vshn / appcat-service-postgresql

AppCat Service Provider for PostgreSQL
https://vshn.github.io/appcat-service-postgresql/
BSD 3-Clause "New" or "Revised" License

Set explicit RBAC rules for provider-helm instead of cluster-admin #63

Closed ccremer closed 2 years ago

ccremer commented 2 years ago

Summary

The provider-helm by default has only essential RBAC permissions for accessing CRDs in 'helm.crossplane.io'. It cannot deploy additional resources. In order to grant those additional permissions, we previously granted the cluster-admin role. This is suboptimal as that grants more than necessary. Now we give only the required permissions and set a dedicated service account.

The reason we create a new service account (instead of granting/aggregating additional permissions) is that the service account managed by Crossplane has a name with some hash value. This value is difficult to guess and makes deployment via ArgoCD impossible, since ArgoCD would have to somehow discover this name. I've read Design Doc RBAC manager, but AFAICT there's no way for platform operators to aggregate to the provider's service account. Luckily the ControllerConfig allows us to set a different service account name.

Note: This currently only affects the local environment with kind, since the operator basically expects that provider-helm has all necessary permissions to deploy charts. However, in tutorials or in component-crossplane we need to grant those additional permissions as well (outside of scope here).

Checklist
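The setup described in the PR summary, as an added example that is not code from the appcat-service-postgresql repository: a predictably named service account for provider-helm, an explicit ClusterRole bound to it instead of cluster-admin, and a ControllerConfig that makes Crossplane run the provider with that account. The names, the namespace, the package reference and the resource list in the ClusterRole are assumptions for illustration; the page does not state which rules the project ended up with.

```yaml
# Added example, not code from the appcat-service-postgresql repository.
# Names, namespace and the resource list are assumptions for illustration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: provider-helm            # fixed name, no hash suffix, so ArgoCD can reference it
  namespace: crossplane-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: provider-helm-deployer
rules:
  # Only what the deployed charts create; no wildcards, no escalate/bind.
  - apiGroups: [""]
    resources: [configmaps, secrets, services, serviceaccounts, persistentvolumeclaims]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [apps]
    resources: [deployments, statefulsets]
    verbs: [get, list, watch, create, update, patch, delete]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: provider-helm-deployer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: provider-helm-deployer
subjects:
  - kind: ServiceAccount
    name: provider-helm
    namespace: crossplane-system
---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: provider-helm
spec:
  serviceAccountName: provider-helm   # run the provider as the pre-created account
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-helm
spec:
  package: REGISTRY/provider-helm:VERSION   # placeholder; use the pinned package
  controllerConfigRef:
    name: provider-helm
```

Before relying on it, confirm the account has what the charts need and nothing more, for example with `kubectl auth can-i --list --as=system:serviceaccount:crossplane-system:provider-helm`, and check that the provider's own helm.crossplane.io permissions still apply to the new account after the switch.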