IRSA Bug with OLM

[urton]

Describe the bug
When a new installplan is approved and the corresponding csv rolls out, the eks.amazonaws.com/role-arn annotation is removed from the ack-<service>-controller serviceaccount.

Steps to reproduce
annotate the serviceaccount, rollout the currently deployment, approve a new installplan (or set subscription to automatic approval), and then the new pod will error due to permissions.

Expected outcome
The eks.amazonaws.com/role-arn should persist.

Environment

• Kubernetes version v1.32.5
• Using EKS (yes/no), if so version? No (ROSA v4.19.2)
• AWS service targeted (S3, RDS, etc.) All

[github-actions]

Hello @urton 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

[a-hilaly]

cc @acornett21

[acornett21]

@urton You're saying during an update process you lose this configuration on a given service account? If so that is expect, since OLM is itself a reconciler, which reconciles everything in the CSV back to the state in the new version.

I don't think there is anything that ACK can do to get around this.

[urton]

Hey @acornett21! Totally understand OLM is doing its job, but with this behavior, maybe pulling the service account out and making that a prerequisite configuration is an option, or a BYOSA (like the external-secrets operator model), or even the AWS EFS operator model where you have to create the secret with the role. Thoughts?

[acornett21]

Since the CSV can't be modified after deployment time, pulling out the SA isn't an option, since this would break the deployment that is pulled from the CSV, also I think this might invalidate the bundle, though I'm not 100% sure on that.

I don't think vault is package as an operator for OLM, so I think that model only works for helm.

For the last ask I believe you are asking similar to this closed issue which never got working, is this what you are really asking for?

• Relates: STS support by reading an AWS config in a secret #1785

[urton]

I think so, that looks like exactly what the AWS EFS CSI Driver Operator is doing in order to use IRSA with its pre-defined service accounts rather than annotations.