open-policy-agent / kube-mgmt

Sidecar for managing OPA instances in Kubernetes.
Apache License 2.0

Add template for ServiceAccount annotations #239

Closed crdueck closed 10 months ago

crdueck commented 10 months ago

ServiceAccount annotations are needed to support web identity credentials: https://www.openpolicyagent.org/docs/latest/management-bundles/#web-identity-credentials

crdueck commented 10 months ago

I added a simple unit test for the serviceaccount annotations, but I'm less sure what to do about the values schema and linting you asked for.

The only example of schema & linting I found was for the image field, which makes sense because it has required sub-fields image.{repository,tag}. Whereas annotations aren't required and can have arbitrary sub-fields. My motivating use case just happens to be the IRSA role annotation.

So, could you help me better understand what you would want to see for annotations schema and linting?

eshepelyuk commented 10 months ago

I added a simple unit test for the serviceaccount annotations, but I'm less sure what to do about the values schema and linting you asked for.

The only example of schema & linting I found was for the image field, which makes sense because it has required sub-fields image.{repository,tag}. Whereas annotations aren't required and can have arbitrary sub-fields. My motivating use case just happens to be the IRSA role annotation.

So, could you help me better understand what you would want to see for annotations schema and linting?

Hello

  1. schema must reflect/describe the entire structure of values.yaml. It was recently introduced, so it's kinda empty, but it's assumed it will be improved with time.
  2. annotations are not arbitrary values, it is a dictionary of string to string and this can be described via json schema. Also in the schema one can point out that the service account annotation by default is an empty dictionary.

You can use this as an example

https://github.com/eshepelyuk/cmak-operator/blob/master/values.schema.json
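As an added illustration of the two points above (this is not the schema from the PR or from the linked cmak-operator chart), a values.schema.json fragment that types serviceAccount.annotations as a string-to-string map defaulting to an empty object; the IRSA role-arn key is only an example value, and the ACCOUNT_ID/ROLE_NAME parts are placeholders:

```json
{
  "$schema": "https://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "serviceAccount": {
      "type": "object",
      "description": "Example fragment added for illustration; only the annotations field is described here.",
      "properties": {
        "annotations": {
          "type": "object",
          "description": "Free-form keys, but every value must be a string (Kubernetes metadata.annotations is map[string]string).",
          "default": {},
          "additionalProperties": { "type": "string" },
          "examples": [
            {
              "eks.amazonaws.com/role-arn": "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
            }
          ]
        }
      }
    }
  }
}
```

Helm 3 validates the supplied values against values.schema.json during helm lint and helm install/upgrade, so a non-string annotation value (for example a bare integer) is rejected before the ServiceAccount manifest is rendered.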

crdueck commented 10 months ago

I added a schema for the serviceAccount values and a lint check for the annotations. Rebased and squashed as well.

eshepelyuk commented 10 months ago

Thanks for the contribution. Will be available in 8.5.3.

https://github.com/open-policy-agent/kube-mgmt/actions/runs/6748036699