This commit adds a ServiceAccount (config/rbac/service_account.yaml)

and kustomize ValueAddTransformer (config/default/service_account_transformer.yaml)
that allow a user to specify which service account their manager
should be created in. They may change this value by updating
both files, minding the name prefix.

pkg/plugins/golang/v3: update all scaffolds referencing the
default service account with references to the "controller-manager"
service account, specified in service_account.yaml, and
scaffold the SerivceAccount and ValueAddTransformer

Signed-off-by: Eric Stroczynski <ericstroczynski@gmail.com>

pkg/plugins/golang/v3/scaffolds/init.go

@@ -105,6 +105,7 @@ func (s *initScaffolder) scaffold() error {
 		&rbac.RoleBinding{},
 		&rbac.LeaderElectionRole{},
 		&rbac.LeaderElectionRoleBinding{},
+		&rbac.ServiceAccount{},
 		&manager.Kustomization{},
 		&manager.Config{Image: imageName},
 		&manager.ControllerManagerConfig{},
@@ -123,6 +124,7 @@ func (s *initScaffolder) scaffold() error {
 		&kdefault.Kustomization{},
 		&kdefault.ManagerAuthProxyPatch{},
 		&kdefault.ManagerConfigPatch{},
+		&kdefault.ServiceAccountTransformer{},
 		&prometheus.Kustomization{},
 		&prometheus.Monitor{},
 		&certmanager.Certificate{},

pkg/plugins/golang/v3/scaffolds/internal/templates/config/kdefault/kustomization.go

@@ -89,6 +89,11 @@ patchesStrategicMerge:
 # 'CERTMANAGER' needs to be enabled to use ca injection
 #- webhookcainjection_patch.yaml
 
+# Transformers perform complex, specific operations during a kustomize build.
+transformers:
+# Replaces all default service account name references with a custom value.
+- service_account_transformer.yaml
+
 # the following config is for teaching kustomize how to do var substitution
 vars:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.

pkg/plugins/golang/v3/scaffolds/internal/templates/config/kdefault/service_account_transformer.go

@@ -0,0 +1,77 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kdefault
+
+import (
+	"path/filepath"
+
+	"sigs.k8s.io/kubebuilder/v3/pkg/model/file"
+)
+
+var _ file.Template = &ServiceAccountTransformer{}
+
+// ServiceAccountTransformer scaffolds a file that defines the kustomization scheme for the default overlay folder
+type ServiceAccountTransformer struct {
+	file.TemplateMixin
+	file.ProjectNameMixin
+}
+
+// SetTemplateDefaults implements file.Template
+func (f *ServiceAccountTransformer) SetTemplateDefaults() error {
+	if f.Path == "" {
+		f.Path = filepath.Join("config", "default", "service_account_transformer.yaml")
+	}
+
+	f.TemplateBody = saReplaceTemplate
+
+	f.IfExistsAction = file.Error
+
+	return nil
+}
+
+//nolint:lll
+const saReplaceTemplate = `# This transformer replaces the service account name in config/rbac/service_account.yaml with
+# the result of applying the config/default name prefix to that name.
+apiVersion: builtin
+kind: ValueAddTransformer
+metadata:
+  name: serviceAccountSubstitute
+
+# If you change this value, you must also update metadata.name in config/rbac/service_account.yaml.
+# Make sure the new value matches the result of applying any name prefix to the ServiceAccount's name.
+value: {{ .ProjectName }}-controller-manager
+
+# Update all RoleBindings and ClusterRoleBindings that have a ServiceAccount subject,
+# and the manager's Deployment.
+targets:
+- selector:
+    kind: RoleBinding
+    group: rbac.authorization.k8s.io
+    version: v1
+  fieldPath: subjects/[kind=ServiceAccount]/name
+- selector:
+    kind: ClusterRoleBinding
+    group: rbac.authorization.k8s.io
+    version: v1
+  fieldPath: subjects/[kind=ServiceAccount]/name
+- selector:
+    kind: Deployment
+    group: apps
+    version: v1
+    name: controller-manager
+  fieldPath: spec/template/spec/serviceAccountName
+`

pkg/plugins/golang/v3/scaffolds/internal/templates/config/manager/config.go

@@ -100,5 +100,6 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
 `

pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/auth_proxy_role_binding.go

@@ -50,6 +50,6 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
 `

pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/kustomization.go

@@ -43,6 +43,12 @@ func (f *Kustomization) SetTemplateDefaults() error {
 }
 
 const kustomizeRBACTemplate = `resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to set the existing service account name as
+# the "value" in config/default/service_account_transformer.yaml.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml

pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/leader_election_role_binding.go

@@ -50,6 +50,6 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
 `

pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/role_binding.go

@@ -50,6 +50,6 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
 `

pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/service_account.go

@@ -0,0 +1,48 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rbac
+
+import (
+	"path/filepath"
+
+	"sigs.k8s.io/kubebuilder/v3/pkg/model/file"
+)
+
+var _ file.Template = &ServiceAccount{}
+
+// ServiceAccount scaffolds a file that defines the service account the manager is deployed in.
+type ServiceAccount struct {
+	file.TemplateMixin
+}
+
+// SetTemplateDefaults implements file.Template
+func (f *ServiceAccount) SetTemplateDefaults() error {
+	if f.Path == "" {
+		f.Path = filepath.Join("config", "rbac", "service_account.yaml")
+	}
+
+	f.TemplateBody = serviceAccountTemplate
+
+	return nil
+}
+
+const serviceAccountTemplate = `apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
+`

testdata/project-v3-addon/config/default/kustomization.yaml

@@ -43,6 +43,11 @@ patchesStrategicMerge:
 # 'CERTMANAGER' needs to be enabled to use ca injection
 #- webhookcainjection_patch.yaml
 
