Status: Merged · Size: S · Change breakdown: Feature 80%, Config 10%, CI/CD 10%

#3429 fix(helm): support webapp serviceAccount annotations for IRSA

Custom service accounts enabled for webapp deployments

Infrastructure operators can now bring their own service accounts or inject custom annotations for webapp deployments, unlocking native AWS IRSA and Workload Identity.

Operators can now bring their own service accounts or inject custom annotations directly through the Helm configuration. This unlocks native cloud integrations like AWS IRSA and Kubernetes Workload Identity, so the webapp can authenticate to cloud resources without out-of-band patching of the service account.

These capabilities are configured entirely within the Kubernetes hosting directory, matching the existing pattern used for supervisor deployments. The Role and RoleBinding are not gated by the service account toggle, so when a custom service account is provided, operators keep control of, and responsibility for, the role-based access control permissions that account holds.

Original GitHub description:

Mirrors the existing supervisor.serviceAccount pattern onto webapp so operators can annotate the SA (IRSA eks.amazonaws.com/role-arn, Workload Identity, etc.) or bring their own SA. Without this, webapp.serviceAccount.annotations isn't exposed and operators have to patch the SA out-of-band.

webapp:
  serviceAccount:
    create: true
    name: ""
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/trigger-webapp

Three pieces, same as supervisor:

  • webapp.serviceAccount.create toggle on the SA block
  • webapp.serviceAccount.annotations + name values
  • trigger-v4.webappServiceAccountName helper, used by the SA, the token-syncer RoleBinding subject, and the Deployment's serviceAccountName

Role + RoleBinding are left unguarded (matching supervisor's shape where rbac.create is a separate toggle from serviceAccount.create) - BYO-SA users take on the responsibility of ensuring the SA they supply has the permissions the RoleBinding grants.

Verified with helm template against default values, an IRSA annotation override, and create: false with a custom name.
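A check a reviewer could run over `helm template` output to confirm the three consumers of the helper agree and to flag the bring-your-own case, where the RoleBinding still targets the supplied account. This is an added example, not code from the PR or the chart; the manifest is constructed and its resource names (`webapp-token-syncer`, `webapp`, `byo-webapp`) are placeholders.

```python
import re

# Constructed sample: the kind of output `helm template` might give with
# webapp.serviceAccount.create=false and name=byo-webapp. Resource names
# are placeholders, not taken from the chart.
RENDERED_BYO = """\
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webapp-token-syncer
roleRef:
  kind: Role
  name: webapp-token-syncer
subjects:
  - kind: ServiceAccount
    name: byo-webapp
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
spec:
  template:
    spec:
      serviceAccountName: byo-webapp
"""

def audit(rendered):
    """Return findings about how the rendered docs reference the webapp SA."""
    created, bound, used = set(), set(), set()
    for doc in re.split(r"^---\s*$", rendered, flags=re.M):
        kind = re.search(r"^kind: (\w+)", doc, re.M)  # top-level kind only
        if not kind:
            continue
        if kind.group(1) == "ServiceAccount":
            created.update(re.findall(r"^metadata:\n(?:  .*\n)*?  name: (\S+)", doc, re.M))
        elif kind.group(1) == "RoleBinding":
            bound.update(re.findall(r"- kind: ServiceAccount\n\s+name: (\S+)", doc))
        elif kind.group(1) == "Deployment":
            used.update(re.findall(r"serviceAccountName: (\S+)", doc))
    findings = []
    if bound != used:
        findings.append(f"mismatch: RoleBinding subjects {sorted(bound)} vs Deployment {sorted(used)}")
    for name in sorted(bound - created):  # SA not rendered by the chart
        findings.append(f"external SA '{name}' receives the chart's Role; review its other bindings")
    return findings

if __name__ == "__main__":
    for line in audit(RENDERED_BYO):
        print(line)
```

An empty result means the chart created the account itself and every reference resolves to it.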
