Issues with KIC upgrade from v1.3.4 -> v2.0.x

Questions
1

Hi,

We are in the process of upgrading Kong Ingress Controller on GKE 1.21 from KIC 1.3.4 (Helm Chart 2.3.0) to KIC 2.0.x (Helm Chart 2.4.0), and the instructions around the changed ServiceAccount configuration (charts/charts/kong/UPGRADE.md at main · Kong/charts · GitHub) has us confused a bit.

Our current KIC 1.3.4 (Helm Chart 2.3.0) values-test.yaml section related to serviceAccount has:

ingressController:
  enabled: true
  image:
    repository: kong/kubernetes-ingress-controller
    tag: "1.3"
  serviceAccount:
    create: true
    annotations:
      iam.gke.io/gcp-service-account: svc-acct@some-project.iam.gserviceaccount.com

We plan to do:

First, pin the controller version and upgrade to chart 2.4.0:
$ helm upgrade --wait \
  --set ingressController.image.tag=1.3 \
  --version 2.4.0 \
  --namespace test \
  -f values-test.yaml \
  kong-test kong/kong

Second, temporarily disable the ingress controller:
$ helm upgrade --wait \
  --set ingressController.enabled=false \
  --set deployment.serviceaccount.create=true \
  --version 2.4.0 \
  --namespace test \
  -f values-test.yaml \
  kong-test kong/kong

Finally, re-enable the ingress controller at the new version:
$ helm upgrade --wait \
  --set ingressController.enabled=true \
  --set ingressController.image.tag=2.0 \
  --version 2.4.0 \
  --namespace test \
  -f values-test.yaml \
  kong-test kong/kong

The instructions
(charts/charts/kong/UPGRADE.md at main · Kong/charts · GitHub) says that we need to move ingressController.serviceAccount to deployment.serviceAccount and we can do that in the values-test.yaml.

What we are not clear on is:

The chart now creates a ServiceAccount by default. When enabled, 
upgrade migration hooks require the ServiceAccount, but Helm will 
not create it before the hooks run, and the migration jobs will fail. 
To avoid this, first perform an initial chart upgrade that does not 
update the Kong image version and sets 
migrations.preUpgrade=false and migrations.postUpgrade=false. 
This will create the account for future upgrades, and you can 
re-enable migrations and upgrade your Kong version after.

Since we are already creating a serviceAccount in values-test.yaml, do we still need to set: migrations.preUpgrade=false and migrations.postUpgrade=false in the first upgrade command where it does not update the Kong image?

Thanks in advance for your help!