ServiceAccountName replaces ServiceAccount

Following in the k8s footsteps, deprecate ServiceAccount and replace it with ServiceAccountName. ServiceAccountName will always take precedence over ServiceAccount. If ServiceAccountName is not set, the value provided by ServiceAccount will be used instead.
fraenkel · Sep 12, 2019 · 5190761 · 5190761
1 parent 1ac3262
commit 5190761
Show file tree

Hide file tree

Showing 23 changed files with 387 additions and 113 deletions.
diff --git a/docs/auth.md b/docs/auth.md
@@ -73,7 +73,7 @@ kind: TaskRun
 metadata:
   name: build-push-task-run-2
 spec:
-  serviceAccount: build-bot
+  serviceAccountName: build-bot
   taskRef:
     name: build-push
 ```
@@ -87,7 +87,7 @@ spec:
      name: demo-pipeline
      namespace: default
    spec:
-     serviceAccount: build-bot
+     serviceAccountName: build-bot
      pipelineRef:
        name: demo-pipeline
    ```
@@ -145,7 +145,7 @@ to authenticate when retrieving any `PipelineResources`.
    metadata:
      name: build-push-task-run-2
    spec:
-     serviceAccount: build-bot
+     serviceAccountName: build-bot
      taskRef:
        name: build-push
    ```
@@ -159,7 +159,7 @@ to authenticate when retrieving any `PipelineResources`.
      name: demo-pipeline
      namespace: default
    spec:
-     serviceAccount: build-bot
+     serviceAccountName: build-bot
      pipelineRef:
        name: demo-pipeline
    ```
@@ -218,7 +218,7 @@ kind: TaskRun
 metadata:
   name: build-push-task-run-2
 spec:
-  serviceAccount: build-bot
+  serviceAccountName: build-bot
   taskRef:
     name: build-push
 ```
@@ -232,7 +232,7 @@ spec:
      name: demo-pipeline
      namespace: default
    spec:
-     serviceAccount: build-bot
+     serviceAccountName: build-bot
      pipelineRef:
        name: demo-pipeline
    ```
@@ -283,7 +283,7 @@ addition to the one described above.
    metadata:
      name: build-with-basic-auth
    spec:
-     serviceAccount: build-bot
+     serviceAccountName: build-bot
      steps:
      ...
    ```

diff --git a/docs/pipelineruns.md b/docs/pipelineruns.md
@@ -38,7 +38,7 @@ following fields:
 
   - [`resources`](#resources) - Specifies which
     [`PipelineResources`](resources.md) to use for this `PipelineRun`.
-  - [`serviceAccount`](#service-account) - Specifies a `ServiceAccount` resource
+  - [`serviceAccountName`](#service-account) - Specifies a `ServiceAccount` resource
     object that enables your build to run with the defined authentication
     information.
   - [`serviceAccounts`](#service-accounts) - Specifies a list of `ServiceAccount` 
@@ -88,8 +88,8 @@ spec:
 ### Service Account
 
 Specifies the `name` of a `ServiceAccount` resource object. Use the
-`serviceAccount` field to run your `Pipeline` with the privileges of the
-specified service account. If no `serviceAccount` field is specified, your
+`serviceAccountName` field to run your `Pipeline` with the privileges of the
+specified service account. If no `serviceAccountName` field is specified, your
 resulting `TaskRuns` run using the
 [`default` service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server)
 that is in the
@@ -103,14 +103,14 @@ For examples and more information about specifying service accounts, see the
 
 Specifies the list of `ServiceAccount` and `PipelineTask` pairs. Specified 
 `PipelineTask` will be run with configured `ServiceAccount`, 
-overwriting [`serviceAccount`](#service-account) configuration, for example:
+overwriting [`serviceAccountName`](#service-account) configuration, for example:
 
 ```yaml
 spec:
-  serviceAccount: sa-1
+  serviceAccountName: sa-1
   serviceAccounts:
     - taskName: build-task
-      serviceAccount: sa-for-build
+      serviceAccountName: sa-for-build
 ```
 If used with this `Pipeline`, `test-task` will use the `ServiceAccount` `sa-1`, while `build-task` will use `sa-for-build`.
 

