CSPL-720: Adding support to configure a custom serviceaccount per CRD

deploy/crds/enterprise.splunk.com_clustermasters_crd.yaml

@@ -752,6 +752,11 @@ spec:
               description: Name of Scheduler to use for pod placement (defaults to
                 “default-scheduler”)
               type: string
+            serviceAccount:
+              description: ServiceAccount is the service account used by the pods
+                deployed by the CRD. If not specified uses the default serviceAccount
+                for the namespace as per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+              type: string
             serviceTemplate:
               description: ServiceTemplate is a template used to create Kubernetes
                 services

deploy/crds/enterprise.splunk.com_indexerclusters_crd.yaml

@@ -779,6 +779,11 @@ spec:
               description: Name of Scheduler to use for pod placement (defaults to
                 “default-scheduler”)
               type: string
+            serviceAccount:
+              description: ServiceAccount is the service account used by the pods
+                deployed by the CRD. If not specified uses the default serviceAccount
+                for the namespace as per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+              type: string
             serviceTemplate:
               description: ServiceTemplate is a template used to create Kubernetes
                 services

deploy/crds/enterprise.splunk.com_licensemasters_crd.yaml

@@ -757,6 +757,11 @@ spec:
               description: Name of Scheduler to use for pod placement (defaults to
                 “default-scheduler”)
               type: string
+            serviceAccount:
+              description: ServiceAccount is the service account used by the pods
+                deployed by the CRD. If not specified uses the default serviceAccount
+                for the namespace as per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+              type: string
             serviceTemplate:
               description: ServiceTemplate is a template used to create Kubernetes
                 services

deploy/crds/enterprise.splunk.com_searchheadclusters_crd.yaml

@@ -779,6 +779,11 @@ spec:
               description: Name of Scheduler to use for pod placement (defaults to
                 “default-scheduler”)
               type: string
+            serviceAccount:
+              description: ServiceAccount is the service account used by the pods
+                deployed by the CRD. If not specified uses the default serviceAccount
+                for the namespace as per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+              type: string
             serviceTemplate:
               description: ServiceTemplate is a template used to create Kubernetes
                 services

deploy/crds/enterprise.splunk.com_standalones_crd.yaml

@@ -773,6 +773,11 @@ spec:
               description: Name of Scheduler to use for pod placement (defaults to
                 “default-scheduler”)
               type: string
+            serviceAccount:
+              description: ServiceAccount is the service account used by the pods
+                deployed by the CRD. If not specified uses the default serviceAccount
+                for the namespace as per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+              type: string
             serviceTemplate:
               description: ServiceTemplate is a template used to create Kubernetes
                 services

deploy/olm-catalog/splunk/0.2.1/enterprise.splunk.com_clustermasters_crd.yaml

@@ -752,6 +752,11 @@ spec:
               description: Name of Scheduler to use for pod placement (defaults to
                 “default-scheduler”)
               type: string
+            serviceAccount:
+              description: ServiceAccount is the service account used by the pods
+                deployed by the CRD. If not specified uses the default serviceAccount
+                for the namespace as per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+              type: string
             serviceTemplate:
               description: ServiceTemplate is a template used to create Kubernetes
                 services

deploy/olm-catalog/splunk/0.2.1/enterprise.splunk.com_indexerclusters_crd.yaml

@@ -779,6 +779,11 @@ spec:
               description: Name of Scheduler to use for pod placement (defaults to
                 “default-scheduler”)
               type: string
+            serviceAccount:
+              description: ServiceAccount is the service account used by the pods
+                deployed by the CRD. If not specified uses the default serviceAccount
+                for the namespace as per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+              type: string
             serviceTemplate:
               description: ServiceTemplate is a template used to create Kubernetes
                 services

deploy/olm-catalog/splunk/0.2.1/enterprise.splunk.com_licensemasters_crd.yaml

@@ -757,6 +757,11 @@ spec:
               description: Name of Scheduler to use for pod placement (defaults to
                 “default-scheduler”)
               type: string
+            serviceAccount:
+              description: ServiceAccount is the service account used by the pods
+                deployed by the CRD. If not specified uses the default serviceAccount
+                for the namespace as per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+              type: string
             serviceTemplate:
               description: ServiceTemplate is a template used to create Kubernetes
                 services

deploy/olm-catalog/splunk/0.2.1/enterprise.splunk.com_searchheadclusters_crd.yaml