+# Transformers perform complex, specific operations during a kustomize build.
+transformers:
+# Replaces all default service account name references with a custom value.
+- service_account_transformer.yaml
+
 # the following config is for teaching kustomize how to do var substitution
 vars:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.

testdata/project-v3-addon/config/default/service_account_transformer.yaml

@@ -0,0 +1,30 @@
+# This transformer replaces the service account name in config/rbac/service_account.yaml with
+# the result of applying the config/default name prefix to that name.
+apiVersion: builtin
+kind: ValueAddTransformer
+metadata:
+  name: serviceAccountSubstitute
+
+# If you change this value, you must also update metadata.name in config/rbac/service_account.yaml.
+# Make sure the new value matches the result of applying any name prefix to the ServiceAccount's name.
+value: project-v3-addon-controller-manager
+
+# Update all RoleBindings and ClusterRoleBindings that have a ServiceAccount subject,
+# and the manager's Deployment.
+targets:
+- selector:
+    kind: RoleBinding
+    group: rbac.authorization.k8s.io
+    version: v1
+  fieldPath: subjects/[kind=ServiceAccount]/name
+- selector:
+    kind: ClusterRoleBinding
+    group: rbac.authorization.k8s.io
+    version: v1
+  fieldPath: subjects/[kind=ServiceAccount]/name
+- selector:
+    kind: Deployment
+    group: apps
+    version: v1
+    name: controller-manager
+  fieldPath: spec/template/spec/serviceAccountName

testdata/project-v3-addon/config/manager/manager.yaml

@@ -52,4 +52,5 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10

testdata/project-v3-addon/config/rbac/auth_proxy_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system

testdata/project-v3-addon/config/rbac/kustomization.yaml

@@ -1,4 +1,10 @@
 resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to set the existing service account name as
+# the "value" in config/default/service_account_transformer.yaml.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml

testdata/project-v3-addon/config/rbac/leader_election_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system

testdata/project-v3-addon/config/rbac/role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system

testdata/project-v3-addon/config/rbac/service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system

testdata/project-v3-config/config/default/kustomization.yaml

@@ -43,6 +43,11 @@ patchesStrategicMerge:
 # 'CERTMANAGER' needs to be enabled to use ca injection
 #- webhookcainjection_patch.yaml
 
+# Transformers perform complex, specific operations during a kustomize build.
+transformers:
+# Replaces all default service account name references with a custom value.
+- service_account_transformer.yaml
+
 # the following config is for teaching kustomize how to do var substitution
 vars:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.

testdata/project-v3-config/config/default/service_account_transformer.yaml

@@ -0,0 +1,30 @@
+# This transformer replaces the service account name in config/rbac/service_account.yaml with
+# the result of applying the config/default name prefix to that name.
+apiVersion: builtin
+kind: ValueAddTransformer
+metadata:
+  name: serviceAccountSubstitute
+
+# If you change this value, you must also update metadata.name in config/rbac/service_account.yaml.
+# Make sure the new value matches the result of applying any name prefix to the ServiceAccount's name.
+value: project-v3-config-controller-manager
+
+# Update all RoleBindings and ClusterRoleBindings that have a ServiceAccount subject,
+# and the manager's Deployment.
+targets:
+- selector:
+    kind: RoleBinding
+    group: rbac.authorization.k8s.io
+    version: v1
+  fieldPath: subjects/[kind=ServiceAccount]/name
+- selector:
+    kind: ClusterRoleBinding
+    group: rbac.authorization.k8s.io
+    version: v1
+  fieldPath: subjects/[kind=ServiceAccount]/name
+- selector:
+    kind: Deployment
+    group: apps
+    version: v1
+    name: controller-manager
+  fieldPath: spec/template/spec/serviceAccountName

testdata/project-v3-config/config/manager/manager.yaml

@@ -50,4 +50,5 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10

testdata/project-v3-config/config/rbac/auth_proxy_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system

testdata/project-v3-config/config/rbac/kustomization.yaml

@@ -1,4 +1,10 @@
 resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to set the existing service account name as
+# the "value" in config/default/service_account_transformer.yaml.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml

testdata/project-v3-config/config/rbac/leader_election_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system

testdata/project-v3-config/config/rbac/role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system

testdata/project-v3-config/config/rbac/service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system

testdata/project-v3-multigroup/config/default/kustomization.yaml

@@ -43,6 +43,11 @@ patchesStrategicMerge:
 # 'CERTMANAGER' needs to be enabled to use ca injection
 #- webhookcainjection_patch.yaml
 
+# Transformers perform complex, specific operations during a kustomize build.
+transformers:
+# Replaces all default service account name references with a custom value.
+- service_account_transformer.yaml
+
 # the following config is for teaching kustomize how to do var substitution
 vars:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.