From 9152708f55c0630e8a99ec7cefa7ea276d55ea61 Mon Sep 17 00:00:00 2001
From: Michal Kuratczyk
Date: Tue, 9 Jul 2024 14:38:18 +0200
Subject: [PATCH] WIP: support new k8s peer discovery

These changes are not strictly necessary - the new k8s discovery (WIP) is fully backwards compatbile. However, it allows the Operator to be deployed with reduced permissions and doesn't require the RabbitMQ clusters to have access to the Kubernetes API
---
 .github/workflows/build-test-publish.yml | 1 +
 config/rbac/role.yaml | 10 ----------
 controllers/rabbitmqcluster_controller.go | 1 -
 internal/resource/statefulset.go | 3 +--
 internal/resource/statefulset_test.go | 4 ++--
 5 files changed, 4 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/build-test-publish.yml b/.github/workflows/build-test-publish.yml
index c0a50e432..dca03f348 100644
--- a/.github/workflows/build-test-publish.yml
+++ b/.github/workflows/build-test-publish.yml
@@ -19,6 +19,7 @@ env:
KIND_NODE_IMAGE: "kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245"
KIND_OLDEST_NODE_IMAGE: "kindest/node:v1.26.3@sha256:61b92f38dff6ccc29969e7aa154d34e38b89443af1a2c14e6cfbd2df6419c66f"
BASELINE_UPGRADE_VERSION: v2.1.0
+ RABBITMQ_IMAGE: pivotalrabbitmq/rabbitmq:k8s-peer-discovery-simplified

jobs:
kubectl_tests:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index f8a074c04..36346c391 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -73,16 +73,6 @@ rules:
- list
- update
- watch
-- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- ""
resources:
diff --git a/controllers/rabbitmqcluster_controller.go b/controllers/rabbitmqcluster_controller.go
index 4fee560fd..c47c4d765 100644
--- a/controllers/rabbitmqcluster_controller.go
+++ b/controllers/rabbitmqcluster_controller.go
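Review bot: The added `RABBITMQ_IMAGE: pivotalrabbitmq/rabbitmq:k8s-peer-discovery-simplified` is a mutable tag from a pre-release repository, whereas the neighbouring `KIND_NODE_IMAGE` and `KIND_OLDEST_NODE_IMAGE` entries in the same `env:` block are pinned by `@sha256:` digest. A moving tag makes the CI run non-reproducible and means whoever can push to that tag decides what the suite is tested against. Pin it the same way the kind images are, `RABBITMQ_IMAGE: pivotalrabbitmq/rabbitmq:k8s-peer-discovery-simplified@sha256:<DIGEST-PLACEHOLDER>`, and since the commit is marked WIP, add a comment on the line saying it must be switched back to a released image before merge.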
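Review bot: The operator loses `create`/`update` on `serviceaccounts` here (and through the matching `+kubebuilder:rbac` marker removed in controllers/rabbitmqcluster_controller.go), yet nothing in the patch removes the code that produced the `ChildResourceName(serviceAccountName)` ServiceAccount which internal/resource/statefulset.go used to reference; that builder is not visible in this diff, but if it still runs, reconciliation against the reduced role would fail with a Forbidden error rather than degrade gracefully. The `roles` and `rolebindings` rules are kept (context lines of the controller hunk), so a Role/RoleBinding for a ServiceAccount the operator no longer manages may also be left behind. It is worth confirming in the same change that the ServiceAccount, Role and RoleBinding child resources are dropped together, and stating in the commit message how existing clusters whose pods currently run under the dedicated ServiceAccount are migrated on upgrade.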
@@ -85,7 +85,6 @@ type RabbitmqClusterReconciler struct {
// +kubebuilder:rbac:groups=rabbitmq.com,resources=rabbitmqclusters/status,verbs=get;update
// +kubebuilder:rbac:groups=rabbitmq.com,resources=rabbitmqclusters/finalizers,verbs=update
// +kubebuilder:rbac:groups="",resources=events,verbs=get;create;patch
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
index bf8555217..8570d0fce 100644
--- a/internal/resource/statefulset.go
+++ b/internal/resource/statefulset.go
@@ -570,8 +570,7 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
},
ImagePullSecrets: builder.Instance.Spec.ImagePullSecrets,
TerminationGracePeriodSeconds: builder.Instance.Spec.TerminationGracePeriodSeconds,
- ServiceAccountName: builder.Instance.ChildResourceName(serviceAccountName),
- AutomountServiceAccountToken: ptr.To(true),
+ AutomountServiceAccountToken: ptr.To(false),
Affinity: builder.Instance.Spec.Affinity,
Tolerations: builder.Instance.Spec.Tolerations,
InitContainers: []corev1.Container{setupContainer(builder.Instance)},
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
index cf38db590..4fcd08ecd 100644
--- a/internal/resource/statefulset_test.go
+++ b/internal/resource/statefulset_test.go
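Review bot: With `ServiceAccountName` removed, the pods now run under the namespace's `default` ServiceAccount, and the new `AutomountServiceAccountToken: ptr.To(false)` is the only thing keeping that account's token out of the containers; a pod-level `false` overrides an `automountServiceAccountToken: true` set on the ServiceAccount itself, so this is the right place for it, but it deserves a why-comment so nobody flips it back, e.g. `// Peer discovery no longer needs the Kubernetes API, so no token is mounted.` The explicit `false` is also a real hardening gain over the old dedicated account and is worth calling out in the commit message. If `serviceAccountName` has no remaining uses the constant can go too; Go does not report unused package-level constants, so no tool will flag it. The enclosing `podTemplateSpec` starts and ends outside this hunk.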
@@ -1352,14 +1352,14 @@ default_pass = {{ .Data.data.password }}
stsBuilder := builder.StatefulSet()
Expect(stsBuilder.Update(statefulSet)).To(Succeed())
- Expect(statefulSet.Spec.Template.Spec.ServiceAccountName).To(Equal(instance.ChildResourceName("server")))
+ Expect(statefulSet.Spec.Template.Spec.ServiceAccountName).To(BeEmpty())
})

It("mounts the service account in its pods", func() {
stsBuilder := builder.StatefulSet()
Expect(stsBuilder.Update(statefulSet)).To(Succeed())
- Expect(*statefulSet.Spec.Template.Spec.AutomountServiceAccountToken).To(BeTrue())
+ Expect(*statefulSet.Spec.Template.Spec.AutomountServiceAccountToken).To(BeFalse())
})

It("creates the required SecurityContext", func() {
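Review bot: The case `It("mounts the service account in its pods", func() {` now asserts `BeFalse()`, the opposite of its title, and the preceding case, whose `It(` line sits just outside this hunk, presumably still claims to set a service account name while asserting `BeEmpty()`. Rename both to describe the new contract, e.g. `It("does not mount a service account token in its pods", func() {` and `It("does not set a service account name on its pods", func() {`, so a failing test reads as the regression it is rather than as a stale description. The surrounding `Describe`/`Context` block begins before and continues past this hunk.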