adding in service-account.yaml.tpl to get away from using the default service account in favor of a service specific service account

acornett21 · acornett21 · commit 342c8f94c222 · 2022-01-20T14:28:50.000-07:00
Signed-off-by: Adam D. Cornett &lt;adc@redhat.com&gt;
diff --git a/pkg/generate/ack/controller.go b/pkg/generate/ack/controller.go
@@ -35,6 +35,7 @@ var (
 		"config/rbac/cluster-role-binding.yaml.tpl",
 		"config/rbac/role-reader.yaml.tpl",
 		"config/rbac/role-writer.yaml.tpl",
+		"config/rbac/service-account.yaml.tpl",
 		"config/rbac/kustomization.yaml.tpl",
 		"config/crd/kustomization.yaml.tpl",
 		"config/overlays/namespaced/kustomization.yaml.tpl",
diff --git a/templates/config/controller/deployment.yaml.tpl b/templates/config/controller/deployment.yaml.tpl
@@ -61,6 +61,7 @@ spec:
             drop:
               - ALL
       terminationGracePeriodSeconds: 10
+      serviceAccountName: ack-{{ .ServicePackageName }}-service-account
       hostIPC: false
       hostNetwork: false
       hostPID: false
diff --git a/templates/config/rbac/cluster-role-binding.yaml.tpl b/templates/config/rbac/cluster-role-binding.yaml.tpl
@@ -8,5 +8,5 @@ roleRef:
   name: ack-{{ .ServicePackageName }}-controller
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: ack-{{ .ServicePackageName }}-service-account
   namespace: ack-system
diff --git a/templates/config/rbac/kustomization.yaml.tpl b/templates/config/rbac/kustomization.yaml.tpl
@@ -3,3 +3,5 @@ resources:
 - cluster-role-controller.yaml
 - role-reader.yaml
 - role-writer.yaml
+- service-account.yaml
+
diff --git a/templates/config/rbac/service-account.yaml.tpl b/templates/config/rbac/service-account.yaml.tpl
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ack-{{ .ServicePackageName }}-service-account
+  namespace: ack-system
