5

Any ideas how I can replace variables via Kustomize? I simply want to use a different ACCOUNT_ID and IAM_ROLE_NAME for each overlay.

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${IAM_ROLE_NAME}

Thanks in advance!

cosmos-1905-14
  • 783
  • 2
  • 12
  • 23

2 Answers

13

Kustomize doesn't use "variables". The way you would typically handle this is by patching the annotation in an overlay. That is, you might start with a base directory that looks like:

base
├── kustomization.yaml
└── serviceaccount.yaml

Where serviceaccount.yaml contains your ServiceAccount manifest:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  annotations:
    eks.amazonaws.com/role-arn: "THIS VALUE DOESN'T MATTER"

And kustomization.yaml looks like:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: my-namespace

resources:
  - serviceaccount.yaml

Then in your overlays, you would replace the eks.amazonaws.com/role-arn annotation by using a patch. For example, if you had an overlay called production, you might end up with this layout:

.
├── base
│   ├── kustomization.yaml
│   └── serviceaccount.yaml
└── overlay
    └── production
        ├── kustomization.yaml
        └── patch_aws_creds.yaml

Where overlay/production/patch_aws_creds.yaml looks like:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::1234:role/production-role

And overlay/production/kustomization.yaml looks like:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../base

patches:
  - patch_aws_creds.yaml

With this in place, running...

kustomize build overlay/production

...would generate output using your production role information, and so forth for any other overlays you choose to create.


If you don't like the format of the strategic merge patch, you can use a json patch document instead. Here's what it would look like inline in your kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../base

patches:
  - target:
      version: v1
      kind: ServiceAccount
      name: my-service-account
    patch: |-
      - op: replace
        path: /metadata/annotations/eks.amazonaws.com~1role-arn
        value: arn:aws:iam::1234:role/production-role

I don't think this really gets you anything, though.

larsks
  • 277,717
  • 41
  • 399
  • 399
  • Well-explained, thanks! I'm aware of patching in kustomize, but aren't there any workarounds to use environment variables, or an easier way other than replicating the whole ServiceAccount.yaml in all overlays? – cosmos-1905-14 Sep 21 '21 at 23:35
  • Keep in mind that the only reason you're replicating the "whole serviceaccount" is because it's very, very small. If it were larger (lots of labels, additional annotations, or something like a pod spec) then you wouldn't need to replicate it: all you need is the version/kind/name triple to identify it. – larsks Sep 22 '21 at 00:03
  • how about if I keep ServiceAccount yaml and just add annotation in kustomization.yaml instead of a patch file? If it is possible, how can I do that? I didn't get to see anything but `commonAnnotations`. But this would add the annotation to all resources I believe. @larsks – cosmos-1905-14 Sep 22 '21 at 00:26
  • I think you're going to have to follow a patching model, or use a tool other than kustomize if you want templating features like variable replacement. I've updated the answer with a different patch syntax, but I think the number of required lines is just about identical. – larsks Sep 22 '21 at 03:30
  • should it be `patchesStrategicMerge` instead of `patches` over the patch_aws_creds.yaml example? – David Tam Feb 24 '23 at 12:18
  • No. You use a single `patches` section for both types of patches. – larsks Feb 24 '23 at 12:34
1

You can resolve this case using json-pointer: ~1

Replace the / with ~1 in the path:

path: /metadata/annotations/eks.amazonaws.com~1role-arn

Ref: https://jsonpatch.com/#json-pointer

CACHAC
  • 29
  • 1
  • 2
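Added example, not part of either answer: a small Python simulation of what the two patch styles from the accepted answer do to the ServiceAccount, plus the RFC 6901 pointer unescaping (`~1` → `/`, `~0` → `~`) that the second answer relies on. It runs without kustomize; the base manifest, the patches, the `1234` account id and the `role_arn_account` check are constructed here for illustration and are not Kustomize's own code. The `strategic_merge` helper only implements map-level merging, which is all a ServiceAccount needs; real strategic merge patches also have list semantics this does not model.

```python
"""Simulate Kustomize's two ServiceAccount patch styles (constructed example)."""
import copy
import re

# Constructed stand-in for base/serviceaccount.yaml, already parsed to a dict.
BASE_SERVICE_ACCOUNT = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "my-service-account",
        "annotations": {"eks.amazonaws.com/role-arn": "THIS VALUE DOESN'T MATTER"},
    },
}

# Constructed stand-in for overlay/production/patch_aws_creds.yaml.
STRATEGIC_MERGE_PATCH = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "my-service-account",
        "annotations": {
            "eks.amazonaws.com/role-arn": "arn:aws:iam::1234:role/production-role"
        },
    },
}

# Constructed stand-in for the inline JSON 6902 patch in kustomization.yaml.
# The '/' inside the annotation key must be written as '~1' in the pointer.
JSON6902_PATCH = [
    {
        "op": "replace",
        "path": "/metadata/annotations/eks.amazonaws.com~1role-arn",
        "value": "arn:aws:iam::1234:role/production-role",
    }
]


def strategic_merge(base, patch):
    """Map-level merge: patch keys override base keys, nested maps recurse."""
    out = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = strategic_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def parse_json_pointer(pointer):
    """RFC 6901: split on '/', then unescape ~1 -> '/' before ~0 -> '~'."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError("JSON pointer must start with '/'")
    return [tok.replace("~1", "/").replace("~0", "~") for tok in pointer[1:].split("/")]


def apply_json6902(doc, ops):
    """Apply replace/add/remove ops; 'replace' on a missing key is an error (RFC 6902)."""
    out = copy.deepcopy(doc)
    for op in ops:
        tokens = parse_json_pointer(op["path"])
        parent = out
        for tok in tokens[:-1]:
            parent = parent[tok]
        leaf = tokens[-1]
        if op["op"] == "replace":
            if leaf not in parent:
                raise KeyError(f"replace target does not exist: {op['path']}")
            parent[leaf] = copy.deepcopy(op["value"])
        elif op["op"] == "add":
            parent[leaf] = copy.deepcopy(op["value"])
        elif op["op"] == "remove":
            del parent[leaf]
        else:
            raise ValueError(f"unsupported op: {op['op']}")
    return out


# Real AWS account ids are 12 digits; \d+ also accepts the answer's '1234' placeholder.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d+):role/[\w+=,.@/-]+$")


def role_arn_account(doc):
    """Account id from the IRSA annotation of a rendered ServiceAccount, or None."""
    arn = doc.get("metadata", {}).get("annotations", {}).get("eks.amazonaws.com/role-arn", "")
    match = ROLE_ARN_RE.match(arn)
    return match.group(1) if match else None


if __name__ == "__main__":
    rendered = apply_json6902(BASE_SERVICE_ACCOUNT, JSON6902_PATCH)
    assert rendered == strategic_merge(BASE_SERVICE_ACCOUNT, STRATEGIC_MERGE_PATCH)
    print(rendered["metadata"]["annotations"], "account:", role_arn_account(rendered))
```

Both patch styles produce the same rendered document, which is the point larsks makes in the comments: the line count is about the same. The `role_arn_account` check is the kind of post-`kustomize build` assertion worth keeping in CI for each overlay, so a copied patch file cannot quietly bind an environment's ServiceAccount to another account's role.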