MLE-21222: Support to add ServiceAccountName (#86)

pengzhouml · Peng Zhou · web-flow · commit 28656a5ca996 · 2025-06-02T17:15:58.000-07:00
* MLE-21222: Support to add ServiceAccountName

* add description in manifests

* Fix Service Account Not Assigned Issue

* update service account implementation by review

* add delete logic after test is done

* add debug information for minikube version

* fix the missing RBAC

---------

Co-authored-by: Peng Zhou &lt;peng.zhou@progress.com&gt;
diff --git a/Makefile b/Makefile
@@ -157,6 +157,7 @@ endif
 
 .PHONY: e2e-setup-minikube
 e2e-setup-minikube: kustomize controller-gen build docker-build
+	minikube version
 	minikube delete || true
 	minikube start --driver=docker --kubernetes-version=$(E2E_KUBERNETES_VERSION) --memory=8192 --cpus=2
 	minikube addons enable ingress
diff --git a/api/v1/marklogiccluster_types.go b/api/v1/marklogiccluster_types.go
@@ -42,6 +42,10 @@ type MarklogicClusterSpec struct {
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 
 	Auth *AdminAuth `json:"auth,omitempty"`
+	// +kubebuilder:default:="marklogic-workload"
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="ServiceAccountName can not be changed"
+	// The name of the service account to assigned to the MarkLogic pods
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 	// +kubebuilder:default:={enabled: true, size: "10Gi"}
 	Persistence                   *Persistence                 `json:"persistence,omitempty"`
 	Resources                     *corev1.ResourceRequirements `json:"resources,omitempty"`
diff --git a/api/v1/marklogicgroup_types.go b/api/v1/marklogicgroup_types.go
@@ -38,6 +38,7 @@ type MarklogicGroupSpec struct {
 	ImagePullPolicy               string                        `json:"imagePullPolicy,omitempty"`
 	ImagePullSecrets              []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 	Auth                          *AdminAuth                    `json:"auth,omitempty"`
+	ServiceAccountName            string                        `json:"serviceAccountName,omitempty"`
 	Persistence                   *Persistence                  `json:"persistence,omitempty"`
 	Resources                     *corev1.ResourceRequirements  `json:"resources,omitempty"`
 	TerminationGracePeriodSeconds *int64                        `json:"terminationGracePeriodSeconds,omitempty"`
diff --git a/config/crd/bases/marklogic.progress.com_marklogicclusters.yaml b/config/crd/bases/marklogic.progress.com_marklogicclusters.yaml
@@ -10814,6 +10814,14 @@ spec:
                         type: string
                     type: object
                 type: object
+              serviceAccountName:
+                default: marklogic-workload
+                description: The name of the service account to assigned to the MarkLogic
+                  pods
+                type: string
+                x-kubernetes-validations:
+                - message: ServiceAccountName can not be changed
+                  rule: self == oldSelf
               terminationGracePeriodSeconds:
                 format: int64
                 type: integer
diff --git a/config/crd/bases/marklogic.progress.com_marklogicgroups.yaml b/config/crd/bases/marklogic.progress.com_marklogicgroups.yaml
@@ -4557,6 +4557,8 @@ spec:
                       a service
                     type: string
                 type: object
+              serviceAccountName:
+                type: string
               terminationGracePeriodSeconds:
                 format: int64
                 type: integer
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -10,6 +10,7 @@ rules:
   - configmaps
   - pods
   - secrets
+  - serviceaccounts
   - services
   verbs:
   - create
diff --git a/internal/controller/marklogiccluster_controller.go b/internal/controller/marklogiccluster_controller.go
@@ -44,6 +44,7 @@ type MarklogicClusterReconciler struct {
 //+kubebuilder:rbac:groups=marklogic.progress.com,resources=marklogicclusters,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=marklogic.progress.com,resources=marklogicclusters/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=marklogic.progress.com,resources=marklogicclusters/finalizers,verbs=update
+//+kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/pkg/k8sutil/handler.go b/pkg/k8sutil/handler.go
@@ -30,6 +30,9 @@ func (oc *OperatorContext) ReconsileMarklogicGroupHandler() (reconcile.Result, e
 func (cc *ClusterContext) ReconsileMarklogicClusterHandler() (reconcile.Result, error) {
 	SetCommonAnnotations(cc.MarklogicCluster.GetAnnotations())
 	SetCommonLabels(cc.MarklogicCluster.GetLabels())
+	if result := cc.ReconcileServiceAccount(); result.Completed() {
+		return result.Output()
+	}
 	if result := cc.ReconcileSecret(); result.Completed() {
 		return result.Output()
