ansible/helm - apply the service acount

Signed-off-by: Camila Macedo <cmacedo@redhat.com>
operator-framework · Mar 16, 2021 · 8fb8252 · 8fb8252
1 parent f28e25b
commit 8fb8252
Show file tree

Hide file tree

Showing 28 changed files with 529 additions and 277 deletions.
diff --git a/changelog/fragments/service_account.yaml b/changelog/fragments/service_account.yaml
@@ -1,70 +1,86 @@
 # entries is a list of entries to include in
 # release notes and/or the migration guide
 entries:
-  - description: >
-      (ansible/v1) (helm/v1) Create and bind to a non-default service account ([kubebuilder#2070](https://github.com/kubernetes-sigs/kubebuilder/pull/2070))
-      kind: addition
+    - description: >
+          (ansible/v1, helm/v1) Create and bind to a non-default service account ([kubebuilder#2070](https://github.com/kubernetes-sigs/kubebuilder/pull/2070))
+      kind: "addition"
+      breaking: false
+
+        # NOTE: ONLY USE `pull_request_override` WHEN ADDING THIS
+        # FILE FOR A PREVIOUSLY MERGED PULL_REQUEST!
+        #
+        # The generator auto-detects the PR number from the commit
+        # message in which this file was originally added.
+        #
+        # What is the pull request number (without the "#")?
+        # pull_request_override: 0
+
+
+        # Migration can be defined to automatically add a section to
+        # the migration guide. This is required for breaking changes.
       migration:
-      header: (go/v3) Add a `system:controller-manager` ServiceAccount to your project.
-      body: >
-        A non-default ServiceAccount `controller-manager` is scaffolded on `operator-sdk init`,
-        to improve security for operators installed in shared namespaces. To add this ServiceAccount
-        to your project, do the following:
-        ```sh
-        # Create the ServiceAccount.
-        cat <<EOF > config/rbac/service_account.yaml
-        apiVersion: v1
-        kind: ServiceAccount
-        metadata:
-          name: controller-manager
-          namespace: system
-        EOF
-        # Add it to the list of RBAC resources.
-        echo "- service_account.yaml" >> config/rbac/kustomization.yaml
-        # Update all RoleBinding and ClusterRoleBinding subjects that reference the operator's ServiceAccount.
-        find config/rbac -name *_binding.yaml -exec sed -i -E 's/  name: default/  name: controller-manager/g' {} \;
-        # Add the ServiceAccount name to the manager Deployment's spec.template.spec.serviceAccountName.
-        sed -i -E 's/([ ]+)(terminationGracePeriodSeconds:)/\1serviceAccountName: controller-manager\n\1\2/g' config/manager/manager.yaml
-        ```
-        The changes should look like:
-        ```diff
-        # config/manager/manager.yaml
-                   requests:
-                     cpu: 100m
-                     memory: 20Mi
-        +      serviceAccountName: controller-manager
-               terminationGracePeriodSeconds: 10
-        # config/rbac/auth_proxy_role_binding.yaml
-           name: proxy-role
-         subjects:
-         - kind: ServiceAccount
-        -  name: default
-        +  name: controller-manager
-           namespace: system
-        # config/rbac/kustomization.yaml
-         resources:
-        +- service_account.yaml
-         - role.yaml
-         - role_binding.yaml
-         - leader_election_role.yaml
-        # config/rbac/leader_election_role_binding.yaml
-           name: leader-election-role
-         subjects:
-         - kind: ServiceAccount
-        -  name: default
-        +  name: controller-manager
-           namespace: system
-        # config/rbac/role_binding.yaml
-           name: manager-role
-         subjects:
-         - kind: ServiceAccount
-        -  name: default
-        +  name: controller-manager
-           namespace: system
-        # config/rbac/service_account.yaml
-        +apiVersion: v1
-        +kind: ServiceAccount
-        +metadata:
-        +  name: controller-manager
-        +  namespace: system
-        ```
+          header: (ansible/v1, helm/v1) Add a `system:controller-manager` ServiceAccount to your project.
+          body: >
+              A non-default ServiceAccount `controller-manager` is scaffolded on `operator-sdk init`,
+              to improve security for operators installed in shared namespaces. To add this ServiceAccount
+              to your project, do the following:
+              ```sh
+              # Create the ServiceAccount.
+              cat <<EOF > config/rbac/service_account.yaml
+              apiVersion: v1
+              kind: ServiceAccount
+              metadata:
+                name: controller-manager
+                namespace: system
+              EOF
+              # Add it to the list of RBAC resources.
+              echo "- service_account.yaml" >> config/rbac/kustomization.yaml
+              # Update all RoleBinding and ClusterRoleBinding subjects that reference the operator's ServiceAccount.
+              find config/rbac -name *_binding.yaml -exec sed -i -E 's/  name: default/  name: controller-manager/g' {} \;
+              # Add the ServiceAccount name to the manager Deployment's spec.template.spec.serviceAccountName.
+              sed -i -E 's/([ ]+)(terminationGracePeriodSeconds:)/\1serviceAccountName: controller-manager\n\1\2/g' config/manager/manager.yaml
+              ```
+              The changes should look like:
+              ```diff
+              # config/manager/manager.yaml
+                         requests:
+                           cpu: 100m
+                           memory: 20Mi
+              +      serviceAccountName: controller-manager
+                     terminationGracePeriodSeconds: 10
+              # config/rbac/auth_proxy_role_binding.yaml
+                 name: proxy-role
+               subjects:
+               - kind: ServiceAccount
+              -  name: default
+              +  name: controller-manager
+                 namespace: system
+              # config/rbac/kustomization.yaml
+               resources:
+              +- service_account.yaml
+               - role.yaml
+               - role_binding.yaml
+               - leader_election_role.yaml
+              # config/rbac/leader_election_role_binding.yaml
+                 name: leader-election-role
+               subjects:
+               - kind: ServiceAccount
+              -  name: default
+              +  name: controller-manager
+                 namespace: system
+              # config/rbac/role_binding.yaml
+                 name: manager-role
+               subjects:
+               - kind: ServiceAccount
+              -  name: default
+              +  name: controller-manager
+                 namespace: system
+              # config/rbac/service_account.yaml
+              +apiVersion: v1
+              +kind: ServiceAccount
+              +metadata:
+              +  name: controller-manager
+              +  namespace: system
+              ```
+
+
diff --git a/internal/plugins/ansible/v1/scaffolds/internal/templates/config/rbac/kustomization.go b/internal/plugins/ansible/v1/scaffolds/internal/templates/config/rbac/kustomization.go
@@ -48,7 +48,7 @@ const kustomizeRBACTemplate = `resources:
 # if your manager will use a service account that exists at
 # runtime. Be sure to update RoleBinding and ClusterRoleBinding
 # subjects if changing service account names.
-- service_account.yam
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml

