feat: add configurable service account to KeptnTasks (keptn#2254)

Signed-off-by: Griffin <[email protected]>
Signed-off-by: Prakriti Mandal <[email protected]>

.github/scripts/.helm-tests/default/result.yaml

@@ -2720,6 +2720,16 @@ spec:
           spec:
             description: Spec describes the desired state of the KeptnTaskDefinition.
             properties:
+              automountServiceAccountToken:
+                description: automountServiceAccountToken allows to enable K8s to
+                  assign cluster API credentials to a pod, if set to false the pod
+                  will decline the serviceAccount
+                properties:
+                  type:
+                    type: boolean
+                required:
+                - type
+                type: object
               container:
                 description: Container contains the definition for the container that
                   is to be used in Job based on the KeptnTaskDefinitions.
@@ -4212,6 +4222,15 @@ spec:
                   attempt.
                 format: int32
                 type: integer
+              serviceAccount:
+                description: Service Account to be used in jobs to authenticate with
+                  the Kubernetes API and access cluster resources.
+                properties:
+                  name:
+                    type: string
+                required:
+                - name
+                type: object
               timeout:
                 default: 5m
                 description: Timeout specifies the maximum time to wait for the task

.github/scripts/.helm-tests/lifecycle-only/result.yaml

@@ -2666,6 +2666,16 @@ spec:
           spec:
             description: Spec describes the desired state of the KeptnTaskDefinition.
             properties:
+              automountServiceAccountToken:
+                description: automountServiceAccountToken allows to enable K8s to
+                  assign cluster API credentials to a pod, if set to false the pod
+                  will decline the serviceAccount
+                properties:
+                  type:
+                    type: boolean
+                required:
+                - type
+                type: object
               container:
                 description: Container contains the definition for the container that
                   is to be used in Job based on the KeptnTaskDefinitions.
@@ -4158,6 +4168,15 @@ spec:
                   attempt.
                 format: int32
                 type: integer
+              serviceAccount:
+                description: Service Account to be used in jobs to authenticate with
+                  the Kubernetes API and access cluster resources.
+                properties:
+                  name:
+                    type: string
+                required:
+                - name
+                type: object
               timeout:
                 default: 5m
                 description: Timeout specifies the maximum time to wait for the task

.github/scripts/.helm-tests/lifecycle-with-certs/result.yaml

@@ -2681,6 +2681,16 @@ spec:
           spec:
             description: Spec describes the desired state of the KeptnTaskDefinition.
             properties:
+              automountServiceAccountToken:
+                description: automountServiceAccountToken allows to enable K8s to
+                  assign cluster API credentials to a pod, if set to false the pod
+                  will decline the serviceAccount
+                properties:
+                  type:
+                    type: boolean
+                required:
+                - type
+                type: object
               container:
                 description: Container contains the definition for the container that
                   is to be used in Job based on the KeptnTaskDefinitions.
@@ -4173,6 +4183,15 @@ spec:
                   attempt.
                 format: int32
                 type: integer
+              serviceAccount:
+                description: Service Account to be used in jobs to authenticate with
+                  the Kubernetes API and access cluster resources.
+                properties:
+                  name:
+                    type: string
+                required:
+                - name
+                type: object
               timeout:
                 default: 5m
                 description: Timeout specifies the maximum time to wait for the task

docs/content/en/docs/crd-ref/lifecycle/v1alpha3/_index.md

@@ -34,6 +34,20 @@ Package v1alpha3 contains API Schema definitions for the lifecycle v1alpha3 API
 
 
 
+#### AutomountServiceAccountTokenSpec
+
+
+
+
+
+_Appears in:_
+- [KeptnTaskDefinitionSpec](#keptntaskdefinitionspec)
+
+| Field | Description |
+| --- | --- |
+| `type` _boolean_ |  |
+
+
 #### ConfigMapReference
 
