feat: Fixed yace service account issue (#234)

Added yace service account name variable
wandb · Jun 26, 2024 · 8d290b8 · 8d290b8
1 parent 8a34f58
commit 8d290b8
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 16 deletions.
diff --git a/main.tf b/main.tf
@@ -14,14 +14,14 @@ locals {
 }
 
 module "file_storage" {
-  count     = var.create_bucket ? 1 : 0
-  source    = "./modules/file_storage"
-  
-  create_queue = !local.use_internal_queue
+  count  = var.create_bucket ? 1 : 0
+  source = "./modules/file_storage"
+
+  create_queue        = !local.use_internal_queue
   deletion_protection = var.deletion_protection
-  kms_key_arn   = local.kms_key_arn
-  namespace = var.namespace
-  sse_algorithm = "aws:kms"
+  kms_key_arn         = local.kms_key_arn
+  namespace           = var.namespace
+  sse_algorithm       = "aws:kms"
 }
 
 locals {
@@ -172,8 +172,8 @@ module "app_lb" {
   acm_certificate_arn   = local.acm_certificate_arn
   zone_id               = var.zone_id
 
-  fqdn                      = local.full_fqdn
-  extra_fqdn                = local.extra_fqdn
+  fqdn                        = local.full_fqdn
+  extra_fqdn                  = local.extra_fqdn
   allowed_inbound_cidr        = var.allowed_inbound_cidr
   allowed_inbound_ipv6_cidr   = var.allowed_inbound_ipv6_cidr
   target_port                 = local.internal_app_port
@@ -235,13 +235,12 @@ locals {
   lb_name_truncated  = "${substr(var.namespace, 0, local.max_lb_name_length)}-alb-k8s"
 }
 
-data "aws_region" "current" {}
-
 module "iam_role" {
-   count  = var.enable_yace ? 1 : 0
-   source = "./modules/iam_role"
-   namespace = var.namespace
-   aws_iam_openid_connect_provider_url = module.app_eks.aws_iam_openid_connect_provider
+  count                               = var.enable_yace ? 1 : 0
+  source                              = "./modules/iam_role"
+  yace_sa_name                        = var.yace_sa_name
+  namespace                           = var.namespace
+  aws_iam_openid_connect_provider_url = module.app_eks.aws_iam_openid_connect_provider
 }
 
 module "wandb" {
@@ -322,6 +321,53 @@ module "wandb" {
         }, var.app_wandb_env)
       }
 
+      # To support otel rds and redis metrics need operator-wandb chart minimum version 0.13.8 ( yace subchart)
+      yace = var.enable_yace ? {
+        install        = true
+        regions        = [data.aws_region.current.name]
+        serviceAccount = { annotations = { "eks.amazonaws.com/role-arn" = module.iam_role[0].role_arn } }
+        } : {
+        install        = false
+        regions        = []
+        serviceAccount = {}
+      }
+
+      otel = {
+        daemonset = var.enable_yace ? {
+          config = {
+            receivers = {
+              prometheus = {
+                config = {
+                  scrape_configs = [
+                    { job_name     = "yace"
+                      scheme       = "http"
+                      metrics_path = "/metrics"
+                      dns_sd_configs = [
+                        { names = ["wandb-yace"]
+                          type  = "A"
+                          port  = 5000
+                        }
+                      ]
+                    }
+                  ]
+                }
+              }
+            }
+            service = {
+              pipelines = {
+                metrics = {
+                  receivers = ["hostmetrics", "k8s_cluster", "kubeletstats", "prometheus"]
+                }
+              }
+            }
+          }
+          } : { config = {
+            receivers = {}
+            service   = {}
+          }
+        }
+      }
+
       # To support otel rds and redis metrics need operator-wandb chart minimum version 0.13.8 ( yace subchart)
       yace = var.enable_yace ? {
         install = true

diff --git a/modules/iam_role/main.tf b/modules/iam_role/main.tf
@@ -14,7 +14,7 @@ resource "aws_iam_role" "irsa" {
         Action    = ["sts:AssumeRoleWithWebIdentity"]
         Condition = {
           StringLike = {
-            "${var.aws_iam_openid_connect_provider_url}:sub" = "system:serviceaccount:*:yace"
+            "${var.aws_iam_openid_connect_provider_url}:sub" = "system:serviceaccount:default:${var.yace_sa_name}"
             "${var.aws_iam_openid_connect_provider_url}:aud" = "sts.amazonaws.com"
           }
         }

diff --git a/modules/iam_role/variables.tf b/modules/iam_role/variables.tf
@@ -5,4 +5,8 @@ variable "namespace" {
 
 variable "aws_iam_openid_connect_provider_url" {
   type        = string
+}
+
+variable "yace_sa_name" {
+  type = string
 }
diff --git a/variables.tf b/variables.tf
@@ -459,4 +459,9 @@ variable "enable_yace" {
   type = bool
   description = "deploy yet another cloudwatch exporter to fetch aws resources metrics"
   default = true
+}
+
+variable "yace_sa_name" {
+  type = string
+  default = "wandb-yace"
 }