It would be convenient to also accept service accounts as approvers or otherwise permit service accounts to update the approval status of an ApprovalTask resource.
Use case:
We'd like to use the manual approval gate to interrupt pipelines started by a custom CI/CD system. That system can add additional checks (e.g. wait for a pull request to be approved) and then continue the pipeline by approving the custom resource. In this case it's not a user interacting with the ApprovalTask but a pod running with a certain service account.
We propose to extend the definition of approvers like this:
spec:
approvers:
- name: pipelines
type: ServiceAccount
input: pendingor when used in a pipeline:
params:
- name: approvers
value:
- serviceaccount:<namespace>:<service-accunt-name>The webhook should then allow patch operation from service accounts listed as approvers.
It would be convenient to also accept service accounts as approvers or otherwise permit service accounts to update the approval status of an
ApprovalTaskresource.Use case:
We'd like to use the manual approval gate to interrupt pipelines started by a custom CI/CD system. That system can add additional checks (e.g. wait for a pull request to be approved) and then continue the pipeline by approving the custom resource. In this case it's not a user interacting with the ApprovalTask but a pod running with a certain service account.
We propose to extend the definition of approvers like this:
or when used in a pipeline:
The webhook should then allow patch operation from service accounts listed as approvers.