Fix portainer-agent chart ServiceAccount naming [PLA-709] #18

Open
yajith wants to merge 2 commits into main from fix/pla-709/agent-chart-sa

yajith (Member) commented Apr 24, 2026

Summary

  • The unified portainer-agent helm chart was using the fullname helper for ServiceAccount/ClusterRoleBinding naming, producing names like portainer-agent instead of portainer-sa-clusteradmin
  • This caused kubectl-shell to fail on edge agent clusters (proxmox clusters 2 & 3) where no server chart is present to create the expected SA
  • The legacy agent, edge, and edge-async charts all defaulted to portainer-sa-clusteradmin — the unified chart missed this

Changes

  • Default serviceAccount.name to portainer-sa-clusteradmin in values.yaml
  • Use serviceAccountName helper (already existed in _helpers.tpl) in serviceaccount.yaml, rbac.yaml, and deployment.yaml
  • Name ClusterRoleBinding as portainer-sa-clusteradmin-crb (matches portainer-crb- cleanup pattern)
  • Add container port 80 for edge/edge-async modes (matching official manifest)

Companion PR

  • portainer/internal-platforms — disables SA creation where server chart already provides it

Test plan

  • helm template dry-run for agent, edge, and edge-async modes confirms SA named portainer-sa-clusteradmin
  • helm template with serviceAccount.create=false produces no SA/CRB but deployment still references portainer-sa-clusteradmin
  • Deploy on proxmox kubernetes TIA — verify kubectl-shell works on edge agent environments
  • Deploy on vSphere — verify no helm ownership conflicts with companion PR

@yajith yajith requested a review from a team as a code owner April 24, 2026 04:26
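
The first two test-plan checks above can be scripted against rendered `helm template` output. This is an added example, not code from the pull request or the chart; the function names and the trimmed sample manifests are constructed for illustration, and the parsing assumes block-style YAML with unquoted names.

```python
import re

EXPECTED_SA = "portainer-sa-clusteradmin"       # default SA name stated in the PR
EXPECTED_CRB = "portainer-sa-clusteradmin-crb"  # CRB name stated in the PR

def _find(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check_rendered(rendered, sa_created=True):
    """Return problems found in `helm template` output; an empty list means OK."""
    sas, crbs, refs = [], {}, []
    for doc in re.split(r"(?m)^---[ \t]*$", rendered):
        kind = _find(r"^kind:\s*(\S+)", doc)
        # metadata.name only: roleRef and subjects also carry 'name:' keys
        name = _find(r"^metadata:[ \t]*\n(?: +.*\n)*? {2}name:\s*(\S+)", doc)
        if kind == "ServiceAccount":
            sas.append(name)
        elif kind == "ClusterRoleBinding":
            subjects = _find(r"^subjects:[ \t]*\n((?:[ -].*\n?)*)", doc) or ""
            crbs[name] = re.findall(r"\bname:\s*(\S+)", subjects)
        elif kind == "Deployment":
            refs.append(_find(r"^\s+serviceAccountName:\s*(\S+)", doc))
    problems = [f"Deployment uses SA {r!r}" for r in refs if r != EXPECTED_SA]
    if not refs:
        problems.append("no Deployment rendered")
    if sa_created:
        if sas != [EXPECTED_SA]:
            problems.append(f"ServiceAccounts rendered: {sas}")
        if EXPECTED_SA not in crbs.get(EXPECTED_CRB, []):
            problems.append(f"{EXPECTED_CRB} missing or not bound to {EXPECTED_SA}")
    elif sas or crbs:
        problems.append("SA/CRB rendered although serviceAccount.create=false")
    return problems

# Constructed, trimmed sample of rendered output (not the chart's real output).
SA = "kind: ServiceAccount\nmetadata:\n  name: portainer-sa-clusteradmin\n"
CRB = ("kind: ClusterRoleBinding\nmetadata:\n  name: portainer-sa-clusteradmin-crb\n"
       "roleRef:\n  name: example-role\nsubjects:\n- kind: ServiceAccount\n"
       "  name: portainer-sa-clusteradmin\n")
DEPLOY = ("kind: Deployment\nmetadata:\n  name: portainer-agent\nspec:\n"
          "  template:\n    spec:\n      serviceAccountName: portainer-sa-clusteradmin\n")

if __name__ == "__main__":
    print(check_rendered("---\n".join([SA, CRB, DEPLOY])))   # serviceAccount.create=true
    print(check_rendered(DEPLOY, sa_created=False))          # serviceAccount.create=false
```

To check a real render, pass the text produced by `helm template` to `check_rendered`, with `sa_created=False` for the `serviceAccount.create=false` case.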
linear Bot commented Apr 24, 2026

yajith and others added 2 commits April 24, 2026 20:17
…count [PLA-709]

The unified portainer-agent chart was using the fullname helper for
ServiceAccount naming, producing names like 'portainer-agent' instead of
'portainer-sa-clusteradmin'. This caused kubectl-shell to fail on edge
agent clusters where no server chart is present to create the expected SA.

- Default serviceAccount.name to portainer-sa-clusteradmin in values.yaml
- Use serviceAccountName helper in serviceaccount.yaml, rbac.yaml, deployment.yaml
- Name ClusterRoleBinding as portainer-sa-clusteradmin-crb
- Add container port 80 for edge/edge-async modes (matching official manifest)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@yajith yajith force-pushed the fix/pla-709/agent-chart-sa branch from c8fb317 to 5e73fd4 Compare April 24, 2026 08:21