Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(argo-cd): create service account for repo server by default #1161

Merged
merged 1 commit into from
Mar 10, 2022
Merged

fix(argo-cd): create service account for repo server by default #1161

merged 1 commit into from
Mar 10, 2022

Conversation

eddycharly
Copy link
Contributor

This PR enables the creation of a service account for repo server by default.

@mbevc1 mbevc1 added the argo-cd label Mar 7, 2022
@mbevc1 mbevc1 changed the title fix: create service account for repo server by default fix(argo-cd): create service account for repo server by default Mar 7, 2022
@mbevc1
Copy link
Collaborator

mbevc1 commented Mar 7, 2022

Thanks, seems this would align this to other charts. Could you please provide changelog infor as well?

@eddycharly
Copy link
Contributor Author

@mbevc1 sure, how shall I provide the changelog ?

@mbevc1
Copy link
Collaborator

mbevc1 commented Mar 8, 2022

There is an annotation that is used, i.e. https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L22-L24

@mbevc1
Copy link
Collaborator

mbevc1 commented Mar 8, 2022

Thanks! Mind you need to replace current one as artifacthub is appending it automatically.

@eddycharly
Copy link
Contributor Author

Done, do I need to bump the chart version ?
I guess i will have to regen the docs too.

@mbevc1
Copy link
Collaborator

mbevc1 commented Mar 8, 2022

Yes, please. Version needs bumping as well. Docs should be fine unless there are any changes related to those.

@eddycharly
fix: create service account for repo server by default
4f3245a 
This PR enables the creation of a service account for repo server by default.

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
@eddycharly
Copy link
Contributor Author

@mbevc1 version bumped and docs up to date.

@mbevc1
Copy link
Collaborator

mbevc1 commented Mar 9, 2022

Looks good, just before merging thinking if we should bump minor version as this changes current default 🤔
Thoughts @mkilchhofer @davidkarlsen @yann-soubeyrand ?

mkilchhofer
mkilchhofer reviewed Mar 9, 2022
View reviewed changes
Copy link
Member

@mkilchhofer mkilchhofer left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to ask for the use case? :-)

The upstream manifest (which are our template) do not create a ServiceAccount for the repo-server. Also the server does not have a mounted service account token by default

Ref:

@eddycharly
Copy link
Contributor Author

@mkilchhofer the use case is to identify to allow usage of CiliumNetworkPolicy with rules based on service accounts.

@eddycharly
Copy link
Contributor Author

IMHO it shouldn't hurt to have a service account. Even if you don't specify one it will fallback to use default.
TBH, i don't see any case where it's not advisable to create one.

@mkilchhofer
Copy link
Member

mkilchhofer commented Mar 9, 2022
edited
Loading

@mkilchhofer the use case is to identify to allow usage of CiliumNetworkPolicy with rules based on service accounts.

Okay. This is a valable use case, I also override to true as I use helm plugins talking to the kube-api.

But it still is not comply in these two ideas:

  • charts README

    The default installation is intended to be similar to the provided ArgoCD releases.

  • least privilege principle (okay to be fair, the default SA normally also has kube-api access)

Idk, I am okay if we proceed and merge as it is such a small change ;)

@eddycharly
Copy link
Contributor Author

Idk, I am okay if we proceed and merge as it is such a small change ;)

Let's do that ;)

@mbevc1 mbevc1 merged commit ec6cd35 into argoproj:master Mar 10, 2022
@eddycharly eddycharly deleted the patch-1 branch March 10, 2022 11:26
terrych0u pushed a commit to terrych0u/argo-helm that referenced this pull request Aug 4, 2022
@eddycharly @terrych0u
fix: create service account for repo server by default (argoproj#1161)
2b2450f 
This PR enables the creation of a service account for repo server by default.

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkilchhofer mkilchhofer mkilchhofer left review comments

@mbevc1 mbevc1 mbevc1 approved these changes

@davidkarlsen davidkarlsen Awaiting requested review from davidkarlsen

@yann-soubeyrand yann-soubeyrand Awaiting requested review from yann-soubeyrand

Assignees
No one assigned
Labels
argo-cd size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eddycharly @mbevc1 @mkilchhofer