Add fields to set Pulp SA labels/annotations

closes: #1079
pulp · Sep 12, 2023 · 9644583 · 9644583
1 parent 25e1892
commit 9644583
Show file tree

Hide file tree

Showing 9 changed files with 97 additions and 11 deletions.
diff --git a/CHANGES/1079.feature b/CHANGES/1079.feature
@@ -0,0 +1 @@
+Added capability to customize annotations of serviceAccount created by operator.
diff --git a/apis/repo-manager.pulpproject.org/v1beta2/pulp_types.go b/apis/repo-manager.pulpproject.org/v1beta2/pulp_types.go
@@ -302,6 +302,16 @@ type PulpSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
 	ImagePullSecrets []string `json:"image_pull_secrets,omitempty"`
 
+	// ServiceAccount.metadata.annotations that will be used in Pulp pods.
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
+	SAAnnotations map[string]string `json:"sa_annotations,omitempty"`
+
+	// ServiceAccount.metadata.labels that will be used in Pulp pods.
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
+	SALabels map[string]string `json:"sa_labels,omitempty"`
+
 	// Secret where Single Sign-on configuration can be found
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret","urn:alm:descriptor:com.tectonic.ui:advanced"}

diff --git a/apis/repo-manager.pulpproject.org/v1beta2/zz_generated.deepcopy.go b/apis/repo-manager.pulpproject.org/v1beta2/zz_generated.deepcopy.go
diff --git a/bundle/manifests/pulp-operator.clusterserviceversion.yaml b/bundle/manifests/pulp-operator.clusterserviceversion.yaml
@@ -164,7 +164,7 @@ metadata:
     capabilities: Full Lifecycle
     categories: Integration & Delivery
     containerImage: quay.io/pulp/pulp-operator:devel
-    createdAt: "2023-09-08T21:28:56Z"
+    createdAt: "2023-09-12T18:49:15Z"
     description: Pulp is a platform for managing repositories of software packages
       and making them available to a large number of consumers.
     operators.operatorframework.io/builder: operator-sdk-v1.29.0
@@ -950,6 +950,17 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:Secret
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
+      - description: ServiceAccount.metadata.annotations that will be used in Pulp
+          pods.
+        displayName: SAAnnotations
+        path: sa_annotations
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: ServiceAccount.metadata.labels that will be used in Pulp pods.
+        displayName: SALabels
+        path: sa_labels
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - description: 'ConfigMap where the signing scripts are stored. Default: <operators''s
           name>-"-signing-scripts"'
         displayName: Signing Scripts Configmap

diff --git a/bundle/manifests/repo-manager.pulpproject.org_pulps.yaml b/bundle/manifests/repo-manager.pulpproject.org_pulps.yaml
@@ -6373,6 +6373,18 @@ spec:
                 description: Name of the secret with the certificates/keys used by
                   route encryption
                 type: string
+              sa_annotations:
+                additionalProperties:
+                  type: string
+                description: ServiceAccount.metadata.annotations that will be used
+                  in Pulp pods.
+                type: object
+              sa_labels:
+                additionalProperties:
+                  type: string
+                description: ServiceAccount.metadata.labels that will be used in Pulp
+                  pods.
+                type: object
               signing_scripts_configmap:
                 description: 'ConfigMap where the signing scripts are stored. Default:
                   <operators''s name>-"-signing-scripts"'

diff --git a/config/crd/bases/repo-manager.pulpproject.org_pulps.yaml b/config/crd/bases/repo-manager.pulpproject.org_pulps.yaml
@@ -6374,6 +6374,18 @@ spec:
                 description: Name of the secret with the certificates/keys used by
                   route encryption
                 type: string
+              sa_annotations:
+                additionalProperties:
+                  type: string
+                description: ServiceAccount.metadata.annotations that will be used
+                  in Pulp pods.
+                type: object
+              sa_labels:
+                additionalProperties:
+                  type: string
+                description: ServiceAccount.metadata.labels that will be used in Pulp
+                  pods.
+                type: object
               signing_scripts_configmap:
                 description: 'ConfigMap where the signing scripts are stored. Default:
                   <operators''s name>-"-signing-scripts"'

diff --git a/config/manifests/bases/pulp-operator.clusterserviceversion.yaml b/config/manifests/bases/pulp-operator.clusterserviceversion.yaml
@@ -950,6 +950,17 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:Secret
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
+      - description: ServiceAccount.metadata.annotations that will be used in Pulp
+          pods.
+        displayName: SAAnnotations
+        path: sa_annotations
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: ServiceAccount.metadata.labels that will be used in Pulp pods.
+        displayName: SALabels
+        path: sa_labels
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - description: 'ConfigMap where the signing scripts are stored. Default: <operators''s
           name>-"-signing-scripts"'
         displayName: Signing Scripts Configmap

