Specifiy/Create a service account used by the created SolrCloud

[thomaswoeckinger]

Currently there is no way to specify a serviceAccount or serviceAccountName to be used by the created SolrCloud. This makes it impossible to run on OKD, because default security constraints deny the usage of fsGroup 8983.

So there should be at least a parameter to configure the serviceAccount.

[HoustonPutman]

Good feature request! But we should shoot for v0.4.0 since there is a feature freeze for v0.3.0.

[HoustonPutman]

@thomaswoeckinger I'm working on the custom serviceAccountName now, and that is very straightforward.

This makes it impossible to run on OKD, because default security constraints deny the usage of fsGroup 8983.

This might be harder to fix. The reason we use fsGroup 8983 is because the Solr docker image uses the 8983 user to own /var/solr (the data directory)

I might be wrong here, but I believe that's why it was fsGroup has always been set to 8983. We can definitely look at changing that in the future, I want the solr-operator to be fully OKD compatible, but it will be more work than making the serviceAccountName configurable.

Are you able to get OKD to work with the 8983 fsGroup with a custom service account?

[thomaswoeckinger]

If an SCC with runAsUser set to 8983 exists which is associated with the used service account i can start the container. So from my point of view if the operator simply adds the serviceAccountName: <solr-service-account> to the deployment descriptor it would be sufficient. An extension would be if the required SCC and service account would be created by the operator itself.

[HoustonPutman]

Good to know.

So in the linked PR I added the ability to create the necessary ServiceAccount when deploying the solr helm chart, but the operator itself does not create the serviceAccount. We can change that in the future, but I think it's fine to start with.