Service account is not propagated to Medusa standalone deployment #1294

Open
c3-clement opened this issue Apr 19, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@c3-clement
Contributor

c3-clement commented Apr 19, 2024

What happened?

The Medusa standalone deployment is using the default service account.

For AWS role-based auth, that means that the default service account needs to be properly annotated and needs to be properly bound with the AWS IAM role.
Therefore, any pods created without a SA specified will be granted AWS permissions.
This is against the least privilege principle.

Did you expect to see something different?

I expect the Medusa standalone deployment's service account to be set to the value K8ssandraCluster.cassandra.serviceAccount.

How to reproduce it (as minimally and precisely as possible):

Create a k8ssandra cluster with medusa enabled and a non-default service account.

Environment

  • K8ssandra Operator version:
    1.15
  • Kubernetes version information:
    1.29
  • Kubernetes cluster kind:
    EKS

┆Issue is synchronized with this Jira Story by Unito
┆Issue Number: K8OP-31
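
One way to check a cluster for the exposure described in this report, as an added example that is not part of the issue or of the k8ssandra project's code: it lists workloads that fall back to a `default` ServiceAccount carrying an IAM role. It assumes the role binding is the EKS `eks.amazonaws.com/role-arn` annotation and that input is shaped like `kubectl get sa,deploy,sts -o json` items; every object name, the namespace and the role ARN are constructed.

```python
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # EKS annotation binding a ServiceAccount to an IAM role
WORKLOADS = ("Pod", "Deployment", "StatefulSet", "DaemonSet")

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload's pod template."""
    spec = obj.get("spec") or {}
    return spec if obj["kind"] == "Pod" else (spec.get("template") or {}).get("spec") or {}

def audit(items):
    """Return (namespace, kind, name, role_arn) for workloads that fall back to an
    IAM-annotated 'default' ServiceAccount."""
    risky = {}  # namespace -> role ARN on that namespace's default ServiceAccount
    for o in items:
        meta = o["metadata"]
        if o["kind"] == "ServiceAccount" and meta["name"] == "default":
            arn = (meta.get("annotations") or {}).get(IRSA_ANNOTATION)
            if arn:
                risky[meta.get("namespace", "default")] = arn
    findings = []
    for o in items:
        ns = o["metadata"].get("namespace", "default")
        if o["kind"] in WORKLOADS and ns in risky:
            # An unset serviceAccountName means Kubernetes assigns 'default'.
            if (pod_spec(o).get("serviceAccountName") or "default") == "default":
                findings.append((ns, o["kind"], o["metadata"]["name"], risky[ns]))
    return findings

def sample_obj(kind, name, sa=None, annotations=None):
    """Build a constructed object shaped like `kubectl get ... -o json` items."""
    obj = {"kind": kind, "metadata": {"name": name, "namespace": "k8ssandra", "annotations": annotations}}
    if kind != "ServiceAccount":
        obj["spec"] = {"template": {"spec": {"serviceAccountName": sa} if sa else {}}}
    return obj

ROLE = "arn:aws:iam::111122223333:role/example-backup-role"  # constructed placeholder
SAMPLE = [
    sample_obj("ServiceAccount", "default", annotations={IRSA_ANNOTATION: ROLE}),
    sample_obj("ServiceAccount", "cassandra-sa", annotations={IRSA_ANNOTATION: ROLE}),
    sample_obj("StatefulSet", "demo-dc1-sts", sa="cassandra-sa"),
    sample_obj("Deployment", "demo-dc1-medusa-standalone"),  # no serviceAccountName set
    sample_obj("Deployment", "unrelated-app"),               # also inherits the role
]

if __name__ == "__main__":
    for ns, kind, name, arn in audit(SAMPLE):
        print(f"{ns}/{kind}/{name} runs as 'default' and inherits {arn}")
```

An empty result means no workload in the input inherits an IAM role through the `default` ServiceAccount.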

@c3-clement c3-clement added the bug Something isn't working label Apr 19, 2024
@adejanovski
Contributor

We'll most probably remove the Medusa standalone pod altogether shortly as part of this issue.

@c3-clement
Contributor Author

> We'll most probably remove the Medusa standalone pod altogether shortly as part of this issue.

makes sense

@L1ghtman2k

@adejanovski do you know what the guidelines are on removing the Medusa standalone pod after a k8ssandra upgrade?

Would it be sufficient to clean up just the deployment? (My expectation was for the operator to remove it as part of an upgrade, but I can't seem to find docs suggesting that we should do the cleanup on our own.)

@adejanovski
Contributor

Yes, I dropped the ball when implementing its removal. Just delete the deployment and it won't get recreated.
Sorry about this.
