Merge pull request #175 from tetrateio/feature/add-config-serviceAccountName

Support serviceAccountName configuration overwrite

Author: alex-arica

api/v1/kubegres_types.go

@@ -62,20 +62,21 @@ type Probe struct {
 }
 
 type KubegresSpec struct {
-	Replicas         *int32                    `json:"replicas,omitempty"`
-	Image            string                    `json:"image,omitempty"`
-	Port             int32                     `json:"port,omitempty"`
-	ImagePullSecrets []v1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
-	CustomConfig     string                    `json:"customConfig,omitempty"`
-	Database         KubegresDatabase          `json:"database,omitempty"`
-	Failover         KubegresFailover          `json:"failover,omitempty"`
-	Backup           KubegresBackUp            `json:"backup,omitempty"`
-	Env              []v1.EnvVar               `json:"env,omitempty"`
-	Scheduler        KubegresScheduler         `json:"scheduler,omitempty"`
-	Resources        v1.ResourceRequirements   `json:"resources,omitempty"`
-	Volume           Volume                    `json:"volume,omitempty"`
-	SecurityContext  *v1.PodSecurityContext    `json:"securityContext,omitempty"`
-	Probe            Probe                     `json:"probe,omitempty"`
+	Replicas           *int32                    `json:"replicas,omitempty"`
+	Image              string                    `json:"image,omitempty"`
+	Port               int32                     `json:"port,omitempty"`
+	ImagePullSecrets   []v1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+	CustomConfig       string                    `json:"customConfig,omitempty"`
+	Database           KubegresDatabase          `json:"database,omitempty"`
+	Failover           KubegresFailover          `json:"failover,omitempty"`
+	Backup             KubegresBackUp            `json:"backup,omitempty"`
+	Env                []v1.EnvVar               `json:"env,omitempty"`
+	Scheduler          KubegresScheduler         `json:"scheduler,omitempty"`
+	Resources          v1.ResourceRequirements   `json:"resources,omitempty"`
+	Volume             Volume                    `json:"volume,omitempty"`
+	SecurityContext    *v1.PodSecurityContext    `json:"securityContext,omitempty"`
+	Probe              Probe                     `json:"probe,omitempty"`
+	ServiceAccountName string                    `json:"serviceAccountName,omitempty"`
 }
 
 // ----------------------- STATUS -----------------------------------------

config/crd/bases/kubegres.reactive-tech.io_kubegres.yaml

@@ -1619,6 +1619,8 @@ spec:
                         type: string
                     type: object
                 type: object
+              serviceAccountName:
+                type: string
               volume:
                 properties:
                   volumeClaimTemplates:

internal/controller/ctx/KubegresContext.go

@@ -22,12 +22,13 @@ package ctx
 
 import (
 	"context"
+	"strconv"
+	"strings"
+
 	"reactive-tech.io/kubegres/api/v1"
 	"reactive-tech.io/kubegres/internal/controller/ctx/log"
 	"reactive-tech.io/kubegres/internal/controller/ctx/status"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"strconv"
-	"strings"
 )
 
 type KubegresContext struct {
@@ -48,6 +49,7 @@ const (
 	BaseConfigMapName                      = "base-kubegres-config"
 	CronJobNamePrefix                      = "backup-"
 	DefaultContainerPortNumber             = 5432
+	DefaultPodServiceAccountName           = "default"
 	DefaultDatabaseVolumeMount             = "/var/lib/postgresql/data"
 	DefaultDatabaseFolder                  = "pgdata"
 	EnvVarNamePgData                       = "PGDATA"

internal/controller/ctx/resources/ResourcesContext.go

@@ -22,6 +22,7 @@ package resources
 
 import (
 	"context"
+
 	ctx2 "reactive-tech.io/kubegres/internal/controller/ctx"
 	"reactive-tech.io/kubegres/internal/controller/ctx/log"
 	"reactive-tech.io/kubegres/internal/controller/ctx/status"
@@ -166,6 +167,7 @@ func addStatefulSetSpecEnforcers(rc *ResourcesContext) {
 	securityContextSpecEnforcer := statefulset_spec2.CreateSecurityContextSpecEnforcer(rc.KubegresContext)
 	livenessProbeSpecEnforcer := statefulset_spec2.CreateLivenessProbeSpecEnforcer(rc.KubegresContext)
 	readinessProbeSpecEnforcer := statefulset_spec2.CreateReadinessProbeSpecEnforcer(rc.KubegresContext)
+	serviAccountNameSpecEnforcer := statefulset_spec2.CreateServiceAccountNameSpecEnforcer(rc.KubegresContext)
 
 	rc.StatefulSetsSpecsEnforcer = statefulset_spec2.CreateStatefulSetsSpecsEnforcer(rc.KubegresContext)
 	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&imageSpecEnforcer)
@@ -179,6 +181,7 @@ func addStatefulSetSpecEnforcers(rc *ResourcesContext) {
 	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&securityContextSpecEnforcer)
 	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&livenessProbeSpecEnforcer)
 	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&readinessProbeSpecEnforcer)
+	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&serviAccountNameSpecEnforcer)
 
 	rc.AllStatefulSetsSpecEnforcer = statefulset_spec2.CreateAllStatefulSetsSpecEnforcer(rc.KubegresContext, rc.ResourcesStates, rc.BlockingOperation, rc.StatefulSetsSpecsEnforcer)
 }

internal/controller/spec/enforcer/statefulset_spec/ServiceAccountNameSpecEnforcer.go

