Add handling for upgrade of serviceaccounts

aws · Oct 10, 2023 · 933e6f8 · 933e6f8
1 parent 76bcd79
commit 933e6f8
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/.github/actions/e2e/create-cluster/action.yaml b/.github/actions/e2e/create-cluster/action.yaml
@@ -146,6 +146,27 @@ runs:
         wellKnownPolicies:
           ebsCSIController: true
       EOF
+      
+      # We need to call these create iamserviceaccount commands again since the "eksctl upgrade cluster" action
+      # doesn't handle updates to IAM serviceaccounts correctly when the roles assigned to them change
+      eksctl create iamserviceaccount \
+        --cluster ${{ inputs.cluster_name }} \
+        --name karpenter \
+        --namespace karpenter \
+        --role-name karpenter-irsa-${{ inputs.cluster_name }} \
+        --attach-policy-arn "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicy-${{ inputs.cluster_name }}" \
+        --attach-policy-arn "arn:aws:iam::${{ inputs.account_id }}:policy/KarpenterControllerPolicy-Alpha-${{ inputs.cluster_name }}" \
+        --role-only \
+        --approve
+      eksctl create iamserviceaccount \
+        --cluster ${{ inputs.cluster_name }} \
+        --name prometheus-kube-prometheus-prometheus \
+        --namespace prometheus \
+        --role-name prometheus-irsa-${{ inputs.cluster_name }} \
+        --attach-policy-arn "arn:aws:iam::${{ inputs.account_id }}:policy/PrometheusWorkspaceIngestionPolicy" \
+        --role-only \
+        --approve
+
   - name: tag oidc provider of the cluster
     if: always()
     shell: bash