Cross namespace storage accounts with per namespace blob container #3049

Closed
b1zzu opened this issue Jun 6, 2023 · 3 comments

@b1zzu

b1zzu commented Jun 6, 2023

Describe the current behavior

Currently, if I want to use a storage account in multiple namespaces with a container per namespace, I have to recreate the whole ResourceGroup -> StorageAccount -> StorageAccountsBlobService -> StorageAccountsBlobServicesContainer. While I can annotate the ResourceGroup, StorageAccountsBlobService, StorageAccountsBlobServicesContainer with the serviceoperator.azure.com/reconcile-policy: skip annotations so that I don't have multiple namespaces trying to manage the same resource, I still have to set the StorageAccount as managed, otherwise the secret with the keys is not created in the namespace I need them.

Describe the improvement

I see two improvements:

  • Minor: allow referencing resources across namespaces
  • Define an additional reconcile-policy to only sync secrets or make the skip policy sync secrets in the cluster
@theunrepentantgeek
Member

Kubernetes object ownership cannot cross namespace boundaries:

Cross-namespace owner references are disallowed by design. Namespaced dependents can specify cluster-scoped or namespaced owners. A namespaced owner must exist in the same namespace as the dependent.

That said, I think we have a couple of things on our backlog that would solve much, if not all, of your problem.

The first is feature request #2357, which would allow owners to be arbitrary ARM references.

The second is bug report #2985, where a user wants config-maps to be published from a resource even if marked with skip. We think treating secrets the same way would be appropriate.

Do you think that combination would work in your context?

@b1zzu
Author

b1zzu commented Jun 7, 2023

@theunrepentantgeek Yes, it should work. I think we can then close this task in favor of the issues you have mentioned.

@matthchr
Member

Closing this as requested.

@github-project-automation github-project-automation bot moved this from Backlog to Recently Completed in Azure Service Operator Roadmap Jun 12, 2023
@matthchr matthchr moved this from Recently Completed to Ready for Release in Azure Service Operator Roadmap Jun 12, 2023