[stable/prometheus-cloudwatch-exporter] - Add annotations to serviceAccounts for EKS IAM

[bouge]

Add service account annotation and add service account to deployment.

Signed-off-by: Louis Bougeard lbougeard@and.digital

What this PR does / why we need it:

This PR allows for annotations to serviceAccounts to allow for IAM roles for service accounts in EKS rather than having to pass in tokens, instead using a web identity token file.

This relates to: https://groups.google.com/forum/#!topic/prometheus-users/mhn1Z3yG-XA

Special notes for your reviewer:

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

• DCO signed
• Chart Version bumped
• Variables are documented in the README.md
• Title of the PR starts with chart name (e.g. [stable/mychartname])

[k8s-ci-robot]

Hi @bouge. Thanks for your PR.

I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bouge]

/assign @asherf

[asherf]

/ok-to-test

[bouge]

@asherf the test seems to be failing (https://prow.k8s.io/view/gcs/kubernetes-jenkins/pr-logs/pull/helm_charts/20162/pull-charts-e2e/1217470903982493697/), but I don't believe it's related to the changes that the PR makes, do you have any ideas?

[asherf]

/retest

[bouge]

@asherf not ideal, is this because I've bumped the chart version? Happy to spend some time investigating but not really sure what the tests are doing...

[torstenwalter]

If you show the hidden lines then it reveals the error:

Error creating: pods "prometheus-cloudwatch-exporter-gtjlvmcooy-5797678ccc-" is forbidden: error looking up service account udwatch-exporter-presubmit-20162-1217499848031342594-gtjlvmcooy/prometheus-cloudwatch-exporter: serviceaccount "prometheus-cloudwatch-exporter" not found 10m

You added this condition[{{- if .Values.serviceAccount.create }}which might be the cause.

[bouge]

/retest

[bouge]

@torstenwalter I've moved the logic for that... still failing.

How can I see the logic for the test or run it locally to try and get it to pass?

[torstenwalter]

The logs show which commands are executed.

[bouge]

/retest

[bouge]

@torstenwalter all the tests are now passing, would you be able to review this PR please?

[bouge]

@gianrubio @torstenwalter - Any update on this, please?

[asherf]

/approve

[asherf]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: asherf, bouge

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• stable/prometheus-cloudwatch-exporter/OWNERS [asherf]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment