test/*,pkg/generator,commands,user-guide: Add SA for the operator (op…

…erator-framework#454)

This avoids running the operator using the 'default' service account.

Fixes operator-framework#189

README.md

@@ -70,6 +70,7 @@ $ docker push quay.io/example/app-operator
 $ sed -i 's|REPLACE_IMAGE|quay.io/example/app-operator|g' deploy/operator.yaml
 
 # Deploy the app-operator
+$ kubectl create -f deploy/sa.yaml
 $ kubectl create -f deploy/rbac.yaml
 $ kubectl create -f deploy/crd.yaml
 $ kubectl create -f deploy/operator.yaml
@@ -87,6 +88,7 @@ $ kubectl delete -f deploy/cr.yaml
 $ kubectl delete -f deploy/crd.yaml
 $ kubectl delete -f deploy/operator.yaml
 $ kubectl delete -f deploy/rbac.yaml
+$ kubectl delete -f deploy/sa.yaml
 ```
 
 ## User Guide

commands/operator-sdk/cmd/test.go

@@ -55,10 +55,14 @@ func NewTestCmd() *cobra.Command {
 }
 
 func testFunc(cmd *cobra.Command, args []string) {
-	// if no namespaced manifest path is given, combine deploy/rbac.yaml and deploy/operator.yaml
+	// if no namespaced manifest path is given, combine deploy/sa.yaml, deploy/rbac.yaml and deploy/operator.yaml
 	if namespacedManifestPath == "" {
 		os.Mkdir("deploy/test", os.FileMode(int(0775)))
 		namespacedManifestPath = "deploy/test/namespace-manifests.yaml"
+		sa, err := ioutil.ReadFile("deploy/sa.yaml")
+		if err != nil {
+			log.Fatalf("could not find sa manifest: %v", err)
+		}
 		rbac, err := ioutil.ReadFile("deploy/rbac.yaml")
 		if err != nil {
 			log.Fatalf("could not find rbac manifest: %v", err)
@@ -67,7 +71,9 @@ func testFunc(cmd *cobra.Command, args []string) {
 		if err != nil {
 			log.Fatalf("could not find operator manifest: %v", err)
 		}
-		combined := append(rbac, []byte("\n---\n")...)
+		combined := append(sa, []byte("\n---\n")...)
+		combined = append(combined, rbac...)
+		combined = append(combined, []byte("\n---\n")...)
 		combined = append(combined, operator...)
 		err = ioutil.WriteFile(namespacedManifestPath, combined, os.FileMode(int(0664)))
 		if err != nil {

doc/user-guide.md

@@ -140,6 +140,7 @@ Kubernetes deployment manifests are generated in `deploy/operator.yaml`. The dep
 Deploy the memcached-operator:
 
