WASdev · kabicin · Feb 12, 2024 · May 3, 2024
diff --git a/controllers/ltpa_keys_sharing.go b/controllers/ltpa_keys_sharing.go
@@ -231,7 +231,7 @@ func (r *ReconcileWebSphereLiberty) generateLTPAKeys(instance *wlv1.WebSphereLib
 				err = r.GetClient().Get(context.TODO(), types.NamespacedName{Name: generateLTPAKeysJob.Name, Namespace: generateLTPAKeysJob.Namespace}, generateLTPAKeysJob)
 				if err != nil && kerrors.IsNotFound(err) {
 					err = r.CreateOrUpdate(generateLTPAKeysJob, instance, func() error {
-						lutils.CustomizeLTPAJob(generateLTPAKeysJob, instance, ltpaSecret.Name, ltpaServiceAccountName, ltpaKeysCreationScriptConfigMap.Name)
+						lutils.CustomizeLTPAJob(generateLTPAKeysJob, instance, ltpaSecret.Name, ltpaServiceAccountName, ltpaKeysCreationScriptConfigMap.Name, r.GetClient())
 						return nil
 					})
 					if err != nil {
@@ -240,7 +240,7 @@ func (r *ReconcileWebSphereLiberty) generateLTPAKeys(instance *wlv1.WebSphereLib
 				} else if err == nil {
 					// If the LTPA Secret is not yet created (LTPA Job has not successfully completed)
 					// and the LTPA Job's configuration is outdated, retry LTPA generation with the new configuration
-					if lutils.IsLTPAJobConfigurationOutdated(generateLTPAKeysJob, instance) {
+					if lutils.IsLTPAJobConfigurationOutdated(generateLTPAKeysJob, instance, r.GetClient()) {
 						// Delete the Job request to restart the entire LTPA generation process (i.e. reloading the script, ltpa.xml, and Job)
 						err = r.DeleteResource(ltpaJobRequest)
 						if err != nil {

diff --git a/utils/utils.go b/utils/utils.go
@@ -576,6 +576,15 @@ func CustomizeEnvSSO(pts *corev1.PodTemplateSpec, instance *wlv1.WebSphereLibert
 	return nil
 }
 
+func LocalObjectReferenceContainsName(list []corev1.LocalObjectReference, name string) bool {
+	for _, v := range list {
+		if v.Name == name {
+			return true
+		}
+	}
+	return false
+}
+
 func Contains(list []string, s string) bool {
 	for _, v := range list {
 		if v == s {
@@ -673,7 +682,7 @@ func CustomizeLTPAServerXML(xmlSecret *corev1.Secret, la *wlv1.WebSphereLibertyA
 }
 
 // Returns true if the WebSphereApplication leader's state has changed, causing existing LTPA Jobs to need a configuration update, otherwise return false
-func IsLTPAJobConfigurationOutdated(job *v1.Job, appLeaderInstance *wlv1.WebSphereLibertyApplication) bool {
+func IsLTPAJobConfigurationOutdated(job *v1.Job, appLeaderInstance *wlv1.WebSphereLibertyApplication, client client.Client) bool {
 	// The Job contains the leader's pull secret
 	if appLeaderInstance.GetPullSecret() != nil && *appLeaderInstance.GetPullSecret() != "" {
 		ltpaJobHasLeaderPullSecret := false
@@ -686,6 +695,18 @@ func IsLTPAJobConfigurationOutdated(job *v1.Job, appLeaderInstance *wlv1.WebSphe
 			return true
 		}
 	}
+	// The Job contains the leader's custom ServiceAccount's pull secrets
+	if leaderSAName := rcoutils.GetServiceAccountName(appLeaderInstance); len(leaderSAName) > 0 {
+		customServiceAccount := &corev1.ServiceAccount{}
+		if err := client.Get(context.TODO(), types.NamespacedName{Name: leaderSAName, Namespace: appLeaderInstance.GetNamespace()}, customServiceAccount); err == nil {
+			for _, customSAObjectReference := range customServiceAccount.ImagePullSecrets {
+				// If one of the custom SA's pull secret's is not found within the Job, return outdated as true
+				if !LocalObjectReferenceContainsName(job.Spec.Template.Spec.ImagePullSecrets, customSAObjectReference.Name) {
+					return true
+				}
+			}
+		}
+	}
 	if len(job.Spec.Template.Spec.Containers) != 1 {
 		return true
 	}
@@ -700,7 +721,7 @@ func IsLTPAJobConfigurationOutdated(job *v1.Job, appLeaderInstance *wlv1.WebSphe
 	return false
 }
 
-func CustomizeLTPAJob(job *v1.Job, la *wlv1.WebSphereLibertyApplication, ltpaSecretName string, serviceAccountName string, ltpaScriptName string) {
+func CustomizeLTPAJob(job *v1.Job, la *wlv1.WebSphereLibertyApplication, ltpaSecretName string, serviceAccountName string, ltpaScriptName string, client client.Client) {
 	encodingType := "aes" // the password encoding type for securityUtility (one of "xor", "aes", or "hash")
 	job.Spec.Template.ObjectMeta.Name = "liberty"
 	job.Spec.Template.Spec.Containers = []corev1.Container{
@@ -726,6 +747,20 @@ func CustomizeLTPAJob(job *v1.Job, la *wlv1.WebSphereLibertyApplication, ltpaSec
 		})
 	}
 	job.Spec.Template.Spec.ServiceAccountName = serviceAccountName
+	// If there is a custom ServiceAccount, include it's pull secrets into the LTPA Job
+	if leaderSAName := rcoutils.GetServiceAccountName(la); len(leaderSAName) > 0 {
+		customServiceAccount := &corev1.ServiceAccount{}
+		if err := client.Get(context.TODO(), types.NamespacedName{Name: leaderSAName, Namespace: la.GetNamespace()}, customServiceAccount); err == nil {
+			// For each of the custom SA's pull secret's, if it is not found within the Job, append it to the Job
+			for _, customSAObjectReference := range customServiceAccount.ImagePullSecrets {
+				if !LocalObjectReferenceContainsName(job.Spec.Template.Spec.ImagePullSecrets, customSAObjectReference.Name) {
+					job.Spec.Template.Spec.ImagePullSecrets = append(job.Spec.Template.Spec.ImagePullSecrets, corev1.LocalObjectReference{
+						Name: customSAObjectReference.Name,
+					})
+				}
+			}
+		}
+	}
 	job.Spec.Template.Spec.RestartPolicy = corev1.RestartPolicyOnFailure
 	var number int32
 	number = 0777