fix(helm): Ensure non-default service account name works with namespaces-cache and configmaps-cache role bindings (#557)

gunzy83 · web-flow · commit 9715a2a71531 · 2024-11-04T22:24:45.000Z
Issue #, if available: N/A Relates to aws-controllers-k8s/kms-controller#83 Description of changes: This change ensures that the required `ClusterRoleBinding` and `RoleBinding` objects apply to a `ServiceAccount` with a custom name. Error seen with custom service account name: ``` pkg/mod/k8s.io/client-go@v0.30.1/tools/cache/reflector.go:232: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:kms-controller:kms-controller" cannot list resource "configmaps" in API group "" in the namespace "kms-controller" ``` By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/templates/helm/templates/caches-role-binding.yaml.tpl b/templates/helm/templates/caches-role-binding.yaml.tpl
@@ -8,7 +8,7 @@ roleRef:
   name: ack-namespaces-cache-{{ .ControllerName }}-controller
 subjects:
 - kind: ServiceAccount
-  name: ack-{{ .ControllerName }}-controller
+  name: {{ IncludeTemplate "service-account.name" }}
   namespace: {{ "{{ .Release.Namespace }}" }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -22,5 +22,5 @@ roleRef:
   name: ack-configmaps-cache-{{ .ControllerName }}-controller
 subjects:
 - kind: ServiceAccount
-  name: ack-{{ .ControllerName }}-controller
-  namespace: {{ "{{ .Release.Namespace }}" }}
+  name: {{ IncludeTemplate "service-account.name" }}
+  namespace: {{ "{{ .Release.Namespace }}" }}