@@ -779,6 +779,11 @@ spec:
               description: Name of Scheduler to use for pod placement (defaults to
                 “default-scheduler”)
               type: string
+            serviceAccount:
+              description: ServiceAccount is the service account used by the pods
+                deployed by the CRD. If not specified uses the default serviceAccount
+                for the namespace as per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+              type: string
             serviceTemplate:
               description: ServiceTemplate is a template used to create Kubernetes
                 services

deploy/olm-catalog/splunk/0.2.1/enterprise.splunk.com_standalones_crd.yaml

@@ -773,6 +773,11 @@ spec:
               description: Name of Scheduler to use for pod placement (defaults to
                 “default-scheduler”)
               type: string
+            serviceAccount:
+              description: ServiceAccount is the service account used by the pods
+                deployed by the CRD. If not specified uses the default serviceAccount
+                for the namespace as per https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+              type: string
             serviceTemplate:
               description: ServiceTemplate is a template used to create Kubernetes
                 services

deploy/role.yaml

@@ -14,6 +14,7 @@ rules:
   - secrets
   - pods
   - pods/exec
+  - serviceaccounts
   verbs:
   - create
   - delete

docs/CustomResources.md

@@ -79,7 +79,6 @@ configuration parameters:
 | resources             | [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#resourcerequirements-v1-core) | CPU and memory [compute resource requirements](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) to use for each pod instance (defaults shown in example above) |
 | serviceTemplate       | [Service](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#service-v1-core) | Template used to create Kubernetes [Services](https://kubernetes.io/docs/concepts/services-networking/service/) |
 
-
 ## Common Spec Parameters for Splunk Enterprise Resources
 
 ```yaml
@@ -102,6 +101,7 @@ spec:
     name: example
   clusterMasterRef:
     name: example
+  serviceAccount: custom-serviceaccount
 ```
 
 The following additional configuration parameters may be used for all Splunk
@@ -118,7 +118,7 @@ Enterprise resources, including: `Standalone`, `LicenseMaster`,
 | licenseUrl         | string  | Full path or URL for a Splunk Enterprise license file                         |
 | licenseMasterRef   | [ObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectreference-v1-core) | Reference to a Splunk Operator managed `LicenseMaster` instance (via `name` and optionally `namespace`) to use for licensing |
 | clusterMasterRef  | [ObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectreference-v1-core) | Reference to a Splunk Operator managed `ClusterMaster` instance (via `name` and optionally `namespace`) to use for indexing |
-
+| serviceAccount | [ServiceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) | Represents the service account used by the pods deployed by the CRD |
 
 ## Spark Resource Spec Parameters
 

pkg/apis/enterprise/v1beta1/common_types.go

@@ -69,6 +69,11 @@ type CommonSplunkSpec struct {
 
 	// Mock to differentiate between UTs and actual reconcile
 	Mock bool `json:"Mock"`
+
+	// ServiceAccount is the service account used by the pods deployed by the CRD.
+	// If not specified uses the default serviceAccount for the namespace as per
+	// https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+	ServiceAccount string `json:"serviceAccount"`
 }
 
