From 469512e4b4decd96c5b1f6ccb51e6f860db38e1a Mon Sep 17 00:00:00 2001
From: Stuart Douglas
Date: Fri, 11 Oct 2024 17:59:35 +1100
Subject: [PATCH] fix: make controller service account configurable (#3086)

---
 .../controller/scaling/k8sscaling/deployment_provisioner.go | 6 +++---
 charts/templates/controller-role.yaml | 4 ++--
 charts/templates/controller.yaml | 2 +-
 charts/values.yaml | 1 +
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/backend/controller/scaling/k8sscaling/deployment_provisioner.go b/backend/controller/scaling/k8sscaling/deployment_provisioner.go
index 463862525..c8798b7bb 100644
--- a/backend/controller/scaling/k8sscaling/deployment_provisioner.go
+++ b/backend/controller/scaling/k8sscaling/deployment_provisioner.go
@@ -272,7 +272,7 @@ func (r *DeploymentProvisioner) handleNewDeployment(ctx context.Context, dep *sc
 	deployment.Spec.Template.Spec.ServiceAccountName = name
 	changes, err := r.syncDeployment(ctx, thisImage, deployment, dep)
 	if sec, ok := r.IstioSecurity.Get(); ok {
-		err = r.syncIstioPolicy(ctx, sec, name, service)
+		err = r.syncIstioPolicy(ctx, sec, name, service, thisDeployment)
 		if err != nil {
 			return err
 		}
@@ -431,7 +431,7 @@ func (r *DeploymentProvisioner) deleteMissingDeployments(ctx context.Context) {
 	}
 }
 
-func (r *DeploymentProvisioner) syncIstioPolicy(ctx context.Context, sec istioclient.Clientset, name string, service *kubecore.Service) error {
+func (r *DeploymentProvisioner) syncIstioPolicy(ctx context.Context, sec istioclient.Clientset, name string, service *kubecore.Service, thisDeployment *kubeapps.Deployment) error {
 	logger := log.FromContext(ctx)
 	logger.Debugf("Creating new istio policy for %s", name)
 	var update func(policy *istiosec.AuthorizationPolicy) error
@@ -470,7 +470,7 @@ func (r *DeploymentProvisioner) syncIstioPolicy(ctx context.Context, sec istiocl
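Review bot: In this hunk the error from `changes, err := r.syncDeployment(ctx, thisImage, deployment, dep)` is overwritten on the very next statement when Istio is enabled (`err = r.syncIstioPolicy(...)`), so a failed Deployment update followed by a successful policy sync is never reported. That matters here because the AuthorizationPolicy principal is derived from deployment state that this call is supposed to have established. Check it before entering the Istio branch, e.g. `if err != nil { return err }` straight after the syncDeployment call, or keep the policy error in its own variable. handleNewDeployment begins and ends outside the hunk, so I cannot see whether err is inspected later on.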
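Review bot: syncIstioPolicy gains a `thisDeployment *kubeapps.Deployment` parameter but no doc comment says which Deployment is expected or that only its pod template's ServiceAccountName is read; a caller passing the module's own Deployment would silently produce a policy naming the wrong identity. Add above the signature: `// syncIstioPolicy creates or updates the Istio AuthorizationPolicy for service, with a source rule whose principal is the service account that thisDeployment's pod template runs as. thisDeployment must be the controller's own Deployment, not the module's.` The function body continues past the end of the hunk.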
 					From: []*istiosecmodel.Rule_From{
 						{
 							Source: &istiosecmodel.Source{
-								Principals: []string{"cluster.local/ns/" + r.Namespace + "/sa/" + thisDeploymentName},
+								Principals: []string{"cluster.local/ns/" + r.Namespace + "/sa/" + thisDeployment.Spec.Template.Spec.ServiceAccountName},
 							},
 						},
 					},
diff --git a/charts/templates/controller-role.yaml b/charts/templates/controller-role.yaml
index eb91fe1e9..9aa729190 100644
--- a/charts/templates/controller-role.yaml
+++ b/charts/templates/controller-role.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "ftl.fullname" . }}-controller
+  name: {{ .Values.controller.serviceAccountName }}
   namespace: {{ .Release.Namespace }}
 {{- if .Values.controller.controllersRoleArn }}
   annotations:
@@ -45,4 +45,4 @@ roleRef:
   name: {{ include "ftl.fullname" . }}-controller
 subjects:
 - kind: ServiceAccount
-  name: {{ include "ftl.fullname" . }}-controller
+  name: {{ .Values.controller.serviceAccountName }}
diff --git a/charts/templates/controller.yaml b/charts/templates/controller.yaml
index 6e6778515..a55c8c943 100644
--- a/charts/templates/controller.yaml
+++ b/charts/templates/controller.yaml
@@ -20,7 +20,7 @@ spec:
         {{- toYaml .Values.controller.podAnnotations | nindent 8 }}
       {{- end }}
     spec:
-      serviceAccountName: {{ include "ftl.fullname" . }}-controller
+      serviceAccountName: {{ .Values.controller.serviceAccountName }}
       containers:
       - name: app
         image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default $version }}"
diff --git a/charts/values.yaml b/charts/values.yaml
index 5a4eb823f..85fee925e 100644
--- a/charts/values.yaml
+++ b/charts/values.yaml
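Review bot: The principal is now built from `thisDeployment.Spec.Template.Spec.ServiceAccountName`, which is the empty string whenever the controller's pod template does not set the field explicitly; Kubernetes then runs the pod as the namespace's `default` service account, so the rule would name `cluster.local/ns/<ns>/sa/` and never match the controller's real identity. Resolve the effective name first: `sa := thisDeployment.Spec.Template.Spec.ServiceAccountName`, `if sa == "" { sa = "default" }`, and build the principal from `sa`. The hard-coded `cluster.local` trust domain is a pre-existing assumption that likewise breaks the match on meshes configured with another trust domain; a comment there, or a configurable value, would help operators diagnose denials. The surrounding rule literal and syncIstioPolicy itself extend beyond the hunk.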
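Review bot: `name: {{ .Values.controller.serviceAccountName }}` renders an empty `name:` if the value is unset or cleared in an override, and this ServiceAccount is still created unconditionally, so pointing the value at an account that already exists makes the install fail on a conflict rather than reuse it. Guard the value, e.g. `name: {{ required "controller.serviceAccountName is required" .Values.controller.serviceAccountName }}` (or `| default (printf "%s-controller" (include "ftl.fullname" .))` to keep the previous name for existing installs), and consider the usual `serviceAccount.create` toggle so an operator-managed account can be referenced without being created. The `controllersRoleArn` annotation block that follows attaches to whatever account this resolves to, so the same guard protects that binding.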
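Review bot: The binding subject now grants the `-controller` role to whatever account `.Values.controller.serviceAccountName` names, so setting it to `default`, or to an account shared with other workloads, hands the controller's permissions to every pod in the namespace running as that account, and nothing in the chart rejects that. Add a guard such as `{{- if eq .Values.controller.serviceAccountName "default" }}{{ fail "controller.serviceAccountName must be an account dedicated to the controller" }}{{- end }}` and state the same in a comment next to the value in values.yaml. The role's rules and the roleRef kind are above this hunk, so I cannot tell how broad the grant actually is.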
@@ -24,6 +24,7 @@ controller:
   envFrom: null
   dbConnectionString: "postgres://$(endpoint):$(port)/tbd?sslmode=disable&user=$(username)&password=$(password)"
   kmsUri: "fake-kms://CKbvh_ILElQKSAowdHlwZS5nb29nbGVhcGlzLmNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2NtS2V5EhIaEE6tD2yE5AWYOirhmkY-r3sYARABGKbvh_ILIAE"
+  serviceAccountName: ftl
   env:
   - name: MY_POD_IP