I need to be able to patch the serviceAccountName inside a HelmRelease via Kustomization. The special setup here is that the kustomization where I want to apply the patch is in a tenant repository, and the HelmRelease is in a synced Git repository:

I am using Flux and Kustomization. In my tenant repository I have a kustomization configuration which includes a Git repository, podinfo.

The Git repository podinfo contains the following files:

kustomization.yaml
release.yaml
repository.yaml

The kustomization is very basic:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - repository.yaml
  - release.yaml

And the release.yaml contains

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: podinfo
  namespace: apps
spec:
  releaseName: podinfo
  chart:
    spec:
      chart: podinfo
      sourceRef:
        kind: HelmRepository
        name: podinfo
  interval: 5m

NOTE: there is no serviceAccountName defined for the HelmRelease.

Question:

How can I write a patch in the tenant repository that adds the serviceAccountName to the HelmRelease in the podinfo repo, without explicitly referencing the name of the HelmRelease?

--

I already tried the following in the tenant repository kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- auth.yaml
- rbac.yaml
- sync.yaml
patches:
  - patch: |
      - op: add
        path: /spec/serviceAccountName
        value: platform-podinfo
    target:
      kind: HelmRelease

where sync.yaml includes the podinfo repository via:

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: platform-podinfo
  namespace: apps-platform
spec:
  interval: 1m0s
  ref:
    branch: main
  secretRef:
    name: platform-podinfo-auth
  url: ssh://git@git.example.com/group/podinfo.git
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: platform-podinfo
  namespace: apps-platform
spec:
  interval: 1m0s
  path: ./
  prune: false
  serviceAccountName: platform-podinfo
  sourceRef:
    kind: GitRepository
    name: platform-podinfo
  targetNamespace: apps-platform

But the patch is not applied to the HelmRelease in the included Git repo (from sync.yaml).

Stefan Profanter
  • I don't understand the relationship between the second `kustomization.yaml` and the other manifests in your question. It doesn't appear that the `kustomization.yaml` with the patch ever includes those other manifests. – larsks Jun 14 '23 at 14:26
  • @larsks the kustomization.yaml in the tenant repo includes the other manifests via a Git repo. I updated my question to also include that sync.yaml content. – Stefan Profanter Jun 14 '23 at 14:35
  • Kustomize can only patch resources that are directly included in the `resources` section (or generated via configMapGenerator, etc). So you could apply patches to `sync.yaml` itself, but you cannot apply a patch to something in the other repository because that content isn't generated by kustomize. – larsks Jun 14 '23 at 14:38
  • Hmm, that's a bummer :( I would like to avoid having to change the podinfo repo if we deploy it with a different service account. This should be injectable from the tenant repo, similar to how it already works with targetNamespace, which overrides the namespace. – Stefan Profanter Jun 14 '23 at 14:44

0 Answers
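The comments explain why the attempt fails: kustomize's own `patches` in the tenant kustomization.yaml only see the resources listed there (auth.yaml, rbac.yaml, sync.yaml), while the HelmRelease is rendered later, inside the cluster, by the kustomize-controller from the podinfo GitRepository. The Flux Kustomization resource (kustomize.toolkit.fluxcd.io/v1) has its own `spec.patches` field, applied by the kustomize-controller to the manifests it builds from the source, which is the point at which the tenant repository can inject the field without naming the HelmRelease. As an added example (not from the question or its comments), the asker's sync.yaml Kustomization with that patch moved into `spec.patches`; it assumes the ServiceAccount `platform-podinfo` exists in `apps-platform`, the namespace the HelmRelease lands in after `targetNamespace`:

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: platform-podinfo
  namespace: apps-platform
spec:
  interval: 1m0s
  path: ./
  prune: false
  # Identity the kustomize-controller impersonates when applying the podinfo
  # manifests; the HelmRelease patch below gives helm-controller the same one.
  serviceAccountName: platform-podinfo
  sourceRef:
    kind: GitRepository
    name: platform-podinfo
  targetNamespace: apps-platform
  # Applied in-cluster to the output of the podinfo repository's own
  # kustomization.yaml, so the podinfo repo itself needs no change.
  # The target selects by API group and kind only, so the HelmRelease's
  # name is never referenced here (add labelSelector/name to narrow it).
  patches:
    - target:
        group: helm.toolkit.fluxcd.io
        kind: HelmRelease
      patch: |
        # JSON 6902 "add" fails if /spec is missing; the podinfo
        # HelmRelease always has a spec, so this is safe here.
        - op: add
          path: /spec/serviceAccountName
          value: platform-podinfo
```

The ServiceAccount `platform-podinfo` in `apps-platform` (assumed to be created by the tenant's auth.yaml/rbac.yaml) must carry the RBAC the chart's resources need, since helm-controller installs the release as that identity; `flux build kustomization platform-podinfo --path ./` against a local checkout of podinfo shows the patched HelmRelease before it is committed.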