 ```sh
+$ kubectl create -f deploy/sa.yaml
 $ kubectl create -f deploy/rbac.yaml
 $ kubectl create -f deploy/operator.yaml
 ```

pkg/generator/generator.go

@@ -60,6 +60,7 @@ const (
 	config             = "config.yaml"
 	rbacYaml           = "rbac.yaml"
 	crYaml             = "cr.yaml"
+	saYaml             = "sa.yaml"
 	catalogPackageYaml = "package.yaml"
 	catalogCSVYaml     = "csv.yaml"
 	crdYaml            = "crd.yaml"
@@ -76,6 +77,7 @@ const (
 	operatorTmplName   = "deploy/operator.yaml"
 	rbacTmplName       = "deploy/rbac.yaml"
 	crTmplName         = "deploy/cr.yaml"
+	saTmplName         = "deploy/sa.yaml"
 	pluralSuffix       = "s"
 )
 
@@ -236,6 +238,13 @@ func renderDeployFiles(deployDir, projectName, apiVersion, kind string) error {
 		return err
 	}
 
+	saTd := tmplData{
+		ProjectName: projectName,
+	}
+	if err := renderWriteFile(filepath.Join(deployDir, saYaml), saTmplName, saYamlTmpl, saTd); err != nil {
+		return err
+	}
+
 	opTd := tmplData{
 		ProjectName:     projectName,
 		Image:           "REPLACE_IMAGE",

pkg/generator/generator_test.go

@@ -199,6 +199,7 @@ spec:
       labels:
         name: app-operator
     spec:
+      serviceAccountName: app-operator
       containers:
         - name: app-operator
           image: quay.io/example-inc/app-operator:0.0.1
@@ -255,16 +256,22 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
-  name: default-account-app-operator
+  name: app-operator
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: app-operator
 roleRef:
   kind: Role
   name: app-operator
   apiGroup: rbac.authorization.k8s.io
 `
 
+const saYamlExp = `apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: app-operator
+`
+
 func TestGenDeploy(t *testing.T) {
 	buf := &bytes.Buffer{}
 	crdTd := tmplData{
@@ -309,6 +316,16 @@ func TestGenDeploy(t *testing.T) {
 		diffs := dmp.DiffMain(rbacYamlExp, buf.String(), false)
 		t.Errorf("\nTest failed. Below is the diff of the expected vs actual results.\nRed text is missing and green text is extra.\n\n" + dmp.DiffPrettyText(diffs))
 	}
+
+	buf = &bytes.Buffer{}
+	if err := renderFile(buf, saTmplName, saYamlTmpl, tmplData{ProjectName: appProjectName}); err != nil {
+		t.Error(err)
+	}
+	if saYamlExp != buf.String() {
+		dmp := diffmatchpatch.New()
+		diffs := dmp.DiffMain(saYamlExp, buf.String(), false)
+		t.Errorf("\nTest failed. Below is the diff of the expected vs actual results.\nRed text is missing and green text is extra.\n\n" + dmp.DiffPrettyText(diffs))
+	}
 }
 
 const registerExp = `package v1alpha1

pkg/generator/templates.go

@@ -438,6 +438,7 @@ spec:
       labels:
         name: {{.ProjectName}}
     spec:
+      serviceAccountName: {{.ProjectName}}
       containers:
         - name: {{.ProjectName}}
           image: {{.Image}}
@@ -494,16 +495,22 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
-  name: default-account-{{.ProjectName}}
+  name: {{.ProjectName}}
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{.ProjectName}}
 roleRef:
   kind: Role
   name: {{.ProjectName}}
   apiGroup: rbac.authorization.k8s.io
 `
 
+const saYamlTmpl = `apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ProjectName}}
+`
+
 const crYamlTmpl = `apiVersion: "{{.APIVersion}}"
 kind: "{{.Kind}}"
 metadata:

test/e2e/memcached_test.go

@@ -246,6 +246,17 @@ func MemcachedCluster(t *testing.T) {
 		}
 	}
 
+	// create sa
+	saYAML, err := ioutil.ReadFile("deploy/sa.yaml")
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = ctx.CreateFromYAML(saYAML)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log("Created sa")
+
 	// create rbac
 	rbacYAML, err := ioutil.ReadFile("deploy/rbac.yaml")
 	rbacYAMLSplit := bytes.Split(rbacYAML, []byte("\n---\n"))

test/test-framework/deploy/namespace-init.yaml

@@ -1,3 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: memcached-operator
+
+---
+
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
@@ -36,10 +43,10 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
-  name: default-account-memcached-operator
+  name: memcached-operator
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: memcached-operator
 roleRef:
   kind: Role
   name: memcached-operator
@@ -61,6 +68,7 @@ spec:
       labels:
         name: memcached-operator
     spec:
+      serviceAccountName: memcached-operator
       containers:
         - name: memcached-operator
           image: quay.io/coreos/operator-sdk-dev:test-framework-operator

test/test-framework/deploy/operator.yaml

@@ -12,6 +12,7 @@ spec:
       labels:
         name: memcached-operator
     spec:
+      serviceAccountName: memcached-operator
       containers:
         - name: memcached-operator
           image: quay.io/coreos/operator-sdk-dev:test-framework-operator

test/test-framework/deploy/rbac.yaml

@@ -36,10 +36,10 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
-  name: default-account-memcached-operator
+  name: memcached-operator
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: memcached-operator
 roleRef:
   kind: Role
   name: memcached-operator

test/test-framework/deploy/sa.yaml

@@ -0,0 +1,4 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: memcached-operator