Service Accounts on Supply Chain and Workload should be cumulative
Description of problem
The order of precedence of service accounts is described in our documentation: https://cartographer.sh/docs/v0.3.0/authentication/
If an app dev provides a service account in the workload, it supersedes the service account provided in the supply chain. This leads to more configuration than necessary, particularly in the case of a supply chain leveraging options to choose between templates.
Scenario: A supply chain has a default path of N steps. The supply chain author creates a service account with permission to stamp out those N resources. The supply chain then leverages options to allow a given step to stamp out a new resource type. Now either a second service account must exist that covers all N+1 resource types, or the original service account must be granted an additional role that most workloads will never use.
Instead, the supply chain could provide a service account with roles to manage all the resources common to the supply chain, and the workload could provide a service account with roles to manage only the unique resources it will create.
Proposed solution
Given a supply chain that provides a service account with roles to manage resource type A
And a workload that provides a service account to manage resource type B
When the supply chain steps attempt to stamp out objects of type A and B
Then both objects are successfully created
Example
```yaml
apiVersion: carto.run/v1alpha1
kind: ClusterSupplyChain
metadata:
  name: supply-chain
spec:
  resources:
    - name: resource-type-a
      templateRef:
        kind: ClusterTemplate
        name: a-template-creating-object-of-type-a
    - name: resource-type-b
      templateRef:
        kind: ClusterTemplate
        name: a-template-creating-object-of-type-b
  serviceAccountRef:
    name: service-account-with-role-to-create-resource-type-a
    namespace: default
  selector:
    workload-type: demo
---
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: demo
  labels:
    workload-type: demo
spec:
  serviceAccountName: service-account-with-role-to-create-resource-type-b
```
Both objects should successfully create.
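To make the difference between the two policies concrete, here is an added example (not Cartographer code, and not part of the original issue) that models how the documented "workload supersedes supply chain" precedence and the proposed cumulative resolution play out against Kubernetes RBAC. RBAC matching is reduced to `apiGroups`/`resources`/`verbs` with the `*` wildcard; the two service account names come from the example above, while the API group `example.com` and the flattened rule sets are assumptions standing in for the issue's placeholder resource types A and B.

```python
"""Model of the two service-account resolution policies discussed in the issue.
Added example, not Cartographer code. RBAC evaluation is simplified to the
apiGroups/resources/verbs triple of an rbac.authorization.k8s.io/v1 Role."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One entry of a Role's `rules:` list."""
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset


@dataclass(frozen=True)
class ServiceAccount:
    name: str
    rules: tuple  # rules reachable through the SA's RoleBindings, flattened


def _matches(allowed: frozenset, value: str) -> bool:
    # RBAC: a "*" entry matches any value; otherwise the value must be listed.
    return "*" in allowed or value in allowed


def can_i(sa: ServiceAccount, group: str, resource: str, verb: str) -> bool:
    """Offline stand-in for `kubectl auth can-i <verb> <resource>.<group> --as=...`."""
    return any(
        _matches(r.api_groups, group)
        and _matches(r.resources, resource)
        and _matches(r.verbs, verb)
        for r in sa.rules
    )


def resolve_supersede(supply_chain_sa, workload_sa):
    """Documented v0.3.0 precedence: a workload SA replaces the supply chain SA."""
    return [workload_sa] if workload_sa is not None else [supply_chain_sa]


def resolve_cumulative(supply_chain_sa, workload_sa):
    """Proposed behaviour: both SAs are candidates for every stamped object."""
    return [sa for sa in (supply_chain_sa, workload_sa) if sa is not None]


def stamp(resources, supply_chain_sa, workload_sa, resolve):
    """For each supply-chain resource (group, plural) return the name of the first
    candidate SA allowed to create it, or None when no candidate can (the
    reconcile would stop with a forbidden error for that step)."""
    outcome = {}
    for group, resource in resources:
        outcome[resource] = next(
            (sa.name for sa in resolve(supply_chain_sa, workload_sa)
             if can_i(sa, group, resource, "create")),
            None,
        )
    return outcome


# Constructed sample data mirroring the issue's example (assumption: the
# placeholder kinds live in the API group "example.com").
GROUP = "example.com"
SUPPLY_CHAIN_RESOURCES = [(GROUP, "resource-type-a"), (GROUP, "resource-type-b")]
_VERBS = frozenset({"create", "get", "list", "watch", "update", "patch"})

SC_SA = ServiceAccount(
    "service-account-with-role-to-create-resource-type-a",
    (Rule(frozenset({GROUP}), frozenset({"resource-type-a"}), _VERBS),),
)
WL_SA = ServiceAccount(
    "service-account-with-role-to-create-resource-type-b",
    (Rule(frozenset({GROUP}), frozenset({"resource-type-b"}), _VERBS),),
)


def current_behaviour():
    """Workload SA set, so only it is consulted: resource A cannot be stamped."""
    return stamp(SUPPLY_CHAIN_RESOURCES, SC_SA, WL_SA, resolve_supersede)


def proposed_behaviour():
    """Both SAs consulted: A is created as the supply chain SA, B as the workload SA."""
    return stamp(SUPPLY_CHAIN_RESOURCES, SC_SA, WL_SA, resolve_cumulative)


if __name__ == "__main__":
    print("supersede :", current_behaviour())
    print("cumulative:", proposed_behaviour())
```

Under the cumulative policy a workload effectively gets the union of both identities' create rights, so the supply chain service account should carry roles only for the kinds every workload on that path needs, as the proposal itself suggests; a real-cluster pre-flight for the same question is `kubectl auth can-i create <resource> --as=system:serviceaccount:<namespace>:<name>` run once per service account and resource type.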