From b0f36fccd394a08694a0854e0ad1cdb9e1bb4572 Mon Sep 17 00:00:00 2001
From: Tom Gundersen <teg@jklm.no>
Date: Wed, 27 Oct 2021 18:19:52 +0100
Subject: [PATCH] templates: add service account

Avoid using the default account, but use a dedicated one.

This follows the guidelines from AppSRE and is what was done for
image-builder.

Signed-off-by: Tom Gundersen <teg@jklm.no>
---
 templates/composer.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/templates/composer.yml b/templates/composer.yml
index 58b9c5a43..75aed9d20 100644
--- a/templates/composer.yml
+++ b/templates/composer.yml
@@ -35,6 +35,7 @@ objects:
         labels:
           app: composer
       spec:
+        serviceAccountName: image-builder
         containers:
         - image: "${IMAGE_NAME}:${IMAGE_TAG}"
           name: composer
@@ -125,6 +126,13 @@ objects:
           - name: PGSSLMODE
             value: "${PGSSLMODE}"
 
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: image-builder
+  imagePullSecrets:
+  - name: quay-cloudservices-pull
+
 - apiVersion: v1
   kind: Service
   metadata: