
Commit 7dad6f3

Merge annotations from desired with existing ones in the ServiceAccounts (#969)
* Merge annotations from desired with existing ones for ServiceAccount objects Signed-off-by: Ruben Vargas <[email protected]> Co-authored-by: Israel Blancas <[email protected]>
1 parent 76bfab6 commit 7dad6f3


3 files changed

+52
-1
lines changed


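--- a/.chloggen/sa_fix.yaml
+++ b/.chloggen/sa_fix.yaml
@@ -0,0 +1,25 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. operator, github action)
+component: operator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Modify SA annotations managed by the operator, preserve others.
+
+# One or more tracking issues related to the change
+issues: [970]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+This prevents other controllers that modified the SA from create an infinite loop where the other controller modifies something,
+and tempo-operator removes it, the other controller detect the changes and add its and so on and so on.
+
+This is specific for OpenShift case, where the openshift-controller-manager annotates the SA with
+openshift.io/internal-registry-pull-secret-ref.
+
+See https://github.com/openshift/openshift-controller-manager/pull/288/ and
+https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html section about
+"Legacy service account API token secrets are no longer generated for each service account"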

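--- a/internal/manifests/mutate.go
+++ b/internal/manifests/mutate.go
@@ -181,7 +181,6 @@ func mutateConfigMap(existing, desired *corev1.ConfigMap) {
 }
 
 func mutateServiceAccount(existing, desired *corev1.ServiceAccount) {
-existing.Annotations = desired.Annotations
 existing.Labels = desired.Labels
 }
 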
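--- a/internal/manifests/mutate_test.go
+++ b/internal/manifests/mutate_test.go
@@ -5,6 +5,7 @@ import (
 
 routev1 "github.com/openshift/api/route/v1"
 monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+"github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
@@ -1171,3 +1172,29 @@ func TestGetMutateFunc_MutateRoute(t *testing.T) {
 require.Exactly(t, got.Annotations, want.Annotations)
 require.Exactly(t, got.Spec, want.Spec)
 }
+
+func TestMutateServiceAccount(t *testing.T) {
+existing := corev1.ServiceAccount{
+ObjectMeta: metav1.ObjectMeta{
+Name: "simplest",
+Annotations: map[string]string{
+"config.openshift.io/serving-cert-secret-name": "my-secret",
+},
+},
+}
+desired := corev1.ServiceAccount{
+ObjectMeta: metav1.ObjectMeta{
+Name: "simplest",
+},
+}
+
+mutateFn := manifests.MutateFuncFor(&existing, &desired)
+err := mutateFn()
+require.NoError(t, err)
+assert.Equal(t, corev1.ServiceAccount{
+ObjectMeta: metav1.ObjectMeta{
+Name: "simplest",
+Annotations: map[string]string{"config.openshift.io/serving-cert-secret-name": "my-secret"},
+},
+}, existing)
+}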
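Review bot: `TestMutateServiceAccount` only exercises a `desired` object with no annotations, so it pins preservation of the foreign key but not the merge the commit title describes. Because the `mutate.go` section only drops `existing.Annotations = desired.Annotations`, the merge presumably happens in `MutateFuncFor`, outside this diff. A second case where both sides set the same key (constructed example: existing `"example.test/key": "old"`, desired `"example.test/key": "new"`) should assert that the desired value wins and the unrelated key survives. I would also add a comment on `mutateServiceAccount` such as `// Annotations are merged by the caller: keys the operator stops setting, or that other actors add, stay on the ServiceAccount.`, because ServiceAccount annotations can reference secrets (as the two keys on this page do) and out-of-band values are no longer reverted to the operator's desired set. Labels are still replaced wholesale by `existing.Labels = desired.Labels`, which this test does not cover.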
