docs icon indicating copy to clipboard operation
docs copied to clipboard
verified publisher icon crossplane

[Web Bug] - Providers

Open cjuega opened this issue 6 months ago • 1 comments

URL: https://docs.crossplane.io/v1.20/concepts/providers/#configuring-metadata-of-runtime-resources

The note about serviceAccountTemplate and the alternative for using an existing service account is misleading. It's not enough to define the deploymentTemplate.spec.template.spec.serviceAccountName property because there are some mandatory fields in that schema.

It would be nice to add an example to prevent the trial-error process. Here is a minimum working example to set an existing service account:

apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: name-of-the-drc
spec:
  deploymentTemplate:
    spec:
      selector: {}       # selector must be defined as it's required by the schema
      template:
        spec:
          containers: [] # containers must be defined as it's required by the schema
          serviceAccountName: name-of-an-existing-sa

cjuega avatar Jun 24 '25 08:06 cjuega

Good point @cjuega, thanks for calling that out! Looks like we mention this general problem in the green tip box in https://docs.crossplane.io/v1.20/concepts/providers/#runtime-configuration:

Since DeploymentRuntimeConfig uses the same schema as Kubernetes Deployment spec, you may need to pass empty values to bypass the schema validation. For example, if you just want to change the replicas field, you would need to pass the following...

and there's also a small bit of information about the scenario you're referencing in the red important box in https://docs.crossplane.io/v1.20/concepts/providers/#configuring-metadata-of-runtime-resources:

If you just want to use an existing service account, you should instead only set the deploymentTemplate.spec.template.spec.serviceAccountName field. Crossplane will then use the existing service account without taking the ownership and still take care of binding the necessary permissions.

But clearly that wasn't sufficient to prevent you having a hard time, so maybe we could do better. I think there's 2 areas to think about on this page:

  1. are any of the yaml examples provided on the page wrong, i.e. they will not work as printed?
  2. are there any important missing scenarios that we don't have examples for, but should add one?

Your scenario may fall into that 2nd category, but there could be some instances of the first also 😊 - do you feel up for opening a PR with changes you'd like to see? 🙏

jbw976 avatar Jun 24 '25 14:06 jbw976