 	}
diff --git a/pkg/k8sutil/marklogicServer.go b/pkg/k8sutil/marklogicServer.go
@@ -18,6 +18,7 @@ import (
 type MarkLogicGroupParameters struct {
 	Replicas                       *int32
 	Name                           string
+	ServiceAccountName             string
 	GroupConfig                    *marklogicv1.GroupConfig
 	Image                          string
 	ImagePullPolicy                string
@@ -52,6 +53,7 @@ type MarkLogicClusterParameters struct {
 	Auth                           *marklogicv1.AdminAuth
 	Replicas                       *int32
 	Name                           string
+	ServiceAccountName             string
 	Image                          string
 	ImagePullPolicy                string
 	ImagePullSecrets               []corev1.LocalObjectReference
@@ -109,6 +111,7 @@ func GenerateMarkLogicGroupDef(cr *marklogicv1.MarklogicCluster, index int, para
 			Name:                           params.Name,
 			GroupConfig:                    params.GroupConfig,
 			Auth:                           params.Auth,
+			ServiceAccountName:             params.ServiceAccountName,
 			Image:                          params.Image,
 			ImagePullSecrets:               params.ImagePullSecrets,
 			License:                        params.License,
@@ -208,6 +211,7 @@ func generateMarkLogicClusterParams(cr *marklogicv1.MarklogicCluster) *MarkLogic
 		Image:                          cr.Spec.Image,
 		ImagePullPolicy:                cr.Spec.ImagePullPolicy,
 		ImagePullSecrets:               cr.Spec.ImagePullSecrets,
+		ServiceAccountName:             cr.Spec.ServiceAccountName,
 		ClusterDomain:                  cr.Spec.ClusterDomain,
 		Persistence:                    cr.Spec.Persistence,
 		Affinity:                       cr.Spec.Affinity,
@@ -228,6 +232,7 @@ func generateMarkLogicClusterParams(cr *marklogicv1.MarklogicCluster) *MarkLogic
 		AdditionalVolumeMounts:         cr.Spec.AdditionalVolumeMounts,
 		AdditionalVolumeClaimTemplates: cr.Spec.AdditionalVolumeClaimTemplates,
 	}
+
 	if cr.Spec.HAProxy == nil || cr.Spec.HAProxy.PathBasedRouting == nil || !cr.Spec.HAProxy.Enabled || !*cr.Spec.HAProxy.PathBasedRouting {
 		markLogicClusterParameters.PathBasedRouting = false
 	} else {
@@ -247,6 +252,7 @@ func generateMarkLogicGroupParams(cr *marklogicv1.MarklogicCluster, index int, c
 		ImagePullPolicy:                clusterParams.ImagePullPolicy,
 		ImagePullSecrets:               clusterParams.ImagePullSecrets,
 		Auth:                           clusterParams.Auth,
+		ServiceAccountName:             clusterParams.ServiceAccountName,
 		License:                        clusterParams.License,
 		Persistence:                    clusterParams.Persistence,
 		TerminationGracePeriodSeconds:  clusterParams.TerminationGracePeriodSeconds,
diff --git a/pkg/k8sutil/serviceaccount.go b/pkg/k8sutil/serviceaccount.go
@@ -0,0 +1,47 @@
+package k8sutil
+
+import (
+	"github.com/marklogic/marklogic-operator-kubernetes/pkg/result"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+func (cc *ClusterContext) ReconcileServiceAccount() result.ReconcileResult {
+	logger := cc.ReqLogger
+	cr := cc.MarklogicCluster
+	namespace := cr.Namespace
+	saName := cr.Spec.ServiceAccountName
+	namespacedName := types.NamespacedName{Name: saName, Namespace: namespace}
+	sa := &corev1.ServiceAccount{}
+	logger.Info("Reconciling ServiceAccount", "namespace", namespacedName.Namespace, "name", namespacedName.Name)
+	err := cc.Client.Get(cc.Ctx, namespacedName, sa)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			logger.Info("ServiceAccount not found, creating a new one", "namespace", namespacedName.Namespace, "name", namespacedName.Name)
+			saDef := generateServiceAccountDef(namespacedName)
+			err = cc.Client.Create(cc.Ctx, saDef)
+			if err != nil {
+				logger.Error(err, "Failed to create service account", "namespace", namespacedName.Namespace, "name", namespacedName.Name)
+			}
+		} else {
+			logger.Error(err, "Failed to get ServiceAccount", "namespace", namespacedName.Namespace, "name", namespacedName.Name)
+			return result.Error(err)
+		}
+	} else {
+		logger.Info("ServiceAccount already exists")
+	}
+
+	return result.Continue()
+}
+
+func generateServiceAccountDef(namespacedName types.NamespacedName) *corev1.ServiceAccount {
+	serviceAccount := &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      namespacedName.Name,
+			Namespace: namespacedName.Namespace,
+		},
+	}
+	return serviceAccount
+}
diff --git a/pkg/k8sutil/statefulset.go b/pkg/k8sutil/statefulset.go
@@ -31,6 +31,7 @@ type statefulSetParameters struct {
 	PriorityClassName              string
 	ImagePullSecrets               []corev1.LocalObjectReference
 	AdditionalVolumeClaimTemplates *[]corev1.PersistentVolumeClaim
+	ServiceAccountName             string
 }
 
