aws-controllers-k8s · ack-bot · Jan 25, 2022 · Jan 19, 2022 · RedbackThomson · Jan 21, 2022
diff --git a/cmd/ack-generate/command/common.go b/cmd/ack-generate/command/common.go
@@ -284,3 +284,13 @@ func getLatestAPIVersion() (string, error) {
 	})
 	return versions[len(versions)-1], nil
 }
+
+// getServiceAccountName gets the service account name from the optional flag passed into ack-generate
+func getServiceAccountName() (string, error) {
+
+	if optServiceAccountName != "" {
+		return optServiceAccountName, nil
+	}
+
+	return "", fmt.Errorf("service account name not set")
+}
diff --git a/cmd/ack-generate/command/controller.go b/cmd/ack-generate/command/controller.go
@@ -63,7 +63,11 @@ func generateController(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-	ts, err := ackgenerate.Controller(m, optTemplateDirs)
+	serviceAccountName, err := getServiceAccountName()
+	if err != nil {
+		return err
+	}
+	ts, err := ackgenerate.Controller(m, optTemplateDirs, serviceAccountName)
 	if err != nil {
 		return err
 	}

diff --git a/cmd/ack-generate/command/release.go b/cmd/ack-generate/command/release.go
@@ -27,9 +27,8 @@ import (
 )
 
 var (
-	optReleaseOutputPath  string
-	optImageRepository    string
-	optServiceAccountName string
+	optReleaseOutputPath string
+	optImageRepository   string
 )
 
 var releaseCmd = &cobra.Command{
@@ -42,9 +41,6 @@ func init() {
 	releaseCmd.PersistentFlags().StringVar(
 		&optImageRepository, "image-repository", "", "the Docker image repository to use in release artifacts. Defaults to 'public.ecr.aws/aws-controllers-k8s/$service-controller'",
 	)
-	releaseCmd.PersistentFlags().StringVar(
-		&optServiceAccountName, "service-account-name", "default", "The name of the ServiceAccount AND ClusterRole used for ACK service controller",
-	)
 	releaseCmd.PersistentFlags().StringVarP(
 		&optReleaseOutputPath, "output", "o", "", "path to root directory to create generated files. Defaults to "+optServicesDir+"/$service",
 	)

diff --git a/cmd/ack-generate/command/root.go b/cmd/ack-generate/command/root.go
@@ -43,6 +43,7 @@ var (
 	optGeneratorConfigPath string
 	optMetadataConfigPath  string
 	optOutputPath          string
+	optServiceAccountName  string
 )
 
 var rootCmd = &cobra.Command{
@@ -121,6 +122,9 @@ func init() {
 	rootCmd.PersistentFlags().StringVar(
 		&optAWSSDKGoVersion, "aws-sdk-go-version", "", "Version of github.com/aws/aws-sdk-go used to generate apis and controllers files",
 	)
+	rootCmd.PersistentFlags().StringVar(
+		&optServiceAccountName, "service-account-name", "", "The name of the ServiceAccount used for ACK service controller",
+	)
 }
 
