Open cirocosta opened 2 years ago
ps.: in case someone would want to add this to the current release making use of an overlay:
```yaml
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")

#@overlay/match by=overlay.subset({"kind":"ClusterSupplyChain"}),expects="1+"
---
spec:
  #@overlay/match missing_ok=True
  serviceAccountRef:
    #@overlay/match missing_ok=True
    name: #@ data.values.service_account
```
ala
```yaml
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: Package
metadata:
  name: cartographer-catalog.community.tanzu.vmware.com.0.3.0
spec:
  refName: cartographer-catalog.community.tanzu.vmware.com
  releasedAt: "2022-04-13T17:50:24Z"
  template:
    spec:
      deploy:
      - kapp: {}
      fetch:
      - imgpkgBundle:
          image: projects.registry.vmware.com/tce/cartographer@sha256:1657d88fc1d1492af7d92f12f9b3851342f6b5f119901057b7251c441192c83a
      template:
      - ytt:
          ignoreUnknownComments: true
          inline:
            paths:
              default-service-account.yaml: |
                #@ load("@ytt:overlay", "overlay")
                #@ load("@ytt:data", "data")

                #@overlay/match by=overlay.subset({"kind":"ClusterSupplyChain"}),expects="1+"
                ---
                spec:
                  #@overlay/match missing_ok=True
                  serviceAccountRef:
                    #@overlay/match missing_ok=True
                    name: #@ data.values.service_account
          paths:
          - config
      - kbld:
          paths:
          - .imgpkg/images.yml
          - '-'
  # ...
```
for a carvel package
problem description

in the current supplychain, we're passing the default `service_account` data value to `params`, but not to `supplychain.spec.serviceAccountRef`, which has the effect of keeping the use of `default` as the serviceaccount when it comes to permissions for the controller, but still passing down to the children objects the one that goes via params.

proposed solution

update `supplychain.spec.serviceaccountref` to point at the same serviceaccount name as the one configured in the package values.
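
A check for the mismatch described in this issue, as an added example that is not part of the original post or the project's code: it reads ClusterSupplyChain objects as JSON and reports those where the account the controller uses differs from the one passed to children via params. The param name `serviceAccount`, the account names and the sample manifests are constructed assumptions.

```python
import json

# Constructed sample in the shape of `kubectl get clustersupplychain -o json`.
# The param name "serviceAccount" and all account names are assumptions.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterSupplyChain", "metadata": {"name": "no-ref"},
  "spec": {"params": [{"name": "serviceAccount", "default": "workload-sa"}]}},
 {"kind": "ClusterSupplyChain", "metadata": {"name": "mismatch"},
  "spec": {"serviceAccountRef": {"name": "other-sa"},
           "params": [{"name": "serviceAccount", "value": "workload-sa"}]}},
 {"kind": "ClusterSupplyChain", "metadata": {"name": "aligned"},
  "spec": {"serviceAccountRef": {"name": "workload-sa"},
           "params": [{"name": "serviceAccount", "default": "workload-sa"}]}},
 {"kind": "ClusterSupplyChain", "metadata": {"name": "no-param"},
  "spec": {"params": []}}
]}
""")


def children_account(spec, param_name):
    """Service account name handed down to child objects via spec.params."""
    for param in spec.get("params") or []:
        if param.get("name") == param_name:
            # A param carries its content in either `value` or `default`.
            return param.get("value", param.get("default"))
    return None


def audit(doc, param_name="serviceAccount"):
    """Return (supply chain, controller account, children account) mismatches."""
    findings = []
    for item in doc.get("items", []):
        if item.get("kind") != "ClusterSupplyChain":
            continue
        spec = item.get("spec") or {}
        children = children_account(spec, param_name)
        if children is None:
            continue  # no account passed via params, nothing to compare
        # Without serviceAccountRef the controller keeps using `default`.
        controller = (spec.get("serviceAccountRef") or {}).get("name") or "default"
        if controller != children:
            findings.append((item["metadata"]["name"], controller, children))
    return findings


if __name__ == "__main__":
    for name, controller, children in audit(SAMPLE):
        print(f"{name}: controller uses {controller!r}, children get {children!r}")
```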