From 735425ac65861aa4a587d223bf31637b4728546d Mon Sep 17 00:00:00 2001 From: f41gh7 Date: Wed, 8 Jan 2025 05:41:12 +0100 Subject: [PATCH] build/vmcluster: properly mount ServiceAccount for `vmauth` load-balancer Initially `ServiceAccount` wasn't defined for `vmauth`'s `Deployment`. Since there was no practical use for it. At older versions of operator it made sense to mount `serviceAccount` for `vminsert` and `vmselect` components because of `PodSecurityPolicy` Kubernetes resources. But it's deprecated now and it makes `serviceAccount` irrelevant for these components. But for production use cases it could be useful. Strict security policy may require to disable auto service account mount. One of possible solutions for it is to use `ServiceAccount` with disabled auto-mount option. This commit adds `serviceAccount` of `VMCluster` to the load-balancer `Deployment`. Related issue: https://github.com/VictoriaMetrics/operator/issues/1210 Signed-off-by: f41gh7 --- docs/CHANGELOG.md | 1 + .../controller/operator/factory/vmcluster/vmcluster.go | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index c19fa1df..90a40bf0 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -15,6 +15,7 @@ aliases: * BUGFIX: [vmagent](https://docs.victoriametrics.com/operator/resources/vmagent/): properly route headless service traffic to vmagent `pods` with `statefulMode` and `shardCount` defined. * BUGFIX: [vmsingle](https://docs.victoriametrics.com/operator/resources/vmsingle/): properly add `volumeMount` for external `storageDataPath` `volume`. +* BUGFIX: [vmcluster](https://docs.victoriametrics.com/operator/resources/vmcluster/): properly mount `serviceAccount` for `requestsLoadBalancer` `Deployment`. See [this issue](https://github.com/VictoriaMetrics/operator/issues/1210) for details. ## [v0.51.2](https://github.com/VictoriaMetrics/operator/releases/tag/v0.51.2)
diff --git a/internal/controller/operator/factory/vmcluster/vmcluster.go b/internal/controller/operator/factory/vmcluster/vmcluster.go index c7c984fa..3a9eefd3 100644 --- a/internal/controller/operator/factory/vmcluster/vmcluster.go +++ b/internal/controller/operator/factory/vmcluster/vmcluster.go @@ -1524,9 +1524,10 @@ func buildVMauthLBDeployment(cr *vmv1beta1.VMCluster) (*appsv1.Deployment, error Labels: cr.VMAuthLBSelectorLabels(), }, Spec: corev1.PodSpec{ - Volumes: volumes, - InitContainers: spec.InitContainers, - Containers: containers, + Volumes: volumes, + InitContainers: spec.InitContainers, + Containers: containers, + ServiceAccountName: cr.GetServiceAccountName(), }, }, },
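Review bot: In the `docs/CHANGELOG.md` hunk, the new `vmcluster` entry does not say which account is used or that the pod identity changes on upgrade. Before this change the `PodSpec` had no `ServiceAccountName`, so Kubernetes ran the load-balancer pods under the namespace's `default` ServiceAccount; after it they run under the `VMCluster`'s account. Suggest wording the entry so operators with RBAC bindings or admission policies keyed on the service account can see that, for example "use the `VMCluster` `serviceAccount` for the `requestsLoadBalancer` `Deployment` instead of the namespace `default` account".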
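Review bot: In the `vmcluster.go` hunk, the `corev1.PodSpec` literal in `buildVMauthLBDeployment` sets only `ServiceAccountName: cr.GetServiceAccountName()`, so whether a token is mounted into the `vmauth` pods still depends entirely on the referenced ServiceAccount object. The commit message gives disabling auto-mount as the motivation, but nothing in this hunk enforces or documents it: either state in the docs that the user must set `automountServiceAccountToken: false` on that ServiceAccount, or expose `AutomountServiceAccountToken` on the pod spec so the load-balancer can opt out independently of `vminsert` and `vmselect`, which share the same account. The diffstat also lists only `CHANGELOG.md` and `vmcluster.go`, so no test covers the new field; a unit test asserting that the built Deployment's `Spec.Template.Spec.ServiceAccountName` equals `cr.GetServiceAccountName()` would keep this from regressing.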