 type containerParameters struct {
@@ -227,6 +228,9 @@ func generateStatefulSetsDef(stsMeta metav1.ObjectMeta, params statefulSetParame
 	if params.AdditionalVolumeClaimTemplates != nil {
 		statefulSet.Spec.VolumeClaimTemplates = append(statefulSet.Spec.VolumeClaimTemplates, *params.AdditionalVolumeClaimTemplates...)
 	}
+	if params.ServiceAccountName != "" {
+		statefulSet.Spec.Template.Spec.ServiceAccountName = params.ServiceAccountName
+	}
 	if containerParams.Tls != nil && containerParams.Tls.EnableOnDefaultAppServers {
 		copyCertsVM := []corev1.VolumeMount{
 			{
@@ -341,6 +345,7 @@ func generateStatefulSetsParams(cr *marklogicv1.MarklogicGroup) statefulSetParam
 	params := statefulSetParameters{
 		Replicas:                       cr.Spec.Replicas,
 		Name:                           cr.Spec.Name,
+		ServiceAccountName:             cr.Spec.ServiceAccountName,
 		TerminationGracePeriodSeconds:  cr.Spec.TerminationGracePeriodSeconds,
 		UpdateStrategy:                 cr.Spec.UpdateStrategy,
 		NodeSelector:                   cr.Spec.NodeSelector,
diff --git a/test/e2e/2_marklogic_cluster_test.go b/test/e2e/2_marklogic_cluster_test.go
@@ -368,6 +368,9 @@ func TestMarklogicCluster(t *testing.T) {
 	// Using feature.Teardown to clean up
 	feature.Teardown(func(ctx context.Context, t *testing.T, c *envconf.Config) context.Context {
 		client := c.Client()
+		if err := client.Resources(mlNamespace).Delete(ctx, marklogiccluster); err != nil {
+			t.Fatalf("Failed to delete MarklogicCluster: %s", err)
+		}
 		if err := client.Resources().Delete(ctx, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "grafana"}}); err != nil {
 			t.Fatalf("Failed to delete namespace: %s", err)
 		}
