From b2e96ae07d2f7090819819d57444e1eda1a27ac7 Mon Sep 17 00:00:00 2001 From: Lukasz Raczylo Date: Thu, 19 Dec 2024 18:49:59 +0000 Subject: [PATCH] Ensure that jobs run with the controller service account if no service account is specified. --- chart/Chart.yaml | 4 ++-- chart/values.yaml | 2 +- .../controller/raczylo.com/clusterimage_controller.go | 3 +-- .../raczylo.com/clusterimageexport_controller.go | 3 +-- internal/shared/jobs.go | 10 ++++++++-- 5 files changed, 13 insertions(+), 9 deletions(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 389ffb9..ea4a089 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -10,9 +10,9 @@ description: | type: application -version: 0.1.33 +version: 0.2.17 -appVersion: "0.1.33" +appVersion: "0.2.17" home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator diff --git a/chart/values.yaml b/chart/values.yaml index a82bdd3..53f5f50 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -12,7 +12,7 @@ sa: - ALL image: repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator - tag: 0.1.33 + tag: 0.2.17 resources: limits: cpu: 500m diff --git a/internal/controller/raczylo.com/clusterimage_controller.go b/internal/controller/raczylo.com/clusterimage_controller.go index 4fe3aaf..21eb73c 100644 --- a/internal/controller/raczylo.com/clusterimage_controller.go +++ b/internal/controller/raczylo.com/clusterimage_controller.go @@ -3,7 +3,6 @@ package raczylocom import ( "context" "fmt" - "os" "strings" "time" @@ -259,7 +258,7 @@ func (r *ClusterImageReconciler) createBackupJob(ctx context.Context, clusterIma Image: shared.BACKUP_JOB_IMAGE, Annotations: clusterImage.Spec.JobAnnotations, Commands: defaultCommands, - ServiceAccount: os.Getenv("POD_SERVICE_ACCOUNT"), + ServiceAccount: "", ImagePullSecrets: clusterImage.Spec.ImagePullSecrets, OwnerReferences: []metav1.OwnerReference{ { 
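Review bot: The literal `ServiceAccount: ""` in createBackupJob reads as "no service account" at the call site, although the job's identity is now resolved inside shared.CreateJob from POD_SERVICE_ACCOUNT. Either drop the field from the struct literal or annotate it, e.g. `ServiceAccount: "", // empty: shared.CreateJob falls back to POD_SERVICE_ACCOUNT`; the same literal appears in runCleanupJob in clusterimageexport_controller.go. If POD_SERVICE_ACCOUNT names the controller's own account, as the commit subject says, the backup and cleanup pods carry the controller's RBAC permissions, so it is worth confirming they need them rather than a narrower dedicated account. Both function bodies continue outside their hunks.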
diff --git a/internal/controller/raczylo.com/clusterimageexport_controller.go b/internal/controller/raczylo.com/clusterimageexport_controller.go index 9e3f5d0..88a3fa5 100644 --- a/internal/controller/raczylo.com/clusterimageexport_controller.go +++ b/internal/controller/raczylo.com/clusterimageexport_controller.go @@ -4,7 +4,6 @@ import ( "context" "crypto/md5" "fmt" - "os" "strings" "time" @@ -286,7 +285,7 @@ func (r *ClusterImageExportReconciler) runCleanupJob(ctx context.Context, cluste Image: shared.BACKUP_JOB_IMAGE, Commands: defaultCommands, Annotations: clusterImageExport.Spec.JobAnnotations, - ServiceAccount: os.Getenv("POD_SERVICE_ACCOUNT"), + ServiceAccount: "", ImagePullSecrets: clusterImageExport.Spec.ImagePullSecrets, } diff --git a/internal/shared/jobs.go b/internal/shared/jobs.go index 1bfed92..cd57f34 100644 --- a/internal/shared/jobs.go +++ b/internal/shared/jobs.go @@ -2,6 +2,7 @@ package shared import ( "fmt" + "os" "strings" raczylocomv1 "github.com/lukaszraczylo/kubernetes-images-sync-operator/api/raczylo.com/v1" @@ -19,7 +20,7 @@ type JobParams struct { Commands []string EnvVars []corev1.EnvVar OwnerReferences []metav1.OwnerReference - ServiceAccount string + ServiceAccount string // Can be empty to use controller's service account ImagePullSecrets []corev1.LocalObjectReference } @@ -45,6 +46,11 @@ func CreateJob[T any](params JobParams, setupFunc func(T) []string) *batchv1.Job } } + serviceAccount := params.ServiceAccount + if serviceAccount == "" { + serviceAccount = os.Getenv("POD_SERVICE_ACCOUNT") + } + j := &batchv1.Job{ ObjectMeta: metav1.ObjectMeta{ Name: params.Name, @@ -65,7 +71,7 @@ func CreateJob[T any](params JobParams, setupFunc func(T) []string) *batchv1.Job }, Spec: corev1.PodSpec{ RestartPolicy: corev1.RestartPolicyOnFailure, - ServiceAccountName: params.ServiceAccount, + ServiceAccountName: serviceAccount, ImagePullSecrets: params.ImagePullSecrets, Volumes: volumes, Containers: []corev1.Container{
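Review bot: When POD_SERVICE_ACCOUNT is unset or empty, the new fallback in CreateJob leaves `serviceAccount` as "" and the pod spec is built with an empty ServiceAccountName, which Kubernetes fills in with the namespace's `default` service account rather than the controller's. Nothing in the hunk reports that case, and CreateJob returns only `*batchv1.Job`, so the safest place to catch it is probably at controller start-up: read the variable once and refuse to start (or log an error) when it is empty. The field comment on JobParams.ServiceAccount could state the real rule, `// Empty falls back to $POD_SERVICE_ACCOUNT; if that is also empty the pod gets the namespace default account`. Service account names are namespace-scoped, so if jobs can be created outside the controller's namespace (not visible here) the fallback name must exist there too. CreateJob starts and ends outside the hunk.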