 
@@ -586,6 +600,8 @@ _Appears in:_
 | `container` _[ContainerSpec](#containerspec)_ | Container contains the definition for the container that is to be used in Job based on the KeptnTaskDefinitions. |
 | `retries` _integer_ | Retries specifies how many times a job executing the KeptnTaskDefinition should be restarted in the case of an unsuccessful attempt. |
 | `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#duration-v1-meta)_ | Timeout specifies the maximum time to wait for the task to be completed successfully. If the task does not complete successfully within this time frame, it will be considered to be failed. |
+| `serviceAccount` _[ServiceAccountSpec](#serviceaccountspec)_ | ServiceAccount specifies the service account to be used in jobs to authenticate with the Kubernetes API and access cluster resources. |
+| `automountServiceAccountToken` _[AutomountServiceAccountTokenSpec](#automountserviceaccounttokenspec)_ | AutomountServiceAccountToken allows to enable K8s to assign cluster API credentials to a pod, if set to false the pod will decline the service account |
 
 
 #### KeptnTaskDefinitionStatus
@@ -894,6 +910,20 @@ _Appears in:_
 | `secret` _string_ | Secret contains the parameters that will be made available to the job executing the KeptnTask via the 'SECRET_DATA' environment variable. The 'SECRET_DATA'  environment variable's content will the same as value of the 'SECRET_DATA' key of the referenced secret. |
 
 
+#### ServiceAccountSpec
+
+
+
+
+
+_Appears in:_
+- [KeptnTaskDefinitionSpec](#keptntaskdefinitionspec)
+
+| Field | Description |
+| --- | --- |
+| `name` _string_ |  |
+
+
 #### TaskContext
 
 

lifecycle-operator/apis/lifecycle/v1alpha3/keptntaskdefinition_types.go

@@ -55,6 +55,11 @@ type KeptnTaskDefinitionSpec struct {
 	// +kubebuilder:validation:Type:=string
 	// +optional
 	Timeout metav1.Duration `json:"timeout,omitempty"`
+	// ServiceAccount specifies the service account to be used in jobs to authenticate with the Kubernetes API and access cluster resources.
+	ServiceAccount *ServiceAccountSpec `json:"serviceAccount,omitempty"`
+	// AutomountServiceAccountToken allows to enable K8s to assign cluster API credentials to a pod, if set to false
+	// the pod will decline the service account
+	AutomountServiceAccountToken *AutomountServiceAccountTokenSpec `json:"automountServiceAccountToken,omitempty"`
 }
 
 type RuntimeSpec struct {
@@ -104,6 +109,13 @@ type ContainerSpec struct {
 	*v1.Container `json:",inline"`
 }
 
+type AutomountServiceAccountTokenSpec struct {
+	Type *bool `json:"type"`
+}
+type ServiceAccountSpec struct {
+	Name string `json:"name"`
+}
+
 // KeptnTaskDefinitionStatus defines the observed state of KeptnTaskDefinition
 type KeptnTaskDefinitionStatus struct {
 	// Function contains status information of the function definition for the task.
@@ -142,3 +154,17 @@ type KeptnTaskDefinitionList struct {
 func init() {
 	SchemeBuilder.Register(&KeptnTaskDefinition{}, &KeptnTaskDefinitionList{})
 }
+
+func (d *KeptnTaskDefinition) GetServiceAccount() string {
+	if d.Spec.ServiceAccount == nil {
+		return ""
+	}
+	return d.Spec.ServiceAccount.Name
+}
+
+func (d *KeptnTaskDefinition) GetAutomountServiceAccountToken() *bool {
+	if d.Spec.AutomountServiceAccountToken == nil {
+		return nil
+	}
+	return d.Spec.AutomountServiceAccountToken.Type
+}

