Closed jandubois closed 5 years ago
:white_check_mark: Hey jandubois! The commit authors and yourself have already signed the CLA.
Is this necessary? Can we just have another "post-deployment-setup" for Eirini only?
It is not necessary, we can duplicate the post-deployment setup job, but Satadru and I considered the role duplication worse than adding this mechanism because duplicated configuration will inevitably get out of sync over time (see also CAP-106).
The right solution would be to have a separate post-deployment-setup role specifically for eirini and not mix it in with the general post-deployment. That way it can be guarded by a if_feature: eirini
gate and have its own service account. That would be my preferred solution if you are willing to implement it.
If we have to implement this mechanism, is it possible to make it more generic? i.e. bring the ability to shortcut to rendering for any value
The mechanism already "works" for any value, at least in principle. This PR just disables validation for the templated service account (and prevents it from being created). This additional logic is specific to the particular setting and cannot be generalized with reasonable effort.
The right solution would be to have a separate post-deployment-setup role specifically for eirini and not mix it in with the general post-deployment.
This is being implemented by https://github.com/SUSE/scf/pull/2470
This allows the user to "tunnel through" a template expression to select the service account at deployment time based on the enabled features, e.g.
Any service account name generated by the template expression must also be used by at least one role in the chart unconditionally because will will not emit definitions for service account that are not used by the chart at all (normally only the service accounts for the tests).