 // Execute adds all child commands to the root command and sets flags

diff --git a/pkg/generate/ack/controller.go b/pkg/generate/ack/controller.go
@@ -35,6 +35,7 @@ var (
 		"config/rbac/cluster-role-binding.yaml.tpl",
 		"config/rbac/role-reader.yaml.tpl",
 		"config/rbac/role-writer.yaml.tpl",
+		"config/rbac/service-account.yaml.tpl",
 		"config/rbac/kustomization.yaml.tpl",
 		"config/crd/kustomization.yaml.tpl",
 		"config/overlays/namespaced/kustomization.yaml.tpl",
@@ -164,6 +165,8 @@ var (
 func Controller(
 	m *ackmodel.Model,
 	templateBasePaths []string,
+	// serviceAccountName is the name of the ServiceAccount used in the Helm chart
+	serviceAccountName string,
 ) (*templateset.TemplateSet, error) {
 	crds, err := m.GetCRDs()
 	if err != nil {
@@ -224,6 +227,7 @@ func Controller(
 	configVars := &templateConfigVars{
 		metaVars,
 		m.GetConfig(),
+		serviceAccountName,
 	}
 	if err = ts.Add("pkg/resource/registry.go", "pkg/resource/registry.go.tpl", configVars); err != nil {
 		return nil, err
@@ -250,7 +254,7 @@ func Controller(
 	// Finally, add the configuration YAML file templates
 	for _, path := range controllerConfigTemplatePaths {
 		outPath := strings.TrimSuffix(path, ".tpl")
-		if err = ts.Add(outPath, path, metaVars); err != nil {
+		if err = ts.Add(outPath, path, configVars); err != nil {
 			return nil, err
 		}
 	}
@@ -268,5 +272,6 @@ type templateCmdVars struct {
 // access to the generator configuration definition
 type templateConfigVars struct {
 	templateset.MetaVars
-	GeneratorConfig *ackgenconfig.Config
+	GeneratorConfig    *ackgenconfig.Config
+	ServiceAccountName string
 }
diff --git a/pkg/generate/ack/release.go b/pkg/generate/ack/release.go
@@ -60,8 +60,7 @@ func Release(
 	// imageRepository is the Docker image repository to use when generating
 	// release files
 	imageRepository string,
-	// serviceAccountName is the name of the ServiceAccount and ClusterRole
-	// used in the Helm chart
+	// serviceAccountName is the name of the ServiceAccount used in the Helm chart
 	serviceAccountName string,
 ) (*templateset.TemplateSet, error) {
 	ts := templateset.New(
@@ -100,7 +99,6 @@ type templateReleaseVars struct {
 	// ImageRepository is the Docker image repository to inject into the Helm
 	// values template
 	ImageRepository string
-	// ServiceAccountName is the name of the service account and cluster role
-	// created by the Helm chart
+	// ServiceAccountName is the name of the ServiceAccount used in the Helm chart
 	ServiceAccountName string
 }
diff --git a/scripts/build-controller-release.sh b/scripts/build-controller-release.sh
@@ -34,6 +34,7 @@ ACK_GENERATE_API_VERSION=${ACK_GENERATE_API_VERSION:-"v1alpha1"}
 ACK_GENERATE_CONFIG_PATH=${ACK_GENERATE_CONFIG_PATH:-""}
 ACK_METADATA_CONFIG_PATH=${ACK_METADATA_CONFIG_PATH:-""}
 AWS_SDK_GO_VERSION=${AWS_SDK_GO_VERSION:-""}
+ACK_GENERATE_SERVICE_ACCOUNT_NAME=${ACK_GENERATE_SERVICE_ACCOUNT_NAME:-"ack-$SERVICE-controller"}
 
 DEFAULT_TEMPLATES_DIR="$ROOT_DIR/../../aws-controllers-k8s/code-generator/templates"
 TEMPLATES_DIR=${TEMPLATES_DIR:-$DEFAULT_TEMPLATES_DIR}
@@ -42,6 +43,7 @@ DEFAULT_RUNTIME_DIR="$ROOT_DIR/../runtime"
 RUNTIME_DIR=${RUNTIME_DIR:-$DEFAULT_RUNTIME_DIR}
 RUNTIME_API_VERSION=${RUNTIME_API_VERSION:-"v1alpha1"}
 NON_RELEASE_VERSION="v0.0.0-non-release-version"
+K8S_RBAC_ROLE_NAME=${K8S_RBAC_ROLE_NAME:-"ack-$SERVICE-controller"}
 
 USAGE="
 Usage:
@@ -157,9 +159,6 @@ if [[ $RELEASE_VERSION != $NON_RELEASE_VERSION ]]; then
   fi
 fi
 
