
Enable CrossNamespaceReferences for ServiceAccounts

Open dfreilich opened this issue 1 year ago • 8 comments

Currently, Terraform objects contain a reference to a serviceAccount, an entity which must be present in order to proceed with the object.

This reference is currently just a string reference to a serviceAccount object in the Terraform object's namespace: https://github.com/weaveworks/tf-controller/blob/a4d31bb311e7d405bb9e0d3b357b4bb7766927b5/api/v1alpha1/terraform_types.go#L179-L183

Can this be switched to a CrossNamespaceReference, similar to SourceRef? https://github.com/weaveworks/tf-controller/blob/a4d31bb311e7d405bb9e0d3b357b4bb7766927b5/api/v1alpha1/terraform_types.go#L135-L137

In our current use case, we are creating Terraform objects in a number of different namespaces, based on permissions, and to escape this limitation we are creating serviceAccounts with the correct ClusterRoleBinding in every namespace we create. Ideally, I'd like to just point it to the service account that the TFController creates, so that we don't have any long-term compatibility issues (if permissions in the serviceAccount change).

What do you think?

dfreilich avatar Dec 04 '22 19:12 dfreilich
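To make the trade-off in this request concrete: a cross-namespace ServiceAccount reference lets a tenant's Terraform object run under a ServiceAccount that lives outside the tenant's namespace, so a controller that adopts it needs a policy gate in the same spirit as the Flux controllers' `--no-cross-namespace-refs` flag. The sketch below is an added example written for this page, not tofu-controller's code; `ServiceAccountRef`, `ResolveServiceAccount` and the `allowCrossNS` switch are hypothetical names, and the namespaces are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
)

// ServiceAccountRef is a hypothetical cross-namespace reference, modelled on
// the SourceRef pattern the issue points at. An empty Namespace means
// "same namespace as the Terraform object", which keeps today's string-only
// behaviour as the default.
type ServiceAccountRef struct {
	Name      string
	Namespace string
}

// ErrCrossNamespaceDenied is returned when the controller runs with
// cross-namespace references disabled (the safe default for multi-tenant
// clusters) and an object tries to borrow a ServiceAccount elsewhere.
var ErrCrossNamespaceDenied = errors.New("cross-namespace ServiceAccount reference denied by controller policy")

// ResolveServiceAccount returns the namespace and name the controller would
// impersonate for a Terraform object in objNamespace. With allowCrossNS=false
// every reference is pinned to the object's own namespace, so a tenant cannot
// point at a more privileged ServiceAccount (such as the controller's own).
func ResolveServiceAccount(ref ServiceAccountRef, objNamespace string, allowCrossNS bool) (string, string, error) {
	if ref.Name == "" {
		return "", "", errors.New("serviceAccountName must not be empty")
	}
	ns := ref.Namespace
	if ns == "" {
		ns = objNamespace
	}
	if ns != objNamespace && !allowCrossNS {
		return "", "", ErrCrossNamespaceDenied
	}
	return ns, ref.Name, nil
}

func main() {
	// Constructed inputs: a tenant object in "team-a" pointing at a runner
	// ServiceAccount in "flux-system", evaluated under both policies.
	ref := ServiceAccountRef{Name: "tf-runner", Namespace: "flux-system"}
	for _, allow := range []bool{false, true} {
		ns, name, err := ResolveServiceAccount(ref, "team-a", allow)
		fmt.Printf("allowCrossNS=%v -> %s/%s err=%v\n", allow, ns, name, err)
	}
}
```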