service account annotation

[dvirguttman]

Type of question

General operator-related help

Question

What did you do?

I've implemented my own operator in golang using operator-sdk

What did you expect to see?

My operator service account need to assume an IAM role as described in : https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
to include eks.amazonaws.com/role-arn annotation in my service account manifest.
However, no matter what, seems like it is impossible to customize the serviceAccountName

I also followed the https://sdk.operatorframework.io/docs/advanced-topics/multi-sa/ and when serviceAccountName is equals the service-account name - operator-sdk just ignore it and not creating the service account manifest.

What did you see instead? Under which circumstances?

The only way I was able to make it work is to let the deployment start and add the annotation manually

I would like to know if there is an option to add this annotation as part of the manifests and make it work without manual steps

Environment

Operator type:

/language go

Kubernetes cluster type:

eks

$ operator-sdk version operator-sdk version: "v1.29.0", commit: "78c564319585c0c348d1d7d9bbfeed1098fab006", kubernetes version: "v1.26.0", go version: "go1.20.4", GOOS: "darwin", GOARCH: "arm64"

$ go version go version go1.20.5 darwin/arm64

kubectl version: 1.27

Additional context

[acornett21]

/assign

[acornett21]

Hi @dvirguttman If I understand correctly, you are trying to use the multi-sa approach, but you want the extra ServiceAccount to be the default name, and have it be used by the controller. If that's a correct assumption on my part, did you also comment out SA line in the kustomize file in ~/config/rbac? If possible, please check in your project somewhere and we can take a look further.

[dvirguttman]

Unfortunately, the project is not opernsource (yet) - I will try to check in sample configuration in my own repo.

Anyways, I don't really care about multi-sa - for me it is ok to use also the default sa but I would like to set it up with the annotation in place.
Currently, I am not able to do that ..

[matt-simons]

I have a similar issue building operators internally. All customisation for service accounts in the CSV is discarded. I would like to add imagePullSecrets to the service account in config/rbac/service_account.yaml but it is ignored. This does not happen for extra service accounts and instead they are placed in the bundle folder with customisation intact.

I think this happens here: https://github.com/operator-framework/operator-sdk/blob/master/internal/generate/collector/clusterserviceversion.go#L126

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[matt-simons]

@acornett21 is customization of the default service account not supported or could this be fixed? The current workaround is to customize an extra service account and use that instead

[varshaprasad96]

@awgreene @oceanc80 Do you have inputs on why OLM v0 does not allow users to add SA in their bundle, and instead creates one?

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[openshift-bot]

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

[openshift-ci]

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.