-K8S_RBAC_ROLE_NAME=${K8S_RBAC_ROLE_NAME:-"ack-$SERVICE-controller"}
-ACK_GENERATE_SERVICE_ACCOUNT_NAME=${ACK_GENERATE_SERVICE_ACCOUNT_NAME:-"ack-$SERVICE-controller"}
-
 if [ -z "$AWS_SDK_GO_VERSION" ]; then
     AWS_SDK_GO_VERSION=$(go list -m -f '{{ .Version }}' -modfile $SERVICE_CONTROLLER_SOURCE_PATH/go.mod github.com/aws/aws-sdk-go)
 fi

diff --git a/scripts/build-controller.sh b/scripts/build-controller.sh
@@ -26,9 +26,11 @@ ACK_GENERATE_BIN_PATH=${ACK_GENERATE_BIN_PATH:-$DEFAULT_ACK_GENERATE_BIN_PATH}
 ACK_GENERATE_API_VERSION=${ACK_GENERATE_API_VERSION:-"v1alpha1"}
 ACK_GENERATE_CONFIG_PATH=${ACK_GENERATE_CONFIG_PATH:-""}
 ACK_METADATA_CONFIG_PATH=${ACK_METADATA_CONFIG_PATH:-""}
+ACK_GENERATE_SERVICE_ACCOUNT_NAME=${ACK_GENERATE_SERVICE_ACCOUNT_NAME:-"ack-$SERVICE-controller"}
 AWS_SDK_GO_VERSION=${AWS_SDK_GO_VERSION:-""}
 DEFAULT_RUNTIME_CRD_DIR="$ROOT_DIR/../../aws-controllers-k8s/runtime/config"
 RUNTIME_CRD_DIR=${RUNTIME_CRD_DIR:-$DEFAULT_RUNTIME_CRD_DIR}
+K8S_RBAC_ROLE_NAME=${K8S_RBAC_ROLE_NAME:-"ack-$SERVICE-controller"}
 
 USAGE="
 Usage:
@@ -38,32 +40,35 @@ Usage:
 's3' 'sns' or 'sqs'
 
 Environment variables:
-  ACK_GENERATE_CACHE_DIR:   Overrides the directory used for caching AWS API
-                            models used by the ack-generate tool.
-                            Default: $ACK_GENERATE_CACHE_DIR
-  ACK_GENERATE_BIN_PATH:    Overrides the path to the the ack-generate binary.
-                            Default: $ACK_GENERATE_BIN_PATH
-  ACK_GENERATE_API_VERSION: Overrides the version of the Kubernetes API objects
-                            generated by the ack-generate apis command. If not
-                            specified, and the service controller has been
-                            previously generated, the latest generated API
-                            version is used. If the service controller has yet
-                            to be generated, 'v1alpha1' is used.
-  ACK_GENERATE_CONFIG_PATH: Specify a path to the generator config YAML file to
-                            instruct the code generator for the service.
-                            Default: generator.yaml
-  ACK_METADATA_CONFIG_PATH: Specify a path to the metadata config YAML file to 
-                            instruct the code generator for the service.
-                            Default: metadata.yaml
-  AWS_SDK_GO_VERSION:       Overrides the version of github.com/aws/aws-sdk-go used
-                            by 'ack-generate' to fetch the service API Specifications.
-                            Default: Version of aws/aws-sdk-go in service go.mod
-  TEMPLATES_DIR:            Overrides the directory containg ack-generate templates
-                            Default: $TEMPLATES_DIR
-  K8S_RBAC_ROLE_NAME:       Name of the Kubernetes Role to use when generating
-                            the RBAC manifests for the custom resource
-                            definitions.
-                            Default: $K8S_RBAC_ROLE_NAME
+  ACK_GENERATE_CACHE_DIR:               Overrides the directory used for caching AWS API
+                                        models used by the ack-generate tool.
+                                        Default: $ACK_GENERATE_CACHE_DIR
+  ACK_GENERATE_BIN_PATH:                Overrides the path to the the ack-generate binary.
+                                        Default: $ACK_GENERATE_BIN_PATH
+  ACK_GENERATE_API_VERSION:             Overrides the version of the Kubernetes API objects
+                                        generated by the ack-generate apis command. If not
+                                        specified, and the service controller has been
+                                        previously generated, the latest generated API
+                                        version is used. If the service controller has yet
+                                        to be generated, 'v1alpha1' is used.
+  ACK_GENERATE_CONFIG_PATH:             Specify a path to the generator config YAML file to
+                                        instruct the code generator for the service.
+                                        Default: generator.yaml
+  ACK_METADATA_CONFIG_PATH:             Specify a path to the metadata config YAML file to
+                                        instruct the code generator for the service.
+                                        Default: metadata.yaml
+  ACK_GENERATE_SERVICE_ACCOUNT_NAME:    Name of the Kubernetes Service Account and
+                                        Cluster Role to use in Helm chart.
+                                        Default: $ACK_GENERATE_SERVICE_ACCOUNT_NAME
+  AWS_SDK_GO_VERSION:                   Overrides the version of github.com/aws/aws-sdk-go used
+                                        by 'ack-generate' to fetch the service API Specifications.
+                                        Default: Version of aws/aws-sdk-go in service go.mod
+  TEMPLATES_DIR:                        Overrides the directory containg ack-generate templates
+                                        Default: $TEMPLATES_DIR
+  K8S_RBAC_ROLE_NAME:                   Name of the Kubernetes Role to use when generating
+                                        the RBAC manifests for the custom resource
+                                        definitions.
+                                        Default: $K8S_RBAC_ROLE_NAME
 "
 