lifecycle-operator/apis/lifecycle/v1alpha3/keptntaskdefinition_types_test.go

@@ -0,0 +1,40 @@
+package v1alpha3
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestTaskDefinition_GetServiceAccountNoName(t *testing.T) {
+	d := &KeptnTaskDefinition{
+		Spec: KeptnTaskDefinitionSpec{},
+	}
+	svcAccname := d.GetServiceAccount()
+	require.Equal(t, svcAccname, "")
+}
+
+func TestTaskDefinition_GetServiceAccountName(t *testing.T) {
+	sAName := "sva"
+	d := &KeptnTaskDefinition{
+		Spec: KeptnTaskDefinitionSpec{
+			ServiceAccount: &ServiceAccountSpec{
+				Name: sAName,
+			},
+		},
+	}
+	svcAccname := d.GetServiceAccount()
+	require.Equal(t, svcAccname, sAName)
+}
+
+func TestTaskDefinition_GetAutomountServiceAccountToken(t *testing.T) {
+	token := true
+	d := &KeptnTaskDefinition{
+		Spec: KeptnTaskDefinitionSpec{
+			AutomountServiceAccountToken: &AutomountServiceAccountTokenSpec{
+				Type: &token,
+			},
+		},
+	}
+	require.True(t, *d.GetAutomountServiceAccountToken())
+}

lifecycle-operator/chart/templates/keptntaskdefinition-crd.yaml

@@ -195,6 +195,16 @@ spec:
           spec:
             description: Spec describes the desired state of the KeptnTaskDefinition.
             properties:
+              automountServiceAccountToken:
+                description: automountServiceAccountToken allows to enable K8s to
+                  assign cluster API credentials to a pod, if set to false the pod
+                  will decline the serviceAccount
+                properties:
+                  type:
+                    type: boolean
+                required:
+                - type
+                type: object
               container:
                 description: Container contains the definition for the container that
                   is to be used in Job based on the KeptnTaskDefinitions.
@@ -1687,6 +1697,15 @@ spec:
                   attempt.
                 format: int32
                 type: integer
+              serviceAccount:
+                description: Service Account to be used in jobs to authenticate with
+                  the Kubernetes API and access cluster resources.
+                properties:
+                  name:
+                    type: string
+                required:
+                - name
+                type: object
               timeout:
                 default: 5m
                 description: Timeout specifies the maximum time to wait for the task
@@ -1712,4 +1731,4 @@ spec:
     served: true
     storage: true
     subresources:
-      status: {}
+      status: {}

lifecycle-operator/config/crd/bases/lifecycle.keptn.sh_keptntaskdefinitions.yaml

@@ -189,6 +189,16 @@ spec:
           spec:
             description: Spec describes the desired state of the KeptnTaskDefinition.
             properties:
+              automountServiceAccountToken:
+                description: AutomountServiceAccountToken allows to enable K8s to
+                  assign cluster API credentials to a pod, if set to false the pod
+                  will decline the service account
+                properties:
+                  type:
+                    type: boolean
+                required:
+                - type
+                type: object
               container:
                 description: Container contains the definition for the container that
                   is to be used in Job based on the KeptnTaskDefinitions.
@@ -1681,6 +1691,16 @@ spec:
                   attempt.
                 format: int32
                 type: integer
+              serviceAccount:
+                description: ServiceAccount specifies the service account to be used
+                  in jobs to authenticate with the Kubernetes API and access cluster
+                  resources.
+                properties:
+                  name:
+                    type: string
+                required:
+                - name
+                type: object
               timeout:
                 default: 5m
                 description: Timeout specifies the maximum time to wait for the task

lifecycle-operator/controllers/lifecycle/keptntask/job_utils.go

@@ -105,7 +105,9 @@ func (r *KeptnTaskReconciler) generateJob(ctx context.Context, task *klcv1alpha3
 					Annotations: task.Annotations,
 				},
 				Spec: corev1.PodSpec{
-					RestartPolicy: "OnFailure",
+					RestartPolicy:                "OnFailure",
+					ServiceAccountName:           definition.GetServiceAccount(),
+					AutomountServiceAccountToken: definition.GetAutomountServiceAccountToken(),
 				},
 			},
 			BackoffLimit:          task.Spec.Retries,