fix: make controller service account configurable (#3086)
stuartwdouglas authored Oct 11, 2024
1 parent 1cb2f4a commit 469512e
Showing 4 changed files with 7 additions and 6 deletions.
Expand Up @@ -272,7 +272,7 @@ func (r *DeploymentProvisioner) handleNewDeployment(ctx context.Context, dep *sc
deployment.Spec.Template.Spec.ServiceAccountName = name
changes, err := r.syncDeployment(ctx, thisImage, deployment, dep)
if sec, ok := r.IstioSecurity.Get(); ok {
err = r.syncIstioPolicy(ctx, sec, name, service)
err = r.syncIstioPolicy(ctx, sec, name, service, thisDeployment)
if err != nil {
return err
}
Expand Down Expand Up @@ -431,7 +431,7 @@ func (r *DeploymentProvisioner) deleteMissingDeployments(ctx context.Context) {
}
}

func (r *DeploymentProvisioner) syncIstioPolicy(ctx context.Context, sec istioclient.Clientset, name string, service *kubecore.Service) error {
func (r *DeploymentProvisioner) syncIstioPolicy(ctx context.Context, sec istioclient.Clientset, name string, service *kubecore.Service, thisDeployment *kubeapps.Deployment) error {
logger := log.FromContext(ctx)
logger.Debugf("Creating new istio policy for %s", name)
var update func(policy *istiosec.AuthorizationPolicy) error
Expand Down Expand Up @@ -470,7 +470,7 @@ func (r *DeploymentProvisioner) syncIstioPolicy(ctx context.Context, sec istiocl
From: []*istiosecmodel.Rule_From{
{
Source: &istiosecmodel.Source{
Principals: []string{"cluster.local/ns/" + r.Namespace + "/sa/" + thisDeploymentName},
Principals: []string{"cluster.local/ns/" + r.Namespace + "/sa/" + thisDeployment.Spec.Template.Spec.ServiceAccountName},
},
},
},
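Review bot: In the first hunk the `err` returned by `r.syncDeployment` on the line above the `IstioSecurity.Get()` check is overwritten by the `syncIstioPolicy` call before it is ever examined, so a failed deployment sync is silently lost whenever Istio is enabled; add `if err != nil { return err }` between the two calls, or assign the policy result to a fresh variable. The new `thisDeployment` parameter is dereferenced unconditionally in the third hunk (`thisDeployment.Spec.Template.Spec.ServiceAccountName`); where it comes from is outside these hunks, so if the lookup that produces it can yield nil, `syncIstioPolicy` should return an error for that case rather than panic. The parameter also deserves a doc line on `syncIstioPolicy`, along the lines of `// thisDeployment is the controller's own Deployment; its pod service account becomes the only principal the policy admits.` — that reading is inferred from the name, not shown here. Both `handleNewDeployment` and `syncIstioPolicy` continue outside the visible hunks.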
4 changes: 2 additions & 2 deletions charts/templates/controller-role.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "ftl.fullname" . }}-controller
name: {{ .Values.controller.serviceAccountName }}
namespace: {{ .Release.Namespace }}
{{- if .Values.controller.controllersRoleArn }}
annotations:
Expand Down Expand Up @@ -45,4 +45,4 @@ roleRef:
name: {{ include "ftl.fullname" . }}-controller
subjects:
- kind: ServiceAccount
name: {{ include "ftl.fullname" . }}-controller
name: {{ .Values.controller.serviceAccountName }}
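Review bot: The default for the new `.Values.controller.serviceAccountName` (`ftl` in values.yaml) replaces the release-scoped `{{ include "ftl.fullname" . }}-controller`, so upgrading an existing release renames the controller ServiceAccount and its RoleBinding subject. When `controllersRoleArn` is set, the annotated IAM role's trust policy is presumably pinned to `system:serviceaccount:<namespace>:<sa-name>` and would stop matching after the rename; that should be called out, or the old name kept as the fallback with `{{ .Values.controller.serviceAccountName | default (printf "%s-controller" (include "ftl.fullname" .)) }}`. A fixed default also means two releases in one namespace would now share a ServiceAccount name. The same substitution appears in controller.yaml and in the RoleBinding subject in this file.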
2 changes: 1 addition & 1 deletion charts/templates/controller.yaml
Expand Up @@ -20,7 +20,7 @@ spec:
{{- toYaml .Values.controller.podAnnotations | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "ftl.fullname" . }}-controller
serviceAccountName: {{ .Values.controller.serviceAccountName }}
containers:
- name: app
image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default $version }}"
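--- a/charts/values.yaml
+++ b/charts/values.yaml
@@ -24,6 +24,7 @@ controller:
 envFrom: null
 dbConnectionString: "postgres://$(endpoint):$(port)/tbd?sslmode=disable&user=$(username)&password=$(password)"
 kmsUri: "fake-kms://CKbvh_ILElQKSAowdHlwZS5nb29nbGVhcGlzLmNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2NtS2V5EhIaEE6tD2yE5AWYOirhmkY-r3sYARABGKbvh_ILIAE"
+serviceAccountName: ftl
 
 env:
 - name: MY_POD_IP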