 // StorageClassSpec defines storage class configuration

pkg/splunk/controller/serviceaccount.go

@@ -0,0 +1,61 @@
+// Copyright (c) 2018-2020 Splunk Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// 	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controller
+
+import (
+	"context"
+	"reflect"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	splcommon "github.com/splunk/splunk-operator/pkg/splunk/common"
+	splutil "github.com/splunk/splunk-operator/pkg/splunk/util"
+)
+
+// ApplyServiceAccount creates or updates a Kubernetes serviceAccount
+func ApplyServiceAccount(client splcommon.ControllerClient, serviceAccount *corev1.ServiceAccount) error {
+	scopedLog := log.WithName("ApplyServiceAccount").WithValues("serviceAccount", serviceAccount.GetName(),
+		"namespace", serviceAccount.GetNamespace())
+
+	namespacedName := types.NamespacedName{Namespace: serviceAccount.GetNamespace(), Name: serviceAccount.GetName()}
+	var current corev1.ServiceAccount
+
+	err := client.Get(context.TODO(), namespacedName, &current)
+	if err == nil {
+		if !reflect.DeepEqual(serviceAccount, &current) {
+			scopedLog.Info("Updating service account")
+			current = *serviceAccount
+			err = splutil.UpdateResource(client, &current)
+		}
+	} else {
+		err = splutil.CreateResource(client, serviceAccount)
+	}
+
+	return err
+}
+
+// GetServiceAccount gets the serviceAccount resource in a given namespace
+func GetServiceAccount(client splcommon.ControllerClient, namespacedName types.NamespacedName) (*corev1.ServiceAccount, error) {
+	var serviceAccount corev1.ServiceAccount
+	err := client.Get(context.TODO(), namespacedName, &serviceAccount)
+	if err != nil {
+		scopedLog := log.WithName("GetServiceAccount").WithValues("serviceAccount", namespacedName.Name,
+			"namespace", namespacedName.Namespace, "error", err)
+		scopedLog.Info("ServiceAccount not found")
+		return nil, err
+	}
+	return &serviceAccount, nil
+}

pkg/splunk/controller/serviceaccount_test.go

@@ -0,0 +1,94 @@
+// Copyright (c) 2018-2020 Splunk Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// 	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controller
+
+import (
+	"testing"
+
+	spltest "github.com/splunk/splunk-operator/pkg/splunk/test"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+func TestApplyServiceAccount(t *testing.T) {
+	funcCalls := []spltest.MockFuncCall{{MetaName: "*v1.ServiceAccount-test-defaults"}}
+	createCalls := map[string][]spltest.MockFuncCall{"Get": funcCalls, "Create": funcCalls}
+	updateCalls := map[string][]spltest.MockFuncCall{"Get": funcCalls, "Update": funcCalls}
+	current := corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "defaults",
+			Namespace: "test",
+		},
+	}
+	revised := current.DeepCopy()
+	revised.ResourceVersion = "dummy"
+	reconcile := func(c *spltest.MockClient, cr interface{}) error {
+		err := ApplyServiceAccount(c, cr.(*corev1.ServiceAccount))
+		return err
+	}
+	spltest.ReconcileTester(t, "TestApplyServiceAccount", &current, revised, createCalls, updateCalls, reconcile, false)
+}
+
+func TestGetServiceAccount(t *testing.T) {
+	current := corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "defaults",
+			Namespace: "test",
+		},
+	}
+
+	client := spltest.NewMockClient()
+	namespacedName := types.NamespacedName{Namespace: current.GetNamespace(), Name: current.GetName()}
+
+	// serviceAccount doesn't exist
+	_, err := GetServiceAccount(client, namespacedName)
+	if err == nil {
+		t.Errorf("Should return an error, when the serviceAccount doesn't exist")
+	}
+
+	// Create serviceAccount
+	err = ApplyServiceAccount(client, &current)
+	if err != nil {
+		t.Errorf("Failed to create the serviceAccount. Error: %s", err.Error())
+	}
+
+	// Make sure serviceAccount exists
+	got, err := GetServiceAccount(client, namespacedName)
+	if err != nil {
+		if got.GetName() != current.GetName() {
+			t.Errorf("Incorrect service account retrieved got %s want %s", got.GetName(), current.GetName())
+		}
+		t.Errorf("Should not return an error, when the serviceAccount exists")
+	}
+
+	var dummySaName string = "dummy_sa"
+
+	current.Name = dummySaName
+	// Update serviceAccount
+	err = ApplyServiceAccount(client, &current)
+	if err != nil {
+		t.Errorf("Failed to create the serviceAccount. Error: %s", err.Error())
+	}
+
+	// Make sure serviceAccount is updated
+	got, err = GetServiceAccount(client, namespacedName)
+	if err != nil {
+		if got.GetName() != dummySaName {
+			t.Errorf("Incorrect service account retrieved got %s want %s", got.GetName(), current.GetName())
+		}
+		t.Errorf("Should not return an error, when the serviceAccount exists")
+	}
+}