cloudfoundry-incubator / fissile

Turn a BOSH release into container images / files
Apache License 2.0
67 stars 36 forks source link

CAP-106 Skip validation of templated service account names #503

Closed jandubois closed 5 years ago

jandubois commented 5 years ago

This allows the user to "tunnel through" a template expression to select the service account at deployment time based on the enabled features, e.g.

service-account: '{{if .Values.enable.feature}}feature{{else}}default{{end}}'

Any service account name generated by the template expression must also be used by at least one role in the chart unconditionally because will will not emit definitions for service account that are not used by the chart at all (normally only the service accounts for the tests).

cfdreddbot commented 5 years ago

:white_check_mark: Hey jandubois! The commit authors and yourself have already signed the CLA.

jandubois commented 5 years ago

Is this necessary? Can we just have another "post-deployment-setup" for Eirini only?

It is not necessary, we can duplicate the post-deployment setup job, but Satadru and I considered the role duplication worse than adding this mechanism because duplicated configuration will inevitably get out of sync over time (see also CAP-106).

The right solution would be to have a separate post-deployment-setup role specifically for eirini and not mix it in with the general post-deployment. That way it can be guarded by a if_feature: eirini gate and have its own service account. That would be my preferred solution if you are willing to implement it.

If we have to implement this mechanism, is it possible to make it more generic? i.e. bring the ability to shortcut to rendering for any value

The mechanism already "works" for any value, at least in principle. This PR just disables validation for the templated service account (and prevents it from being created). This additional logic is specific to the particular setting and cannot be generalized with reasonable effort.

jandubois commented 5 years ago

The right solution would be to have a separate post-deployment-setup role specifically for eirini and not mix it in with the general post-deployment.

This is being implemented by https://github.com/SUSE/scf/pull/2470