 if [ $# -ne 1 ]; then
@@ -119,9 +124,8 @@ if [[ -d "$SERVICE_CONTROLLER_SOURCE_PATH/templates" ]]; then
         BOILERPLATE_TXT_PATH="$SERVICE_CONTROLLER_SOURCE_PATH/templates/boilerplate.txt"
     fi
 fi
-TEMPLATE_DIRS=${TEMPLATE_DIRS:-$DEFAULT_TEMPLATE_DIRS}
 
-K8S_RBAC_ROLE_NAME=${K8S_RBAC_ROLE_NAME:-"ack-$SERVICE-controller"}
+TEMPLATE_DIRS=${TEMPLATE_DIRS:-$DEFAULT_TEMPLATE_DIRS}
 
 config_output_dir="$SERVICE_CONTROLLER_SOURCE_PATH/config/"
 
@@ -174,6 +178,10 @@ if [ -n "$AWS_SDK_GO_VERSION" ]; then
     apis_args="$apis_args --aws-sdk-go-version $AWS_SDK_GO_VERSION"
 fi
 
+if [ -n "$ACK_GENERATE_SERVICE_ACCOUNT_NAME" ]; then
+    ag_args="$ag_args --service-account-name $ACK_GENERATE_SERVICE_ACCOUNT_NAME"
+fi
+
 echo "Building Kubernetes API objects for $SERVICE"
 $ACK_GENERATE_BIN_PATH $apis_args
 if [ $? -ne 0 ]; then

diff --git a/templates/config/controller/deployment.yaml.tpl b/templates/config/controller/deployment.yaml.tpl
@@ -61,6 +61,7 @@ spec:
             drop:
               - ALL
       terminationGracePeriodSeconds: 10
+      serviceAccountName: {{ .ServiceAccountName }}
       hostIPC: false
       hostNetwork: false
       hostPID: false
diff --git a/templates/config/rbac/cluster-role-binding.yaml.tpl b/templates/config/rbac/cluster-role-binding.yaml.tpl
@@ -8,5 +8,5 @@ roleRef:
   name: ack-{{ .ServicePackageName }}-controller
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .ServiceAccountName }}
   namespace: ack-system
diff --git a/templates/config/rbac/kustomization.yaml.tpl b/templates/config/rbac/kustomization.yaml.tpl
@@ -3,3 +3,5 @@ resources:
 - cluster-role-controller.yaml
 - role-reader.yaml
 - role-writer.yaml
+- service-account.yaml
+
diff --git a/templates/config/rbac/service-account.yaml.tpl b/templates/config/rbac/service-account.yaml.tpl
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .ServiceAccountName }}
+  namespace: ack-system