Move service account to Controller

2018-04-24 15:13:08 +02:00 · 2018-04-24 15:13:08 +02:00 · 485ec4b8ea
parent c31c76281c
commit 485ec4b8ea
4 changed files with 15 additions and 11 deletions
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@ -42,6 +42,7 @@ type Config struct {
 	OpConfig            config.Config
 	RestConfig          *rest.Config
 	InfrastructureRoles map[string]spec.PgUser // inherited from the controller
+	PodServiceAccount   *v1.ServiceAccount
 }

 type kubeResources struct {
@ -209,11 +210,12 @@ func (c *Cluster) createPodServiceAccounts() error {
 	if err != nil {
 		c.logger.Warnf("the pod service account %q cannot be retrieved in the namespace %q. Stateful sets in the namespace may be unable to create pods. Error: %v", podServiceAccountName, c.Namespace, err)

-		// when created, each Cluster struct gets a separate copy of OpConfig
-		// including the nested PodServiceAccount struct, so no race condition here
-		c.OpConfig.PodServiceAccount.SetNamespace(c.Namespace)
+		// get a separate copy of service account
+		// to prevent a race condition when setting a namespace for many clusters
+		sa := *c.PodServiceAccount
+		sa.SetNamespace(c.Namespace)

-		_, err = c.KubeClient.ServiceAccounts(c.Namespace).Create(&c.OpConfig.PodServiceAccount)
+		_, err = c.KubeClient.ServiceAccounts(c.Namespace).Create(&sa)
 		if err != nil {
 			return fmt.Errorf("cannot deploy the pod service account %q defined in the config map to the %q namespace: %v", podServiceAccountName, c.Namespace, err)
 		}
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@ -51,6 +51,8 @@ type Controller struct {
 	lastClusterSyncTime int64

 	workerLogs map[uint32]ringlog.RingLogger
+
+	PodServiceAccount *v1.ServiceAccount
 }

 // NewController creates a new controller
@ -128,9 +130,9 @@ func (c *Controller) initPodServiceAccount() {
 	case groupVersionKind.Kind != "ServiceAccount":
 		panic(fmt.Errorf("pod service account definiton in the operator config map defines another type of resource: %v", groupVersionKind.Kind))
 	default:
-		c.opConfig.PodServiceAccount = *obj.(*v1.ServiceAccount)
+		c.PodServiceAccount = obj.(*v1.ServiceAccount)
 		// ensure consistent naming of the account
-		c.opConfig.PodServiceAccount.Name = c.opConfig.PodServiceAccountName
+		c.PodServiceAccount.Name = c.opConfig.PodServiceAccountName
 	}

 	// actual service accounts are deployed at the time of Postgres/Spilo cluster creation
--- a/pkg/controller/util.go
+++ b/pkg/controller/util.go
@ -26,6 +26,7 @@ func (c *Controller) makeClusterConfig() cluster.Config {
 		RestConfig:          c.config.RestConfig,
 		OpConfig:            config.Copy(c.opConfig),
 		InfrastructureRoles: infrastructureRoles,
+		PodServiceAccount:   c.PodServiceAccount,
 	}
 }

--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@ -8,7 +8,6 @@ import (
 	"fmt"

 	"github.com/zalando-incubator/postgres-operator/pkg/spec"
-	"k8s.io/client-go/pkg/api/v1"
 )

 // CRD describes CustomResourceDefinition specific configuration parameters
@ -68,7 +67,7 @@ type Config struct {
 	Resources
 	Auth
 	Scalyr
-	PodServiceAccount v1.ServiceAccount // has to be struct value, not a pointer
+
 	WatchedNamespace string `name:"watched_namespace"` // special values: "*" means 'watch all namespaces', the empty string "" means 'watch a namespace where operator is deployed to'
 	EtcdHost         string `name:"etcd_host" default:"etcd-client.default.svc.cluster.local:2379"`
 	DockerImage      string `name:"docker_image" default:"registry.opensource.zalan.do/acid/spiloprivate-9.6:1.2-p4"`