From 86a8d269850fcc186e1f1530bd72379f714e0375 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Mon, 4 Apr 2022 16:29:57 +0100
Subject: [PATCH] Update KubeConfig documentation
When the flag --default-service-account was added it changed slightly the behaviour of the spec.KubeConfig field. It forces the impersonation to always take place, either via the contents of spec.ServiceAccountName or its fallback at controller level.
Signed-off-by: Paulo Gomes
---
 api/v2beta1/helmrelease_types.go | 7 ++++++-
 .../bases/helm.toolkit.fluxcd.io_helmreleases.yaml | 6 +++++-
 docs/api/helmrelease.md | 14 ++++++++++++--
 3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/api/v2beta1/helmrelease_types.go b/api/v2beta1/helmrelease_types.go
index 06d9e793c..11dd09e6a 100644
--- a/api/v2beta1/helmrelease_types.go
+++ b/api/v2beta1/helmrelease_types.go
@@ -74,7 +74,12 @@ type HelmReleaseSpec struct {
 Interval metav1.Duration `json:"interval"`
 // KubeConfig for reconciling the HelmRelease on a remote cluster.
- // When specified, KubeConfig takes precedence over ServiceAccountName.
+ // When used in combination with HelmReleaseSpec.ServiceAccountName,
+ // forces the controller to act on behalf of that Service Account at the
+ // target cluster.
+ // If the --default-service-account flag is set, its value will be used as
+ // a controller level fallback for when HelmReleaseSpec.ServiceAccountName
+ // is empty.
 // +optional
 KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`
diff --git a/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml b/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml
index 943131731..2c4c6fa63 100644
--- a/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml
+++ b/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml
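Review bot: The new KubeConfig comment does not say which identity the controller uses when both HelmReleaseSpec.ServiceAccountName and --default-service-account are empty; presumably it then acts with the kubeconfig's own credentials and no impersonation, which is the case a reader locking down multi-tenancy most needs spelled out. I would add a line such as `// If neither is set, the controller acts with the identity in the KubeConfig itself.` after confirming it against the reconciler, which is not in this diff. The flag is also written bare, and the regenerated docs/api/helmrelease.md hunks show it as `–default-service-account` with an en dash, so it cannot be copied from the docs; wrapping it in backticks in this comment would probably keep the two hyphens after regeneration. The struct HelmReleaseSpec starts and ends outside the hunk.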
@@ -237,7 +237,11 @@ spec:
 type: string
 kubeConfig:
 description: KubeConfig for reconciling the HelmRelease on a remote
- cluster. When specified, KubeConfig takes precedence over ServiceAccountName.
+ cluster. When used in combination with HelmReleaseSpec.ServiceAccountName,
+ forces the controller to act on behalf of that Service Account at
+ the target cluster. If the --default-service-account flag is set,
+ its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName
+ is empty.
 properties:
 secretRef:
 description: SecretRef holds the name to a secret that contains
diff --git a/docs/api/helmrelease.md b/docs/api/helmrelease.md
index 6fc88526a..ee1ab6686 100644
--- a/docs/api/helmrelease.md
+++ b/docs/api/helmrelease.md
@@ -107,7 +107,12 @@ KubeConfig (Optional)

KubeConfig for reconciling the HelmRelease on a remote cluster.
-When specified, KubeConfig takes precedence over ServiceAccountName.

+When used in combination with HelmReleaseSpec.ServiceAccountName,
+forces the controller to act on behalf of that Service Account at the
+target cluster.
+If the –default-service-account flag is set, its value will be used as
+a controller level fallback for when HelmReleaseSpec.ServiceAccountName
+is empty.

@@ -743,7 +748,12 @@ KubeConfig (Optional)

KubeConfig for reconciling the HelmRelease on a remote cluster.
-When specified, KubeConfig takes precedence over ServiceAccountName.

+When used in combination with HelmReleaseSpec.ServiceAccountName,
+forces the controller to act on behalf of that Service Account at the
+target cluster.
+If the –default-service-account flag is set, its value will be used as
+a controller level fallback for when HelmReleaseSpec.ServiceAccountName
+is empty.