@@ -0,0 +1,63 @@
+/*
+Copyright 2023 Reactive Tech Limited.
+"Reactive Tech Limited" is a company located in England, United Kingdom.
+https://www.reactive-tech.io
+
+Lead Developer: Alex Arica
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package statefulset_spec
+
+import (
+	apps "k8s.io/api/apps/v1"
+	"reactive-tech.io/kubegres/internal/controller/ctx"
+)
+
+type ServiceAccountNameSpecEnforcer struct {
+	kubegresContext ctx.KubegresContext
+}
+
+func CreateServiceAccountNameSpecEnforcer(kubegresContext ctx.KubegresContext) ServiceAccountNameSpecEnforcer {
+	return ServiceAccountNameSpecEnforcer{kubegresContext: kubegresContext}
+}
+
+func (r *ServiceAccountNameSpecEnforcer) GetSpecName() string {
+	return "ServiceAccountName"
+}
+
+func (r *ServiceAccountNameSpecEnforcer) CheckForSpecDifference(statefulSet *apps.StatefulSet) StatefulSetSpecDifference {
+
+	current := statefulSet.Spec.Template.Spec.ServiceAccountName
+	expected := r.kubegresContext.Kubegres.Spec.ServiceAccountName
+
+	if current != expected {
+		return StatefulSetSpecDifference{
+			SpecName: r.GetSpecName(),
+			Current:  current,
+			Expected: expected,
+		}
+	}
+
+	return StatefulSetSpecDifference{}
+}
+
+func (r *ServiceAccountNameSpecEnforcer) EnforceSpec(statefulSet *apps.StatefulSet) (wasSpecUpdated bool, err error) {
+	statefulSet.Spec.Template.Spec.ServiceAccountName = r.kubegresContext.Kubegres.Spec.ServiceAccountName
+	return true, nil
+}
+
+func (r *ServiceAccountNameSpecEnforcer) OnSpecEnforcedSuccessfully(_ *apps.StatefulSet) error {
+	return nil
+}

internal/controller/spec/template/ResourcesCreatorFromTemplate.go

@@ -21,9 +21,10 @@ limitations under the License.
 package template
 
 import (
-	"reactive-tech.io/kubegres/internal/controller/ctx"
 	"strconv"
 
+	"reactive-tech.io/kubegres/internal/controller/ctx"
+
 	apps "k8s.io/api/apps/v1"
 	batch "k8s.io/api/batch/v1"
 	core "k8s.io/api/core/v1"
@@ -264,6 +265,10 @@ func (r *ResourcesCreatorFromTemplate) initStatefulSet(
 	if postgresSpec.Probe.ReadinessProbe != nil {
 		statefulSetTemplate.Spec.Template.Spec.Containers[0].ReadinessProbe = postgresSpec.Probe.ReadinessProbe
 	}
+
+	if postgresSpec.ServiceAccountName != "" {
+		statefulSetTemplate.Spec.Template.Spec.ServiceAccountName = postgresSpec.ServiceAccountName
+	}
 }
 
 // Extract annotations set in Kubegres YAML by

internal/controller/spec/template/yaml/Templates.go

@@ -152,12 +152,10 @@ data:
     #echo "$dt - Running: psql -v ON_ERROR_STOP=1 --username $POSTGRES_USER --dbname $POSTGRES_DB ...";
 
     #psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-      #CREATE DATABASE $customDatabaseName;
-      #\connect $customDatabaseName;
-      #CREATE USER $customUserName WITH PASSWORD '$POSTGRES_MYAPP_PASSWORD';
-      #GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER ON ALL TABLES IN SCHEMA public TO $customUserName;
-      #GRANT USAGE, SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA public TO $customUserName;
-      #GRANT USAGE, CREATE ON SCHEMA public TO $customUserName;
+    #CREATE USER $customUserName WITH PASSWORD '$POSTGRES_MYAPP_PASSWORD';
+    #CREATE DATABASE $customDatabaseName;
+    #\connect $customDatabaseName;
+    #GRANT ALL ON SCHEMA public TO $customUserName;
     #EOSQL
 
     #echo "$dt - Init script is completed";

internal/test/resourceConfigs/ConfigForTest.go

@@ -40,6 +40,9 @@ const (
 	SecretYamlFile     = "resourceConfigs/secret.yaml"
 	SecretResourceName = "my-kubegres-secret"
 
+	ServiceAccountYamlFile     = "resourceConfigs/serviceAccount.yaml"
+	ServiceAccountResourceName = "my-kubegres"
+
 	ServiceToSqlQueryPrimaryDbYamlFile     = "resourceConfigs/primaryService.yaml"
 	ServiceToSqlQueryPrimaryDbResourceName = "test-kubegres-primary"
 	ServiceToSqlQueryPrimaryDbNodePort     = 30007

internal/test/resourceConfigs/LoadTestYaml.go

@@ -22,10 +22,11 @@ package resourceConfigs
 
 import (
 	"io/ioutil"
+	"log"
+
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
-	"log"
 	kubegresv1 "reactive-tech.io/kubegres/api/v1"
 )
 
@@ -53,6 +54,12 @@ func LoadSecretYaml() v1.Secret {
 	return *obj.(*v1.Secret)
 }
 
+func LoadServiceAccountYaml() v1.ServiceAccount {
+	fileContents := getFileContents(ServiceAccountYamlFile)
+	obj := decodeYaml(fileContents)
+	return *obj.(*v1.ServiceAccount)
+}
+
 func LoadYamlServiceToSqlQueryPrimaryDb() v1.Service {
 	fileContents := getFileContents(ServiceToSqlQueryPrimaryDbYamlFile)
 	obj := decodeYaml(fileContents)

internal/test/resourceConfigs/serviceAccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: my-kubegres
+  namespace: default