Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: allow disabling builtin service account #361

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

aslafy-z
Copy link
Collaborator

@aslafy-z aslafy-z commented Nov 13, 2024

This PR fixes inconsistencies in handling custom service accounts by ensuring serviceAccountName is only set when both rbac.enabled and rbac.serviceAccount.enabled are true across CronJob, Job, and Deployment templates.

Motivation

Previously, templates could reference a service account even when it wasn’t created due to rbac.serviceAccount.enabled being false, causing unpredictable behavior. This change provides consistent, configurable handling.

Potential Impact

  • Users relying on referencing non-existent service accounts may need to update configurations. (A future change will allow the use of a pre-existing service account)

References

@aslafy-z aslafy-z changed the title fix: allow disabling custom service accounts fix: allow disabling custom service account Nov 13, 2024
@aslafy-z aslafy-z changed the title fix: allow disabling custom service account fix!: allow disabling custom service account #major Nov 13, 2024
@aslafy-z aslafy-z marked this pull request as ready for review November 13, 2024 17:50
@aslafy-z aslafy-z requested a review from d3adb5 November 13, 2024 17:50
Copy link
Collaborator

@d3adb5 d3adb5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have strong feelings about which direction we take regarding default behavior. However, I do believe we should avoid major bumps when they are unnecessary. I seem to be missing the reasoning behind this.

# @section -- RBAC Parameters
enabled: false
enabled: true
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand the changes in the templates that fixes service accounts being set without .Values.rbac.serviceAccount.enabled being true, but I don't understand why we're now defaulting to true for that value.

I believe setting this to true is what introduces a breaking change, no? What is the reasoning behind this? Can we simply introduce a patch bump by removing this?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The primary issue is that the previous checks around rbac.serviceAccount.enabled were inconsistent, leading to unexpected behavior. Here’s a breakdown of how the behavior shifts based on the value of rbac.serviceAccount.enabled:

  1. When rbac.serviceAccount.enabled defaults to false:

    • CronJobs and Jobs:
      • Previous behavior: If rbac.enabled was true and rbac.serviceAccount.enabled was false, a custom service account was still used, which was inconsistent.
      • Current behavior: No service account is created, aligning more logically with the intended purpose of the flag.
    • Deployments: There is no change in behavior; they remain unaffected.
  2. When rbac.serviceAccount.enabled defaults to true:

    • CronJobs and Jobs: No impact as the custom service account would already have been created.
    • Deployments: Deployments will now automatically have a custom service account, which may seem like a breaking change but aligns more consistently with our intended functionality.

I don’t have a strong preference between these two values. We'll see a breaking change anyway.
Open to further discussion and suggestions on how to best balance these changes!

cc @MuneebAijaz @AsfaMumtaz @karl-johan-grahn

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm with you on not having a strong preference, but I'll leave my 2 cents here:

We'll see a breaking change anyway.

I don't agree with this 100%. Let me explain:

  1. When rbac.serviceAccount.enabled defaults to false:
    • CronJobs and Jobs:
      • Previous behavior: If rbac.enabled was true and rbac.serviceAccount.enabled was false, a custom service account was still used, which was inconsistent.

The service account that would be associated with these is not created by this chart, because templates/serviceaccount.yaml yields an empty document if rbac.serviceAccount.enabled is false. As a result, what is wrong is that we're referencing a service account that does not in theory exist.

To me, this is a bug in how we render our CronJob and Job templates, NOT intended behavior, and consequently I see this as NOT something we maintain or guarantee as part of version 5.x.

I understand that fixing this could break some chart users' setups, but they will have been leveraging the consequences of a bug, not a feature offered by the chart maintainers. XKCD 1172 comes to mind.

Meanwhile, by changing the default value to true, we are changing functionality that was previously offered: that of not creating a service account by default, because perhaps users don't have those permissions or don't want any token that could authenticate against the API server.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the thoughtful feedback, you make a great point.

This is indeed a bug, not intended behavior. Fixing this will break setups that relied on this inconsistency, but as you said, it's not a feature we guaranteed.
I updated the default value to false.

Copy link
Collaborator Author

@aslafy-z aslafy-z Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@d3adb5

Following our discussion and your feedback, I opened a new PR: #363. This PR not only addresses the inconsistency with service accounts but also properly implements the feature for using an existing service account when specified.

Please have a look and let me know

@aslafy-z aslafy-z changed the title fix!: allow disabling custom service account #major fix: allow disabling custom service account Nov 15, 2024
@aslafy-z aslafy-z changed the title fix: allow disabling custom service account fix: allow disabling builtin service account Nov 15, 2024
Signed-off-by: GitHub <noreply@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants