feat!: harmonize service account binding #major #363
Conversation
aslafy-z
force-pushed
the
aslafy-z-patch-3
branch
2 times, most recently
from
0ef820d to
7d495fb
Compare
aslafy-z
force-pushed
the
aslafy-z-patch-3
branch
from
7d495fb to
c127a42
Compare
application/templates/_helpers.tpl
Outdated
| {{- if .Values.rbac.enabled }} | ||
| {{- if and .Values.rbac.serviceAccount.enabled .Values.rbac.existingServiceAccountName }} | ||
| {{- fail "Conflict: 'rbac.existingServiceAccountName' is set, but a new service account is being created. Please disable 'rbac.serviceAccount.enabled' or unset 'rbac.existingServiceAccountName'." }} |
There was a problem hiding this comment.
I fear that this may just cause confusion when reading release values later down the line. I'd much rather have .Values.rbac.enabled be changed to .Values.rbac.create instead, but I realize that would be a breaking change. The way things are in this PR, I find it a bit confusing for a release using an existing service account:
.Values.rbac.serviceAccount.nameexists, but is completely empty, meaning default or disabled. The comments hint at the default value being{{ include "application.name" $ }}..Values.rbac.serviceAccount.enabledexists and is set to false. What that means is unclear unless we peek into the templates or make an assumption based on widely available charts..Values.rbac.existingServiceAccountexists is finally what we were expecting. Its mere presence introduces branching in the line of code this thread highlights.
If instead we had .Values.rbac.serviceAccount.create as a boolean defaulting to false, .Values.rbac.serviceAccount.name would always have the name of the mounted (when applicable) service account.
Do you believe this legibility tradeoff is enough to justify a breaking change? I find myself unable to make that judgment.
There was a problem hiding this comment.
I renamed enabled to create for it to be aligned with what is done in the community. I personally don't care about breaking changes if they are clearly indicated as such and major is bumped. I prefer to consistent and easily understandable APIs, over over-engineering for compatible solutions, even if it come with the cost of a breaking change. This is my personal take, I think it works for this chart. WDYT?
application/templates/_helpers.tpl
Outdated
| {{- if .Values.rbac.serviceAccount.enabled }} | ||
| {{- default (include "application.name" .) .Values.rbac.serviceAccount.name }} | ||
| {{- else }} | ||
| {{- default "null" .Values.rbac.existingServiceAccountName }} |
There was a problem hiding this comment.
Edge case, may or may not be something to take into consideration: service accounts named null. Also, we're assuming the result of this partial template to be interpreted as YAML rather than a raw string, that may create confusion.
| {{- default "null" .Values.rbac.existingServiceAccountName }} | |
| {{- $saName := .Values.rbac.existingServiceAccountName }} | |
| {{- empty $saName | ternary (quote $saName) "null" }} |
There was a problem hiding this comment.
the partial now only returns strings, do you think i should still quote the output?
aslafy-z
force-pushed
the
aslafy-z-patch-3
branch
4 times, most recently
from
4662e88 to
a6b974e
Compare
aslafy-z
changed the title
aslafy-z
changed the title
aslafy-z
force-pushed
the
aslafy-z-patch-3
branch
from
a6b974e to
6d404a8
Compare
aslafy-z
changed the title
aslafy-z
force-pushed
the
aslafy-z-patch-3
branch
from
6d404a8 to
0c15cb1
Compare
aslafy-z
force-pushed
the
aslafy-z-patch-3
branch
from
0c15cb1 to
de41a4f
Compare
Closes #320
Closes #361
BREAKING: Rename
rbac.serviceAccount.enabledfield torbac.serviceAccount.create.Fix inconsistencies in serviceAccount binding across
CronJob,Job, andDeploymenttemplates by introducing a newapplication.serviceAccountNametemplate:rbac.serviceAccount.createrbac.serviceAccount.nametrue""(include "application.name" .)true"foo""foo"false"""default"false"bar""bar"