Ensure that jobs run with the controller service account if no service account is specified.

chart/Chart.yaml

@@ -10,9 +10,9 @@ description: |
 
 type: application
 
-version: 0.1.33
+version: 0.2.17
 
-appVersion: "0.1.33"
+appVersion: "0.2.17"
 
 home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator
 

chart/values.yaml

@@ -12,7 +12,7 @@ sa:
         - ALL
     image:
       repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator
-      tag: 0.1.33
+      tag: 0.2.17
     resources:
       limits:
         cpu: 500m

internal/controller/raczylo.com/clusterimage_controller.go

@@ -3,7 +3,6 @@ package raczylocom
 import (
 	"context"
 	"fmt"
-	"os"
 	"strings"
 	"time"
 
@@ -259,7 +258,7 @@ func (r *ClusterImageReconciler) createBackupJob(ctx context.Context, clusterIma
 		Image:            shared.BACKUP_JOB_IMAGE,
 		Annotations:      clusterImage.Spec.JobAnnotations,
 		Commands:         defaultCommands,
-		ServiceAccount:   os.Getenv("POD_SERVICE_ACCOUNT"),
+		ServiceAccount:   "",
 		ImagePullSecrets: clusterImage.Spec.ImagePullSecrets,
 		OwnerReferences: []metav1.OwnerReference{
 			{

internal/controller/raczylo.com/clusterimageexport_controller.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/md5"
 	"fmt"
-	"os"
 	"strings"
 	"time"
 
@@ -286,7 +285,7 @@ func (r *ClusterImageExportReconciler) runCleanupJob(ctx context.Context, cluste
 		Image:            shared.BACKUP_JOB_IMAGE,
 		Commands:         defaultCommands,
 		Annotations:      clusterImageExport.Spec.JobAnnotations,
-		ServiceAccount:   os.Getenv("POD_SERVICE_ACCOUNT"),
+		ServiceAccount:   "",
 		ImagePullSecrets: clusterImageExport.Spec.ImagePullSecrets,
 	}
 

internal/shared/jobs.go

@@ -2,6 +2,7 @@ package shared
 
 import (
 	"fmt"
+	"os"
 	"strings"
 
 	raczylocomv1 "github.com/lukaszraczylo/kubernetes-images-sync-operator/api/raczylo.com/v1"
@@ -19,7 +20,7 @@ type JobParams struct {
 	Commands         []string
 	EnvVars          []corev1.EnvVar
 	OwnerReferences  []metav1.OwnerReference
-	ServiceAccount   string
+	ServiceAccount   string // Can be empty to use controller's service account
 	ImagePullSecrets []corev1.LocalObjectReference
 }
 
@@ -45,6 +46,11 @@ func CreateJob[T any](params JobParams, setupFunc func(T) []string) *batchv1.Job
 		}
 	}
 
+	serviceAccount := params.ServiceAccount
+	if serviceAccount == "" {
+		serviceAccount = os.Getenv("POD_SERVICE_ACCOUNT")
+	}
+
 	j := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            params.Name,
@@ -65,7 +71,7 @@ func CreateJob[T any](params JobParams, setupFunc func(T) []string) *batchv1.Job
 				},
 				Spec: corev1.PodSpec{
 					RestartPolicy:      corev1.RestartPolicyOnFailure,
-					ServiceAccountName: params.ServiceAccount,
+					ServiceAccountName: serviceAccount,
 					ImagePullSecrets:   params.ImagePullSecrets,
 					Volumes:            volumes,
 					Containers: []corev1.Container{