Add the impersonation feature to API spec

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

docs/spec/v2beta1/helmreleases.md

@@ -21,10 +21,6 @@ type HelmReleaseSpec struct {
 	// +required
 	Interval metav1.Duration `json:"interval"`
 
-	// KubeConfig for reconciling the HelmRelease on a remote cluster.
-	// +optional
-	KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`
-
 	// Suspend tells the controller to suspend reconciliation for this HelmRelease,
 	// it does not apply to already started reconciliations. Defaults to false.
 	// +optional
@@ -89,6 +85,16 @@ type HelmReleaseSpec struct {
 	// Values holds the values for this Helm release.
 	// +optional
 	Values *apiextensionsv1.JSON `json:"values,omitempty"`
+
+	// KubeConfig for reconciling the HelmRelease on a remote cluster.
+	// When specified, KubeConfig takes precedence over ServiceAccountName.
+	// +optional
+	KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`
+
+	// The name of the Kubernetes service account to impersonate
+	// when reconciling this HelmRelease.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // KubeConfig references a Kubernetes secret that contains a kubeconfig file.
@@ -824,6 +830,80 @@ spec:
         memory: 64Mi
 ```
 
+## Role-based access control
+
+By default, a `HelmRelease` runs under the cluster admin account and can create, modify, delete cluster level objects
+(cluster roles, cluster role binding, CRDs, etc) and namespeced objects (deployments, ingresses, etc).
+For certain `HelmReleases` a cluster admin may wish to control what types of Kubernetes objects can
+be reconciled and under which namespace.
+To restrict a `HelmRelease`, one can assign a service account under which the reconciliation is performed.
+
+Assuming you want to restrict a group of `HelmReleases` to a single namespace, you can create an account
+with a role binding that grants access only to that namespace:
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: webapp
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: webapp-reconciler
+  namespace: webapp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: webapp-reconciler
+  namespace: webapp
+rules:
+  - apiGroups: ['*']
+    resources: ['*']
+    verbs: ['*']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: webapp-reconciler
+  namespace: webapp
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: webapp-reconciler
+subjects:
+- kind: ServiceAccount
+  name: webapp-reconciler
+  namespace: webapp
+```
+
+> **Note** that the namespace, RBAC and service account manifests should be
+> placed in a Git source and applied with a Kustomization.
+
+Create a `HelmRelease` that prevents altering the cluster state outside of the `webapp` namespace:
+
+```yaml
+apiVersion: helm.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: webapp
+spec:
+  serviceAccountName: webapp-reconciler
+  interval: 5m
+  chart:
+    spec:
+      chart: podinfo
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+```
+
+When the controller reconciles the `podinfo` release, it will impersonate the `webapp-reconciler`
+account. If the chart contains cluster level objects like CRDs, the reconciliation will fail since
+the account it runs under has no permissions to alter objects outside of the `webapp` namespace.
+
 ## Remote Clusters / Cluster-API
 
 If the `spec.kubeConfig` field is set, Helm actions will run against the default cluster specified