Unable to add extra SA with NS in the bundle manifest

[camilamacedo86]

Bug Report

Unable to define a namespace (ns) for an extra ServiceAccount shipped on the bundle.

What did you do?

Following the steps to reproduce the issue scenario with testdata/go/v3/memcached/

1. Create the testdata/go/v3/memcached-operator/config/rbac/service_account_pod.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-pod-service-account
  # If we fixed here the ns then the following error is faced with operator-sdk bundle validate
  # operator-sdk bundle validate ./bundle
  # ERRO[0000] Error: Value my-pod-service-account: error validating object: metadata.namespace: Forbidden: not allowed on this type. &{map[apiVersion:v1 kind:ServiceAccount metadata:map[name:my-pod-service-account namespace:other-ns]]}
  namespace: other-ns 

2 - Add the extra SA to: (testdata/go/v3/memcached-operator/config/rbac/kustomization.yaml)

...
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml
- service_account_pod.yaml 

3 - Run make bundle. That will fail when we run the command operator-sdk bundle validate

What did you expect to see?

operator-sdk bundle validate does not return an error when a specific ns for the service account is informed.

What did you see instead? Under which circumstances?

ERRO[0000] Error: Value my-pod-service-account: error validating object: metadata.namespace: Forbidden: not allowed on this type. &{map[apiVersion:v1 kind:ServiceAccount metadata:map[name:my-pod-service-account namespace:other-ns]]}

Environment

$ operator-sdk version

• 1.19.0

Possible Solution

To solve this issue is required to change the spec validations in the operator-framework/api and then bump it to SDK.

Additional context

If the namespace added to the extra SA does not exist then, OLM will be unable to install the Operator.

That means that if an Operator Author tries to do that to ship the Operator in any image where its CI checks if the project is at least deployable on the cluster with OLM then, it will fail if when the ns informed, is not created by default on the k8s vendor. So, this configuration will only work when:

• The ns informed already exist on the cluster before OLM try to install it
• To publish in OCP catalog or any index catalog used by it, if the ns informed is an ns created by default on the cluster.

OLM bundles do not accept we add an ns manifest to allow the specific ns to be created when OLM applies all to install the Operator on the cluster.

[varshaprasad96]

We need OLM to support this feature wherein a different SA is supported while specifying an extra SA.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[camilamacedo86]

/lifecycle frozen

@varshaprasad96 @jmrodri

OLM supports that (as far as I know)
We just need to change the validations to allow that.

OLM bundles do not accept we add an ns manifest to allow the specific ns to be created when OLM applies all to install the Operator on the cluster.

The goal of this one is we collab with Operator-Framework/api OR OLM valuations to allow users do it

[everettraven]

/unassign jmrodri

I'm a little confused by what this issue is asking for. @camilamacedo86 @varshaprasad96 Is this something we still want to consider implementing or can this issue be closed?