Support "Update" without "Create" management policy combinations #681
Comments
|
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as |
|
/fresh |
|
Thanks @tvandinther for creating the issue, sorry for noticing it late. Seems like this is still relevant. IMO it would make sense to add The change should not be big:
Adding this as a |
What problem are you facing?
Suppose you want to extend functionality of a resource of which you should not be managing the lifecycle of. To extend functionality of this resource you may need to add some annotations as is common in Kubernetes.
A more concrete example is providing a Kubernetes service account with AWS credentials via IRSA. This requires creating an IAM Role with the required policies and adding an annotation to the service account to link it to the IAM Role. However, this service account is created via a helm chart and you do not want to take "ownership" of the resource.
The problem is deciding on the right supported combination of management policies for the service account resource. All combinations of
UpdaterequireCreateto also be given. But this is not in the scope of this composition, it is designed to only annotate the service account if it exists and should fail otherwise. We are assuming a pre-existing resource, and will try again later if it is missing, presumably when the helm chart is installed.How could Crossplane help solve your problem?
Crossplane could solve this problem by allowing a combination of
ObserveandUpdatemanagement policies so that the provider can correctly annotate the service account without creating it if it is missing. The managed resource should fail to sync if it is missing and therefore cause the containing composition to not be ready.The text was updated successfully, but these errors were encountered: