{cmd,}/k8s-operator: support IRSA for Recorder resources (#15913)

Adds Recorder fields to configure the name and annotations of the ServiceAccount created for and used by its associated StatefulSet. This allows the created Pod to authenticate with AWS without requiring a Secret with static credentials, using AWS' IAM Roles for Service Accounts feature, documented here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html Fixes #15875 Change-Id: Ib0e15c0dbc357efa4be260e9ae5077bacdcb264f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-08-25 12:47:31 +00:00 · 2025-05-19 11:35:05 +01:00
parent 6b97e615d6
commit d89aa29081
9 changed files with 359 additions and 25 deletions
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -4552,6 +4552,36 @@ spec:
                                                                type: string
                                                        type: object
                                                type: object
+                                            serviceAccount:
+                                                description: |-
+                                                    Config for the ServiceAccount to create for the Recorder's StatefulSet.
+                                                    By default, the operator will create a ServiceAccount with the same
+                                                    name as the Recorder resource.
+                                                    https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#service-account
+                                                properties:
+                                                    annotations:
+                                                        additionalProperties:
+                                                            type: string
+                                                        description: |-
+                                                            Annotations to add to the ServiceAccount.
+                                                            https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
+
+                                                            You can use this to add IAM roles to the ServiceAccount (IRSA) instead of
+                                                            providing static S3 credentials in a Secret.
+                                                            https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
+
+                                                            For example:
+                                                            eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>
+                                                        type: object
+                                                    name:
+                                                        description: |-
+                                                            Name of the ServiceAccount to create. Defaults to the name of the
+                                                            Recorder resource.
+                                                            https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#service-account
+                                                        maxLength: 253
+                                                        pattern: ^[a-z0-9]([a-z0-9-.]{0,61}[a-z0-9])?$
+                                                        type: string
+                                                type: object
                                            tolerations:
                                                description: |-
                                                    Tolerations for Recorder Pods. By default, the operator does not apply