From c380f7435ee0491b7206868f9c02ee0ae7e66bf9 Mon Sep 17 00:00:00 2001 From: Hasan Turken Date: Wed, 11 Sep 2024 10:04:11 +0300 Subject: [PATCH] Add note on configuring provider service accounts Signed-off-by: Hasan Turken --- content/master/concepts/providers.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/content/master/concepts/providers.md b/content/master/concepts/providers.md index 591d009e..17550100 100644 --- a/content/master/concepts/providers.md +++ b/content/master/concepts/providers.md @@ -766,6 +766,20 @@ spec: name: my-service-account ``` +{{}} +Setting the `serviceAccountTemplate.metadata.name` field will override the +the name of service account created by the package manager and used in the +provider deployment. The package manager will own that service account and +will be fighting to take ownership if there are other owners. A common mistake +is configuring the same service account for multiple packages in this way +which ends up frequent reconciliation loops and loads on the API server. + +If you just want to use an existing service account, you should instead only +set the `deploymentTemplate.spec.template.spec.serviceAccountName` field. +Crossplane will then use the existing service account without taking the ownership +and still take care of binding the necessary permissions. +{{}} + ### Provider configuration The `ProviderConfig` determines settings the Provider uses communicating to the
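Review bot: The first added paragraph has wording problems that blur the warning. "will override the" followed by "the name of service account" repeats "the" across the line break, and "which ends up frequent reconciliation loops and loads on the API server" is missing a verb; something like "which results in frequent reconciliation loops and extra load on the API server" reads correctly. "will be fighting to take ownership if there are other owners" would be clearer if it named the other owners, since the next sentence implies they are the package manager's own reconciliations for other packages that set the same `serviceAccountTemplate.metadata.name`. In the second paragraph, "without taking the ownership" should be "without taking ownership". Because that paragraph says Crossplane still binds the necessary permissions to an existing service account named through `deploymentTemplate.spec.template.spec.serviceAccountName`, consider adding a sentence on what happens when several providers point at the same existing account, so readers can judge whether sharing one account fits their least-privilege setup.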