diff --git a/internal/plugins/ansible/v1/scaffolds/internal/templates/config/rbac/service_account.go b/internal/plugins/ansible/v1/scaffolds/internal/templates/config/rbac/service_account.go
@@ -1,6 +1,5 @@
 /*
-Copyright 2019 The Kubernetes Authors.
-Modifications copyright 2020 The Operator-SDK Authors
+Copyright 2020 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

diff --git a/internal/plugins/helm/v1/chartutil/testdata/test-chart/templates/_helpers.tpl b/internal/plugins/helm/v1/chartutil/testdata/test-chart/templates/_helpers.tpl
@@ -55,9 +55,5 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "test-chart.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
-    {{ default (include "test-chart.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
-    {{ default "controller-manager" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
+{{ default "controller-manager" .Values.serviceAccount.name }}
+{{- end -}}
diff --git a/internal/plugins/helm/v1/scaffolds/internal/templates/config/manager/manager.go b/internal/plugins/helm/v1/scaffolds/internal/templates/config/manager/manager.go
@@ -98,5 +98,6 @@ spec:
           requests:
             cpu: 100m
             memory: 60Mi
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
 `
diff --git a/internal/plugins/helm/v1/scaffolds/internal/templates/config/rbac/service_account.go b/internal/plugins/helm/v1/scaffolds/internal/templates/config/rbac/service_account.go
@@ -1,6 +1,5 @@
 /*
-Copyright 2019 The Kubernetes Authors.
-Modifications copyright 2020 The Operator-SDK Authors
+Copyright 2020 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

