[k8s-image-swapper]: chart clusterrole out of sync with 1.1.0 app version #48

Closed
KhrisRichardson-BO opened this issue Oct 28, 2021 · 4 comments

Comments

@KhrisRichardson-BO
Contributor

I believe 1.1.0 introduced the mutation of service accounts with image pull secrets, but the clusterrole in the chart doesn't yet reflect the new rules required.

Would it be possible to add a flag to toggle the service account mutation behavior?

Thanks

@estahn
Owner

estahn commented Oct 28, 2021

Hi @KhrisRichardson-BO, I assume you're referring to support for imagePullSecrets via service accounts. Can you describe the issue and what rules you're referring to? If something is missing we can certainly add it.

You're probably already aware, but just to be sure, the flag secretReader.enabled needs to be set to true.

@KhrisRichardson-BO
Contributor Author

This is the type of error we are seeing, with secretReader.enabled set to false by design.

7:00PM ERR github.com/estahn/k8s-image-swapper@v1.1.0/pkg/secrets/kubernetes.go:75 > error fetching referenced service account, continue without service account imagePullSecrets error="serviceaccounts \"management-us-east-1-cert-manager-us-east-1-cainjector\" is forbidden: User \"system:serviceaccount:k8s-image-swapper:k8s-image-swapper\" cannot get resource \"serviceaccounts\" in API group \"\" in the namespace \"cert-manager\""

There are no rules related to service accounts in the clusterrole. It may be possible that I need to file an additional issue in the k8s-image-swapper repository if that logic should only be applicable when secretReader is enabled.

@estahn
Owner

estahn commented Nov 1, 2021

@KhrisRichardson-BO I see, that makes sense. I wonder if we should have a serviceAccountReader 🤔

I don't think you need to adjust anything in k8s-image-swapper itself. It's purely a permission issue of the clusterrole.
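
An added example, not part of the thread or of the project's code: a small script that reads Kubernetes "is forbidden" errors like the one quoted above and derives the least-privilege RBAC rule each denied subject is missing. The function names (`parse_denials`, `missing_rules`, `render_rules`) are hypothetical, and the message layout is assumed to match the log line in this issue.

```python
import re

# error= field copied from the log line quoted in the issue (the logger
# backslash-escapes the inner quotes); the second line is a constructed sample.
LOG_LINES = [
    r'error="serviceaccounts \"management-us-east-1-cert-manager-us-east-1-cainjector\" '
    r'is forbidden: User \"system:serviceaccount:k8s-image-swapper:k8s-image-swapper\" '
    r'cannot get resource \"serviceaccounts\" in API group \"\" '
    r'in the namespace \"cert-manager\""',
    "7:01PM INF constructed line without an RBAC denial",
]

# Assumed layout of the API server's authorization denial, as seen above.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)

def parse_denials(lines):
    """Return one dict per denial found; lines without a denial are skipped."""
    denials = []
    for line in lines:
        match = FORBIDDEN.search(line.replace('\\"', '"'))  # undo log escaping
        if match:
            denials.append(match.groupdict())
    return denials

def missing_rules(denials):
    """Merge denials into minimal RBAC rules, keyed by the denied subject."""
    verbs_by_key = {}
    for d in denials:
        key = (d["user"], d["group"], d["resource"])
        verbs_by_key.setdefault(key, set()).add(d["verb"])
    rules = {}
    for (user, group, resource), verbs in sorted(verbs_by_key.items()):
        rules.setdefault(user, []).append(
            {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)})
    return rules

def render_rules(rule_list):
    """Render rules in the YAML shape used under a ClusterRole's `rules:` key."""
    quote = lambda items: ", ".join('"%s"' % item for item in items)
    out = ["rules:"]
    for rule in rule_list:
        out.append("  - apiGroups: [%s]" % quote(rule["apiGroups"]))
        out.append("    resources: [%s]" % quote(rule["resources"]))
        out.append("    verbs: [%s]" % quote(rule["verbs"]))
    return "\n".join(out)

if __name__ == "__main__":
    for subject, rule_list in missing_rules(parse_denials(LOG_LINES)).items():
        print("# missing for", subject)
        print(render_rules(rule_list))
```

Because each rule is built only from verbs and resources that were actually denied, the output never grants more than the errors name.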

@estahn
Owner

estahn commented Nov 1, 2021

@estahn estahn closed this as completed Nov 1, 2021