Add parameter for service account name to all ackgenerate methods #270
Conversation
ack-bot
added
the
needs-ok-to-test
|
Hi @acornett21. Thanks for your PR. I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
ack-bot
added
ok-to-test
RedbackThomson
left a comment
RedbackThomson
left a comment
There was a problem hiding this comment.
Nice catch. Please see my inline comment for default service account name variables.
| drop: | ||
| - ALL | ||
| terminationGracePeriodSeconds: 10 | ||
| serviceAccountName: ack-{{ .ServicePackageName }}-service-account |
There was a problem hiding this comment.
The Helm templates use {{ .ServiceAccountName }} here - https://github.com/aws-controllers-k8s/code-generator/blob/main/templates/helm/values.yaml.tpl#L75 . This references an optional parameter in the generator, which defaults to "default" -
Ideally we would use that same variable here, and update the default value for that optional parameter to be ack-<service>-service-account.
There was a problem hiding this comment.
@RedbackThomson Thanks for pointing this out, I wasn't sure how this was getting picked up in helm. I have refactored to pass the same var to all necessary processes/flows. Let me know what you think, I had to add this to the API's process too, since a variable there is shared with the controller process.
acornett21
force-pushed
the
add_service_account
branch
2 times, most recently
from
342c8f9 to
180195d
Compare
acornett21
changed the title
RedbackThomson
left a comment
RedbackThomson
left a comment
There was a problem hiding this comment.
Great. This is a big upgrade for the Kustomization users. Thanks Adam!
It changes it from
ack-$SERVICE-controllertoack-$SERVICE-service-account
I prefer ack-$SERVICE-controller, since it's redundant to add service-account to the name of a service account. Especially since we are using the same values for the ClusterRole name.
cmd/ack-generate/command/root.go
Outdated
| &optAWSSDKGoVersion, "aws-sdk-go-version", "", "Version of github.com/aws/aws-sdk-go used to generate apis and controllers files", | ||
| ) | ||
| rootCmd.PersistentFlags().StringVar( | ||
| &optServiceAccountName, "service-account-name", optServiceAccountName, "The name of the ServiceAccount AND ClusterRole used for ACK service controller", |
There was a problem hiding this comment.
I would initialize the default service account name in this flag as "", and then have a common method in common.go (like getSDKVersion) that you use as the getter, which returns the proper default value of ack-$SERVICE-controller.
There was a problem hiding this comment.
Hmmm I also don't really like that we are using this value for the ClusterRole name, as well. Perhaps I will open an issue and add another flag, and move that stuff into its own variable later. For this PR it's cool with me, though.
There was a problem hiding this comment.
This comment is misleading, its not the name of the ClusterRole it's just referenced in the ClusterRole. I'll update comments accordingly.
pkg/generate/ack/apis.go
Outdated
| CRD *ackmodel.CRD | ||
| SDKAPI *ackmodel.SDKAPI | ||
| CRD *ackmodel.CRD | ||
| ServiceAccountName string |
There was a problem hiding this comment.
I don't believe we are using the ServiceAccountName variable in any of the templates used by the API command. I think we are free to strip it from this var struct, and from the API method declaration.
There was a problem hiding this comment.
I'll revert the API changes, even though this struct is shared between the controller and the api code, the controller code does not need ServiceAccountName
| for _, path := range controllerConfigTemplatePaths { | ||
| outPath := strings.TrimSuffix(path, ".tpl") | ||
| if err = ts.Add(outPath, path, metaVars); err != nil { | ||
| if err = ts.Add(outPath, path, configVars); err != nil { |
There was a problem hiding this comment.
Oh interesting, this almost looks like a bug you found? Nice
There was a problem hiding this comment.
Maybe a bug, but I don't think anything outside of metaVars was used in the templates, but now we need more then just metaVars
| drop: | ||
| - ALL | ||
| terminationGracePeriodSeconds: 10 | ||
| serviceAccountName: {{ .ServiceAccountName }} |
There was a problem hiding this comment.
++ Nice forethought
I went with |
acornett21
force-pushed
the
add_service_account
branch
from
180195d to
27e6276
Compare
…rate controller process as well as ack-generate release process. Also adding in a service-account.yaml.tpl to be referenced in deployment.yaml.tpl and cluster-role-binding.yaml.tpl Signed-off-by: Adam D. Cornett <adc@redhat.com>
acornett21
force-pushed
the
add_service_account
branch
from
27e6276 to
162e61b
Compare
Issue #, if available: - Relates: aws-controllers-k8s/community#777 Description of changes: This pull request is needed to get tests to pass for - aws-controllers-k8s/code-generator#270 It also removes `sha` information from k8's versions, since this `sha` version is not static. Meaning that k8s can and does update a sha for a given version to fix security updates and some of these `shas` can no longer be pulled locally. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. Signed-off-by: Adam D. Cornett <adc@redhat.com>
|
Let's try these again with the new tests |
|
/retest |
RedbackThomson
changed the title
RedbackThomson
left a comment
RedbackThomson
left a comment
There was a problem hiding this comment.
Great. Let's send it!
/lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: acornett21, RedbackThomson The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
3 participants
Issue #, if available:
defaultin generated kustomize manifests community#777Description of changes:
The goal of this is to move away from using the default service account. It seems this might have been done with the helm charts/templates, but was not ported to the Kustomization files. This means each operator/controller would have its own service account. Things that changed are below:
/rbac/service-account.yaml.tplto create a service account, and then referece this account in theDeploymentandClusterRoleBindingshfiles to add inACK_GENERATE_SERVICE_ACCOUNT_NAMEto be used in both build and release processshfiles so that if there is an error in the build/release process theDefaultvalues are actually presented to the user (currently they show up as blank since the variables are not initilaized before theUSAGEvariable)helmprocess as well. It changes it fromack-$SERVICE-controllertoack-$SERVICE-service-account. I am not sure if this is backwards compatible for when a controller is installed/updated via a helm deployment.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Signed-off-by: Adam D. Cornett adc@redhat.com