Merge pull request #188 from controlplaneio-fluxcd/olm-default-sa-config

Introduce `DEFAULT_SERVICE_ACCOUNT` env var for OLM config
controlplaneio-fluxcd · Feb 24, 2025 · 71ba15e · 71ba15e
2 parents 833a584 + 4acc830
commit 71ba15e
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/cmd/operator/main.go b/cmd/operator/main.go
@@ -92,6 +92,13 @@ func main() {
 		setupLog.Info("RUNTIME_NAMESPACE env var not set, defaulting to " + fluxcdv1.DefaultNamespace)
 	}
 
+	// Allow the default service account name to be set by an environment variable.
+	// Needed for the OLM Subscription that only allows env var configuration.
+	defaultSA := os.Getenv("DEFAULT_SERVICE_ACCOUNT")
+	if defaultSA != "" {
+		defaultServiceAccount = defaultSA
+	}
+
 	reporter.MustRegisterMetrics()
 
 	ctx := ctrl.SetupSignalHandler()

diff --git a/docs/api/v1/resourceset.md b/docs/api/v1/resourceset.md
@@ -529,10 +529,25 @@ the resources defined in the ResourceSet.
 
 On multi-tenant clusters, it is recommended to use a dedicated ServiceAccount per tenant namespace
 with the minimum required permissions. To enforce a ServiceAccount for all ResourceSets,
-the `--default-service-account=flux-operator`flag can be set in the flux-operator container arguments.
+the `--default-service-account=flux-operator` flag can be set in the flux-operator container arguments.
 With this flag set, only the ResourceSets created in the same namespace as the flux-operator
 will run with cluster-admin permissions.
 
+When installing the Flux Operator with Helm, you can change the default service account name with:
+
+```shell
+helm install flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \
+  --namespace flux-system \
+  --create-namespace \
+  --set multitenancy.enabled=true \
+  --set multitenancy.defaultServiceAccount=flux-operator
+```
+
+When installing the Flux Operator on OpenShift from OperatorHub, the default service account name
+can be changed by setting the `DEFAULT_SERVICE_ACCOUNT` environment variable using the OLM
+[Subscription](https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/subscription-config.md)
+`.spec.config.env` field.
+
 ### Garbage collection
 
 The operator performs garbage collection of the resources previously generated by a ResourceSet