helm patch default service account

4/3/2019

I have a helm chart that I use to add a list of users to my cluster, but I would like to modify my default service account to include an image pull secret. There doesn't seem to be any patch functionality in helm.

Is a post-install hook the best I can do?

-- Breedly
kubernetes
kubernetes-helm

3 Answers

4/22/2019

I had the same issue. What I did is:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default
  namespace: YOUR_NAMESPACE
rules:
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - patch  # required by the kubectl patch call in the Job below
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default
  namespace: YOUR_NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: YOUR_NAMESPACE

and then:

apiVersion: batch/v1
kind: Job
metadata:
  name: create-image-pull-secret
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: k8s
        image: google/cloud-sdk
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh","-c", "kubectl patch serviceaccount default -p '{\"imagePullSecrets\": [{\"name\": \"YOUR_SECRET_NAME\"}]}'"]

Note that I use a pre-install hook. I did that because I needed the imagePullSecret working for my child dependencies. Also, the patch command allowed me to use a secret name that doesn't exist yet.

-- tproenca
Source: StackOverflow

5/2/2019

Following what @tproenca said, I had a similar problem and fixed it by making a template file named patch.yml with the following:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": hook-succeeded
  name: default
  namespace: {{ .Release.Name }}
rules:
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": hook-succeeded
  name: default
  namespace: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: {{ .Release.Name }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: patch-sa
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: sa
        image: google/cloud-sdk
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh", "-c", "kubectl patch serviceaccount default -p '{\"imagePullSecrets\": [{\"name\": \"secret-key\"}]}'"]

That way for the first installation you won't have to manually add role/rolebinding resources to your namespace as helm will do it and delete them for you.

-- Sartigan
Source: StackOverflow

4/4/2019

If I understood you correctly, the way to change the default service behind helm (actually its server side: tiller) is pure Kubernetes-like: just patch the Deployment resource object related to helm with the following command:

kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"<YOUR_SVC_ACCOUNT>"}}}}'

-- Nepomucen
Source: StackOverflow