Proposal: remove -serviceaccount suffix from KSA names in helm chart #10892
Conversation
It's quite annoying to have `-serviceaccount` in each service account name as this is a useless 15 characters that provides no additional information. "why is this so frustrating to you Jake?" GCP service accounts have 30 char name limit https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating For manageability / clarity I'd like to keep KSA and GSA names exactly the same when using workload identity which maps KSA<>GSA 1:1 https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity.
|
I'm okay with this change; are there any adverse effects when upgrading from before to after? |
There are known problems with Helm Updating various resources in Kubernetes. Particularly Service Account name upgrade will not work it seems helm/helm#5473 and helm/helm#4429 Seems there is an open "umbrella" issue to make this work for different kinds of resources that helm manages in Kubernetes: helm/helm#5915 If we had the chart released - that would be a breaking change. I'd say definitely when we release it, we should have a separate chart/UPDATING.md or smth, and this change should be explained there IMHO. But for now we do not even have a version that we can refer to as "when it changed" :). So the question is - do we want to start keeping track of those and other similar changes already or do we start after releasing it for the first time? |
|
@schnie @dimberman Can you take a look at it? This helps us to create a secure environment on GKE. If we use Workload Identity, then we don't have to use long-lived credentials keys. |
Only after the first version is released, we can maintain the changelog. Now we are in a phase of intense development, so breaking changes are natural. We don't maintain semver or any other versioning, so maintaining this type of documentation would be difficult. |
…10892) * [WIP] remove -serviceaccount suffix in helm chart It's quite annoying to have `-serviceaccount` in each service account name as this is a useless 15 characters that provides no additional information. "why is this so frustrating to you Jake?" GCP service accounts have 30 char name limit https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating For manageability / clarity I'd like to keep KSA and GSA names exactly the same when using workload identity which maps KSA<>GSA 1:1 https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. (cherry picked from commit 23768f6)
…10892) * [WIP] remove -serviceaccount suffix in helm chart It's quite annoying to have `-serviceaccount` in each service account name as this is a useless 15 characters that provides no additional information. "why is this so frustrating to you Jake?" GCP service accounts have 30 char name limit https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating For manageability / clarity I'd like to keep KSA and GSA names exactly the same when using workload identity which maps KSA<>GSA 1:1 https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. (cherry picked from commit 23768f6)
…10892) * [WIP] remove -serviceaccount suffix in helm chart It's quite annoying to have `-serviceaccount` in each service account name as this is a useless 15 characters that provides no additional information. "why is this so frustrating to you Jake?" GCP service accounts have 30 char name limit https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating For manageability / clarity I'd like to keep KSA and GSA names exactly the same when using workload identity which maps KSA<>GSA 1:1 https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. (cherry picked from commit 23768f6)
…10892) * [WIP] remove -serviceaccount suffix in helm chart It's quite annoying to have `-serviceaccount` in each service account name as this is a useless 15 characters that provides no additional information. "why is this so frustrating to you Jake?" GCP service accounts have 30 char name limit https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating For manageability / clarity I'd like to keep KSA and GSA names exactly the same when using workload identity which maps KSA<>GSA 1:1 https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. (cherry picked from commit 23768f6)
…pache#10892) * [WIP] remove -serviceaccount suffix in helm chart It's quite annoying to have `-serviceaccount` in each service account name as this is a useless 15 characters that provides no additional information. "why is this so frustrating to you Jake?" GCP service accounts have 30 char name limit https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating For manageability / clarity I'd like to keep KSA and GSA names exactly the same when using workload identity which maps KSA<>GSA 1:1 https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. (cherry picked from commit 23768f6)
It's quite annoying to have
-serviceaccountin each service account name as this is a useless 15 characters that provides no additional information about the account's purpose."why do you care so much about naming convention Jake?"
Actually there is a practical reason: GCP service accounts have 30 char name limit https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating
For manageability / clarity I'd like to keep KSA and GSA names exactly the same when using workload identity which maps KSA<>GSA 1:1 https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity.
If i have a simple release name like
airflowI already violate the 30 char limit withairflow-scheduler-serviceaccount(32 chars)R: @ashb
CC: @potiuk @mik-laj (in our project I'm just going to truncate GSA names to 30 chars as I imagine we may get push back on a PR like this which could have adverse affects for others in the community who may rely on the current SA naming convention)