Document the spec.hubTemplateOptions.serviceAccountName field

Relates: https://issues.redhat.com/browse/ACM-13572 Signed-off-by: mprahl <[email protected]>
open-cluster-management-io · Sep 17, 2024 · 166702f · 166702f
1 parent e5ef033
commit 166702f
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/api/v1/policy_types.go b/api/v1/policy_types.go
@@ -67,6 +67,10 @@ type PolicyDependency struct {
 }
 
 type HubTemplateOptions struct {
+	// ServiceAccountName is the name of a service account in the same namespace as the policy to use for all hub
+	// template lookups. The service account must have list and watch permissions on any object the hub templates
+	// look up. If not specified, lookups are restricted to namespaced objects in the same namespace as the policy and
+	// to the `ManagedCluster` object associated with the propagated policy.
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 

diff --git a/deploy/crds/kustomize/policy.open-cluster-management.io_policies.yaml b/deploy/crds/kustomize/policy.open-cluster-management.io_policies.yaml
@@ -122,6 +122,11 @@ spec:
                   templates.
                 properties:
                   serviceAccountName:
+                    description: |-
+                      ServiceAccountName is the name of a service account in the same namespace as the policy to use for all hub
+                      template lookups. The service account must have list and watch permissions on any object the hub templates
+                      look up. If not specified, lookups are restricted to namespaced objects in the same namespace as the policy and
+                      to the `ManagedCluster` object associated with the propagated policy.
                     type: string
                 type: object
               policy-templates:

diff --git a/deploy/crds/policy.open-cluster-management.io_policies.yaml b/deploy/crds/policy.open-cluster-management.io_policies.yaml
@@ -134,6 +134,11 @@ spec:
                   templates.
                 properties:
                   serviceAccountName:
+                    description: >-
+                      ServiceAccountName is the name of a service account in the same namespace as the policy to use for all hub
+                      template lookups. The service account must have list and watch permissions on any object the hub templates
+                      look up. If not specified, lookups are restricted to namespaced objects in the same namespace as the policy and
+                      to the `ManagedCluster` object associated with the propagated policy.
                     type: string
                 type: object
               policy-templates: