config-gen create and bind to a non-default service account

config-gen support for the capability introduced in kubernetes-sigs#2070
pwittrock · Mar 13, 2021 · a9164bb · a9164bb
1 parent 73cda2b
commit a9164bb
Show file tree

Hide file tree

Showing 14 changed files with 827 additions and 9 deletions.
diff --git a/go.mod b/go.mod
@@ -4,6 +4,7 @@ go 1.15
 
 require (
 	github.com/cloudflare/cfssl v1.5.0 // for `kubebuilder alpha config-gen`
+	github.com/go-logr/logr v0.3.0 // indirect
 	github.com/gobuffalo/flect v0.2.2
 	// TODO: remove this in favor of embed once using 1.16
 	github.com/markbates/pkger v0.17.1 // for `kubebuilder alpha config-gen`
@@ -15,6 +16,8 @@ require (
 	golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e
 	// for `kubebuilder alpha config-gen`
 	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
+	k8s.io/api v0.20.2 // indirect
+	k8s.io/apiextensions-apiserver v0.20.1 // indirect
 	k8s.io/apimachinery v0.20.2 // for `kubebuilder alpha config-gen`
 	k8s.io/utils v0.0.0-20210111153108-fddb29f9d009 // indirect
 	sigs.k8s.io/controller-tools v0.3.0 // for `kubebuilder alpha config-gen`

diff --git a/go.sum b/go.sum
diff --git a/pkg/cli/alpha/config-gen/cmd.go b/pkg/cli/alpha/config-gen/cmd.go
@@ -172,6 +172,13 @@ The KubebuilderConfigGen resource has the following fields:
 		# generate prometheus ServiceMonitor resource
 	    enableServiceMonitor: true
 
+      serviceAccount:
+	    # configure the service account used for RBAC
+	    name: default
+
+		# generate the service account resource
+        generate: true
+
     # configure how webhooks are generated
 	# optional -- defaults to not generating webhook configuration
     webhooks:

diff --git a/pkg/cli/alpha/config-gen/examples/kustomize/README.md b/pkg/cli/alpha/config-gen/examples/kustomize/README.md
@@ -11,8 +11,10 @@ This enables using `config-gen` in traditional kustomize workflows (patch, bases
 to be customized using `commonLabels`, `commonAnnotations`, `namespace`, etc.
 
 When invoked from `kustomize`, `config-gen` will generate resources from the project code
-if they do not already exist as `resources` inputs.  If the resources that would have been
-generated are provided as `resources` input, the inputs will be modified by the transformer.
+if they do not already exist as `resources` inputs.
+
+If the resources that would have been generated are provided as `resources` input,
+the inputs will be modified by the transformer instead of generated a second time.
 
 ## Install kustomize
 
@@ -22,14 +24,14 @@ Install the latest version of `kustomize`.
 GO111MODULE=on go get sigs.k8s.io/kustomize/kustomize/v4
 ```
 
-## Configure `kubebuilder alpha config-gen` as a plugin
+## Install `kubebuilder alpha config-gen` as a plugin
 
 ```sh
 # create the script under $HOME/.config/kustomize/plugin/kubebuilder.sigs.k8s.io/kubebuilderconfiggen
 kubebuilder alpha config-gen install-as-plugin
 ```
 
-## Use `kustomize` to invoke the plugin
+## Build with `kustomize`
 
 Kustomize will invoke the `kubebuilder alpha config-gen` subcommand as a transformer plugin.
 

diff --git a/pkg/cli/alpha/config-gen/templates/resources/auth-proxy-rbac.template.yaml b/pkg/cli/alpha/config-gen/templates/resources/auth-proxy-rbac.template.yaml
@@ -23,7 +23,7 @@ roleRef:
   name: {{ .Name }}-proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Spec.ControllerManager.ServiceAccount.Name }}
   namespace: {{ .Namespace }}
 ---
 {{ end }}
diff --git a/pkg/cli/alpha/config-gen/templates/resources/controller-manager.template.yaml b/pkg/cli/alpha/config-gen/templates/resources/controller-manager.template.yaml
@@ -29,6 +29,9 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+{{- if ne .Spec.ControllerManager.ServiceAccount.Name "default" }}
+      serviceAccountName: {{ .Spec.ControllerManager.ServiceAccount.Name }}
+{{- end }}
       terminationGracePeriodSeconds: 10
 ---
 {{- if .Spec.Webhooks.Enable  }}

diff --git a/pkg/cli/alpha/config-gen/templates/resources/rbac.template.yaml b/pkg/cli/alpha/config-gen/templates/resources/rbac.template.yaml
@@ -8,7 +8,7 @@ roleRef:
   name: {{ .Namespace }}-manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Spec.ControllerManager.ServiceAccount.Name }}
   namespace: {{ .Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -55,6 +55,6 @@ roleRef:
   name: {{ .Namespace }}-leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Spec.ControllerManager.ServiceAccount.Name }}
   namespace: {{ .Namespace }}
 ---
diff --git a/pkg/cli/alpha/config-gen/templates/resources/service-account.template.yaml b/pkg/cli/alpha/config-gen/templates/resources/service-account.template.yaml
@@ -0,0 +1,7 @@
+{{ if .Spec.ControllerManager.ServiceAccount.Generate }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Spec.ControllerManager.ServiceAccount.Name }}
+  namespace: {{ .Namespace }}
+{{ end }}
diff --git a/pkg/cli/alpha/config-gen/testdata/serviceaccount/config.yaml b/pkg/cli/alpha/config-gen/testdata/serviceaccount/config.yaml
@@ -0,0 +1,12 @@
+apiVersion: kubebuilder.sigs.k8s.io/v1alpha1
+kind: KubebuilderConfigGen
+metadata:
+  name: simple
+spec:
+  crds:
+    sourceDirectory: ../project/...
+
+  controllerManager:
+    image: example/simple:latest
+    serviceAccount:
+      name: foo