This commit adds a ServiceAccount (config/rbac/service_account.yaml)

and changes the default service account name from default to
controller-manager such that a user can specify which
service account their manager should be created in.
They may change this value by updating files referencing
the metadata.name value in service_account.yaml.

pkg/plugins/golang/v3: update all scaffold referencing the
default service account with references to the "controller-manager"
service account, specified in service_account.yaml.

Signed-off-by: Eric Stroczynski <[email protected]>

Author: estroz

pkg/plugins/golang/v3/scaffolds/init.go

@@ -105,6 +105,7 @@ func (s *initScaffolder) scaffold() error {
 		&rbac.RoleBinding{},
 		&rbac.LeaderElectionRole{},
 		&rbac.LeaderElectionRoleBinding{},
+		&rbac.ServiceAccount{},
 		&manager.Kustomization{},
 		&manager.Config{Image: imageName},
 		&manager.ControllerManagerConfig{},

pkg/plugins/golang/v3/scaffolds/internal/templates/config/manager/config.go

@@ -100,5 +100,6 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
 `

pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/auth_proxy_role_binding.go

@@ -50,6 +50,6 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
 `

pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/kustomization.go

@@ -43,6 +43,12 @@ func (f *Kustomization) SetTemplateDefaults() error {
 }
 
 const kustomizeRBACTemplate = `resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml

pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/leader_election_role_binding.go

@@ -50,6 +50,6 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
 `

pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/role_binding.go

@@ -50,6 +50,6 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
 `

pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/service_account.go

@@ -0,0 +1,48 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rbac
+
+import (
+	"path/filepath"
+
+	"sigs.k8s.io/kubebuilder/v3/pkg/model/file"
+)
+
+var _ file.Template = &ServiceAccount{}
+
+// ServiceAccount scaffolds a file that defines the service account the manager is deployed in.
+type ServiceAccount struct {
+	file.TemplateMixin
+}
+
+// SetTemplateDefaults implements file.Template
+func (f *ServiceAccount) SetTemplateDefaults() error {
+	if f.Path == "" {
+		f.Path = filepath.Join("config", "rbac", "service_account.yaml")
+	}
+
+	f.TemplateBody = serviceAccountTemplate
+
+	return nil
+}
+
+const serviceAccountTemplate = `apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
+`

test/e2e/utils/kubectl.go

@@ -27,7 +27,8 @@ import (
 // Kubectl contains context to run kubectl commands
 type Kubectl struct {
 	*CmdContext
-	Namespace string
+	Namespace      string
+	ServiceAccount string
 }
 
 // Command is a general func to run kubectl commands

test/e2e/utils/test_context.go

@@ -56,8 +56,9 @@ func NewTestContext(binaryName string, env ...string) (*TestContext, error) {
 
 	// Use kubectl to get Kubernetes client and cluster version.
 	kubectl := &Kubectl{
-		Namespace:  fmt.Sprintf("e2e-%s-system", testSuffix),
-		CmdContext: cc,
+		Namespace:      fmt.Sprintf("e2e-%s-system", testSuffix),
+		ServiceAccount: fmt.Sprintf("e2e-%s-controller-manager", testSuffix),
+		CmdContext:     cc,
 	}
 	k8sVersion, err := kubectl.Version()
 	if err != nil {

test/e2e/v3/plugin_cluster_test.go

@@ -69,6 +69,11 @@ var _ = Describe("kubebuilder", func() {
 			})
 
 			It("should generate a runnable project", func() {
+				// go/v3 uses a unqiue-per-project service account name,
+				// while go/v2 still uses "default".
+				tmp := kbc.Kubectl.ServiceAccount
+				kbc.Kubectl.ServiceAccount = "default"
+				defer func() { kbc.Kubectl.ServiceAccount = tmp }()
 				GenerateV2(kbc)
 				Run(kbc)
 			})
@@ -166,7 +171,7 @@ func Run(kbc *utils.TestContext) {
 	_, err = kbc.Kubectl.Command(
 		"create", "clusterrolebinding", fmt.Sprintf("metrics-%s", kbc.TestSuffix),
 		fmt.Sprintf("--clusterrole=e2e-%s-metrics-reader", kbc.TestSuffix),
-		fmt.Sprintf("--serviceaccount=%s:default", kbc.Kubectl.Namespace))
+		fmt.Sprintf("--serviceaccount=%s:%s", kbc.Kubectl.Namespace, kbc.Kubectl.ServiceAccount))
 	ExpectWithOffset(1, err).NotTo(HaveOccurred())
 
 	_ = curlMetrics(kbc)
@@ -263,18 +268,23 @@ func Run(kbc *utils.TestContext) {
 // curlMetrics curl's the /metrics endpoint, returning all logs once a 200 status is returned.
 func curlMetrics(kbc *utils.TestContext) string {
 	By("reading the metrics token")
-	b64Token, err := kbc.Kubectl.Get(true, "secrets", "-o=jsonpath={.items[0].data.token}")
+	// Filter token query by service account in case more than one exists in a namespace.
+	query := fmt.Sprintf(`{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="%s")].data.token}`,
+		kbc.Kubectl.ServiceAccount,
+	)
+	b64Token, err := kbc.Kubectl.Get(true, "secrets", "-o=jsonpath="+query)
 	ExpectWithOffset(2, err).NotTo(HaveOccurred())
 	token, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64Token))
 	ExpectWithOffset(2, err).NotTo(HaveOccurred())
 	ExpectWithOffset(2, len(token)).To(BeNumerically(">", 0))
 
 	By("creating a curl pod")
 	cmdOpts := []string{
-		"run", "--generator=run-pod/v1", "curl", "--image=curlimages/curl:7.68.0", "--restart=OnFailure", "--",
+		"run", "--generator=run-pod/v1", "curl", "--image=curlimages/curl:7.68.0", "--restart=OnFailure",
+		"--serviceaccount=" + kbc.Kubectl.ServiceAccount, "--",
 		"curl", "-v", "-k", "-H", fmt.Sprintf(`Authorization: Bearer %s`, token),
-		fmt.Sprintf("https://e2e-%v-controller-manager-metrics-service.e2e-%v-system.svc:8443/metrics",
-			kbc.TestSuffix, kbc.TestSuffix),
+		fmt.Sprintf("https://e2e-%s-controller-manager-metrics-service.%s.svc:8443/metrics",
+			kbc.TestSuffix, kbc.Kubectl.Namespace),
 	}
 	_, err = kbc.Kubectl.CommandInNamespace(cmdOpts...)
 	ExpectWithOffset(2, err).NotTo(HaveOccurred())