Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add service account #14917

Closed
wants to merge 6 commits into from
Closed

feat: Add service account #14917

wants to merge 6 commits into from

Conversation

ofirshtrull
Copy link

SUMMARY

I am adding this chart to my gke cluster, and I don't like the concept of adding my gcp service account secrets to a k8s secret and I plan to mount my service-account to the k8s service account as a workload

@ofirshtrull ofirshtrull changed the title Add service account feat: Add service account May 30, 2021
@pull-request-size pull-request-size bot added size/M and removed size/S labels May 30, 2021
@villebro villebro requested a review from craig-rueda May 31, 2021 11:01
craig-rueda
craig-rueda requested changes Jun 1, 2021
View reviewed changes
helm/superset/templates/deployment-worker.yaml
@@ -53,6 +53,9 @@ spec:
app: {{ template "superset.name" . }}-worker
release: {{ .Release.Name }}
spec:
{{- if .Values.serviceAccount.create }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of guarding this with .Values.serviceAccount.create, we should define the name of the SA to use in values (default of empty, or null) and then use the SA name in this condition.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have done exactly this in my PR. Please review.

helm/superset/templates/deployment.yaml
@@ -56,6 +56,9 @@ spec:
app: {{ template "superset.name" . }}
release: {{ .Release.Name }}
spec:
{{- if .Values.serviceAccount.create }}
serviceAccountName: {{ template "superset.name" . }}
{{- end }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above

helm/superset/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "superset.name" . }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the SA name, we should allow the user to customize via values.yaml

@junlincc junlincc added the hold! On hold label Jun 3, 2021
mvoitko
mvoitko reviewed Jun 23, 2021
View reviewed changes
helm/superset/templates/serviceaccount.yaml
# See the License for the specific language governing permissions and
# limitations under the License.
#
apiVersion: v1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should Superset chart create Service Account? I suggest we simplify and assume that a user will create a SA with needed permissions. It may be done in several ways. For example it's more common to create IRSA in AWS with Terraform.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mvoitko mvoitko mvoitko left review comments

@craig-rueda craig-rueda craig-rueda requested changes

Assignees
No one assigned
Labels
hold! On hold size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ofirshtrull @craig-rueda @mvoitko @junlincc