From 3b6da48a4ff2da4cb37667b8e8f60ab603cb584b Mon Sep 17 00:00:00 2001 From: Hasan Turken Date: Wed, 11 Sep 2024 10:04:11 +0300 Subject: [PATCH] Add note on configuring provider service accounts Signed-off-by: Hasan Turken --- content/master/concepts/providers.md | 16 ++++++++++++++++ content/v1.15/concepts/providers.md | 16 ++++++++++++++++ content/v1.16/concepts/providers.md | 16 ++++++++++++++++ content/v1.17/concepts/providers.md | 16 ++++++++++++++++ 4 files changed, 64 insertions(+) diff --git a/content/master/concepts/providers.md b/content/master/concepts/providers.md index 591d009e..f1d99e0d 100644 --- a/content/master/concepts/providers.md +++ b/content/master/concepts/providers.md @@ -766,6 +766,22 @@ spec: name: my-service-account ``` + +{{}} +Setting the `serviceAccountTemplate.metadata.name` field will override the +name of service account created by the package manager and used in the +provider deployment. The package manager will own that service account and +may conflict with other owners attempting to take ownership. A common mistake +is configuring the same service account for multiple packages in this way +which ends up causing frequent reconciliation loops and loads on the API server. + +If you just want to use an existing service account, you should instead only +set the `deploymentTemplate.spec.template.spec.serviceAccountName` field. +Crossplane will then use the existing service account without taking the ownership +and still take care of binding the necessary permissions. +{{}} + + ### Provider configuration The `ProviderConfig` determines settings the Provider uses communicating to the diff --git a/content/v1.15/concepts/providers.md b/content/v1.15/concepts/providers.md index 591d009e..f1d99e0d 100644 --- a/content/v1.15/concepts/providers.md +++ b/content/v1.15/concepts/providers.md 
@@ -766,6 +766,22 @@ spec: name: my-service-account ``` + +{{}} +Setting the `serviceAccountTemplate.metadata.name` field will override the +name of service account created by the package manager and used in the +provider deployment. The package manager will own that service account and +may conflict with other owners attempting to take ownership. A common mistake +is configuring the same service account for multiple packages in this way +which ends up causing frequent reconciliation loops and loads on the API server. + +If you just want to use an existing service account, you should instead only +set the `deploymentTemplate.spec.template.spec.serviceAccountName` field. +Crossplane will then use the existing service account without taking the ownership +and still take care of binding the necessary permissions. +{{}} + + ### Provider configuration The `ProviderConfig` determines settings the Provider uses communicating to the diff --git a/content/v1.16/concepts/providers.md b/content/v1.16/concepts/providers.md index 591d009e..f1d99e0d 100644 --- a/content/v1.16/concepts/providers.md +++ b/content/v1.16/concepts/providers.md 
@@ -766,6 +766,22 @@ spec: name: my-service-account ``` + +{{}} +Setting the `serviceAccountTemplate.metadata.name` field will override the +name of service account created by the package manager and used in the +provider deployment. The package manager will own that service account and +may conflict with other owners attempting to take ownership. A common mistake +is configuring the same service account for multiple packages in this way +which ends up causing frequent reconciliation loops and loads on the API server. + +If you just want to use an existing service account, you should instead only +set the `deploymentTemplate.spec.template.spec.serviceAccountName` field. +Crossplane will then use the existing service account without taking the ownership +and still take care of binding the necessary permissions. +{{}} + + ### Provider configuration The `ProviderConfig` determines settings the Provider uses communicating to the diff --git a/content/v1.17/concepts/providers.md b/content/v1.17/concepts/providers.md index 591d009e..f1d99e0d 100644 --- a/content/v1.17/concepts/providers.md +++ b/content/v1.17/concepts/providers.md 
@@ -766,6 +766,22 @@ spec: name: my-service-account ``` + +{{}} +Setting the `serviceAccountTemplate.metadata.name` field will override the +name of service account created by the package manager and used in the +provider deployment. The package manager will own that service account and +may conflict with other owners attempting to take ownership. A common mistake +is configuring the same service account for multiple packages in this way +which ends up causing frequent reconciliation loops and loads on the API server. + +If you just want to use an existing service account, you should instead only +set the `deploymentTemplate.spec.template.spec.serviceAccountName` field. +Crossplane will then use the existing service account without taking the ownership +and still take care of binding the necessary permissions. +{{}} + + ### Provider configuration The `ProviderConfig` determines settings the Provider uses communicating to the
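Review bot: The second paragraph of the added note (the same in all four hunks) tells readers to point `deploymentTemplate.spec.template.spec.serviceAccountName` at an existing service account and says Crossplane will "still take care of binding the necessary permissions", without saying what that means for an account that already exists and may already be in use. Kubernetes RBAC bindings apply to every pod that runs under the service account, so the provider's permissions become available to anything else using that account. Please add a sentence stating this and recommending a dedicated, pre-created service account per provider. A short YAML snippet showing only the `deploymentTemplate` field set would also help, since the example directly above the note shows only the `serviceAccountTemplate` form that the note warns about.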
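Review bot: Wording in the first paragraph of the added note needs tightening, and the fixes apply identically to each of the four hunks. "name of service account created by the package manager" is missing an article ("name of the service account"), "loads on the API server" should be "load on the API server", and in the second paragraph "without taking the ownership" should be "without taking ownership". The sentence "The package manager will own that service account and may conflict with other owners" would read more clearly if it named the other owners it has in mind, for example other packages configured with the same name, which is the case the next sentence describes. Each hunk also adds two blank lines between the closing shortcode and `### Provider configuration`; one is enough.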
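Review bot: The hunks for `content/v1.15`, `content/v1.16` and `content/v1.17` carry the same 16 added lines as `content/master`, and all four files show the same `index 591d009e..f1d99e0d`, but the commit message does not say whether the behaviour described holds for every one of those releases. Please confirm, in the commit message or the PR description, that each listed version uses an existing account named in `deploymentTemplate.spec.template.spec.serviceAccountName` without taking ownership and still binds permissions to it. If any release behaves differently, its copy of the note needs its own wording rather than a verbatim copy.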