diff --git a/docs/taskruns.md b/docs/taskruns.md
@@ -44,7 +44,7 @@ following fields:
       the [`Task`](tasks.md) you want to run
 - Optional:
 
-  - [`serviceAccount`](#service-account) - Specifies a `ServiceAccount` resource
+  - [`serviceAccountName`](#service-account) - Specifies a `ServiceAccount` resource
     object that enables your build to run with the defined authentication
     information.
   - [`inputs`] - Specifies [input parameters](#input-parameters) and
@@ -155,8 +155,8 @@ default, if `default-timeout-minutes` is set to 0.
 ### Service Account
 
 Specifies the `name` of a `ServiceAccount` resource object. Use the
-`serviceAccount` field to run your `Task` with the privileges of the specified
-service account. If no `serviceAccount` field is specified, your `Task` runs
+`serviceAccountName` field to run your `Task` with the privileges of the specified
+service account. If no `serviceAccountName` field is specified, your `Task` runs
 using the
 [`default` service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server)
 that is in the
@@ -516,7 +516,7 @@ kind: TaskRun
 metadata:
   name: test-task-with-serviceaccount-git-ssh
 spec:
-  serviceAccount: test-task-robot-git-ssh
+  serviceAccountName: test-task-robot-git-ssh
   inputs:
     resources:
       - name: workspace
@@ -528,7 +528,7 @@ spec:
       args: ["-c", "cat README.md"]
 ```
 
-Where `serviceAccount: test-build-robot-git-ssh` references the following
+Where `serviceAccountName: test-build-robot-git-ssh` references the following
 `ServiceAccount`:
 
