fix(rbac): add list/watch/update verbs for serviceaccounts and create…#7
Merged
… builder SA in operator namespace

The controller-runtime cache requires list+watch to set up informers for ServiceAccounts. CreateOrUpdate also needs the update verb. Adds a Helm template to pre-create the builder SA in the operator namespace with the IRSA annotation when build.roleArn is set.

…make helm

The helm-generator was cleaning all templates on each run, so the manually created serviceaccount-operator-builder.yaml was deleted by CI. Added an addBuilderServiceAccount step to the generator so it produces the conditional Helm template. Also updated config/rbac/role.yaml with list/watch/update verbs so make helm generates the correct ClusterRole.
Summary by cubic
Fixes ServiceAccount RBAC so the controller-runtime cache can list/watch and CreateOrUpdate can update SAs. Adds a Helm template (and generator step) to pre-create the builder ServiceAccount with optional IRSA, and restores CRDs to CI controller-gen v0.18.0.

Bug Fixes
- list, watch, and update on core serviceaccounts to the operator manager role; update kubebuilder markers and Helm ClusterRole templates so make helm generates the correct RBAC.
- controller-gen v0.18.0; minor lint cleanup after extracting the ensureServiceAccount helper.

New Features
- chart/templates/serviceaccount-builder.yaml to optionally create the builder ServiceAccount with eks.amazonaws.com/role-arn when build.roleArn is set.
- hack/helm-generator to emit the builder SA template during make helm.

Written for commit a67717b. Summary will update on new commits.
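
An added example, not code from this pull request: a Go check of the reasoning in the description, that the operator role needs list and watch on core serviceaccounts for the cache informer and update for CreateOrUpdate. It also reports verbs granted beyond that set. The PolicyRule struct, the Audit function, the sample rule, and the assumption that get and create were already granted are illustrative and not taken from the project.

```go
package main

import (
	"fmt"
	"sort"
)

// PolicyRule mirrors the rbac/v1 PolicyRule fields this check needs.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// Required: list+watch (cache informer), update (CreateOrUpdate); get and create are assumed.
var Required = []string{"create", "get", "list", "update", "watch"}

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// Audit returns required verbs that no rule grants, and granted verbs outside Required.
func Audit(rules []PolicyRule, group, resource string) (missing, extra []string) {
	granted := map[string]bool{}
	for _, r := range rules {
		if has(r.APIGroups, group) && has(r.Resources, resource) {
			for _, v := range r.Verbs {
				granted[v] = true
			}
		}
	}
	for _, v := range Required {
		if !granted[v] && !granted["*"] {
			missing = append(missing, v)
		}
	}
	for v := range granted {
		if !has(Required, v) {
			extra = append(extra, v)
		}
	}
	sort.Strings(extra)
	return missing, extra
}

func main() {
	// Constructed sample rule, not the project's config/rbac/role.yaml.
	before := []PolicyRule{{[]string{""}, []string{"serviceaccounts"}, []string{"create", "get"}}}
	fmt.Println(Audit(before, "", "serviceaccounts")) // missing verbs, then extra verbs
}
```

Running such a check over the rendered ClusterRole in CI catches both a role that is too narrow for the informer and one that was widened with a wildcard to make the error go away.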