diff --git a/internal/scorecard/testdata/pod.yaml b/internal/scorecard/testdata/pod.yaml
@@ -24,7 +24,7 @@ spec:
   dnsPolicy: ClusterFirst
   restartPolicy: Never
   securityContext: {}
-  serviceAccount: controller-manager
+  serviceAccount: default
   serviceAccountName: default
   volumes:
   - name: scorecard-bundle

diff --git a/test/e2e/ansible/cluster_test.go b/test/e2e/ansible/cluster_test.go
@@ -245,11 +245,9 @@ var _ = Describe("Running ansible projects", func() {
 			Eventually(verifyMemcachedPatch, time.Minute, time.Second).Should(Succeed())
 
 			By("granting permissions to access the metrics and read the token")
-			_, err = tc.Kubectl.Command(
-				"create",
-				"clusterrolebinding", metricsClusterRoleBindingName,
+			_, err = tc.Kubectl.Command("create", "clusterrolebinding", metricsClusterRoleBindingName,
 				fmt.Sprintf("--clusterrole=%s-metrics-reader", tc.ProjectName),
-				fmt.Sprintf("--serviceaccount=%s:default", tc.Kubectl.Namespace))
+				fmt.Sprintf("--serviceaccount=%s:%s", tc.Kubectl.Namespace, tc.Kubectl.ServiceAccount))
 			Expect(err).NotTo(HaveOccurred())
 
 			By("reading the metrics token")
@@ -276,19 +274,21 @@ var _ = Describe("Running ansible projects", func() {
 			_, err = tc.Kubectl.CommandInNamespace(cmdOpts...)
 			Expect(err).NotTo(HaveOccurred())
 
-			By("validating the curl pod running as expected")
+			By("validating that the curl pod is running as expected")
 			verifyCurlUp := func() error {
 				// Validate pod status
 				status, err := tc.Kubectl.Get(
 					true,
 					"pods", "curl", "-o", "jsonpath={.status.phase}")
-				Expect(err).NotTo(HaveOccurred())
+				if err != nil {
+					return err
+				}
 				if status != "Completed" && status != "Succeeded" {
 					return fmt.Errorf("curl pod in %s status", status)
 				}
 				return nil
 			}
-			Eventually(verifyCurlUp, 4*time.Minute, time.Second).Should(Succeed())
+			Eventually(verifyCurlUp, 2*time.Minute, time.Second).Should(Succeed())
 
 			By("checking metrics endpoint serving as expected")
 			getCurlLogs := func() string {

diff --git a/test/e2e/ansible/suite_test.go b/test/e2e/ansible/suite_test.go
@@ -56,6 +56,7 @@ var _ = BeforeSuite(func() {
 	tc.Kind = "Memcached"
 	tc.ProjectName = "memcached-operator"
 	tc.Kubectl.Namespace = fmt.Sprintf("%s-system", tc.ProjectName)
+	tc.Kubectl.ServiceAccount = fmt.Sprintf("%s-controller-manager", tc.ProjectName)
 
 	By("copying sample to a temporary e2e directory")
 	Expect(exec.Command("cp", "-r", "../../../testdata/ansible/memcached-operator", tc.Dir).Run()).To(Succeed())

diff --git a/test/e2e/go/cluster_test.go b/test/e2e/go/cluster_test.go
@@ -154,7 +154,9 @@ var _ = Describe("operator-sdk", func() {
 				status, err := tc.Kubectl.Get(
 					true,
 					"pods", "curl", "-o", "jsonpath={.status.phase}")
-				ExpectWithOffset(1, err).NotTo(HaveOccurred())
+				if err != nil {
+					return err
+				}
 				if status != "Completed" && status != "Succeeded" {
 					return fmt.Errorf("curl pod in %s status", status)
 				}

diff --git a/test/e2e/helm/cluster_test.go b/test/e2e/helm/cluster_test.go
@@ -202,11 +202,9 @@ var _ = Describe("Running Helm projects", func() {
 			Eventually(verifyReleaseUpgrade, time.Minute, time.Second).Should(Succeed())
 
