fix: service account name is wrong

linz · Oct 27, 2023 · 8a80fd4 · 8a80fd4
1 parent 9a0d5da
commit 8a80fd4
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/infra/cdk8s.ts b/infra/cdk8s.ts
@@ -13,9 +13,12 @@ const app = new App();
 async function main(): Promise<void> {
   // Get cloudformation outputs
   const cfnOutputs = await getCfnOutputs(ClusterName);
-  const missingKeys = [...Object.values(CfnOutputKeys.Karpenter), ...Object.values(CfnOutputKeys.FluentBit)].filter(
-    (f) => cfnOutputs[f] == null,
-  );
+  //FIXME: is there a better way to do that?
+  const missingKeys = [
+    ...Object.values(CfnOutputKeys.Karpenter),
+    ...Object.values(CfnOutputKeys.FluentBit),
+    ...Object.values(CfnOutputKeys.Argo),
+  ].filter((f) => cfnOutputs[f] == null);
   if (missingKeys.length > 0) {
     throw new Error(`Missing CloudFormation Outputs for keys ${missingKeys.join(', ')}`);
   }

diff --git a/infra/charts/argo.workflows.ts b/infra/charts/argo.workflows.ts
@@ -62,7 +62,7 @@ export class ArgoWorkflows extends Chart {
           replicas: 2,
           workflowDefaults: {
             spec: {
-              serviceAccountName: 'workflow-runner-sa',
+              serviceAccountName: props.saName,
               ttlStrategy: { secondsAfterCompletion: Duration.days(7).toSeconds() },
               podGC: { strategy: 'OnPodCompletion' },
               tolerations: [

diff --git a/infra/eks/cluster.ts b/infra/eks/cluster.ts
@@ -212,11 +212,16 @@ export class LinzEksCluster extends Stack {
       metadata: { name: 'argo' },
     });
     const argoRunnerSa = this.cluster.addServiceAccount('ArgoRunnerServiceAccount', {
-      name: 'argo-runner-sa',
+      name: 'workflow-runner-sa',
       namespace: 'argo',
     });
     argoRunnerSa.node.addDependency(argoNs);
     new CfnOutput(this, 'ArgoRunnerServiceAccountRoleArn', { value: argoRunnerSa.role.roleArn });
     new CfnOutput(this, CfnOutputKeys.Argo.RunnerServiceAccountName, { value: argoRunnerSa.serviceAccountName });
+
+    // give read/write on the temporary (scratch) bucket
+    this.tempBucket.grantReadWrite(argoRunnerSa.role);
+    // give permission to the sa to assume a role
+    argoRunnerSa.role.addToPrincipalPolicy(new PolicyStatement({ actions: ['sts:AssumeRole'], resources: ['*'] }));
   }
 }