From c373d2880ce95363a3bf0b9815828520ed742e17 Mon Sep 17 00:00:00 2001
From: Rafael Franzke
Date: Fri, 17 Dec 2021 17:10:49 +0100
Subject: [PATCH] Disable `ServiceAccount automount when `--disable-etcd-serviceaccount-automount=true`
---
 .../etcd/templates/etcd-serviceaccount.yaml | 5 +-
 charts/etcd/values.yaml | 2 +
 controllers/controllers_suite_test.go | 2 +-
 controllers/etcd_controller.go | 71 ++++++++++---------
 main.go | 32 +++++----
 5 files changed, 61 insertions(+), 51 deletions(-)
diff --git a/charts/etcd/templates/etcd-serviceaccount.yaml b/charts/etcd/templates/etcd-serviceaccount.yaml
index c33e163e2..e6d6e46a7 100644
--- a/charts/etcd/templates/etcd-serviceaccount.yaml
+++ b/charts/etcd/templates/etcd-serviceaccount.yaml
@@ -15,4 +15,7 @@ metadata:
 instance: {{ .Values.name }}
 {{- if .Values.labels }}
 {{ toYaml .Values.labels | indent 4 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
+{{- if .Values.disableEtcdServiceAccountAutomount }}
+automountServiceAccountToken: false
+{{- end }}
diff --git a/charts/etcd/values.yaml b/charts/etcd/values.yaml
index cb4f3d92b..683070032 100644
--- a/charts/etcd/values.yaml
+++ b/charts/etcd/values.yaml
@@ -3,6 +3,8 @@ uid: uuid-of-etcd-resource
 serviceName: test
 configMapName: test
 jobName: test
+serviceAccountName: test
+disableEtcdServiceAccountAutomount: false
 replicas: 1
 #priorityClassName: foo
diff --git a/controllers/controllers_suite_test.go b/controllers/controllers_suite_test.go
index e62c797d6..15ce6faf9 100644
--- a/controllers/controllers_suite_test.go
+++ b/controllers/controllers_suite_test.go
@@ -102,7 +102,7 @@ var _ = BeforeSuite(func(done Done) {
 })
 Expect(err).NotTo(HaveOccurred())
- er, err := NewEtcdReconcilerWithImageVector(mgr)
+ er, err := NewEtcdReconcilerWithImageVector(mgr, false)
 Expect(err).NotTo(HaveOccurred())
 err = er.SetupWithManager(mgr, 1, true)
diff --git a/controllers/etcd_controller.go b/controllers/etcd_controller.go
index 83851f1d2..176ca8202 100644
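Review bot: `automountServiceAccountToken: false` on the ServiceAccount is only a default that a pod spec can override, so the new block in etcd-serviceaccount.yaml hardens the etcd pods only if the StatefulSet template (not part of this patch) does not itself set `automountServiceAccountToken: true`; that is worth confirming and recording. The same values file carries `roleName`/`roleBindingName` for this ServiceAccount, which suggests some container in the etcd pod is expected to use the token, so enabling the option may silently remove a credential a sidecar relies on. A template comment such as `# Opt-in hardening: pods using this SA get no token unless the pod spec mounts one explicitly` above the new `{{- if }}` block would make both caveats visible to chart users. With `disableEtcdServiceAccountAutomount: false` as the default, existing deployments keep mounting the token unchanged.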
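Review bot: The suite now builds the reconciler with the option hard-coded to `false`, so no test exercises the new code path and a regression in this security control would be silent. A test that constructs the reconciler as `NewEtcdReconcilerWithImageVector(mgr, true)`, reconciles an Etcd, and asserts the created ServiceAccount has `AutomountServiceAccountToken` pointing at `false` (and nil when the option is off) would pin the behaviour; the `false` value used here should at least get a short comment saying the default path is under test. The BeforeSuite body begins and ends outside the hunk.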
--- a/controllers/etcd_controller.go
+++ b/controllers/etcd_controller.go
@@ -98,16 +98,17 @@ var (
 // EtcdReconciler reconciles a Etcd object
 type EtcdReconciler struct {
 client.Client
- Scheme *runtime.Scheme
- chartApplier kubernetes.ChartApplier
- Config *rest.Config
- ImageVector imagevector.ImageVector
- logger logr.Logger
+ Scheme *runtime.Scheme
+ chartApplier kubernetes.ChartApplier
+ Config *rest.Config
+ ImageVector imagevector.ImageVector
+ logger logr.Logger
+ disableEtcdServiceAccountAutomount bool
 }
 // NewReconcilerWithImageVector creates a new EtcdReconciler object with an image vector
-func NewReconcilerWithImageVector(mgr manager.Manager) (*EtcdReconciler, error) {
- etcdReconciler, err := NewEtcdReconciler(mgr)
+func NewReconcilerWithImageVector(mgr manager.Manager, disableEtcdServiceAccountAutomount bool) (*EtcdReconciler, error) {
+ etcdReconciler, err := NewEtcdReconciler(mgr, disableEtcdServiceAccountAutomount)
 if err != nil {
 return nil, err
 }
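Review bot: The new `disableEtcdServiceAccountAutomount` field on EtcdReconciler is undocumented, and the doc comment of NewReconcilerWithImageVector was not updated for its new parameter, so a reader of the struct cannot tell that this is a process-wide operator setting rather than something taken from the Etcd resource. Suggest `// disableEtcdServiceAccountAutomount, when true, renders the etcd ServiceAccount with automountServiceAccountToken: false; it applies to every Etcd handled by this reconciler.` on the field, and a sentence on the constructor comment naming the parameter. The body of NewReconcilerWithImageVector continues outside the hunk.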
@@ -115,18 +116,19 @@ func NewReconcilerWithImageVector(mgr manager.Manager) (*EtcdReconciler, error)
 }
 // NewEtcdReconciler creates a new EtcdReconciler object
-func NewEtcdReconciler(mgr manager.Manager) (*EtcdReconciler, error) {
+func NewEtcdReconciler(mgr manager.Manager, disableEtcdServiceAccountAutomount bool) (*EtcdReconciler, error) {
 return (&EtcdReconciler{
- Client: mgr.GetClient(),
- Config: mgr.GetConfig(),
- Scheme: mgr.GetScheme(),
- logger: log.Log.WithName("etcd-controller"),
+ Client: mgr.GetClient(),
+ Config: mgr.GetConfig(),
+ Scheme: mgr.GetScheme(),
+ logger: log.Log.WithName("etcd-controller"),
+ disableEtcdServiceAccountAutomount: disableEtcdServiceAccountAutomount,
 }).InitializeControllerWithChartApplier()
 }
 // NewEtcdReconcilerWithImageVector creates a new EtcdReconciler object
-func NewEtcdReconcilerWithImageVector(mgr manager.Manager) (*EtcdReconciler, error) {
- ec, err := NewEtcdReconciler(mgr)
+func NewEtcdReconcilerWithImageVector(mgr manager.Manager, disableEtcdServiceAccountAutomount bool) (*EtcdReconciler, error) {
+ ec, err := NewEtcdReconciler(mgr, disableEtcdServiceAccountAutomount)
 if err != nil {
 return nil, err
 }
@@ -1142,7 +1144,7 @@ func (r *EtcdReconciler) reconcileRoleBinding(ctx context.Context, logger logr.L
 }
 func (r *EtcdReconciler) reconcileEtcd(ctx context.Context, logger logr.Logger, etcd *druidv1alpha1.Etcd) (*corev1.Service, *appsv1.StatefulSet, error) {
- values, err := getMapFromEtcd(r.ImageVector, etcd)
+ values, err := getMapFromEtcd(r.ImageVector, etcd, r.disableEtcdServiceAccountAutomount)
 if err != nil {
 return nil, nil, err
 }
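Review bot: Threading a bare positional `bool` through NewEtcdReconciler, NewEtcdReconcilerWithImageVector and NewReconcilerWithImageVector makes call sites read as `NewEtcdReconcilerWithImageVector(mgr, false)`, which hides what is being toggled, and each further operator switch will widen all three signatures again. A small options value would keep the call sites self-describing, e.g. `type EtcdReconcilerOptions struct { DisableEtcdServiceAccountAutomount bool }` passed as the second argument and copied into the reconciler in NewEtcdReconciler. This is a point of style rather than a defect; as far as the hunk shows, the value is plumbed correctly from the constructors down to reconcileEtcd. The bodies of NewEtcdReconcilerWithImageVector and reconcileEtcd continue outside their hunks.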
@@ -1225,7 +1227,7 @@ func checkEtcdAnnotations(annotations map[string]string, etcd metav1.Object) boo
 }
-func getMapFromEtcd(im imagevector.ImageVector, etcd *druidv1alpha1.Etcd) (map[string]interface{}, error) {
+func getMapFromEtcd(im imagevector.ImageVector, etcd *druidv1alpha1.Etcd, disableEtcdServiceAccountAutomount bool) (map[string]interface{}, error) {
 var statefulsetReplicas int
 if etcd.Spec.Replicas != 0 {
 statefulsetReplicas = 1
@@ -1385,24 +1387,25 @@ func getMapFromEtcd(im imagevector.ImageVector, etcd *druidv1alpha1.Etcd) (map[s
 }
 values := map[string]interface{}{
- "name": etcd.Name,
- "uid": etcd.UID,
- "selector": etcd.Spec.Selector,
- "labels": etcd.Spec.Labels,
- "annotations": etcd.Spec.Annotations,
- "etcd": etcdValues,
- "backup": backupValues,
- "sharedConfig": sharedConfigValues,
- "replicas": etcd.Spec.Replicas,
- "statefulsetReplicas": statefulsetReplicas,
- "serviceName": fmt.Sprintf("%s-client", etcd.Name),
- "configMapName": fmt.Sprintf("etcd-bootstrap-%s", string(etcd.UID[:6])),
- "jobName": getJobName(etcd),
- "pdbMinAvailable": pdbMinAvailable,
- "volumeClaimTemplateName": volumeClaimTemplateName,
- "serviceAccountName": getServiceAccountName(etcd),
- "roleName": fmt.Sprintf("druid.gardener.cloud:etcd:%s", etcd.Name),
- "roleBindingName": fmt.Sprintf("druid.gardener.cloud:etcd:%s", etcd.Name),
+ "name": etcd.Name,
+ "uid": etcd.UID,
+ "selector": etcd.Spec.Selector,
+ "labels": etcd.Spec.Labels,
+ "annotations": etcd.Spec.Annotations,
+ "etcd": etcdValues,
+ "backup": backupValues,
+ "sharedConfig": sharedConfigValues,
+ "replicas": etcd.Spec.Replicas,
+ "statefulsetReplicas": statefulsetReplicas,
+ "serviceName": fmt.Sprintf("%s-client", etcd.Name),
+ "configMapName": fmt.Sprintf("etcd-bootstrap-%s", string(etcd.UID[:6])),
+ "jobName": getJobName(etcd),
+ "pdbMinAvailable": pdbMinAvailable,
+ "volumeClaimTemplateName": volumeClaimTemplateName,
+ "serviceAccountName": getServiceAccountName(etcd),
+ "disableEtcdServiceAccountAutomount": disableEtcdServiceAccountAutomount,
+ "roleName": fmt.Sprintf("druid.gardener.cloud:etcd:%s", etcd.Name),
+ "roleBindingName": fmt.Sprintf("druid.gardener.cloud:etcd:%s", etcd.Name),
 }
 if etcd.Spec.StorageCapacity != nil {
diff --git a/main.go b/main.go
index 2fed17d51..2bbe20d6c 100644
--- a/main.go
+++ b/main.go
@@ -50,20 +50,21 @@ func init() {
 func main() {
 var (
- metricsAddr string
- enableLeaderElection bool
- enableBackupCompaction bool
- leaderElectionID string
- leaderElectionResourceLock string
- etcdWorkers int
- custodianWorkers int
- etcdCopyBackupsTaskWorkers int
- custodianSyncPeriod time.Duration
- disableLeaseCache bool
- compactionWorkers int
- eventsThreshold int64
- activeDeadlineDuration time.Duration
- ignoreOperationAnnotation bool
+ metricsAddr string
+ enableLeaderElection bool
+ enableBackupCompaction bool
+ leaderElectionID string
+ leaderElectionResourceLock string
+ etcdWorkers int
+ custodianWorkers int
+ etcdCopyBackupsTaskWorkers int
+ custodianSyncPeriod time.Duration
+ disableLeaseCache bool
+ compactionWorkers int
+ eventsThreshold int64
+ activeDeadlineDuration time.Duration
+ ignoreOperationAnnotation bool
+ disableEtcdServiceAccountAutomount bool
 etcdMemberNotReadyThreshold time.Duration
@@ -91,6 +92,7 @@ func main() {
 flag.BoolVar(&disableLeaseCache, "disable-lease-cache", false, "Disable cache for lease.coordination.k8s.io resources.")
 flag.BoolVar(&ignoreOperationAnnotation, "ignore-operation-annotation", true, "Ignore the operation annotation or not.")
 flag.DurationVar(&etcdMemberNotReadyThreshold, "etcd-member-notready-threshold", 5*time.Minute, "Threshold after which an etcd member is considered not ready if the status was unknown before.")
+ flag.BoolVar(&disableEtcdServiceAccountAutomount, "disable-etcd-serviceaccount-automount", false, "If true then .automountServiceAccountToken will be set to false for the ServiceAccount created for etcd statefulsets.")
 flag.Parse()
@@ -117,7 +119,7 @@ func main() {
 os.Exit(1)
 }
- etcd, err := controllers.NewEtcdReconcilerWithImageVector(mgr)
+ etcd, err := controllers.NewEtcdReconcilerWithImageVector(mgr, disableEtcdServiceAccountAutomount)
 if err != nil {
 setupLog.Error(err, "Unable to initialize etcd controller with image vector")
 os.Exit(1)
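Review bot: The help text of the new `--disable-etcd-serviceaccount-automount` flag in the second hunk describes the mechanism but not its scope or limits: the setting applies to every Etcd resource this operator instance manages, and `automountServiceAccountToken` on a ServiceAccount is only a default that a pod spec can override, so operators may assume more isolation than they get. Suggest `"If true, the ServiceAccount created for every etcd StatefulSet is rendered with automountServiceAccountToken: false (opt-in hardening; a pod spec can still override it)."` as the description. Defaulting the flag to false keeps current behaviour for existing installations, which is reasonable for a hardening switch introduced mid-release. The surrounding main() body extends beyond all three hunks.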