 			By("granting permissions to access the metrics and read the token")
-			_, err = tc.Kubectl.Command(
-				"create",
-				"clusterrolebinding", metricsClusterRoleBindingName,
+			_, err = tc.Kubectl.Command("create", "clusterrolebinding", metricsClusterRoleBindingName,
 				fmt.Sprintf("--clusterrole=%s-metrics-reader", tc.ProjectName),
-				fmt.Sprintf("--serviceaccount=%s:default", tc.Kubectl.Namespace))
+				fmt.Sprintf("--serviceaccount=%s:%s", tc.Kubectl.Namespace, tc.Kubectl.ServiceAccount))
 			Expect(err).NotTo(HaveOccurred())
 
 			By("reading the metrics token")
@@ -233,19 +231,19 @@ var _ = Describe("Running Helm projects", func() {
 			_, err = tc.Kubectl.CommandInNamespace(cmdOpts...)
 			Expect(err).NotTo(HaveOccurred())
 
-			By("validating the curl pod running as expected")
+			By("validating that the curl pod is running as expected")
 			verifyCurlUp := func() error {
 				// Validate pod status
 				status, err := tc.Kubectl.Get(
 					true,
 					"pods", "curl", "-o", "jsonpath={.status.phase}")
-				Expect(err).NotTo(HaveOccurred())
+				ExpectWithOffset(1, err).NotTo(HaveOccurred())
 				if status != "Completed" && status != "Succeeded" {
 					return fmt.Errorf("curl pod in %s status", status)
 				}
 				return nil
 			}
-			Eventually(verifyCurlUp, 4*time.Minute, time.Second).Should(Succeed())
+			Eventually(verifyCurlUp, 2*time.Minute, time.Second).Should(Succeed())
 
 			By("checking metrics endpoint serving as expected")
 			getCurlLogs := func() string {

diff --git a/test/e2e/helm/suite_test.go b/test/e2e/helm/suite_test.go
@@ -54,6 +54,7 @@ var _ = BeforeSuite(func() {
 	tc.Resources = "memcacheds"
 	tc.ProjectName = "memcached-operator"
 	tc.Kubectl.Namespace = fmt.Sprintf("%s-system", tc.ProjectName)
+	tc.Kubectl.ServiceAccount = fmt.Sprintf("%s-controller-manager", tc.ProjectName)
 
 	By("copying sample to a temporary e2e directory")
 	Expect(exec.Command("cp", "-r", "../../../testdata/helm/memcached-operator", tc.Dir).Run()).To(Succeed())

diff --git a/testdata/ansible/memcached-operator/bundle/manifests/cache.example.com_memcacheds.yaml b/testdata/ansible/memcached-operator/bundle/manifests/cache.example.com_memcacheds.yaml
@@ -0,0 +1,46 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  name: memcacheds.cache.example.com
+spec:
+  group: cache.example.com
+  names:
+    kind: Memcached
+    listKind: MemcachedList
+    plural: memcacheds
+    singular: memcached
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Memcached is the Schema for the memcacheds API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of Memcached
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            description: Status defines the observed state of Memcached
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null
diff --git a/...-operator-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml b/...-operator-controller-manager-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
@@ -0,0 +1,13 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: memcached-operator-controller-manager-metrics-monitor
+spec:
+  endpoints:
+  - path: /metrics
+    port: https
+  selector:
+    matchLabels:
+      control-plane: controller-manager
diff --git a/...or/bundle/manifests/memcached-operator-controller-manager-metrics-service_v1_service.yaml b/...or/bundle/manifests/memcached-operator-controller-manager-metrics-service_v1_service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    control-plane: controller-manager
+  name: memcached-operator-controller-manager-metrics-service
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    control-plane: controller-manager
+status:
+  loadBalancer: {}
diff --git a/...ed-operator/bundle/manifests/memcached-operator-controller-manager_v1_serviceaccount.yaml b/...ed-operator/bundle/manifests/memcached-operator-controller-manager_v1_serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  creationTimestamp: null
+  name: memcached-operator-controller-manager