chore(chart): improve doc regarding eks iam roles for service accounts

razielgn · razielgn · commit a369cec313a5 · 2022-05-10T10:46:26.000Z
diff --git a/charts/core-dump-handler/README.md b/charts/core-dump-handler/README.md
@@ -36,6 +36,9 @@ helm install core-dump-handler . --create-namespace --namespace observe \
 <tr>
     <td>AWS</td><td>EKS</td><td><a href="values.aws.yaml">values.aws.yaml</a></td>
 </tr>
+<tr>
+    <td>AWS</td><td>EKS with IAM roles for service accounts</td><td><a href="values.aws.sts.yaml">values.aws.yaml</a></td>
+</tr>
 <tr>
     <td>AWS</td><td>ROSA</td><td><a href="values.openshift.yaml">values.openshift.yaml</a></td>
 </tr>
@@ -140,6 +143,14 @@ Example S3 policy:
 }
 ```
 
+### EKS setup with IAM roles for service accounts
+
+This allows core-dump-handler to automatically assume the correct role with permissions on the S3 bucket without providing fixed credentials in the secret.
+
+See [this guide](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+
+[Example of `values.yaml`](values.aws.sts.yaml)
+
 ### Environment Variables
 
 The agent pod has the following environment variables and these are all set by the chart but included here for informational purposes:
diff --git a/charts/core-dump-handler/values.aws.sts.yaml b/charts/core-dump-handler/values.aws.sts.yaml
@@ -0,0 +1,9 @@
+# AWS requires a crio client to be copied to the server
+daemonset:
+  includeCrioExe: true
+  vendor: rhel7 # EKS EC2 images have an old libc=2.26
+
+serviceAccount:
+  annotations:
+    # See https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
+    eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here
