From be374c06ecebf589c1dddf1a7faf5eaf894123bc Mon Sep 17 00:00:00 2001
From: Aleksandr Nogikh <nogikh@google.com>
Date: Thu, 27 Feb 2025 23:01:21 +0100
Subject: syz-cluster: use a separate service account for DB mgmt

This will let us use more granular IAM permissions.
---
 syz-cluster/db-mgmt/migrate-job.yaml                | 2 +-
 syz-cluster/overlays/minikube/service-accounts.yaml | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/syz-cluster/db-mgmt/migrate-job.yaml b/syz-cluster/db-mgmt/migrate-job.yaml
index 9eee8e1cf..d77ea1620 100644
--- a/syz-cluster/db-mgmt/migrate-job.yaml
+++ b/syz-cluster/db-mgmt/migrate-job.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
   template:
     spec:
-      serviceAccountName: gke-service-ksa
+      serviceAccountName: gke-db-admin-ksa
       containers:
       - name: migrate
         image: ${IMAGE_PREFIX}db-mgmt:${IMAGE_TAG}
diff --git a/syz-cluster/overlays/minikube/service-accounts.yaml b/syz-cluster/overlays/minikube/service-accounts.yaml
index bcec70c6c..40854fd3c 100644
--- a/syz-cluster/overlays/minikube/service-accounts.yaml
+++ b/syz-cluster/overlays/minikube/service-accounts.yaml
@@ -22,3 +22,11 @@ kind: ServiceAccount
 metadata:
   name: argo-controller-ksa
   namespace: argo
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gke-db-admin-ksa
+  namespace: default
-- 
cgit mrf-deployment