exposed service account name for tcp pods

api/v1alpha1/tenantcontrolplane_types.go

@@ -153,6 +153,9 @@ type DeploymentSpec struct {
 	// AdditionalVolumeMounts allows to mount an additional volume into each component of the Control Plane
 	// (kube-apiserver, controller-manager, and scheduler).
 	AdditionalVolumeMounts *AdditionalVolumeMounts `json:"additionalVolumeMounts,omitempty"`
+	// +kubebuilder:default="default"
+	// ServiceAccountName allows to specify the service account to be mounted to the pods of the Control plane deployment
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // AdditionalVolumeMounts allows mounting additional volumes to the Control Plane components.

charts/kamaji/crds/tenantcontrolplane.yaml

@@ -5959,6 +5959,11 @@ spec:
                             empty definition that uses the default runtime handler.
                             More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
                           type: string
+                        serviceAccountName:
+                          default: default
+                          description: ServiceAccountName allows to specify the service
+                            account to be mounted to the pods of the Control plane deployment
+                          type: string
                         strategy:
                           default:
                             rollingUpdate:

cmd/manager/cmd.go

@@ -175,7 +175,9 @@ func NewCmd(scheme *runtime.Scheme) *cobra.Command {
 					handlers.Freeze{},
 				},
 				routes.TenantControlPlaneDefaults{}: {
-					handlers.TenantControlPlaneDefaults{DefaultDatastore: datastore},
+					handlers.TenantControlPlaneDefaults{
+						DefaultDatastore: datastore,
+					},
 				},
 				routes.TenantControlPlaneValidate{}: {
 					handlers.TenantControlPlaneName{},

config/crd/bases/kamaji.clastix.io_tenantcontrolplanes.yaml

@@ -6280,6 +6280,11 @@ spec:
                           empty definition that uses the default runtime handler.
                           More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
                         type: string
+                      serviceAccountName:
+                        default: default
+                        description: ServiceAccountName allows to specify the service
+                          account to be mounted to the pods of the Control plane deployment
+                        type: string
                       strategy:
                         default:
                           rollingUpdate:

config/install.yaml

@@ -6247,6 +6247,10 @@ spec:
                           empty definition that uses the default runtime handler.
                           More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
                         type: string
+                      serviceAccountName:
+                        default: default
+                        description: ServiceAccountName allows to specify the service account to be mounted to the pods of the Control plane deployment
+                        type: string
                       strategy:
                         default:
                           rollingUpdate:

docs/content/reference/api.md

@@ -1084,6 +1084,15 @@ empty definition that uses the default runtime handler.
 More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>serviceAccountName</b></td>
+        <td>string</td>
+        <td>
+          ServiceAccountName allows to specify the service account to be mounted to the pods of the Control plane deployment<br/>
+          <br/>
+            <i>Default</i>: default<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b><a href="#tenantcontrolplanespeccontrolplanedeploymentstrategy">strategy</a></b></td>
         <td>object</td>

