cirocosta
commented
2 years ago ps.: in case someone would want to add this to the current release making use of an overlay:
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")
#@overlay/match by=overlay.subset({"kind":"ClusterSupplyChain"}),expects="1+"
---
spec:
#@overlay/match missing_ok=True
serviceAccountRef:
#@overlay/match missing_ok=True
name: #@ data.values.service_accountala
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: Package
metadata:
name: cartographer-catalog.community.tanzu.vmware.com.0.3.0
spec:
refName: cartographer-catalog.community.tanzu.vmware.com
releasedAt: "2022-04-13T17:50:24Z"
template:
spec:
deploy:
- kapp: {}
fetch:
- imgpkgBundle:
image: projects.registry.vmware.com/tce/cartographer@sha256:1657d88fc1d1492af7d92f12f9b3851342f6b5f119901057b7251c441192c83a
template:
- ytt:
ignoreUnknownComments: true
inline:
paths:
default-service-account.yaml: |
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")
#@overlay/match by=overlay.subset({"kind":"ClusterSupplyChain"}),expects="1+"
---
spec:
#@overlay/match missing_ok=True
serviceAccountRef:
#@overlay/match missing_ok=True
name: #@ data.values.service_account
paths:
- config
- kbld:
paths:
- .imgpkg/images.yml
- '-'
# ...for a carvel package
problem description
in the current supplychain, we're passing the default
service_accountdata value toparams, but not tosupplychain.spec.serviceAccountRef, which has the effect of keeping the use ofdefaultas the serviceaccount when it comes to permissions for the controller, but still passing down to the children objects the one that goes via params.proposed solution
update
supplychain.spec.serviceaccountrefto point at the same serviceaccount name as the one configured in the package values.