiding this comment.
@camilamacedo86, I don't think that's ideal.
From the docs: "You can use Kubernetes annotations to attach arbitrary non-identifying metadata to objects. Clients such as tools and libraries can retrieve this metadata."
In the example use case I mentioned above, Azure uses the annotations in the Service Account to: "... configure the behavior when exchanging the service account token for an AAD access token:" The annotations would therefore only make sense in the context of a Service Account.
Just like particular labels only make sense in the context of particular objects: ref my other PR > #4373
There was a problem hiding this comment.
Yes, we can add annotations in the resources, but it is not ONLY valid for ServiceAccount.
Did you check if it has other places that we need to do something ?
That is my point.
There was a problem hiding this comment.
I see, I thought you were talking about applying the same annotation to all resources.
I believe it's best to add those features if/when they are needed (i.e. if someone has the need for it, they can open a PR to add that feature just like I'm doing here).
P.S: I plan to join the Slack channel eventually, which will make discussing these things a bit easier.
k8s-ci-robot
added
the
approved
monteiro-renato
force-pushed
the
patch-1
branch
from
ddb80ff to
6e638c4
Compare
|
Removed the extra spaces in the file to fix the golint error now. |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: camilamacedo86, monteiro-renato The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
The use case I have in mind is for example Azure WI configuration.
Sooner or later I think this way of massaging the yaml files is going to become burdensome.