build/vmcluster: properly mount ServiceAccount for vmauth load-bala…

…ncer Initially `ServiceAccount` wasn't defined for `vmauth`'s `Deployment`. Since there was no practial use for it. At older versions of operator it made sense to mount `serviceAccount` for `vminsert` and `vmselect` components because of `PodSecurityPolicy` Kubernetes resources. But it's deprecated now and it makes `serviceAccount` irrelevant for these components. But for production use cases it could be useful. Strict security policy may require to disable auto service account mount. On of possible solutions for it to use `ServiceAccount` with disabled auto-mount option. This commit adds `serviceAccount` of `VMCluster` to the load-balancer `Deployment`. Related issue: #1210 Signed-off-by: f41gh7 <[email protected]>
VictoriaMetrics · Jan 8, 2025 · 735425a · 735425a
1 parent fc5fe87
commit 735425a
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -15,6 +15,7 @@ aliases:
 
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/operator/resources/vmagent/): properly route headless service traffic to vmagent `pods` with `statefulMode` and `shardCount` defined.
 * BUGFIX: [vmsingle](https://docs.victoriametrics.com/operator/resources/vmsingle/): properly add `volumeMount` for external `storageDataPath` `volume`.
+* BUGFIX: [vmcluster](https://docs.victoriametrics.com/operator/resources/vmcluster/): properly mount `serviceAccount` for `requestsLoadBalancer` `Deployment`.  See [this issue](https://github.com/VictoriaMetrics/operator/issues/1210) for details.
 
 ## [v0.51.2](https://github.com/VictoriaMetrics/operator/releases/tag/v0.51.2)
 

diff --git a/internal/controller/operator/factory/vmcluster/vmcluster.go b/internal/controller/operator/factory/vmcluster/vmcluster.go
@@ -1524,9 +1524,10 @@ func buildVMauthLBDeployment(cr *vmv1beta1.VMCluster) (*appsv1.Deployment, error
 					Labels: cr.VMAuthLBSelectorLabels(),
 				},
 				Spec: corev1.PodSpec{
-					Volumes:        volumes,
-					InitContainers: spec.InitContainers,
-					Containers:     containers,
+					Volumes:            volumes,
+					InitContainers:     spec.InitContainers,
+					Containers:         containers,
+					ServiceAccountName: cr.GetServiceAccountName(),
 				},
 			},
 		},