cert_manager with IRSA creates policy with incorrect service account name #267
Comments
@joaocc can you please provide the code to reproduce the issue?
Not sure I will be able to. We have this inside a non-trivial terragrunt setup. I can try checking if we can create a simplified version, but don't know when I will have time. I will also try to upgrade to 1.9.1, and revert cert-manager to 1.12 (as we had that working with IAM though not IRSA).
Description
We are deploying cert-manager using the addons, in order to use IRSA for DNS01 with Route53.
We also checked https://cert-manager.io/docs/configuration/acme/dns01/route53/#eks-iam-role-for-service-accounts-irsa and configured the cluster issuers and the certificates as per the documentation.
There may be a relation with #185 (comment)
At the moment we are receiving the following error
The module creates the following trust policy, which has an incorrect service account name.
We have used the same mechanism for external-dns (and others) and it is working (meaning basic parameters like cluster info and oidc should be ok).
In this case, the SA is created as cert-man-cert-manager (with cert-man being the helm release name, and sys--cert being the namespace).
Versions
Module version: 1.9.0
Terraform version: 1.5.7
Provider version(s):
"registry.terraform.io/gavinbunney/kubectl" "1.14.0"
"registry.terraform.io/hashicorp/aws" "4.67.0"
"registry.terraform.io/hashicorp/helm" "2.10.1"
"registry.terraform.io/hashicorp/kubernetes" "2.22.0"
"registry.terraform.io/hashicorp/null" "3.2.1"
"registry.terraform.io/hashicorp/random" "3.5.1"
"registry.terraform.io/hashicorp/time" "0.9.1"
"registry.terraform.io/metio/k8s" "2023.9.4"
Reproduction Code [Required]
Expected behaviour
The account name in the trust policy document should be corrected
Actual behaviour
The module creates a service-account which seems to either use a default or ignore the release name.
Terminal Output Screenshot(s)
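The mismatch reported in this issue can be checked offline by comparing the `sub` condition of the role's trust policy with the service account the Helm release actually created. The following Python check is an added example, not code from the issue or the module; the trust policy is a constructed sample (the page does not show the generated one), and the function names, account ID and OIDC provider ID are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample trust policy: account ID, OIDC provider ID and the
# service account name in "sub" are placeholders, not values from the issue.
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0000000000"
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC}:sub": "system:serviceaccount:sys--cert:cert-manager",
            f"{OIDC}:aud": "sts.amazonaws.com",
        }},
    }],
})


def allowed_subjects(policy_json):
    """Return (operator, pattern) pairs for every ':sub' condition in Allow
    statements that grant sts:AssumeRoleWithWebIdentity."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        for op, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                if key.endswith(":sub"):
                    values = [values] if isinstance(values, str) else values
                    found += [(op, v) for v in values]
    return found


def trust_allows(policy_json, namespace, service_account):
    """True if a sub condition matches the subject the pod's token will carry."""
    subject = f"system:serviceaccount:{namespace}:{service_account}"
    for op, pattern in allowed_subjects(policy_json):
        # fnmatchcase approximates IAM StringLike ('*' and '?' wildcards)
        if op == "StringEquals" and pattern == subject:
            return True
        if op == "StringLike" and fnmatchcase(subject, pattern):
            return True
    return False
```

Feed it the role's `AssumeRolePolicyDocument` together with the namespace and name of the service account found in the cluster; a `False` result means the projected token's subject will not satisfy the trust policy.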