diff --git a/controllers/repo_manager/README.md b/controllers/repo_manager/README.md
@@ -219,6 +219,8 @@ PulpSpec defines the desired state of Pulp
 | image_web_version | The image version for the pulp webserver image. Default: \"stable\" | string | false |
 | admin_password_secret | Secret where the administrator password can be found. Default: <operator's name> + \"-admin-password\" | string | false |
 | image_pull_secrets | Image pull secrets for container images. Default: [] | []string | false |
+| sa_annotations | ServiceAccount.metadata.annotations that will be used in Pulp pods. | map[string]string | false |
+| sa_labels | ServiceAccount.metadata.labels that will be used in Pulp pods. | map[string]string | false |
 | sso_secret | Secret where Single Sign-on configuration can be found | string | false |
 | mount_trusted_ca | Define if the operator should or should not mount the custom CA certificates added to the cluster via cluster-wide proxy config. Default: false | bool | false |
 | deploy_ee_defaults | Define if the operator should or should not deploy the default Execution Environments. Default: false | bool | false |

diff --git a/controllers/repo_manager/rbac.go b/controllers/repo_manager/rbac.go
@@ -63,12 +63,12 @@ func (r *RepoManagerReconciler) CreateServiceAccount(ctx context.Context, pulp *
 		expectedSA.ImagePullSecrets = append([]corev1.LocalObjectReference{{Name: internalRegistrySecret}}, expectedSA.ImagePullSecrets...)
 	}
 
-	// Check and reconcile pulp-sa imagePullSecrets
-	if !reflect.DeepEqual(sa.ImagePullSecrets, expectedSA.ImagePullSecrets) {
-		log.Info("The imagePullSecrets from SA has been modified! Reconciling ...")
+	// Check and reconcile pulp-sa
+	if saModified(sa, expectedSA) {
+		log.Info("The " + sa.Name + " SA has been modified! Reconciling ...")
 		err = r.Update(ctx, expectedSA)
 		if err != nil {
-			log.Error(err, "Error trying to update the imagePullSecrets from SA object ... ")
+			log.Error(err, "Error trying to update "+sa.Name+" SA!")
 			return ctrl.Result{}, err
 		}
 		return ctrl.Result{Requeue: true}, nil
@@ -136,14 +136,20 @@ func (r *RepoManagerReconciler) pulpSA(m *repomanagerpulpprojectorgv1beta2.Pulp)
 		imagePullSecrets = append(imagePullSecrets, corev1.LocalObjectReference{Name: pullSecret})
 	}
 
+	annotations := m.Spec.SAAnnotations
+	labels := m.Spec.SALabels
+	if labels == nil {
+		labels = make(map[string]string)
+	}
+	labels["app.kubernetes.io/name"] = m.Name + "-sa"
+	labels["app.kubernetes.io/part-of"] = m.Spec.DeploymentType
+
 	sa := &corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      m.Name,
-			Namespace: m.Namespace,
-			Labels: map[string]string{
-				"app.kubernetes.io/name":    m.Name + "-sa",
-				"app.kubernetes.io/part-of": m.Spec.DeploymentType,
-			},
+			Name:        m.Name,
+			Namespace:   m.Namespace,
+			Labels:      labels,
+			Annotations: annotations,
 		},
 		ImagePullSecrets: imagePullSecrets,
 	}
@@ -227,3 +233,10 @@ func (r *RepoManagerReconciler) pulpRoleBinding(m *repomanagerpulpprojectorgv1be
 func getApiConditionType(m *repomanagerpulpprojectorgv1beta2.Pulp) string {
 	return cases.Title(language.English, cases.Compact).String(m.Spec.DeploymentType) + "-API-Ready"
 }
+
+// saModified returns true if some specific fields from a SA differs from the expected
+func saModified(currentSA, expectedSA *corev1.ServiceAccount) bool {
+	return !reflect.DeepEqual(currentSA.ImagePullSecrets, expectedSA.ImagePullSecrets) ||
+		!reflect.DeepEqual(currentSA.ObjectMeta.Annotations, expectedSA.ObjectMeta.Annotations) ||
+		!reflect.DeepEqual(currentSA.ObjectMeta.Labels, expectedSA.ObjectMeta.Labels)
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Added capability to customize annotations of serviceAccount created by operator.