public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Move service account to Controller

This commit is contained in:
Sergey Dudoladov 2018-04-24 15:13:08 +02:00
parent c31c76281c
commit 485ec4b8ea
4 changed files with 15 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pkg/cluster/cluster.go
View File

@ -42,6 +42,7 @@ type Config struct {
OpConfig config.Config OpConfig config.Config
RestConfig *rest.Config RestConfig *rest.Config
InfrastructureRoles map[string]spec.PgUser // inherited from the controller InfrastructureRoles map[string]spec.PgUser // inherited from the controller
PodServiceAccount *v1.ServiceAccount
} }
type kubeResources struct { type kubeResources struct {
@ -209,11 +210,12 @@ func (c *Cluster) createPodServiceAccounts() error {
if err != nil { if err != nil {
c.logger.Warnf("the pod service account %q cannot be retrieved in the namespace %q. Stateful sets in the namespace may be unable to create pods. Error: %v", podServiceAccountName, c.Namespace, err) c.logger.Warnf("the pod service account %q cannot be retrieved in the namespace %q. Stateful sets in the namespace may be unable to create pods. Error: %v", podServiceAccountName, c.Namespace, err)
// when created, each Cluster struct gets a separate copy of OpConfig // get a separate copy of service account
// including the nested PodServiceAccount struct, so no race condition here // to prevent a race condition when setting a namespace for many clusters
c.OpConfig.PodServiceAccount.SetNamespace(c.Namespace) sa := *c.PodServiceAccount
sa.SetNamespace(c.Namespace)
_, err = c.KubeClient.ServiceAccounts(c.Namespace).Create(&c.OpConfig.PodServiceAccount) _, err = c.KubeClient.ServiceAccounts(c.Namespace).Create(&sa)
if err != nil { if err != nil {
return fmt.Errorf("cannot deploy the pod service account %q defined in the config map to the %q namespace: %v", podServiceAccountName, c.Namespace, err) return fmt.Errorf("cannot deploy the pod service account %q defined in the config map to the %q namespace: %v", podServiceAccountName, c.Namespace, err)
} }

6
pkg/controller/controller.go
View File

@ -51,6 +51,8 @@ type Controller struct {
lastClusterSyncTime int64 lastClusterSyncTime int64
workerLogs map[uint32]ringlog.RingLogger workerLogs map[uint32]ringlog.RingLogger
PodServiceAccount *v1.ServiceAccount
} }
// NewController creates a new controller // NewController creates a new controller
@ -128,9 +130,9 @@ func (c *Controller) initPodServiceAccount() {
case groupVersionKind.Kind != "ServiceAccount": case groupVersionKind.Kind != "ServiceAccount":
panic(fmt.Errorf("pod service account definiton in the operator config map defines another type of resource: %v", groupVersionKind.Kind)) panic(fmt.Errorf("pod service account definiton in the operator config map defines another type of resource: %v", groupVersionKind.Kind))
default: default:
c.opConfig.PodServiceAccount = *obj.(*v1.ServiceAccount) c.PodServiceAccount = obj.(*v1.ServiceAccount)
// ensure consistent naming of the account // ensure consistent naming of the account
c.opConfig.PodServiceAccount.Name = c.opConfig.PodServiceAccountName c.PodServiceAccount.Name = c.opConfig.PodServiceAccountName
} }
// actual service accounts are deployed at the time of Postgres/Spilo cluster creation // actual service accounts are deployed at the time of Postgres/Spilo cluster creation

1
pkg/controller/util.go
View File

@ -26,6 +26,7 @@ func (c *Controller) makeClusterConfig() cluster.Config {
RestConfig: c.config.RestConfig, RestConfig: c.config.RestConfig,
OpConfig: config.Copy(c.opConfig), OpConfig: config.Copy(c.opConfig),
InfrastructureRoles: infrastructureRoles, InfrastructureRoles: infrastructureRoles,
PodServiceAccount: c.PodServiceAccount,
} }
} }

9
pkg/util/config/config.go
View File

@ -8,7 +8,6 @@ import (
"fmt" "fmt"
"github.com/zalando-incubator/postgres-operator/pkg/spec" "github.com/zalando-incubator/postgres-operator/pkg/spec"
"k8s.io/client-go/pkg/api/v1"
) )
// CRD describes CustomResourceDefinition specific configuration parameters // CRD describes CustomResourceDefinition specific configuration parameters
@ -68,10 +67,10 @@ type Config struct {
Resources Resources
Auth Auth
Scalyr Scalyr
PodServiceAccount v1.ServiceAccount // has to be struct value, not a pointer
WatchedNamespace string `name:"watched_namespace"` // special values: "*" means 'watch all namespaces', the empty string "" means 'watch a namespace where operator is deployed to' WatchedNamespace string `name:"watched_namespace"` // special values: "*" means 'watch all namespaces', the empty string "" means 'watch a namespace where operator is deployed to'
EtcdHost string `name:"etcd_host" default:"etcd-client.default.svc.cluster.local:2379"` EtcdHost string `name:"etcd_host" default:"etcd-client.default.svc.cluster.local:2379"`
DockerImage string `name:"docker_image" default:"registry.opensource.zalan.do/acid/spiloprivate-9.6:1.2-p4"` DockerImage string `name:"docker_image" default:"registry.opensource.zalan.do/acid/spiloprivate-9.6:1.2-p4"`
// re-use one account for both Spilo pods and the operator; this grants extra privileges to pods // re-use one account for both Spilo pods and the operator; this grants extra privileges to pods
PodServiceAccountName string `name:"pod_service_account_name" default:"operator"` PodServiceAccountName string `name:"pod_service_account_name" default:"operator"`
PodServiceAccountDefinition string `name:"pod_service_account_definition" default:"apiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: operator\n"` PodServiceAccountDefinition string `name:"pod_service_account_definition" default:"apiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: operator\n"`