Creating service account by operator (#256)

* Creating service account by operator Signed-off-by: anisha.kj <[email protected]> * Adding service account to e2e tests Signed-off-by: anisha.kj <[email protected]> * Added check for non default service accounts Signed-off-by: anisha.kj <[email protected]> * Changed the operator image in e2e test Signed-off-by: anisha.kj <[email protected]> * Increased unit test coverage Signed-off-by: anisha.kj <[email protected]> * addressed review comments Signed-off-by: anisha.kj <[email protected]> * Fixed typo Signed-off-by: anisha.kj <[email protected]>
pravega · Oct 13, 2020 · 1ddb6b1 · 1ddb6b1
1 parent 0c54143
commit 1ddb6b1
Show file tree

Hide file tree

Showing 14 changed files with 97 additions and 166 deletions.
diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ The project is currently alpha. While no breaking API changes are currently plan
     * [Deploy a sample Zookeeper Cluster to a cluster using Istio](#deploy-a-sample-zookeeper-cluster-with-istio)
     * [Upgrade a Zookeeper Cluster](#upgrade-a-zookeeper-cluster)
     * [Uninstall the Zookeeper Cluster](#uninstall-the-zookeeper-cluster)
+    * [Upgrade the Zookeeper Operator](#upgrade-the-operator)
     * [Uninstall the Operator](#uninstall-the-operator)
  * [Development](#development)
     * [Build the Operator Image](#build-the-operator-image)
@@ -150,7 +151,17 @@ svc/zookeeper-client     ClusterIP   10.31.243.173   <none>        2181/TCP
 svc/zookeeper-headless   ClusterIP   None            <none>        2888/TCP,3888/TCP   2m
 ```
 
->Note: If you want to configure non deafult service accounts to zookeeper pods, refer to [this](doc/rbac.md).
+>Note: If you want to configure non default service accounts to zookeeper pods, set the service account inside pod.This support is added from zookeeper operator version `0.2.9` onwards.
+
+```
+apiVersion: "zookeeper.pravega.io/v1beta1"
+kind: "ZookeeperCluster"
+metadata:
+  name: "example"
+spec:
+  pod:
+    serviceAccountName: "zookeeper"
+```
 
 ### Deploy a sample Zookeeper cluster with Ephemeral storage
 
@@ -270,6 +281,10 @@ Status:
 ```
 >Note: The value of the tag field should not be modified while an upgrade is already in progress.
 
+### Upgrade the Operator
+
+For upgrading the zookeeper operator check the document [operator-upgrade](doc/operator-upgrade.md)
+
 ### Uninstall the Zookeeper cluster
 
 #### Uninstall via helm

diff --git a/charts/zookeeper-operator/templates/clusterrole.yaml b/charts/zookeeper-operator/templates/clusterrole.yaml
@@ -23,6 +23,7 @@ rules:
   - events
   - configmaps
   - secrets
+  - serviceaccounts
   verbs:
   - "*"
 - apiGroups:

