Commit Graph

9 Commits

Author SHA1 Message Date
Stefan Prodan 65aaa1d69a
Ensure objects are finalized under impersonation
If the service account used for impersonation has been deleted, skip pruning, log the error and continue with finalization to allow tenant removals from clusters.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-01-31 13:20:12 +02:00
Stefan Prodan 4d7cba91b0
Allow setting a default service account for impersonation
Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resource reconciliation.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-01-27 18:25:02 +02:00
Stefan Prodan 02c6708362
Update fluxcd/pkg/ssa to exclude the status field from apply
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-01-13 18:50:56 +02:00
Stefan Prodan 1badc828b4
Replace deprecated dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-11-23 14:21:21 +02:00
Stefan Prodan 1e01d800c5
Implement reconciliation using server-side apply
Reconciler behaviour:
- Creates an inventory of objects to be applied (persisted in-cluster under `.status.inventory`).
- Applies first custom resource definitions (CRDs) and namespaces, waits for them to register and only then applies the custom resources.
- Validates all resources with server-side dry-run apply (namespaced objects must contain `metadata.namespace`, defaulting to the `default` namespace is no longer supported).
- Reconciles only the resources that drifted.
- Prunes the objects that were previously applied but are missing from the current inventory.
- Emits events for only the resources that were created, configured or deleted.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-09-30 18:34:40 +03:00
Stefan Prodan 5d1cb91841
Make the kubeconfig secrets compatible with SOPS
Add `values.yaml` to the supported kubeconfig secret key names in order for SOPS to correctly detect the storage format based on the file extension.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-08-04 14:43:33 +03:00
Brian Atkinson 2ca0edcf92
impersonation: Clear config.BearerTokenFile when setting BearerToken.
When running in a cluster, the BearerTokenFile is set to point to
`/var/run/secrets/kubernetes.io/serviceaccount/token` where the service
account's token is auto-mounted. If this value is not cleared, the
setting of the BearerToken field will have no effect. Relevant
documentation:
https://pkg.go.dev/k8s.io/client-go@v0.20.2/rest#Config.BearerTokenFile

Signed-off-by: Brian Atkinson <brian@atkinson.mn>
2021-01-25 15:14:35 -08:00
Stefan Prodan 5a0e5abd9a
Setup impersonation for GC and health checks
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-01-04 11:51:04 +02:00
Stefan Prodan 696f91d380
Refactor impersonation
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-01-04 11:50:59 +02:00