e2e/tcp_custom_sa_test.go

@@ -0,0 +1,74 @@
+// Copyright 2022 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package e2e
+
+import (
+	"context"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	pointer "k8s.io/utils/ptr"
+
+	kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1"
+)
+
+var _ = Describe("Deploy a TenantControlPlane with resource with custom service account", func() {
+	// service account object
+	sa := &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+	}
+	// Fill TenantControlPlane object
+	tcp := &kamajiv1alpha1.TenantControlPlane{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "tcp-clusterip-customsa",
+			Namespace: "default",
+		},
+		Spec: kamajiv1alpha1.TenantControlPlaneSpec{
+			ControlPlane: kamajiv1alpha1.ControlPlane{
+				Deployment: kamajiv1alpha1.DeploymentSpec{
+					Replicas:           pointer.To(int32(1)),
+					ServiceAccountName: sa.GetName(),
+				},
+				Service: kamajiv1alpha1.ServiceSpec{
+					ServiceType: "ClusterIP",
+				},
+			},
+			NetworkProfile: kamajiv1alpha1.NetworkProfileSpec{
+				Address: "172.18.0.2",
+			},
+			Kubernetes: kamajiv1alpha1.KubernetesSpec{
+				Version: "v1.23.6",
+				Kubelet: kamajiv1alpha1.KubeletSpec{
+					CGroupFS: "cgroupfs",
+				},
+				AdmissionControllers: kamajiv1alpha1.AdmissionControllers{
+					"LimitRanger",
+					"ResourceQuota",
+				},
+			},
+			Addons: kamajiv1alpha1.AddonsSpec{},
+		},
+	}
+
+	// Create service account and TenantControlPlane resources into the cluster
+	JustBeforeEach(func() {
+		Expect(k8sClient.Create(context.Background(), sa)).NotTo(HaveOccurred())
+		Expect(k8sClient.Create(context.Background(), tcp)).NotTo(HaveOccurred())
+	})
+
+	// Delete the service account and TenantControlPlane resources after test is finished
+	JustAfterEach(func() {
+		Expect(k8sClient.Delete(context.Background(), tcp)).Should(Succeed())
+	})
+	// Check if TenantControlPlane resource has been created and if its pods have the right service account
+	It("Should be Ready and have correct sa", func() {
+		StatusMustEqualTo(tcp, kamajiv1alpha1.VersionReady)
+		PodsServiceAccountMustEqualTo(tcp, sa)
+	})
+})

e2e/utils_test.go

@@ -175,3 +175,23 @@ func AllPodsAnnotationMustEqualTo(tcp *kamajiv1alpha1.TenantControlPlane, annota
 		return true
 	}, 5*time.Minute, time.Second).Should(BeTrue())
 }
+
+func PodsServiceAccountMustEqualTo(tcp *kamajiv1alpha1.TenantControlPlane, sa *corev1.ServiceAccount) {
+	saName := sa.GetName()
+	Eventually(func() bool {
+		tcpPods := &corev1.PodList{}
+		err := k8sClient.List(context.Background(), tcpPods, client.MatchingLabels{
+			"kamaji.clastix.io/name": tcp.GetName(),
+		})
+		if err != nil {
+			return false
+		}
+		for _, pod := range tcpPods.Items {
+			if pod.Spec.ServiceAccountName != saName {
+				return false
+			}
+		}
+
+		return true
+	}, 5*time.Minute, time.Second).Should(BeTrue())
+}

internal/builders/controlplane/deployment.go

@@ -77,6 +77,7 @@ func (d Deployment) Build(ctx context.Context, deployment *appsv1.Deployment, te
 	d.setContainers(&deployment.Spec.Template.Spec, tenantControlPlane, address)
 	d.setAdditionalVolumes(&deployment.Spec.Template.Spec, tenantControlPlane)
 	d.setVolumes(&deployment.Spec.Template.Spec, tenantControlPlane)
+	d.setServiceAccount(&deployment.Spec.Template.Spec, tenantControlPlane)
 	d.Client.Scheme().Default(deployment)
 }
 
@@ -1071,3 +1072,13 @@ func (d Deployment) setToleration(spec *corev1.PodSpec, tcp kamajiv1alpha1.Tenan
 func (d Deployment) setAffinity(spec *corev1.PodSpec, tcp kamajiv1alpha1.TenantControlPlane) {
 	spec.Affinity = tcp.Spec.ControlPlane.Deployment.Affinity
 }
+
+func (d Deployment) setServiceAccount(spec *corev1.PodSpec, tcp kamajiv1alpha1.TenantControlPlane) {
+	if len(tcp.Spec.ControlPlane.Deployment.ServiceAccountName) > 0 {
+		spec.ServiceAccountName = tcp.Spec.ControlPlane.Deployment.ServiceAccountName
+
+		return
+	}
+
+	spec.ServiceAccountName = "default"
+}