For the benefit of someone stumbling upon this thread, my current workaround is via a ClusterPolicy using Kyverno. The Helm hook is to ensure it installs before anything else, so when the operator spawns a StatefulSet, Kyverno is ready.
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: s3-access-service-account-stateful-set
  annotations:
    policies.kyverno.io/title: Add s3-access service account to operator StatefulSet
    policies.kyverno.io/subject: StatefulSet
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Due to an issue with the percona operator, we can't set the correct service account to the
      pods of the stateful set that make the replica set in order to get s3 access.
      This automation will mutate operator stateful sets.
    # Install the policy before the chart's other resources.
    "helm.sh/hook": pre-install,pre-upgrade
spec:
  rules:
    - name: percona-operator-stateful-sets
      match:
        any:
          - resources:
              kinds:
                - StatefulSet
              # Kyverno matches on labels through selector.matchLabels;
              # resources has no "labels" field.
              selector:
                matchLabels:
                  app.kubernetes.io/managed-by: percona-server-mongodb-operator
      mutate:
        patchStrategicMerge:
          spec:
            template:
              spec:
                serviceAccount: my-service-account
                serviceAccountName: my-service-account
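
One way to check what the policy actually did once it is installed, as an added example that is not part of the original post: the script reads the output of `kubectl get statefulsets -A -o json` and reports operator-managed StatefulSets that did not receive the service account, and StatefulSets outside the policy's label scope that run with it anyway. The label and service account name come from the policy above; the sample objects, the `sts` helper and all namespaces and names are constructed.

```python
import json
import sys

# Label and service account name as used in the policy above.
LABEL_KEY = "app.kubernetes.io/managed-by"
LABEL_VALUE = "percona-server-mongodb-operator"
SERVICE_ACCOUNT = "my-service-account"


def audit(statefulset_list):
    """Classify items from `kubectl get statefulsets -A -o json` output."""
    findings = {"mutated": [], "not_mutated": [], "outside_scope": []}
    for item in statefulset_list.get("items", []):
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace')}/{meta.get('name')}"
        in_scope = (meta.get("labels") or {}).get(LABEL_KEY) == LABEL_VALUE
        pod_spec = item.get("spec", {}).get("template", {}).get("spec", {})
        has_sa = pod_spec.get("serviceAccountName") == SERVICE_ACCOUNT
        if in_scope and has_sa:
            findings["mutated"].append(ref)
        elif in_scope:
            # Operator-managed but created without the mutation being applied.
            findings["not_mutated"].append(ref)
        elif has_sa:
            # Runs with the S3-capable account although the policy should not match it.
            findings["outside_scope"].append(ref)
    return findings


def sts(namespace, name, labels, service_account):
    """Build a constructed, minimal StatefulSet object for the sample below."""
    return {"metadata": {"namespace": namespace, "name": name, "labels": labels},
            "spec": {"template": {"spec": {"serviceAccountName": service_account}}}}


# Constructed sample input; names and namespaces are made up.
SAMPLE = {"items": [
    sts("psmdb", "cluster-rs0", {LABEL_KEY: LABEL_VALUE}, SERVICE_ACCOUNT),
    sts("psmdb", "cluster-cfg", {LABEL_KEY: LABEL_VALUE}, "default"),
    sts("web", "cache", {"app": "cache"}, SERVICE_ACCOUNT),
    sts("monitoring", "prometheus", None, "default"),
]}

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    print(json.dumps(audit(data), indent=2))
```

An entry under `not_mutated` usually means the StatefulSet was created before Kyverno was ready; an entry under `outside_scope` means the service account is in use somewhere the policy's label selector does not cover.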