[Feature Request] One should be able to use custom service account #245

Closed
hkumarmk opened this issue Nov 27, 2021 · 0 comments · Fixed by #246
Labels
enhancement New feature or request

Comments

hkumarmk (Contributor)

Is your feature request related to a problem? Please describe.

Users should be able to create custom service accounts for Temporal pods.

Custom service accounts would be useful in the following situations:

  • In-cluster RBAC using Role and ClusterRole
  • Associating public cloud IAM roles with the Kubernetes service account so that the pods can access cloud services
    • Specifically, this would be beneficial when archiving Temporal data to cloud-based storage systems like S3 or Google Cloud Storage, as the Temporal service account can be associated with IAM roles so that the Temporal pod(s) can authenticate to S3/Google Cloud Storage using the service account

Describe the solution you'd like

  • Support creating a custom service account, with the default being "default" (the Kubernetes default namespace)
    • Make creating the custom service account OPTIONAL, and by default do NOT create it, for backward compatibility
  • Assign the service account to all pods that are part of deployments and jobs, so that all Temporal pods use the same service account
@hkumarmk hkumarmk added the enhancement New feature or request label Nov 27, 2021
hkumarmk added a commit to hkumarmk/temporal-helm-charts that referenced this issue Nov 27, 2021
Fixes: issue temporalio#245

This patch:
* Adds an option in values.yaml that enables optionally creating a custom
  service account, with the following properties:
  * values.yaml has serviceAccount.create set to false, so by default
    the Kubernetes default service account is used; this makes the
    change backward compatible
  * Once serviceAccount.create is set to true, it uses the default name,
    which is temporal.fullname, but this can be customized with serviceAccount.name
  * Users can add extraAnnotations to add any additional annotations to
    the service account
    * Usually, associating a k8s service account with a public cloud IAM role
      is done by adding a custom annotation to the serviceAccount, so this
      will enable users to pass such annotations to the Temporal
      serviceAccount
* Creates the custom serviceAccount with a pre-install helm hook with a low
  hook-weight, as the temporal server job runs with a pre-install
  helm hook in some cases and the serviceAccount should be created before
  job execution for the jobs that run with the custom serviceAccount
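The following is an added example, not the chart's own templates, showing how the behaviour described in the issue and the commit message fits together in Helm: a `serviceAccount.create` / `serviceAccount.name` / `serviceAccount.extraAnnotations` block in values.yaml, a `ServiceAccount` rendered as a low-weight pre-install hook, and the pod templates referencing it. It goes slightly beyond the page by factoring the name resolution into a helper, `temporal.serviceAccountName`, which is an assumed name; `temporal.fullname` comes from the page, the hook weight `-10` is an assumed value, and the IAM annotation values are placeholders.

```yaml
# ---- values.yaml (added example; key names follow the issue and commit text) ----
serviceAccount:
  # false by default: existing installs keep using the namespace's "default"
  # service account, so the change is backward compatible.
  create: false
  # Empty means "use the chart fullname" (temporal.fullname).
  name: ""
  # Annotations that bind the Kubernetes service account to a cloud IAM
  # identity for archival to S3 / GCS. Values below are placeholders.
  extraAnnotations: {}
  #   eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<TEMPORAL_ARCHIVAL_ROLE>"
  #   iam.gke.io/gcp-service-account: "<GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com"

# ---- templates/_helpers.tpl (assumed helper; resolves the SA name in one place) ----
{{- define "temporal.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{- default (include "temporal.fullname" .) .Values.serviceAccount.name -}}
{{- else -}}
default
{{- end -}}
{{- end -}}

# ---- templates/serviceaccount.yaml ----
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "temporal.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  annotations:
    # Pre-install hook with a weight lower (assumed -10) than the schema
    # setup jobs', so the ServiceAccount exists before any hook job runs as it.
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-10"
    {{- with .Values.serviceAccount.extraAnnotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
{{- end }}

# ---- pod template of each Deployment and Job (excerpt) ----
spec:
  template:
    spec:
      # Renders "default" when creation is disabled, i.e. the old behaviour.
      serviceAccountName: {{ include "temporal.serviceAccountName" . }}
```

Render it locally with `helm template <release> . --set serviceAccount.create=true --set serviceAccount.extraAnnotations."eks\.amazonaws\.com/role-arn"=<placeholder-arn>` and confirm the `ServiceAccount` appears with the hook annotations and that every pod template carries the same `serviceAccountName`. Two caveats worth checking in a review: resources created by Helm hooks are not tracked as part of the release, so `helm uninstall` leaves the ServiceAccount (and whatever IAM trust is bound to it) behind unless a `helm.sh/hook-delete-policy` is added, and a `pre-install` hook does not re-run on `helm upgrade`. Because one account is shared by every Temporal pod, any Role/ClusterRole binding or IAM policy granted to it applies to all services in the chart, so scope the cloud policy to the archival bucket rather than granting broad storage access.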
hkumarmk added a commit to hkumarmk/temporal-helm-charts that referenced this issue Dec 7, 2021
Fixes: issue temporalio#245
underrun pushed a commit that referenced this issue Jan 19, 2022
Fixes: issue #245
tylercunnion added a commit to LiveRamp/temporal-helm-charts that referenced this issue Jan 30, 2022
* Release v1.12.2 (temporalio#230)

* Bump Web to v1.12.0 (temporalio#231)

* Guard security context based on appVersion (temporalio#232)

Older docker images have permission issues with directories and prevent the
dynamic configuration generation from working. This change only runs the
temporal server as a different user if the image can support it.

* Fail Elasticsearch schema creation job if curl has failed (temporalio#233)

* support additional stores (temporalio#234)

* Release 1.13.0 (temporalio#237)

* Bump Web to v1.13.0 (temporalio#238)

* Add node selector tolerations affinity to jobs (temporalio#239)

* add nodeSelector affinity and tolerations to jobs

* add admintools nodeSelector tolerations and affinity

* bump chart to 0.13.2

* fixed indentation issue

* Release 1.13.1 (temporalio#240)

* Release 1.14.0 (temporalio#250)

* Fail elasticsearch index creation if template installation fails (temporalio#252)

* Update Elasticsearch to 7.16.2 (temporalio#254)

* allowed disable admintools (temporalio#256)

* Support adding custom service account (temporalio#246)

Fixes: issue temporalio#245

This patch:
* Adds an option in values.yaml that enables optionally creating a custom
  service account, with the following properties:
  * values.yaml has serviceAccount.create set to false, so by default
    the Kubernetes default service account is used; this makes the
    change backward compatible
  * Once serviceAccount.create is set to true, it uses the default name,
    which is temporal.fullname, but this can be customized with serviceAccount.name
  * Users can add extraAnnotations to add any additional annotations to
    the service account
    * Usually, associating a k8s service account with a public cloud IAM role
      is done by adding a custom annotation to the serviceAccount, so this
      will enable users to pass such annotations to the Temporal
      serviceAccount
* Creates the custom serviceAccount with a pre-install helm hook with a low
  hook-weight, as the temporal server job runs with a pre-install
  helm hook in some cases and the serviceAccount should be created before
  job execution for the jobs that run with the custom serviceAccount

* Fix wrong metricRelabeling key (temporalio#243)

* Update README.md with notes on production usage (temporalio#255)

* Add `quote` filter to Ingress TLS hosts (temporalio#241)

This is useful when your TLS hosts values have wildcard asterisks so
they aren't confused with YAML anchors. This should be an otherwise
non-functional change.

* Update metrics config to use server global config, not per-service. (temporalio#251)

* Update missing references (temporalio#258)

* Fix using existingSecret in jobs (temporalio#262)

* fix schema-setup job init-containers (temporalio#265)

* put or on one line (temporalio#266)

for reasons

Co-authored-by: Alex Shtin <[email protected]>
Co-authored-by: Ruslan <[email protected]>
Co-authored-by: Kris Rousey <[email protected]>
Co-authored-by: Alfred Landrum <[email protected]>
Co-authored-by: David Reiss <[email protected]>
Co-authored-by: Blair MacNeil <[email protected]>
Co-authored-by: David Reiss <[email protected]>
Co-authored-by: Mikhail Gryzykhin <[email protected]>
Co-authored-by: Roey Berman <[email protected]>
Co-authored-by: Tihomir Surdilovic <[email protected]>
Co-authored-by: 陈杨文 <[email protected]>
Co-authored-by: Harish Kumar <[email protected]>
Co-authored-by: Matthias Nguyen <[email protected]>
Co-authored-by: swyx <[email protected]>
Co-authored-by: Srikanth Chelluri <[email protected]>
Co-authored-by: Daniel König <[email protected]>
Co-authored-by: Derek Wilson <[email protected]>