Use a service account for pull secrets #579
Merged
Also updates the SA using controllerutil.CreateOrUpdate
This will ensure that we're enforcing our desired rbac on the orchestrator even though it can't be changed through the CR
We know they apply to the orchestrator because we're in an orchestrator specific function.
OpenShift creates a default pull secret with the service account so before this change we were fighting with OpenShift by removing their pull secret and replacing it with ours. This commit checks to see if there are any other secrets in the SA and appends ours to the list if it isn't already there.
The only use was removed in f68458c
Specifically add a service account to be used by all components that don't require one for other reasons.
This way they will all have access to the pull secret if needed
…et name The workers should be using the common service account either way so might as well also use it to get access to the pull secret
carbonin force-pushed the use_sa_for_pull_secrets branch from e430210 to 966f161 on July 8, 2020 15:47
Checked commits carbonin/manageiq-pods@9a4f39a~...966f161 with ruby 2.5.7, rubocop 0.69.0, haml-lint 0.28.0, and yamllint
bdunne approved these changes Jul 8, 2020
carbonin added a commit to carbonin/manageiq-pods that referenced this pull request Jul 8, 2020: Use a service account for pull secrets
This was referenced Jul 8, 2020
Backported to jansa via #580
This PR creates a default service account which will be used by any deployment not already using one we define (the orchestrator and, in some cases, httpd, already use a service account to escalate various privileges). Having done that, we can now associate the image pull secret to all the service accounts we create to ensure it is available to all deployments that are created by either the operator or orchestrator.
I think we may want this in Jansa, so I'll probably have to make a separate PR there as master has diverged rather significantly with the CreateOrUpdate changes.
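The commit message above about OpenShift's default pull secret contrasts replacing the service account's pull secret list with appending to it; the following is an added Go sketch of that difference, not code from this PR or from the operator. The types are reduced stand-ins for the Kubernetes ones, the platform controller is simulated, and the secret names are constructed.

```go
package main

import "fmt"

// Stand-ins for the Kubernetes types, reduced to the one field discussed (assumption).
type LocalObjectReference struct{ Name string }
type ServiceAccount struct{ ImagePullSecrets []LocalObjectReference }

// replacePullSecret models the earlier behaviour: overwrite the whole list.
func replacePullSecret(sa *ServiceAccount, name string) {
	sa.ImagePullSecrets = []LocalObjectReference{{Name: name}}
}

// appendPullSecret models the new behaviour: keep what is there, add ours once.
func appendPullSecret(sa *ServiceAccount, name string) {
	for _, ref := range sa.ImagePullSecrets {
		if ref.Name == name {
			return
		}
	}
	sa.ImagePullSecrets = append(sa.ImagePullSecrets, LocalObjectReference{Name: name})
}

// changed runs f and reports whether it modified the secret list.
func changed(sa *ServiceAccount, name string, f func(*ServiceAccount, string)) bool {
	before := fmt.Sprint(sa.ImagePullSecrets)
	f(sa, name)
	return fmt.Sprint(sa.ImagePullSecrets) != before
}

// Reconcile alternates a platform controller that ensures its own secret with
// the operator's mutate function, counting every write either side makes.
func Reconcile(rounds int, platform, ours string, mutate func(*ServiceAccount, string)) (int, ServiceAccount) {
	sa, writes := ServiceAccount{}, 0
	for i := 0; i < rounds; i++ {
		if changed(&sa, platform, appendPullSecret) {
			writes++
		}
		if changed(&sa, ours, mutate) {
			writes++
		}
	}
	return writes, sa
}

func main() {
	w, sa := Reconcile(5, "default-dockercfg-example", "example-pull-secret", appendPullSecret) // constructed names
	fmt.Println(w, sa.ImagePullSecrets)
}
```

With the replacing mutate function every round produces two writes and the platform's secret never survives; with the appending one the object settles after the first round and both secrets remain.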