diff --git a/charts/zookeeper/templates/clusterrole.yaml b/charts/zookeeper/templates/clusterrole.yaml
diff --git a/charts/zookeeper/templates/clusterrolebinding.yaml b/charts/zookeeper/templates/clusterrolebinding.yaml
diff --git a/charts/zookeeper/templates/role.yaml b/charts/zookeeper/templates/role.yaml
diff --git a/charts/zookeeper/templates/rolebinding.yaml b/charts/zookeeper/templates/rolebinding.yaml
diff --git a/charts/zookeeper/templates/service_account.yaml b/charts/zookeeper/templates/service_account.yaml
diff --git a/doc/operator-upgrade.md b/doc/operator-upgrade.md
@@ -0,0 +1,27 @@
+# Upgrading Operator
+zookeeperoperator can be upgraded to a version **[VERSION]** via helm using the following command
+
+```
+$ helm upgrade [ZOOKEEPER_OPERATOR_RELEASE_NAME] pravega/zookeeper-operator --version=[VERSION]
+```
+The zookeeper operator with deployment name **[DEPLOYMENT_NAME]** can also be upgraded manually by modifying the image tag using kubectl edit, patch or apply
+```
+$ kubectl edit deploy [DEPLOYMENT_NAME]
+```
+> Note: If you are upgrading zookeeper operator version to 0.2.9 or above manually, clusterrole has to be updated to include serviceaccounts. After updating clusterroles, zookeeper operator pod has to be restarted for the changes to take effect.
+
+```
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  - serviceaccounts
+  verbs:
+  - "*"
+```
diff --git a/doc/rbac.md b/doc/rbac.md
diff --git a/pkg/controller/zookeepercluster/zookeepercluster_controller.go b/pkg/controller/zookeepercluster/zookeepercluster_controller.go
@@ -169,7 +169,24 @@ func (r *ReconcileZookeeperCluster) reconcileStatefulSet(instance *zookeeperv1be
 	if instance.Status.IsClusterInUpgradeFailedState() {
 		return nil
 	}
-
+	if instance.Spec.Pod.ServiceAccountName != "default" {
+		serviceAccount := zk.MakeServiceAccount(instance)
+		if err = controllerutil.SetControllerReference(instance, serviceAccount, r.scheme); err != nil {
+			return err
+		}
+		// Check if this ServiceAccount already exists
+		foundServiceAccount := &corev1.ServiceAccount{}
+		err = r.client.Get(context.TODO(), types.NamespacedName{Name: serviceAccount.Name, Namespace: serviceAccount.Namespace}, foundServiceAccount)
+		if err != nil && errors.IsNotFound(err) {
+			r.log.Info("Creating a new ServiceAccount", "ServiceAccount.Namespace", serviceAccount.Namespace, "ServiceAccount.Name", serviceAccount.Name)
+			err = r.client.Create(context.TODO(), serviceAccount)
+			if err != nil {
+				return err
+			}
+		} else if err != nil {
+			return err
+		}
+	}
 	sts := zk.MakeStatefulSet(instance)
 	if err = controllerutil.SetControllerReference(instance, sts, r.scheme); err != nil {
 		return err

diff --git a/pkg/controller/zookeepercluster/zookeepercluster_controller_test.go b/pkg/controller/zookeepercluster/zookeepercluster_controller_test.go
@@ -200,6 +200,7 @@ var _ = Describe("ZookeeperCluster Controller", func() {
 
 			BeforeEach(func() {
 				z.WithDefaults()
+				z.Spec.Pod.ServiceAccountName = "zookeeper"
 				z.Status.Init()
 				next := z.DeepCopy()
 				st := zk.MakeStatefulSet(z)

diff --git a/pkg/zk/generators.go b/pkg/zk/generators.go
@@ -318,3 +318,13 @@ func MakePodDisruptionBudget(z *v1beta1.ZookeeperCluster) *policyv1beta1.PodDisr
 		},
 	}
 }
+
+//MakeServiceAccount returns the service account for zookeeper Cluster
+func MakeServiceAccount(z *v1beta1.ZookeeperCluster) *v1.ServiceAccount {
+	return &v1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      z.Spec.Pod.ServiceAccountName,
+			Namespace: z.Namespace,
+		},
+	}
+}
diff --git a/pkg/zk/generators_test.go b/pkg/zk/generators_test.go
@@ -176,6 +176,29 @@ var _ = Describe("Generators Spec", func() {
 			})
 		})
 	})
+	Context("#MakeStatefulSet with non default service account", func() {
+		var sts *appsv1.StatefulSet
+
+		Context("with defaults", func() {
+
+			BeforeEach(func() {
+				z := &v1beta1.ZookeeperCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "example",
+						Namespace: "default",
+					},
+					Spec: v1beta1.ZookeeperClusterSpec{},
+				}
+				z.Spec.Pod.ServiceAccountName = "zookeeper"
+				z.WithDefaults()
+				zk.MakeServiceAccount(z)
+				sts = zk.MakeStatefulSet(z)
+			})
+			It("Checking the sts service account", func() {
+				Ω(sts.Spec.Template.Spec.ServiceAccountName).To(Equal("zookeeper"))
+			})
+		})
+	})
 
 	Context("#MakeClientService", func() {
 		var s *v1.Service

diff --git a/test/e2e/resources/rbac-operator.yaml b/test/e2e/resources/rbac-operator.yaml
@@ -28,6 +28,7 @@ rules:
   - events
   - configmaps
   - secrets
+  - serviceaccounts
   verbs:
   - "*"
 - apiGroups:
-Original file line number
+Diff line change
@@ Expand Up / @@ -23,6 +23,7 @@ rules: @@
       - events
       - configmaps
       - secrets
+      - serviceaccounts
       verbs:
       - "*"
     - apiGroups:
@@ Expand Down @@