[dev-v2.8] [rancher-logging] Backport PR #2646, logging account service annotation

[wombelix]

Issue:

Backport of #2646 for Rancher 2.8

Problem

To avoid usage of long-lived credentials or EC2 Instance Profiles and to narrow down the granted permissions, it's best practice for AWS customers to use IAM Roles for Service Accounts (IRSA). In kube-logging and the plugin fluent-plugin-cloudwatch-logs this is in general supported but requires an appropriate serviceAccount annotation in the Logging resource. Every logging resource has it's own service account and therefore requires individual annotations.
Adding them after deploying rancher-logging is possible but more complicated and has the risk to be changed or override with the next Helm run.

Solution

Package patch version bumped based on https://github.com/rancher/charts/tree/dev-v2.9?tab=readme-ov-file#versioning-charts

I added a new value loggingServiceAccountAnnotations to add annotations based on the logging resource, usage:

## Syntax ##
#  <logging-name>:
#    <key>: <value>
#
## Example ##
#
#  root:
#    eks.amazonaws.com/role-arn: <RoleARN>
#
## Result - added to the Logging resource ##
#
#  spec:
#    fluentd:
#      serviceAccount:
#        metadata:
#          annotations:
#            eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-iam-role
#

My use case is limited to Amazon EKS, therefore I only added logic for the root and eks logging to use the values configured via loggingServiceAccountAnnotations. But for sure, this can be extended if required.

Testing

Engineering Testing

Manual Testing

Done as part of #2646

Automated Testing

QA Testing Considerations

Regressions Considerations

Backporting considerations

[github-actions]

Validation steps

• Ensure all container images have repository and tag on the same level to ensure that all container images are included in rancher-images.txt which are used by airgap customers.

  Ex:-
    longhorn-controller:
      repository: rancher/hardened-sriov-cni
      tag: v2.6.3-build20230913
  

• Add a 👍 (thumbs up) reaction to this comment once done. CI won't pass without this reaction to the github-action bot's latest validation comment.
• Approve the PR to run the CI check.

[wombelix]

@joshmeranda backport of the rancher-logging PR for logging sa annotation support as discussed by mail. My understanding of https://github.com/rancher/charts/tree/dev-v2.9?tab=readme-ov-file#versioning-charts is that the patch version has to be bumped as part of it. The rest is a cherry-pick from #2646. Looking forward to your feedback.

@kevinayres FYI

[nicholasSUSE]

Hello, we have improved the Charts documentation regarding Pull Request Rules.

Please take a look at it before making any new Pull Requests.
We are still approving Pull Requests and starting to inform all teams, soon we will require the standard in the documentation.

https://github.com/rancher/charts?tab=readme-ov-file#pull-request-rules

[wombelix]

@nicholasSUSE thanks for approving, is anything else required from me to merge the PR?
I see that #3731 cause a conflict now. Taking a look into the related issue rancher/rancher#44727 I wonder if that means I should backport on top of rancher-logging-103.1.0-rc1+up4.4.0 instead?

@joshmeranda I see you worked on the related PR, tagging you for feedback.

[kevinayres]

Is anything blocking this merge? Can we have action please? Thanks

[kevinayres]

@nicholasSUSE - error is "Error: The latest validation comment by github-actions[bot] does not have the required thumbs-up reaction!". Is there something you need from Dominic or can this be merged? It's been dormant a while now. Thank you.