 ```yaml
@@ -560,8 +560,8 @@ data:
 ```
 
 Specifies the `name` of a `ServiceAccount` resource object. Use the
-`serviceAccount` field to run your `Task` with the privileges of the specified
-service account. If no `serviceAccount` field is specified, your `Task` runs
+`serviceAccountName` field to run your `Task` with the privileges of the specified
+service account. If no `serviceAccountName` field is specified, your `Task` runs
 using the
 [`default` service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server)
 that is in the

diff --git a/pkg/apis/pipeline/v1alpha1/pipelinerun_types.go b/pkg/apis/pipeline/v1alpha1/pipelinerun_types.go
@@ -50,7 +50,11 @@ type PipelineRunSpec struct {
 	// Params is a list of parameter names and values.
 	Params []Param `json:"params,omitempty"`
 	// +optional
-	ServiceAccount string `json:"serviceAccount"`
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+	// DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+	// Deprecated: Use serviceAccountName instead.
+	// +optional
+	DeprecatedServiceAccount string `json:"serviceAccount,omitempty"`
 	// +optional
 	ServiceAccounts []PipelineRunSpecServiceAccount `json:"serviceAccounts,omitempty"`
 	// Deprecation Notice: The field Results will be removed in v0.8.0
@@ -175,8 +179,11 @@ func (pr *PipelineRunStatus) InitializeConditions() {
 
 // PipelineRunSpecServiceAccount can be used to configure specific ServiceAccount for a concrete Task
 type PipelineRunSpecServiceAccount struct {
-	TaskName       string `json:"taskName,omitempty"`
-	ServiceAccount string `json:"serviceAccount,omitempty"`
+	TaskName           string `json:"taskName,omitempty"`
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+	// DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+	// Deprecated: Use serviceAccountName instead.
+	DeprecatedServiceAccount string `json:"serviceAccount,omitempty"`
 }
 
 // SetCondition sets the condition, unsetting previous conditions with the same

diff --git a/pkg/apis/pipeline/v1alpha1/pipelinerun_validation_test.go b/pkg/apis/pipeline/v1alpha1/pipelinerun_validation_test.go
@@ -60,7 +60,7 @@ func TestPipelineRun_Invalidate(t *testing.T) {
 					Name: "pipelinelineName",
 				},
 				Spec: v1alpha1.PipelineRunSpec{
-					ServiceAccount: "foo",
+					ServiceAccountName: "foo",
 				},
 			},
 			want: apis.ErrMissingField("pipelinerun.spec.Pipelineref.Name"),

diff --git a/pkg/apis/pipeline/v1alpha1/taskrun_types.go b/pkg/apis/pipeline/v1alpha1/taskrun_types.go
@@ -42,7 +42,11 @@ type TaskRunSpec struct {
 	// +optional
 	Results *Results `json:"results,omitempty"`
 	// +optional
-	ServiceAccount string `json:"serviceAccount,omitempty"`
+	ServiceAccountName string `json:"serviceAccountName"`
+	// DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+	// Deprecated: Use serviceAccountName instead.
+	// +optional
+	DeprecatedServiceAccount string `json:"serviceAccount,omitempty"`
 	// no more than one of the TaskRef and TaskSpec may be specified.
 	// +optional
 	TaskRef *TaskRef `json:"taskRef,omitempty"`
@@ -306,3 +310,11 @@ func (tr *TaskRun) IsCancelled() bool {
 func (tr *TaskRun) GetRunKey() string {
 	return fmt.Sprintf("%s/%s/%s", "TaskRun", tr.Namespace, tr.Name)
 }
+
+func (tr *TaskRun) GetServiceAccountName() string {
+	name := tr.Spec.ServiceAccountName
+	if name == "" {
+		name = tr.Spec.DeprecatedServiceAccount
+	}
+	return name
+}
diff --git a/pkg/reconciler/pipelinerun/pipelinerun.go b/pkg/reconciler/pipelinerun/pipelinerun.go
@@ -507,9 +507,9 @@ func (c *Reconciler) createTaskRun(rprt *resources.ResolvedPipelineRunTask, pr *
 			Inputs: v1alpha1.TaskRunInputs{
 				Params: rprt.PipelineTask.Params,
 			},
-			ServiceAccount: getServiceAccount(pr, rprt.PipelineTask.Name),
-			Timeout:        getTaskRunTimeout(pr),
-			PodTemplate:    podTemplate,
+			ServiceAccountName: getServiceAccountName(pr, rprt.PipelineTask.Name),
+			Timeout:            getTaskRunTimeout(pr),
+			PodTemplate:        podTemplate,
 		}}
 
 	resources.WrapSteps(&tr.Spec, rprt.PipelineTask, rprt.ResolvedTaskResources.Inputs, rprt.ResolvedTaskResources.Outputs, storageBasePath)
@@ -579,15 +579,21 @@ func getTaskRunTimeout(pr *v1alpha1.PipelineRun) *metav1.Duration {
 	return taskRunTimeout
 }
 
-func getServiceAccount(pr *v1alpha1.PipelineRun, pipelineTaskName string) string {
+func getServiceAccountName(pr *v1alpha1.PipelineRun, pipelineTaskName string) string {
 	// If service account is configured for a given PipelineTask, override PipelineRun's serviceAccount
-	serviceAccount := pr.Spec.ServiceAccount
+	serviceAccountName := pr.Spec.ServiceAccountName
+	if serviceAccountName == "" {
+		serviceAccountName = pr.Spec.DeprecatedServiceAccount
+	}
 	for _, sa := range pr.Spec.ServiceAccounts {
 		if sa.TaskName == pipelineTaskName {
-			serviceAccount = sa.ServiceAccount
+			serviceAccountName = sa.ServiceAccountName
+			if serviceAccountName == "" {
+				serviceAccountName = sa.DeprecatedServiceAccount
+			}
 		}
 	}
-	return serviceAccount
+	return serviceAccountName
 }
 
 func (c *Reconciler) updateStatus(pr *v1alpha1.PipelineRun) (*v1alpha1.PipelineRun, error) {
@@ -639,8 +645,8 @@ func (c *Reconciler) makeConditionCheckContainer(rprt *resources.ResolvedPipelin
 			Annotations:     getTaskrunAnnotations(pr), // Propagate annotations from PipelineRun to TaskRun.
 		},
 		Spec: v1alpha1.TaskRunSpec{
-			TaskSpec:       taskSpec,
-			ServiceAccount: getServiceAccount(pr, rprt.PipelineTask.Name),
+			TaskSpec:           taskSpec,
+			ServiceAccountName: getServiceAccountName(pr, rprt.PipelineTask.Name),
 			Inputs: v1alpha1.TaskRunInputs{
 				Params:    rcc.PipelineTaskCondition.Params,
 				Resources: rcc.ToTaskResourceBindings(),