Add ServiceAccount enricher and configuration

[jstrachan]

Right now its a little bit involved to add a ServiceAccount; you need to

• create a sa.yml file
• create a deployment.yml file if you have not already and add the spec.serviceAccountName: xyz entry

For folks who have a deployment.yml already its not a biggie; but maybe it should just be flag thats enabled which would then generate an SA if its not already created (for the same name as the deployment) along with adding the serviceAccountName to the deployment spec

[rhuss]

This could be easily done by a specific enricher, which

• Checks every deployment for references to SAs
• Checks whether the SA already exists in the resource list.
• If not, create the SA on the fly.

We could also add a config option to the DefaultControllerEnricher for SA.

[jstrachan]

Agreed. It does feel like we should just have an enricher flag we could enable in the pom.xml to enable the SA stuff.

I wonder if by default if you add an sa.yml we should by default use it in the Deployment (if there's only 1 Deployment) as its probably what folks mean and avoids them having to write the deployment.yml and remember the right level of indentation to add the serviceAccountName?

[rhuss]

I wonder if by default if you add an sa.yml we should by default use it in the Deployment (if there's only 1 Deployment) as its probably what folks mean and avoids them having to write the deployment.yml and remember the right level of indentation to add the serviceAccountName?

This should be also no problem by adding to the DefaultControllerEnricher which does this if it detects a given SA in the list to enrich, and adds the proper field to either an existing Deployment object or to the one which this enricher creates by default.

However it makes more sense to allow the configuration of an SA directly in the config like in

<enricher>
   <config>
      <fmp-controller>
           <service-account>....</service-account>
      </fmp-controller>
   </config>
</enricher>

or by setting a property

fabric8.enricher.fmp-controller.service-account

or (when we finally give our XML configuration some love ;-) in XML config

<resources>
   ....
   <service-accounts>
       <sa>...</sa>
       <sa>...</sa>
    <service-accounts>
</resources>

Not yet sure about the proper XML syntax has we could combine it directly with allowing role bindings in the declaration, so that we might have a top-level XML config <authorization>...</authorization> which groups together such kind of things.

[stale]

This issue has been automatically marked as stale because it has not had any activity since 90 days. It will be closed if no further activity occurs within 7 days. Thank you for your contributions!

[rhuss]

The idea for the service account enricher would be that if it is configured with a name, its added to the generated deployment / deployment config

[stale]

This issue has been automatically marked as stale because it has not had any activity since 90 days. It will be closed if no further activity occurs within 7 days. Thank you for your contributions!