Disable ServiceAccount automount when `--disable-etcd-serviceaccount-automount=true`
rfranzke committed Dec 17, 2021
1 parent 3367d11 commit c373d28
Showing 5 changed files with 61 additions and 51 deletions.
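--- a/charts/etcd/templates/etcd-serviceaccount.yaml
+++ b/charts/etcd/templates/etcd-serviceaccount.yaml
@@ -15,4 +15,7 @@ metadata:
 instance: {{ .Values.name }}
 {{- if .Values.labels }}
 {{ toYaml .Values.labels | indent 4 }}
 {{- end }}
-{{- end }}
+{{- end }}
+{{- if .Values.disableEtcdServiceAccountAutomount }}
+automountServiceAccountToken: false
+{{- end }}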
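Review bot: `automountServiceAccountToken: false` on the ServiceAccount is only a default that a pod spec overrides with its own `automountServiceAccountToken: true`, and the etcd StatefulSet template is not touched by this commit, so the hardening the flag promises holds only as long as that template never sets the field. Emitting the same guarded line on the pod spec in the StatefulSet template (`automountServiceAccountToken: false` inside the same `if .Values.disableEtcdServiceAccountAutomount` block) would make it hold regardless. Note also that when the value is false the field is omitted rather than rendered as `true`, so an operator who later turns the flag off may find the previously applied `false` left on the object, depending on how the chart applier merges fields; if that is the intended semantics, a template comment such as `# omitted (cluster default) unless automount is explicitly disabled` would spell it out.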
2 changes: 2 additions & 0 deletions charts/etcd/values.yaml
Expand Up @@ -3,6 +3,8 @@ uid: uuid-of-etcd-resource
serviceName: test
configMapName: test
jobName: test
serviceAccountName: test
disableEtcdServiceAccountAutomount: false

replicas: 1
#priorityClassName: foo
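--- a/controllers/controllers_suite_test.go
+++ b/controllers/controllers_suite_test.go
@@ -102,7 +102,7 @@ var _ = BeforeSuite(func(done Done) {
 })
 Expect(err).NotTo(HaveOccurred())
 
-er, err := NewEtcdReconcilerWithImageVector(mgr)
+er, err := NewEtcdReconcilerWithImageVector(mgr, false)
 Expect(err).NotTo(HaveOccurred())
 
 err = er.SetupWithManager(mgr, 1, true)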
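Review bot: The suite only ever constructs the reconciler with `false`, so the branch the commit adds (the ServiceAccount rendered with `automountServiceAccountToken: false`) is never exercised by a test. A focused unit test on `getMapFromEtcd` asserting `values["disableEtcdServiceAccountAutomount"] == true` when the parameter is `true`, or an envtest case that builds a second reconciler with `true` and checks the created ServiceAccount, would pin the new behaviour. The `BeforeSuite` body begins and ends outside this hunk.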
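--- a/controllers/etcd_controller.go
+++ b/controllers/etcd_controller.go
@@ -98,35 +98,37 @@ var (
 // EtcdReconciler reconciles a Etcd object
 type EtcdReconciler struct {
 client.Client
-Scheme *runtime.Scheme
-chartApplier kubernetes.ChartApplier
-Config *rest.Config
-ImageVector imagevector.ImageVector
-logger logr.Logger
+Scheme *runtime.Scheme
+chartApplier kubernetes.ChartApplier
+Config *rest.Config
+ImageVector imagevector.ImageVector
+logger logr.Logger
+disableEtcdServiceAccountAutomount bool
 }
 
 // NewReconcilerWithImageVector creates a new EtcdReconciler object with an image vector
-func NewReconcilerWithImageVector(mgr manager.Manager) (*EtcdReconciler, error) {
-etcdReconciler, err := NewEtcdReconciler(mgr)
+func NewReconcilerWithImageVector(mgr manager.Manager, disableEtcdServiceAccountAutomount bool) (*EtcdReconciler, error) {
+etcdReconciler, err := NewEtcdReconciler(mgr, disableEtcdServiceAccountAutomount)
 if err != nil {
 return nil, err
 }
 return etcdReconciler.InitializeControllerWithImageVector()
 }
 
 // NewEtcdReconciler creates a new EtcdReconciler object
-func NewEtcdReconciler(mgr manager.Manager) (*EtcdReconciler, error) {
+func NewEtcdReconciler(mgr manager.Manager, disableEtcdServiceAccountAutomount bool) (*EtcdReconciler, error) {
 return (&EtcdReconciler{
-Client: mgr.GetClient(),
-Config: mgr.GetConfig(),
-Scheme: mgr.GetScheme(),
-logger: log.Log.WithName("etcd-controller"),
+Client: mgr.GetClient(),
+Config: mgr.GetConfig(),
+Scheme: mgr.GetScheme(),
+logger: log.Log.WithName("etcd-controller"),
+disableEtcdServiceAccountAutomount: disableEtcdServiceAccountAutomount,
 }).InitializeControllerWithChartApplier()
 }
 
 // NewEtcdReconcilerWithImageVector creates a new EtcdReconciler object
-func NewEtcdReconcilerWithImageVector(mgr manager.Manager) (*EtcdReconciler, error) {
-ec, err := NewEtcdReconciler(mgr)
+func NewEtcdReconcilerWithImageVector(mgr manager.Manager, disableEtcdServiceAccountAutomount bool) (*EtcdReconciler, error) {
+ec, err := NewEtcdReconciler(mgr, disableEtcdServiceAccountAutomount)
 if err != nil {
 return nil, err
 }
@@ -1142,7 +1144,7 @@ func (r *EtcdReconciler) reconcileRoleBinding(ctx context.Context, logger logr.L
 }
 
 func (r *EtcdReconciler) reconcileEtcd(ctx context.Context, logger logr.Logger, etcd *druidv1alpha1.Etcd) (*corev1.Service, *appsv1.StatefulSet, error) {
-values, err := getMapFromEtcd(r.ImageVector, etcd)
+values, err := getMapFromEtcd(r.ImageVector, etcd, r.disableEtcdServiceAccountAutomount)
 if err != nil {
 return nil, nil, err
 }
@@ -1225,7 +1227,7 @@ func checkEtcdAnnotations(annotations map[string]string, etcd metav1.Object) boo
 
 }
 
-func getMapFromEtcd(im imagevector.ImageVector, etcd *druidv1alpha1.Etcd) (map[string]interface{}, error) {
+func getMapFromEtcd(im imagevector.ImageVector, etcd *druidv1alpha1.Etcd, disableEtcdServiceAccountAutomount bool) (map[string]interface{}, error) {
 var statefulsetReplicas int
 if etcd.Spec.Replicas != 0 {
 statefulsetReplicas = 1
@@ -1385,24 +1387,25 @@ func getMapFromEtcd(im imagevector.ImageVector, etcd *druidv1alpha1.Etcd) (map[s
 }
 
 values := map[string]interface{}{
-"name": etcd.Name,
-"uid": etcd.UID,
-"selector": etcd.Spec.Selector,
-"labels": etcd.Spec.Labels,
-"annotations": etcd.Spec.Annotations,
-"etcd": etcdValues,
-"backup": backupValues,
-"sharedConfig": sharedConfigValues,
-"replicas": etcd.Spec.Replicas,
-"statefulsetReplicas": statefulsetReplicas,
-"serviceName": fmt.Sprintf("%s-client", etcd.Name),
-"configMapName": fmt.Sprintf("etcd-bootstrap-%s", string(etcd.UID[:6])),
-"jobName": getJobName(etcd),
-"pdbMinAvailable": pdbMinAvailable,
-"volumeClaimTemplateName": volumeClaimTemplateName,
-"serviceAccountName": getServiceAccountName(etcd),
-"roleName": fmt.Sprintf("druid.gardener.cloud:etcd:%s", etcd.Name),
-"roleBindingName": fmt.Sprintf("druid.gardener.cloud:etcd:%s", etcd.Name),
+"name": etcd.Name,
+"uid": etcd.UID,
+"selector": etcd.Spec.Selector,
+"labels": etcd.Spec.Labels,
+"annotations": etcd.Spec.Annotations,
+"etcd": etcdValues,
+"backup": backupValues,
+"sharedConfig": sharedConfigValues,
+"replicas": etcd.Spec.Replicas,
+"statefulsetReplicas": statefulsetReplicas,
+"serviceName": fmt.Sprintf("%s-client", etcd.Name),
+"configMapName": fmt.Sprintf("etcd-bootstrap-%s", string(etcd.UID[:6])),
+"jobName": getJobName(etcd),
+"pdbMinAvailable": pdbMinAvailable,
+"volumeClaimTemplateName": volumeClaimTemplateName,
+"serviceAccountName": getServiceAccountName(etcd),
+"disableEtcdServiceAccountAutomount": disableEtcdServiceAccountAutomount,
+"roleName": fmt.Sprintf("druid.gardener.cloud:etcd:%s", etcd.Name),
+"roleBindingName": fmt.Sprintf("druid.gardener.cloud:etcd:%s", etcd.Name),
 }
 
 if etcd.Spec.StorageCapacity != nil {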
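Review bot: The new `disableEtcdServiceAccountAutomount` field on `EtcdReconciler` in the first hunk carries no comment, and it is threaded through all three constructors as a bare positional bool, so call sites read as `NewEtcdReconcilerWithImageVector(mgr, false)` with nothing saying what is being disabled. A field comment such as `// disableEtcdServiceAccountAutomount renders the etcd ServiceAccount with automountServiceAccountToken: false when true.` plus a sentence on each constructor's doc comment naming the parameter would close the documentation gap; if more operator knobs are expected, a small options struct or functional options would stop every constructor signature from growing, though that is a style choice. `NewReconcilerWithImageVector` and `NewEtcdReconcilerWithImageVector` now have identical signatures and near-identical bodies — the duplication predates this commit, but touching all three signatures at once is a natural moment to collapse one into the other. The `getMapFromEtcd` body in the later hunks starts and ends outside what is shown.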
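--- a/main.go
+++ b/main.go
@@ -50,20 +50,21 @@ func init() {
 
 func main() {
 var (
-metricsAddr string
-enableLeaderElection bool
-enableBackupCompaction bool
-leaderElectionID string
-leaderElectionResourceLock string
-etcdWorkers int
-custodianWorkers int
-etcdCopyBackupsTaskWorkers int
-custodianSyncPeriod time.Duration
-disableLeaseCache bool
-compactionWorkers int
-eventsThreshold int64
-activeDeadlineDuration time.Duration
-ignoreOperationAnnotation bool
+metricsAddr string
+enableLeaderElection bool
+enableBackupCompaction bool
+leaderElectionID string
+leaderElectionResourceLock string
+etcdWorkers int
+custodianWorkers int
+etcdCopyBackupsTaskWorkers int
+custodianSyncPeriod time.Duration
+disableLeaseCache bool
+compactionWorkers int
+eventsThreshold int64
+activeDeadlineDuration time.Duration
+ignoreOperationAnnotation bool
+disableEtcdServiceAccountAutomount bool
 
 etcdMemberNotReadyThreshold time.Duration
 
@@ -91,6 +92,7 @@ func main() {
 flag.BoolVar(&disableLeaseCache, "disable-lease-cache", false, "Disable cache for lease.coordination.k8s.io resources.")
 flag.BoolVar(&ignoreOperationAnnotation, "ignore-operation-annotation", true, "Ignore the operation annotation or not.")
 flag.DurationVar(&etcdMemberNotReadyThreshold, "etcd-member-notready-threshold", 5*time.Minute, "Threshold after which an etcd member is considered not ready if the status was unknown before.")
+flag.BoolVar(&disableEtcdServiceAccountAutomount, "disable-etcd-serviceaccount-automount", false, "If true then .automountServiceAccountToken will be set to false for the ServiceAccount created for etcd statefulsets.")
 
 flag.Parse()
 
@@ -117,7 +119,7 @@ func main() {
 os.Exit(1)
 }
 
-etcd, err := controllers.NewEtcdReconcilerWithImageVector(mgr)
+etcd, err := controllers.NewEtcdReconcilerWithImageVector(mgr, disableEtcdServiceAccountAutomount)
 if err != nil {
 setupLog.Error(err, "Unable to initialize etcd controller with image vector")
 os.Exit(1)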
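Review bot: The help text of `--disable-etcd-serviceaccount-automount` in the second hunk describes the mechanism but not the consequence an operator must weigh: with the token no longer mounted, nothing running in the etcd pod can authenticate to the Kubernetes API, so any in-pod component that relies on the Role and RoleBinding the controller creates for this ServiceAccount (the `reconcileRoleBinding` hunk header in etcd_controller.go shows they exist) would stop working. Which containers, if any, need that access is not visible here, so the string should at least warn, e.g. `"... for the ServiceAccount created for etcd statefulsets. Do not enable this if components in the etcd pod need Kubernetes API access via that ServiceAccount."`. Defaulting to `false` (token still mounted) is the backward-compatible choice; from a least-privilege standpoint it is worth recording in the docs whether the default is meant to flip once the pod's API needs are confirmed, since a projected token in every etcd pod is otherwise a standing credential for whatever the Role grants.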
