Incorrect IRSA implementation
Summary
Both the chart and therefore the documentation are incorrect for setting up IAM roles for service accounts (IRSA). It's the service accounts which need annotating, not the pods. The global.platform.eksRoleArn value can be completely removed, as global.serviceAccount.annotations can be set with eks.amazonaws.com/role-arn pointing at the role.
Steps to reproduce
- Follow the guide to setup IRSA
- Check the pods for the IRSA environment variables (e.g. AWS_WEB_IDENTITY_TOKEN_FILE)
Configuration used
global:
  platform:
    eksRoleArn: arn:aws:iam::xxxxxxxxxxxx:role/gitlab
Current behavior
IRSA doesn't work so no AWS credentials are available to the pods.
Expected behavior
AWS credentials should be present in the pods.
Versions
- Chart: 4.11.3
- Platform:
  - Cloud: EKS
- Kubernetes:
  - Client: v1.19.7
  - Server: v1.18.9
- Helm:
  - Client: n/a
  - Server: v3.5.4
Relevant logs
n/a
Edited by Steve Hipwell
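The check below is an added example and is not part of the issue or of the GitLab chart's own code. It encodes the report's point in two functions: one lints a Helm values dict for the mistake (global.platform.eksRoleArn set, no eks.amazonaws.com/role-arn annotation under global.serviceAccount.annotations), the other inspects a ServiceAccount and a Pod, as returned by kubectl get -o json, for the signs that the EKS pod identity webhook actually injected IRSA credentials: the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables and a projected service account token with the sts.amazonaws.com audience. Python is used rather than a shell pipeline so it runs offline against constructed manifests; the role ARN, service account name, container names and the chart value paths used for the fixed configuration are assumptions, and the manifests are constructed sample data, not captures from a cluster.

```python
"""Verify that IRSA is wired to the ServiceAccount, not just to a chart value.

Added example, not code from the GitLab chart or the issue author.
All manifests below are constructed to look like `kubectl get ... -o json`.
"""
import re

ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"
IRSA_ENV_VARS = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
STS_AUDIENCE = "sts.amazonaws.com"
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def check_values(values: dict) -> list[str]:
    """Lint a Helm values dict for the IRSA mistake described in the issue."""
    findings = []
    g = values.get("global", {})
    if g.get("platform", {}).get("eksRoleArn"):
        findings.append("global.platform.eksRoleArn is set but does not annotate the ServiceAccount")
    annotations = g.get("serviceAccount", {}).get("annotations", {})
    arn = annotations.get(ROLE_ARN_ANNOTATION)
    if not arn:
        findings.append(f"global.serviceAccount.annotations lacks {ROLE_ARN_ANNOTATION}")
    elif not ROLE_ARN_RE.match(arn):
        findings.append(f"{ROLE_ARN_ANNOTATION} is not an IAM role ARN: {arn}")
    return findings


def check_pod_irsa(service_account: dict, pod: dict) -> list[str]:
    """Return problems found; an empty list means IRSA was injected as expected."""
    findings = []
    sa_name = service_account["metadata"]["name"]
    arn = service_account["metadata"].get("annotations", {}).get(ROLE_ARN_ANNOTATION)
    if not arn:
        findings.append(f"ServiceAccount {sa_name} has no {ROLE_ARN_ANNOTATION} annotation")
    spec = pod["spec"]
    if spec.get("serviceAccountName", "default") != sa_name:
        findings.append(f"pod does not use ServiceAccount {sa_name}")
    for c in spec.get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        for var in IRSA_ENV_VARS:
            if var not in env:
                findings.append(f"container {c['name']} missing {var}")
        if arn and env.get("AWS_ROLE_ARN") not in (None, arn):
            findings.append(f"container {c['name']} AWS_ROLE_ARN does not match annotation")
    # The webhook also mounts a projected ServiceAccount token scoped to STS.
    audiences = [
        s["serviceAccountToken"].get("audience")
        for v in spec.get("volumes", [])
        for s in v.get("projected", {}).get("sources", [])
        if "serviceAccountToken" in s
    ]
    if STS_AUDIENCE not in audiences:
        findings.append(f"no projected ServiceAccount token with audience {STS_AUDIENCE}")
    return findings


# --- constructed sample data (assumed role ARN and names) ---
ROLE_ARN = "arn:aws:iam::123456789012:role/gitlab"
TOKEN_PATH = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"

BROKEN_VALUES = {"global": {"platform": {"eksRoleArn": ROLE_ARN}}}
FIXED_VALUES = {"global": {"serviceAccount": {"annotations": {ROLE_ARN_ANNOTATION: ROLE_ARN}}}}

SA_UNANNOTATED = {"metadata": {"name": "gitlab-sa"}}
SA_ANNOTATED = {"metadata": {"name": "gitlab-sa", "annotations": {ROLE_ARN_ANNOTATION: ROLE_ARN}}}

# Pod as it appears with the broken configuration: nothing was injected.
POD_PLAIN = {"spec": {"serviceAccountName": "gitlab-sa",
                      "containers": [{"name": "webservice", "env": []}],
                      "volumes": []}}

# Pod as it appears once the ServiceAccount carries the annotation.
POD_INJECTED = {"spec": {
    "serviceAccountName": "gitlab-sa",
    "containers": [{"name": "webservice", "env": [
        {"name": "AWS_ROLE_ARN", "value": ROLE_ARN},
        {"name": "AWS_WEB_IDENTITY_TOKEN_FILE", "value": TOKEN_PATH}],
        "volumeMounts": [{"name": "aws-iam-token", "mountPath": TOKEN_PATH.rsplit("/", 1)[0]}]}],
    "volumes": [{"name": "aws-iam-token", "projected": {"sources": [
        {"serviceAccountToken": {"audience": STS_AUDIENCE, "expirationSeconds": 86400, "path": "token"}}]}}],
}}

if __name__ == "__main__":
    print("broken values:", check_values(BROKEN_VALUES))
    print("fixed values:", check_values(FIXED_VALUES))
    print("unannotated SA:", check_pod_irsa(SA_UNANNOTATED, POD_PLAIN))
    print("annotated SA:", check_pod_irsa(SA_ANNOTATED, POD_INJECTED))
```

Against a real cluster the two manifests would come from `kubectl get sa <name> -o json` and `kubectl get pod <name> -o json`; an empty result from check_pod_irsa corresponds to the expected behaviour in the report, where the pods carry AWS credentials via the web identity token.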