Description
Checks
- I've already read https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors and I'm sure my issue is not covered in the troubleshooting guide.
- I am using charts that are officially provided
Controller Version
0.13.0
Deployment Method
Helm
Checks
- This isn't a question or user support case (For Q&A and community support, go to Discussions).
- I've read the Changelog before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes
To Reproduce
1. Declare the Helm chart and set the annotations (the example is in Terraform):
```hcl
resource "helm_release" "gha_runner_scale_set" {
  name              = local.runner_name
  namespace         = local.runner_namespace
  chart             = "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set"
  version           = var.arc_version
  create_namespace  = true
  dependency_update = true

  values = [jsonencode({
    githubConfigUrl    = "https://github.com/ORG_NAME"
    githubConfigSecret = local.github_secret_name
    controllerServiceAccount = {
      namespace = local.listener_namespace
      name      = "arc-gha-rs-controller"
    }
    minRunners = 1
    maxRunners = 10
    # this is the annotation I want to add to the listener service account
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.listener_secrets_access.arn
    }
    listenerTemplate = {
      spec = {
        volumes = [{
          name = "secrets-store"
          csi = {
            driver   = "secrets-store.csi.k8s.io"
            readOnly = true
            volumeAttributes = {
              secretProviderClass = local.github_secret_name
            }
          }
        }]
        containers = [{
          name = "listener"
          volumeMounts = [{
            name      = "secrets-store"
            mountPath = "/mnt/secrets-store"
            readOnly  = true
          }]
        }]
      }
    }
    labels = { for k, v in local.tags : k => tostring(v) }
  })]

  depends_on = [
    kubernetes_manifest.github_app_secret_provider,
    helm_release.gha_runner_scale_set_controller
  ]
}
```
2. Apply it and look up the listener ServiceAccount in the controller namespace:
```text
Name:                ***-754b578d-listener
Namespace:           arc-systems
Labels:              actions.github.com/organization=***
                     actions.github.com/scale-set-name=***
                     actions.github.com/scale-set-namespace=arc-runners
                     app.kubernetes.io/component=runner-scale-set-listener
                     app.kubernetes.io/instance=***
                     app.kubernetes.io/managed-by=Helm
                     app.kubernetes.io/name=***
                     app.kubernetes.io/part-of=gha-runner-scale-set
                     app.kubernetes.io/version=0.13.0
                     helm.sh/chart=gha-rs-0.13.0
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>
```
Looking at the listener pod definition, we see that this is the ServiceAccount that is used:
```text
Name:             ***-754b578d-listener
Namespace:        arc-systems
Priority:         0
Service Account:  ***-754b578d-listener
[...]
Events:
  Type     Reason       Age                 From               Message
  ----     ------       ----                ----               -------
  Normal   Scheduled    12m                 default-scheduler  Successfully assigned arc-systems/***-754b578d-listener to ip-10-170-16-192.eu-central-1.compute.internal
  Warning  FailedMount  119s (x13 over 12m) kubelet            MountVolume.SetUp failed for volume "secrets-store" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod arc-systems/***-754b578d-listener, err: rpc error: code = Unknown desc = eu-central-1: An IAM role must be associated with service account ***-754b578d-listener (namespace: arc-systems)
```
To avoid confusion: the ServiceAccounts in the runner namespace do get the annotations ([code](https://github.com/actions/actions-runner-controller/blob/3c1a323381a7f5ba782fb1a66c5db04767f70c7b/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml#L12)).

Describe the bug
It's not possible to add annotations to the listener ServiceAccount.
We are using the secret-store csi driver to sync from aws secrets manager to kubernetes secrets, we store the github app id/installation id/pem inside the aws secret and want to sync it to kubernetes.
My first problem is that there is a circular dependency issue: the controller only creates the listener if the secret exists, but the secret is created when the volume is mounted when the listener pod is started. I worked around this by manually creating a secret; as this is a one-time action and only necessary during the initial setup, this is acceptable for us.
The next step is to allow the ServiceAccount to assume the IAM role, so it can read the secret and sync it to the k8s secret. In order to do this you add an annotation to the ServiceAccount.
I looked up the code for the ServiceAccount for the listener, which is here:

```go
Labels: b.mergeLabels(autoscalingListener.Labels, map[string]string{
```

and we see that it is not possible to pass in annotations. As far as I can tell we would only need to add the following line: `Annotations: autoscalingListener.Annotations,`
I want to note that I had it up and running before I tried to add the csi driver secret store, using a normal kubernetes secret, so the problems are all related to that.
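As an added check (example code, not from this issue or the actions-runner-controller project): a small Python script that parses `kubectl describe serviceaccount` output and reports whether the `eks.amazonaws.com/role-arn` annotation the secrets-store CSI driver requires is present and points at the expected role. The first sample is constructed from the listener ServiceAccount shown above; the annotated sample, its name, the account ID and the role name are placeholders and are not values from the report.

```python
# Added example (not from the issue or the ARC project): parse the output of
# `kubectl describe serviceaccount` and check whether the IRSA annotation the
# secrets-store CSI driver needs is present on a given ServiceAccount.
import re
import sys

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"

# Constructed sample modelled on the listener ServiceAccount shown in the report
# (annotations missing, so the CSI mount fails).
LISTENER_SA_DESCRIBE = """\
Name:                ***-754b578d-listener
Namespace:           arc-systems
Labels:              actions.github.com/organization=***
                     actions.github.com/scale-set-name=***
                     app.kubernetes.io/component=runner-scale-set-listener
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>
"""

# Constructed sample of a ServiceAccount that did receive the annotation; the
# name, account ID and role name are placeholders.
ANNOTATED_SA_DESCRIBE = """\
Name:                example-gha-rs-kube-mode
Namespace:           arc-runners
Labels:              app.kubernetes.io/component=runner-scale-set
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/listener-secrets-access
Image pull secrets:  <none>
"""

# "Field name:   value" headers start at column 0; continuation lines are indented.
HEADER = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_describe(text):
    """Turn `kubectl describe` output into a dict; Labels and Annotations become dicts."""
    fields = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m and not line[:1].isspace():
            # New header; the value may be empty (e.g. an Events: table follows).
            current = m.group(1)
            fields[current] = [m.group(2)] if m.group(2) else []
        elif current is not None and line.strip():
            # Indented continuation line belonging to the previous field.
            fields[current].append(line.strip())

    parsed = {}
    for key, values in fields.items():
        if key in ("Labels", "Annotations"):
            parsed[key] = _parse_kv(values, "=" if key == "Labels" else ": ")
        else:
            parsed[key] = values[0] if values else ""
    return parsed


def _parse_kv(items, sep):
    """Split 'k=v' (labels) or 'k: v' (annotations) entries; <none> yields {}."""
    result = {}
    for item in items:
        if item == "<none>":
            continue
        key, _, value = item.partition(sep)
        result[key.strip()] = value.strip()
    return result


def irsa_role(sa):
    """Role ARN from the IRSA annotation, or None when the annotation is absent."""
    return sa.get("Annotations", {}).get(IRSA_ANNOTATION)


def check_service_account(text, expected_role_arn):
    """Return (ok, message) saying whether the SA is annotated with the expected role."""
    sa = parse_describe(text)
    where = f"{sa.get('Name')} (namespace: {sa.get('Namespace')})"
    role = irsa_role(sa)
    if role is None:
        return False, f"{where}: missing {IRSA_ANNOTATION}; secrets-store CSI mounts will fail"
    if role != expected_role_arn:
        return False, f"{where}: {IRSA_ANNOTATION} points at {role}, expected {expected_role_arn}"
    return True, f"{where}: annotated with {role}"


if __name__ == "__main__":
    # Usage: kubectl describe sa <listener-sa> -n arc-systems | python check_sa.py <role-arn>
    # Without piped input and an ARN argument, the constructed samples are checked instead.
    if len(sys.argv) > 1 and not sys.stdin.isatty():
        ok, msg = check_service_account(sys.stdin.read(), sys.argv[1])
        print(msg)
        sys.exit(0 if ok else 1)
    expected = "arn:aws:iam::123456789012:role/listener-secrets-access"
    for sample in (LISTENER_SA_DESCRIBE, ANNOTATED_SA_DESCRIBE):
        print(check_service_account(sample, expected)[1])
```

Run against the real listener ServiceAccount before debugging the CSI driver itself: a non-zero exit with the "missing" message reproduces exactly the state the `FailedMount` event above complains about, and distinguishes it from a role that is present but wrong.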
Describe the expected behavior
Custom annotations are correctly passed into the listener service account.
Additional Context
I added the passed-in values above in Terraform.

Controller Logs
https://gist.github.com/jonny-rimek/49eee36949fa2023f8c5b46036376c22

Runner Pod Logs
The runner doesn't start because the listener doesn't start.