diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index 6e2999290..478940963 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -208,13 +208,11 @@ func (c *Cluster) createPodServiceAccounts() error {
 	_, err := c.KubeClient.ServiceAccounts(c.Namespace).Get(podServiceAccountName, metav1.GetOptions{})
 	if err != nil {
-		c.logger.Warnf("the pod service account %q cannot be retrieved in the namespace %q. Stateful sets in the namespace may be unable to create pods. Error: %v", podServiceAccountName, c.Namespace, err)
+		c.logger.Infof("the pod service account %q cannot be retrieved in the namespace %q; stateful sets in the namespace may be unable to create pods. Trying to deploy the account.", podServiceAccountName, c.Namespace)
 		// get a separate copy of service account
 		// to prevent a race condition when setting a namespace for many clusters
 		sa := *c.PodServiceAccount
-		sa.SetNamespace(c.Namespace)
-
 		_, err = c.KubeClient.ServiceAccounts(c.Namespace).Create(&sa)
 		if err != nil {
 			return fmt.Errorf("cannot deploy the pod service account %q defined in the config map to the %q namespace: %v", podServiceAccountName, c.Namespace, err)
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index 406a29429..144c0fb4c 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -120,6 +120,17 @@ func (c *Controller) initOperatorConfig() {
 }
 
 func (c *Controller) initPodServiceAccount() {
+
+	if c.opConfig.PodServiceAccountDefinition == "" {
+		c.opConfig.PodServiceAccountDefinition = `
+		{ "apiVersion": "v1",
+		  "kind": "ServiceAccount",
+		  "metadata": {
+				 "name": "operator"
+		  }
+		}`
+	}
+
 	// re-uses k8s internal parsing. See k8s client-go issue #193 for explanation
 	decode := scheme.Codecs.UniversalDeserializer().Decode
 	obj, groupVersionKind, err := decode([]byte(c.opConfig.PodServiceAccountDefinition), nil, nil)
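Review bot: The new Infof line drops the Get error, so an RBAC "forbidden" or a transport failure is now logged exactly like a plain not-found and is followed straight by a Create attempt whose own error will not say why the lookup failed; keep the error in the message, e.g. `c.logger.Infof("the pod service account %q cannot be retrieved in the namespace %q; stateful sets in the namespace may be unable to create pods. Trying to deploy the account. Error: %v", podServiceAccountName, c.Namespace, err)`, and if the apimachinery errors package is imported here, only fall through to Create on IsNotFound(err). The comment `// to prevent a race condition when setting a namespace for many clusters` is stale now that `sa.SetNamespace` is removed; reword it to `// copy so the shared definition is never handed to the client`. createPodServiceAccounts continues past this hunk.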
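Review bot: The built-in definition hard-codes `"name": "operator"` while the name that actually counts is `c.opConfig.PodServiceAccountName`, so a deployment with a customized pod_service_account_name and no definition will hit the "does not match" Warnf later in this function on every start even though no user-supplied definition exists. Replace the literal `"operator"` with `%q` filled from `c.opConfig.PodServiceAccountName` via `fmt.Sprintf` (adding the fmt import if controller.go lacks it), or build the fallback object directly instead of round-tripping it through the deserializer. Writing the fallback back into `c.opConfig` also means the config struct no longer reflects what was configured; passing a local string to decode would keep that distinction. initPodServiceAccount continues past this hunk.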
@@ -134,6 +145,7 @@ func (c *Controller) initPodServiceAccount() {
 	if c.PodServiceAccount.Name != c.opConfig.PodServiceAccountName {
 		c.logger.Warnf("in the operator config map, the pod service account name %v does not match the name %v given in the account definition; using the former for consistency", c.opConfig.PodServiceAccountName, c.PodServiceAccount.Name)
 		c.PodServiceAccount.Name = c.opConfig.PodServiceAccountName
+		c.PodServiceAccount.Namespace = ""
 	}
 }
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index f38dc9b1c..b101c6f08 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -72,8 +72,9 @@ type Config struct {
 	EtcdHost string `name:"etcd_host" default:"etcd-client.default.svc.cluster.local:2379"`
 	DockerImage string `name:"docker_image" default:"registry.opensource.zalan.do/acid/spiloprivate-9.6:1.2-p4"`
 	// default name `operator` enables backward compatibility with the older ServiceAccountName field
-	PodServiceAccountName string `name:"pod_service_account_name" default:"operator"`
-	PodServiceAccountDefinition string `name:"pod_service_account_definition" default:"apiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: operator\n"`
+	PodServiceAccountName string `name:"pod_service_account_name" default:"operator"`
+	// value of this string must be valid JSON or YAML; see initPodServiceAccount
+	PodServiceAccountDefinition string `name:"pod_service_account_definition" default:""`
 	DbHostedZone string `name:"db_hosted_zone" default:"db.example.com"`
 	EtcdScope string `name:"etcd_scope" default:"service"`
 	WALES3Bucket string `name:"wal_s3_bucket"`
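Review bot: `c.PodServiceAccount.Namespace = ""` runs only when the names differ, so a definition that sets metadata.namespace together with a matching name keeps that namespace in the shared object; cluster.go then sends that object through `ServiceAccounts(c.Namespace).Create(&sa)` for every cluster namespace, and the API server rejects a body whose metadata.namespace differs from the request namespace. Move the assignment after the if block so it is unconditional, with `// the namespace is chosen per cluster at create time; never keep one from the definition`. initPodServiceAccount starts before this hunk.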
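Review bot: The new comment says what the string must contain but not what the empty default does, so a reader of config.go cannot tell that "" is meaningful rather than a missing value. Extend it to `// value of this string must be valid JSON or YAML; empty (the default) makes initPodServiceAccount substitute a built-in ServiceAccount, and metadata.name is always replaced by pod_service_account_name`. Since the YAML default no longer lives in the tag, anything that renders option defaults from these tags would now show this option as empty, which is worth stating in the comment as well.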