config-gen create and bind to a non-default service account

config-gen support for the capability introduced in kubernetes-sigs#2070

go.mod

@@ -4,6 +4,7 @@ go 1.15
 
 require (
 	github.com/cloudflare/cfssl v1.5.0 // for `kubebuilder alpha config-gen`
+	github.com/go-logr/logr v0.3.0 // indirect
 	github.com/gobuffalo/flect v0.2.2
 	// TODO: remove this in favor of embed once using 1.16
 	github.com/markbates/pkger v0.17.1 // for `kubebuilder alpha config-gen`
@@ -15,6 +16,8 @@ require (
 	golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e
 	// for `kubebuilder alpha config-gen`
 	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
+	k8s.io/api v0.20.2 // indirect
+	k8s.io/apiextensions-apiserver v0.20.1 // indirect
 	k8s.io/apimachinery v0.20.2 // for `kubebuilder alpha config-gen`
 	k8s.io/utils v0.0.0-20210111153108-fddb29f9d009 // indirect
 	sigs.k8s.io/controller-tools v0.3.0 // for `kubebuilder alpha config-gen`

pkg/cli/alpha/config-gen/cmd.go

@@ -148,54 +148,68 @@ The KubebuilderConfigGen resource has the following fields:
     crds:
       # path to go module source directory provided to controller-gen libraries
       # optional -- defaults to '.'
-	  sourceDirectory: ./relative/path
+      sourceDirectory: ./relative/path
 
-	# configure how the controller-manager is generated
+    # configure how the controller-manager is generated
     controllerManager:
-	  # image to run
-	  image: my-org/my-project:v0.1.0
+      # image to run
+      image: my-org/my-project:v0.1.0
 
-	  # if set, use component config for the controller-manager
-	  # optional
-	  componentConfig:
-	    # use component config
+      # if set, use component config for the controller-manager
+      # optional
+      componentConfig:
+        # use component config
         enable: true
 
-		# path to component config to put into a ConfigMap
-	    configFilepath: ./path/to/componentconfig.yaml
+        # path to component config to put into a ConfigMap
+        configFilepath: ./path/to/componentconfig.yaml
 
-	  # configure how metrics are exposed
-	  metrics:
-	    # disable the auth proxy required for scraping metrics
+      # configure how metrics are exposed
+      metrics:
+        # disable the auth proxy required for scraping metrics
         # disable: false
 
-		# generate prometheus ServiceMonitor resource
-	    enableServiceMonitor: true
+        # generate prometheus ServiceMonitor resource
+        enableServiceMonitor: true
+
+      serviceAccount:
+        # configure the service account used for RBAC
+        name: foo
+
+        # generate the service account resource
+        generate: true
+
+      serviceAccount:
+	    # configure the service account used for RBAC
+	    name: foo
+
+		# generate the service account resource
+        generate: true
 
     # configure how webhooks are generated
-	# optional -- defaults to not generating webhook configuration
+    # optional -- defaults to not generating webhook configuration
     webhooks:
-	  # enable will cause webhook config to be generated
-	  enable: true
+      # enable will cause webhook config to be generated
+      enable: true
 
-	  # configures crds which use conversion webhooks
+      # configures crds which use conversion webhooks
       enableConversion:
-	    # key is the name of the CRD
+        # key is the name of the CRD
         "bars.example.my.domain": true
 
       # configures where to get the certificate used for webhooks
-	  # discriminated union
-	  certificateSource:
-	    # type of certificate source
-		# one of ["certManager", "dev", "manual"] -- defaults to "manual"
-		# certManager: certmanager is used to manage certificates -- requires CertManager to be installed
-		# dev: certificate is generated and wired into resources
-		# manual: no certificate is generated or wired into resources
+      # discriminated union
+      certificateSource:
+        # type of certificate source
+        # one of ["certManager", "dev", "manual"] -- defaults to "manual"
+        # certManager: certmanager is used to manage certificates -- requires CertManager to be installed
+        # dev: certificate is generated and wired into resources
+        # manual: no certificate is generated or wired into resources
         type: "dev"
 
-		# options for a dev certificate -- requires "dev" as the type
-		devCertificate:
-		  duration: 1h
+        # options for a dev certificate -- requires "dev" as the type
+        devCertificate:
+          duration: 1h
     `)
 	c.Example = strings.TrimSpace(`
 #
@@ -209,7 +223,7 @@ apiVersion: kubebuilder.sigs.k8s.io/v1alpha1
     name: project
   spec:
     controllerManager
-	  image: org/project:v0.1.0
+      image: org/project:v0.1.0
 EOF
 
 # run the config generator

pkg/cli/alpha/config-gen/examples/kustomize/README.md

@@ -11,8 +11,10 @@ This enables using `config-gen` in traditional kustomize workflows (patch, bases
 to be customized using `commonLabels`, `commonAnnotations`, `namespace`, etc.
 
 When invoked from `kustomize`, `config-gen` will generate resources from the project code
-if they do not already exist as `resources` inputs.  If the resources that would have been
-generated are provided as `resources` input, the inputs will be modified by the transformer.
+if they do not already exist as `resources` inputs.
+
+If the resources that would have been generated are provided as `resources` input,
+the inputs will be modified by the transformer instead of generated a second time.
 
