Annotations on keda-operator service account not reflecting #5758

Closed
praveenkpatidar opened this issue May 1, 2024 · 3 comments · Fixed by kedacore/charts#636
Labels
bug Something isn't working

Comments

@praveenkpatidar
Report

Version 2.14.0
If using an existing service account IRSA role: the Helm verification fails, stating the missing labels in service account keda-operator.
If providing annotations in the values: the annotations are passed correctly into service accounts keda-webhook and keda-metrics-server, however there is no change in keda-operator.

I tried providing a new name, serviceAccount.name: keda-oprator-1, but it seems that is also not working.

      values: 
        serviceAccount: 
          name: kedaServiceAccountName
          annotations: 
            "eks.amazonaws.com/role-arn": "ROLE_ARN"
            "test.annotations": "this_is_test"

Expected Behavior

Either keda-operator should accept an existing service account, or it should create the service account with the given annotations.

Actual Behavior

Three service accounts got created:
keda-operator: no custom annotations. (That's the issue.)
keda-webhook: having all custom annotations.
keda-metrics-server: having all custom annotations.

Steps to Reproduce the Problem

Apply the Helm chart using the values file:

    values: 
       serviceAccount: 
         name: kedaServiceAccountName
         annotations: 
           "eks.amazonaws.com/role-arn": "ROLE_ARN"
           "test.annotations": "this_is_test"

Logs from KEDA operator

> kubectl get sa -n keda keda-operator -o yaml

apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    meta.helm.sh/release-name: keda
    meta.helm.sh/release-namespace: keda
  creationTimestamp: "2024-05-01T03:14:07Z"
  labels:
    app.kubernetes.io/component: operator
    app.kubernetes.io/instance: keda
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keda-operator
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.14.0
    helm.sh/chart: keda-2.14.0

KEDA Version

2.14.0

Kubernetes Version

1.28

Platform

Amazon Web Services

Scaler Details

No response

Anything else?

No response

@praveenkpatidar praveenkpatidar added the bug Something isn't working label May 1, 2024
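
A check for the symptom reported above, as an added example that is not part of the original issue or the KEDA project: it reads the JSON produced by `kubectl get sa -n keda -o json` and reports which of the three service accounts named in the report lack a well-formed `eks.amazonaws.com/role-arn` annotation. The function names, the sample data and the account ID `111122223333` are constructed for illustration.

```python
import json
import re

IRSA_KEY = "eks.amazonaws.com/role-arn"
# Service account names as listed in the issue report.
EXPECTED = ("keda-operator", "keda-webhook", "keda-metrics-server")
# Loose shape check for an IAM role ARN (any partition, optional role path).
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

def audit_irsa(sa_list_json, expected_arn=None):
    """Map each expected service account to 'ok' or a finding string."""
    items = json.loads(sa_list_json).get("items", [])
    by_name = {i["metadata"]["name"]: i["metadata"] for i in items}
    findings = {}
    for name in EXPECTED:
        meta = by_name.get(name)
        if meta is None:
            findings[name] = "service account not found"
            continue
        arn = (meta.get("annotations") or {}).get(IRSA_KEY)
        if arn is None:
            findings[name] = "missing " + IRSA_KEY
        elif not ROLE_ARN_RE.match(arn):
            findings[name] = "malformed role ARN: " + arn
        elif expected_arn and arn != expected_arn:
            findings[name] = "unexpected role: " + arn
        else:
            findings[name] = "ok"
    return findings

def _sa(name, extra=None):
    # Constructed ServiceAccount object carrying the Helm release annotations.
    ann = {"meta.helm.sh/release-name": "keda",
           "meta.helm.sh/release-namespace": "keda"}
    ann.update(extra or {})
    return {"kind": "ServiceAccount",
            "metadata": {"name": name, "namespace": "keda", "annotations": ann}}

# Constructed sample mirroring the reported state: only the operator is bare.
ROLE = "arn:aws:iam::111122223333:role/test"
SAMPLE = json.dumps({"kind": "List", "items": [
    _sa("keda-operator"),
    _sa("keda-webhook", {IRSA_KEY: ROLE}),
    _sa("keda-metrics-server", {IRSA_KEY: ROLE}),
]})

if __name__ == "__main__":
    for sa, finding in audit_irsa(SAMPLE, expected_arn=ROLE).items():
        print(f"{sa}: {finding}")
```
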
@JorTurFer
Member

JorTurFer commented May 1, 2024

Hello,
I can reproduce the annotations issue. I'd suggest using the specific podIdentity section to set IRSA annotations on service accounts:

podIdentity:
  aws:
    irsa:
      enabled: true
      roleArn: "test"

But definitely, we have to fix the annotations bug too.

@praveenkpatidar
Author

praveenkpatidar commented May 2, 2024

Hello @JorTurFer, thanks for the updates.

Tried with the values below but got another issue:

---
operator:
  name: keda-operator
podIdentity:
  aws:
    irsa:
      enabled: true
      roleArn: arn:aws:iam::xxxxxxx:role/test
serviceAccount:
  name: keda-operator
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::xxxxx:role/test

Error:

Error: YAML parse error on keda/templates/manager/serviceaccount.yaml: error converting YAML to JSON: yaml: line 17: did not find expected key\n'

Then I removed serviceAccount from the values, tried with only the values below, and it worked:

---
operator:
  name: keda-operator
podIdentity:
  aws:
    irsa:
      enabled: true
      roleArn: arn:aws:iam::xxxxxxx:role/test

I am using AWS CDK to deploy Helm. That's why more logs are not visible. But I am sure it may be annotation duplication that is causing the issue here. So in the PR you raised, make sure the annotations get merged and unique values are updated.

Another way to make it work is below:

Create the service account keda-operator with the annotations and labels below.

annotations: 
   eks.amazonaws.com/role-arn: roleArn
   meta.helm.sh/release-name: keda
   meta.helm.sh/release-namespace: keda
labels: 
   app.kubernetes.io/managed-by: Helm

Now deploy with these values (the annotation will be there in all service accounts):

serviceAccount:
  create: false
  name: keda-operator
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::xxxxx:role/test

@JorTurFer
Member

JorTurFer commented May 3, 2024

lol, I haven't seen this message before @praveenkpatidar, sorry :(
The duplication issue will still be there, are you willing to open a PR adding that check to the charts repo?
https://github.com/kedacore/charts
