Service account is created even when one is specified in collector spec #2372

Closed
bryan-aguilar opened this issue Nov 17, 2023 · 5 comments
Labels: bug (Something isn't working), needs triage

Comments

@bryan-aguilar (Contributor)

Component(s)

operator

What happened?

Description

According to the serviceAccount API docs: "ServiceAccount indicates the name of an existing service account to use with this instance. When set, the operator will not automatically create a ServiceAccount for the collector."

Steps to Reproduce

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: collector-deployment
  labels:
    app.kubernetes.io/name: test-sa
---
apiVersion: opentelemetry.io/v1alpha1
kind: OpenTelemetryCollector
metadata:
  name: test
  namespace: collector-deployment
spec:
  mode: deployment
  replicas: 1
  resources:
    requests:
      cpu: 200m
      memory: 300Mi
    limits:
      memory: 1000Mi
  serviceAccount: test-sa
  config: |
    receivers:
      otlp:
        protocols:
          http:
    processors:
      batch:
    exporters:
      awsxray:
        region: us-west-2
    service:
      pipelines:
        traces/xray:
          receivers:
            - otlp
          processors:
            - batch
          exporters:
            - awsxray
```

Expected Result

The test-collector service account does not get created, since test-sa is defined in the spec.

Actual Result

```
bryaag@147ddac12c15 eksTemplates % kubectl get serviceaccounts -n collector-deployment
NAME             SECRETS   AGE
default          0         10m
test-collector   0         6s
test-sa          0         6s
```

Kubernetes Version

1.26

Operator version

v0.88.0

Collector version

v0.88.0

Environment information

Environment

EKS, AL2 AMI

Log output

No response

Additional context

No response

@bryan-aguilar bryan-aguilar added bug Something isn't working needs triage labels Nov 17, 2023
@changexd (Contributor)

It seems like the operator didn't check whether OtelCol.Spec.ServiceAccount == "" when building the manifests for collectors, so the service account is still created even though the other resources have already been changed to use the specified service account. @jaronoff97 could you please assign this issue to me?

@dlorent commented Nov 21, 2023

Not entirely sure if it's a configuration issue or if it's related. I got the same issue as @bryan-aguilar,
but additionally it seems to ignore the service account specified if the deployment of Application-X has one specified too.

v1.28.3-gke.1118000 Container-Optimized OS from Google

Tested with

Operator 0.87, 0.88, 0.89
Collector-contrib 0.87, 0.88, 0.89


```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  ...............
spec:
  ...................
  template:
    metadata:
      annotations:
        sidecar.opentelemetry.io/inject: otel-sidecar
    spec:
      containers:
        ...............
      serviceAccount: application-specific-sa
      serviceAccountName: application-specific-sa
---
apiVersion: opentelemetry.io/v1alpha1
kind: OpenTelemetryCollector
metadata:
  name: otel-sidecar
spec:
  mode: sidecar
  serviceAccount: otel-collector
  config: |
    receivers:
      otlp:
        protocols:
          grpc:
```

................
ServiceAccounts in the namespace:

```
NAME                                  SECRETS   AGE
application-specific-sa               1         341d
default                               1         459d
otel-collector                        0         18d
otel-sidecar-collector                0         10d
```

The logs show namespaceX:application-specific-sa instead of namespaceX:otel-collector:

```
W1120 11:38:49.610447       1 reflector.go:535] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:namespaceX:application-specific-sa" cannot list resource "pods" in API group "" at the cluster scope
E1120 11:38:49.610495       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:namespaceX:application-specific-sa" cannot list resource "pods" in API group "" at the cluster scope

W1120 11:38:56.895323       1 reflector.go:535] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:application-specific-sa" cannot list resource "namespaces" in API group "" at the cluster scope
E1120 11:38:56.895354       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:application-specific-sa" cannot list resource "namespaces" in API group "" at the cluster scope
```
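
The two behaviours in this thread, the operator generating `<name>-collector` even when spec.serviceAccount names an existing account (the original report) and a sidecar running under the workload pod's service account and then failing cluster-scope list calls (the comment above), come down to two rules: a ServiceAccount should only be generated when none is named, and identity belongs to the pod, so a sidecar container can only ever be whatever the workload's serviceAccountName says. The Go program below is an added illustration written for this page, not operator code: CollectorSpec, Rule, ServiceAccountName, ShouldCreateServiceAccount, EffectiveIdentity and CanListAtClusterScope are hypothetical names, the RBAC rules are a toy model of ClusterRoleBinding versus RoleBinding scope, and the names and namespaces are taken from the examples posted above.

```go
package main

import "fmt"

// CollectorSpec is a simplified stand-in for the fields this thread is about.
// It is an illustration type, not the operator's API type.
type CollectorSpec struct {
	Name           string // metadata.name of the OpenTelemetryCollector
	Mode           string // "deployment", "daemonset", "statefulset" or "sidecar"
	ServiceAccount string // spec.serviceAccount, "" when unset
}

// ServiceAccountName follows the documented contract: the user-specified
// account when set, otherwise the operator-generated "<name>-collector".
func ServiceAccountName(c CollectorSpec) string {
	if c.ServiceAccount != "" {
		return c.ServiceAccount
	}
	return c.Name + "-collector"
}

// ShouldCreateServiceAccount is the guard the bug report describes as missing:
// generate a ServiceAccount only when the user did not name one. A sidecar has
// no pod of its own, so nothing should be generated for it either.
func ShouldCreateServiceAccount(c CollectorSpec) bool {
	return c.Mode != "sidecar" && c.ServiceAccount == ""
}

// EffectiveIdentity returns the user the collector container authenticates as.
// Identity is a pod property: in sidecar mode the injected container shares the
// workload pod's serviceAccountName ("default" when unset), so the CR's
// spec.serviceAccount cannot override it. podServiceAccount is the workload's
// spec.template.spec.serviceAccountName and is ignored outside sidecar mode.
func EffectiveIdentity(namespace string, c CollectorSpec, podServiceAccount string) string {
	sa := ServiceAccountName(c)
	if c.Mode == "sidecar" {
		sa = podServiceAccount
		if sa == "" {
			sa = "default"
		}
	}
	return "system:serviceaccount:" + namespace + ":" + sa
}

// Rule is a minimal RBAC stand-in: one (Cluster)Role rule plus how it is bound.
type Rule struct {
	Subject      string // full user name, e.g. "system:serviceaccount:ns:otel-collector"
	Verbs        []string
	Resources    []string
	ClusterScope bool // bound through a ClusterRoleBinding rather than a RoleBinding
}

func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// CanListAtClusterScope evaluates the request the informers in the log above
// make (a list with no namespace restriction). Only a ClusterRoleBinding can
// grant it; a RoleBinding in one namespace cannot. On denial it returns an
// apiserver-style message so it can be compared with the log lines.
func CanListAtClusterScope(rules []Rule, subject, resource string) (bool, string) {
	for _, r := range rules {
		if r.Subject == subject && r.ClusterScope && has(r.Verbs, "list") && has(r.Resources, resource) {
			return true, ""
		}
	}
	return false, fmt.Sprintf("%s is forbidden: User %q cannot list resource %q in API group \"\" at the cluster scope",
		resource, subject, resource)
}

func main() {
	// Constructed sample: the two CRs from this thread, with cluster-scope RBAC
	// bound only to otel-collector (assumed; the thread does not show the bindings).
	dep := CollectorSpec{Name: "test", Mode: "deployment", ServiceAccount: "test-sa"}
	side := CollectorSpec{Name: "otel-sidecar", Mode: "sidecar", ServiceAccount: "otel-collector"}
	rules := []Rule{{
		Subject:      "system:serviceaccount:namespaceX:otel-collector",
		Verbs:        []string{"get", "list", "watch"},
		Resources:    []string{"pods", "namespaces"},
		ClusterScope: true,
	}}

	fmt.Printf("%s: generate SA? %v, identity %s\n", dep.Name,
		ShouldCreateServiceAccount(dep), EffectiveIdentity("collector-deployment", dep, ""))

	who := EffectiveIdentity("namespaceX", side, "application-specific-sa")
	ok, why := CanListAtClusterScope(rules, who, "pods")
	fmt.Printf("%s: generate SA? %v, identity %s, can list pods: %v\n%s\n",
		side.Name, ShouldCreateServiceAccount(side), who, ok, why)
}
```

The denial message the model produces for the sidecar is the same shape as the reflector errors above, which is the point: once the collector is a container in the application's pod, granting RBAC to otel-collector does nothing for it, and either the workload's own service account needs the bindings or the collector has to run in a mode where it owns the pod. On a live cluster the equivalent check is `kubectl auth can-i list pods --as=system:serviceaccount:namespaceX:application-specific-sa`.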

@pavolloffay (Member)

done #2378

@lorelei-rupp-imprivata

@pavolloffay how do we know which build of the operator this will be in? Will it be 0.90.0?

@jaronoff97 (Contributor)

Yes, this will be in our next release 0.90.0. We're waiting on the collector to finish their release of that version at which point we can begin our process.
