Using the Percona XtraDB Helm Operator, running on AWS EKS with IRSA enabled.
How would we specify the Service Account used by the backup process so that the AWS credentials can be injected into the pod when the backup gets run?
Access to the S3 bucket is restricted, and to safely and securely grant access to the S3 bucket without injecting credentials into a Kubernetes secret (or granting the underlying worker node access to the S3 bucket) we want to use the IAM Roles for Service Accounts (IRSA) functionality of EKS.
This means that the backup process needs to be provided with a ServiceAccount to use, which has an annotation on it for an AWS role using:
Having gone through the source of the Operator, we’ve found a fair few undocumented features; being able to specify the service account for backups is one of these, as are the annotations on the actual storage defined.
Which is the correct approach to specify the service account to use for the backups?
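As an added illustration (not part of the original post, and not code from the Percona operator), the following Python builds the two pieces IRSA needs on the AWS/Kubernetes side regardless of how the operator is told which ServiceAccount to use: the ServiceAccount carrying the `eks.amazonaws.com/role-arn` annotation, and the IAM trust policy whose `sub` condition restricts the role to exactly that ServiceAccount in exactly that namespace. It also includes a check that rejects trust policies that are not pinned to one ServiceAccount, which is the scoping mistake that would let other pods in the cluster assume the backup role. The account id, OIDC provider id, namespace, names and bucket are constructed placeholders; the field the operator uses to select the backup ServiceAccount is not shown because the post does not name it.

```python
"""Added example: IRSA artefacts for a backup ServiceAccount plus a scoping check.

All identifiers below (account id, OIDC provider id, namespace, names, bucket)
are constructed placeholders, not values from any real environment.
"""
import json

# Real EKS IRSA annotation; the pod identity webhook reads it and injects
# AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE into pods using the ServiceAccount.
ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"


def service_account_manifest(namespace, name, role_arn):
    """Kubernetes ServiceAccount that the backup pods should run as."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {ROLE_ARN_ANNOTATION: role_arn},
        },
    }


def trust_policy(account_id, oidc_provider, namespace, sa_name):
    """IAM trust policy: only the named ServiceAccount's projected token may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:aud": "sts.amazonaws.com",
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            }},
        }],
    }


def bucket_policy(bucket):
    """Permissions policy limited to the one backup bucket (least privilege)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def trust_policy_scoped_to(policy, oidc_provider, namespace, sa_name):
    """True only if every Allow for AssumeRoleWithWebIdentity pins `sub` (exact match,
    via StringEquals) to this ServiceAccount and pins `aud` to sts.amazonaws.com.
    A policy that relies on StringLike wildcards, or omits the sub condition, fails."""
    want_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    statements = policy.get("Statement", [])
    if not statements:
        return False
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if equals.get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            return False
        if equals.get(f"{oidc_provider}:sub") != want_sub:
            return False
    return True


if __name__ == "__main__":
    provider = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCID"  # placeholder
    tp = trust_policy("111122223333", provider, "pxc", "pxc-backup")
    print(json.dumps(service_account_manifest("pxc", "pxc-backup",
                                              "arn:aws:iam::111122223333:role/pxc-backup"), indent=2))
    print(json.dumps(tp, indent=2))
    print(json.dumps(bucket_policy("example-pxc-backups"), indent=2))
    print("scoped:", trust_policy_scoped_to(tp, provider, "pxc", "pxc-backup"))
```

The ServiceAccount manifest can be applied with `kubectl apply -f` after serialising it, and the trust and permissions policies are the inputs to `aws iam create-role` and `aws iam put-role-policy`; the scoping check is the part worth running against any existing role before pointing the operator's backup pods at it.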