 ## Install kustomize
 
@@ -22,14 +24,14 @@ Install the latest version of `kustomize`.
 GO111MODULE=on go get sigs.k8s.io/kustomize/kustomize/v4
 ```
 
-## Configure `kubebuilder alpha config-gen` as a plugin
+## Install `kubebuilder alpha config-gen` as a plugin
 
 ```sh
 # create the script under $HOME/.config/kustomize/plugin/kubebuilder.sigs.k8s.io/kubebuilderconfiggen
 kubebuilder alpha config-gen install-as-plugin
 ```
 
-## Use `kustomize` to invoke the plugin
+## Build with `kustomize`
 
 Kustomize will invoke the `kubebuilder alpha config-gen` subcommand as a transformer plugin.
 

pkg/cli/alpha/config-gen/templates/resources/auth-proxy-rbac.template.yaml

@@ -23,7 +23,7 @@ roleRef:
   name: {{ .Name }}-proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Spec.ControllerManager.ServiceAccount.Name }}
   namespace: {{ .Namespace }}
 ---
 {{ end }}

pkg/cli/alpha/config-gen/templates/resources/controller-manager.template.yaml

@@ -29,6 +29,9 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+{{- if ne .Spec.ControllerManager.ServiceAccount.Name "default" }}
+      serviceAccountName: {{ .Spec.ControllerManager.ServiceAccount.Name }}
+{{- end }}
       terminationGracePeriodSeconds: 10
 ---
 {{- if .Spec.Webhooks.Enable  }}

pkg/cli/alpha/config-gen/templates/resources/rbac.template.yaml

@@ -8,7 +8,7 @@ roleRef:
   name: {{ .Namespace }}-manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Spec.ControllerManager.ServiceAccount.Name }}
   namespace: {{ .Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -55,6 +55,6 @@ roleRef:
   name: {{ .Namespace }}-leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Spec.ControllerManager.ServiceAccount.Name }}
   namespace: {{ .Namespace }}
 ---

pkg/cli/alpha/config-gen/templates/resources/service-account.template.yaml

@@ -0,0 +1,7 @@
+{{ if not .Spec.ControllerManager.ServiceAccount.NoGenerate }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Spec.ControllerManager.ServiceAccount.Name }}
+  namespace: {{ .Namespace }}
+{{ end }}

pkg/cli/alpha/config-gen/testdata/componentconfig/expected.yaml

@@ -210,7 +210,7 @@ roleRef:
   name: simple-system-leader-election-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -223,7 +223,7 @@ roleRef:
   name: simple-proxy-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -236,7 +236,7 @@ roleRef:
   name: simple-system-manager-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: v1
@@ -299,6 +299,7 @@ spec:
           ports:
             - containerPort: 8443
               name: https
+      serviceAccountName: simple
       terminationGracePeriodSeconds: 10
       volumes:
         - name: manager-config
@@ -323,3 +324,9 @@ data:
     leaderElection:
       leaderElect: true
       resourceName: 6858fb70.testproject.org
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: simple
+  namespace: simple-system

pkg/cli/alpha/config-gen/testdata/default/expected.yaml

@@ -210,7 +210,7 @@ roleRef:
   name: simple-system-leader-election-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -223,7 +223,7 @@ roleRef:
   name: simple-proxy-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -236,7 +236,7 @@ roleRef:
   name: simple-system-manager-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: v1
@@ -296,4 +296,11 @@ spec:
           ports:
             - containerPort: 8443
               name: https
+      serviceAccountName: simple
       terminationGracePeriodSeconds: 10
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: simple
+  namespace: simple-system

pkg/cli/alpha/config-gen/testdata/disableauthproxy/expected.yaml

@@ -196,7 +196,7 @@ roleRef:
   name: simple-system-leader-election-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -209,7 +209,7 @@ roleRef:
   name: simple-system-manager-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: apps/v1
@@ -243,4 +243,11 @@ spec:
             requests:
               cpu: 100m
               memory: 20Mi
+      serviceAccountName: simple
       terminationGracePeriodSeconds: 10
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: simple
+  namespace: simple-system

pkg/cli/alpha/config-gen/testdata/enablecertmanager/expected.yaml

@@ -210,7 +210,7 @@ roleRef:
   name: simple-system-leader-election-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -223,7 +223,7 @@ roleRef:
   name: simple-proxy-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -236,7 +236,7 @@ roleRef:
   name: simple-system-manager-role
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: simple
     namespace: simple-system
 ---
 apiVersion: v1
@@ -318,13 +318,20 @@ spec:
           ports:
             - containerPort: 8443
               name: https
+      serviceAccountName: simple
       terminationGracePeriodSeconds: 10
       volumes:
         - name: cert
           secret:
             defaultMode: 420
             secretName: webhook-server-cert
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: simple
+  namespace: simple-system
+---
 # The following manifests contain a self-signed issuer CR and a certificate CR.
 # More document can be found at https://docs.cert-manager.io
 # WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for