diff --git a/content/master/concepts/providers.md b/content/master/concepts/providers.md index 591d009e..f1d99e0d 100644 --- a/content/master/concepts/providers.md +++ b/content/master/concepts/providers.md @@ -766,6 +766,22 @@ spec: name: my-service-account ``` + +{{}} +Setting the `serviceAccountTemplate.metadata.name` field will override the +name of service account created by the package manager and used in the +provider deployment. The package manager will own that service account and +may conflict with other owners attempting to take ownership. A common mistake +is configuring the same service account for multiple packages in this way +which ends up causing frequent reconciliation loops and loads on the API server. + +If you just want to use an existing service account, you should instead only +set the `deploymentTemplate.spec.template.spec.serviceAccountName` field. +Crossplane will then use the existing service account without taking the ownership +and still take care of binding the necessary permissions. +{{}} + + ### Provider configuration The `ProviderConfig` determines settings the Provider uses communicating to the diff --git a/content/v1.15/concepts/providers.md b/content/v1.15/concepts/providers.md index 591d009e..f1d99e0d 100644 --- a/content/v1.15/concepts/providers.md +++ b/content/v1.15/concepts/providers.md 
@@ -766,6 +766,22 @@ spec: name: my-service-account ``` + +{{}} +Setting the `serviceAccountTemplate.metadata.name` field will override the +name of service account created by the package manager and used in the +provider deployment. The package manager will own that service account and +may conflict with other owners attempting to take ownership. A common mistake +is configuring the same service account for multiple packages in this way +which ends up causing frequent reconciliation loops and loads on the API server. + +If you just want to use an existing service account, you should instead only +set the `deploymentTemplate.spec.template.spec.serviceAccountName` field. +Crossplane will then use the existing service account without taking the ownership +and still take care of binding the necessary permissions. +{{}} + + ### Provider configuration The `ProviderConfig` determines settings the Provider uses communicating to the diff --git a/content/v1.16/concepts/providers.md b/content/v1.16/concepts/providers.md index 591d009e..f1d99e0d 100644 --- a/content/v1.16/concepts/providers.md +++ b/content/v1.16/concepts/providers.md 
@@ -766,6 +766,22 @@ spec: name: my-service-account ``` + +{{}} +Setting the `serviceAccountTemplate.metadata.name` field will override the +name of service account created by the package manager and used in the +provider deployment. The package manager will own that service account and +may conflict with other owners attempting to take ownership. A common mistake +is configuring the same service account for multiple packages in this way +which ends up causing frequent reconciliation loops and loads on the API server. + +If you just want to use an existing service account, you should instead only +set the `deploymentTemplate.spec.template.spec.serviceAccountName` field. +Crossplane will then use the existing service account without taking the ownership +and still take care of binding the necessary permissions. +{{}} + + ### Provider configuration The `ProviderConfig` determines settings the Provider uses communicating to the diff --git a/content/v1.17/concepts/providers.md b/content/v1.17/concepts/providers.md index 591d009e..f1d99e0d 100644 --- a/content/v1.17/concepts/providers.md +++ b/content/v1.17/concepts/providers.md 
@@ -766,6 +766,22 @@ spec: name: my-service-account ``` + +{{}} +Setting the `serviceAccountTemplate.metadata.name` field will override the +name of service account created by the package manager and used in the +provider deployment. The package manager will own that service account and +may conflict with other owners attempting to take ownership. A common mistake +is configuring the same service account for multiple packages in this way +which ends up causing frequent reconciliation loops and loads on the API server. + +If you just want to use an existing service account, you should instead only +set the `deploymentTemplate.spec.template.spec.serviceAccountName` field. +Crossplane will then use the existing service account without taking the ownership +and still take care of binding the necessary permissions. +{{}} + + ### Provider configuration The `ProviderConfig` determines settings the Provider uses communicating to the
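Review bot: The second paragraph of the added hint (identical in the master, v1.15, v1.16 and v1.17 copies) says Crossplane will "still take care of binding the necessary permissions" but does not say what that means for the existing service account. As written, the account named in `deploymentTemplate.spec.template.spec.serviceAccountName` receives the provider's permissions, so any other workload running under it gains them too. Please add a sentence saying so and pointing readers to a service account dedicated to the provider, which also fits the first paragraph's warning about sharing one account across packages. A short manifest that sets only `deploymentTemplate.spec.template.spec.serviceAccountName` would make the recommended path concrete next to the `serviceAccountTemplate` one.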
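Review bot: Wording in the first paragraph of the hint needs a pass before this is copied into four versions: "name of service account" is missing an article ("name of the service account"), "loads on the API server" should read "load on the API server", and in the second paragraph "without taking the ownership" should be "without taking ownership". "May conflict with other owners attempting to take ownership" would be clearer if it named what the other owners are, for example another package configured with the same name, since that is the case the next sentence describes. The hunk also adds two blank lines after the closing shortcode and one before the opening one; a single blank line on each side is enough.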