If an app dev provides a service account in the workload, it supersedes the service account provided in the supply chain. This leads to more configuration than necessary, particularly in the case of a supply chain leveraging options to choose between templates.
Scenario:
A supply chain that has a default path of N steps. The supply chain author creates a service account with permission to stamp out the N resources. The supply chain then leverages options to allow a given step to stamp out a new resource type. Now there must be either a second service account available or the original service account must have an additional role added that won't be used by most workloads.
Instead, the supply chain could provide a service account that provides roles to manage all the common resources in the supply chain. And the workload can provide a service account with roles to manage the unique resources they will create.
Proposed solution
Given a supply chain that provides a service account with roles to manage resource type A
And a workload that provides a service account to manage resource type B
When the supply chain steps attempt to stamp out objects of type A and B
Then both objects are successfully created
Description of problem
The order of precedence of service accounts is described in our documentation: https://cartographer.sh/docs/v0.3.0/authentication/
Proposed solution
Example
Both objects should successfully create.
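The least-privilege split described above, written out as Kubernetes RBAC. This is an added example, not configuration from the Cartographer project; the namespace, service account names, API groups, resource names and verb list are placeholders standing in for "type A" and "type B". With the precedence described above, where the workload's service account supersedes the supply chain's, this split only works if the proposed behaviour is adopted; otherwise the workload's account would also need the type A rules.

```yaml
# Constructed example: names, namespace, API groups and verbs are assumptions.
# Supply chain author's service account: common resource type A only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: supply-chain-common
  namespace: dev
rules:
  - apiGroups: ["a.example.com"]
    resources: ["typeas"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: supply-chain-common
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: supply-chain-common
subjects:
  - kind: ServiceAccount
    name: supply-chain-sa
    namespace: dev
---
# Workload's service account: the unique resource type B only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workload-unique
  namespace: dev
rules:
  - apiGroups: ["b.example.com"]
    resources: ["typebs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workload-unique
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workload-unique
subjects:
  - kind: ServiceAccount
    name: workload-sa
    namespace: dev
```

Neither account can touch the other's resource type, so a workload that opts into the extra template does not widen the permissions every other workload on the supply chain runs with.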