Allowed usage of custom SA for OAuth Proxy (#520)

Signed-off-by: Juraci Paixão Kröhling <juraci@kroehling.de>
jaegertracing · Jul 11, 2019 · b1a6a05 · b1a6a05
1 parent 1dfbda6
commit b1a6a05
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 4 deletions.
diff --git a/deploy/examples/custom-serviceaccount.yaml b/deploy/examples/custom-serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: customsa
+---
+apiVersion: jaegertracing.io/v1
+kind: Jaeger
+metadata:
+  name: custom-serviceaccount
+spec:
+  serviceAccount: customsa # this is created and managed externally to the operator
diff --git a/pkg/account/main.go b/pkg/account/main.go
@@ -4,15 +4,20 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/jaegertracing/jaeger-operator/pkg/apis/jaegertracing/v1"
+	v1 "github.com/jaegertracing/jaeger-operator/pkg/apis/jaegertracing/v1"
 	"github.com/jaegertracing/jaeger-operator/pkg/util"
 )
 
 // Get returns all the service accounts to be created for this Jaeger instance
 func Get(jaeger *v1.Jaeger) []*corev1.ServiceAccount {
 	accounts := []*corev1.ServiceAccount{}
 	if jaeger.Spec.Ingress.Security == v1.IngressSecurityOAuthProxy {
-		accounts = append(accounts, OAuthProxy(jaeger))
+		sa := util.Merge([]v1.JaegerCommonSpec{jaeger.Spec.Query.JaegerCommonSpec, jaeger.Spec.JaegerCommonSpec}).ServiceAccount
+		if len(sa) == 0 {
+			// if there's a service account specified for the query component, that's the one we use
+			// otherwise, we use a custom SA for the OAuth Proxy
+			accounts = append(accounts, OAuthProxy(jaeger))
+		}
 	}
 	return append(accounts, getMain(jaeger))
 }

diff --git a/pkg/account/oauth-proxy.go b/pkg/account/oauth-proxy.go
@@ -6,7 +6,8 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/jaegertracing/jaeger-operator/pkg/apis/jaegertracing/v1"
+	v1 "github.com/jaegertracing/jaeger-operator/pkg/apis/jaegertracing/v1"
+	"github.com/jaegertracing/jaeger-operator/pkg/util"
 )
 
 // OAuthProxy returns a service account representing a client in the context of the OAuth Proxy
@@ -46,6 +47,12 @@ func OAuthProxy(jaeger *v1.Jaeger) *corev1.ServiceAccount {
 
 // OAuthProxyAccountNameFor returns the service account name for this Jaeger instance in the context of the OAuth Proxy
 func OAuthProxyAccountNameFor(jaeger *v1.Jaeger) string {
+	sa := util.Merge([]v1.JaegerCommonSpec{jaeger.Spec.Query.JaegerCommonSpec, jaeger.Spec.JaegerCommonSpec}).ServiceAccount
+	if len(sa) > 0 {
+		// if we have a custom service account for the query object, that's the service name we return
+		return sa
+	}
+
 	return fmt.Sprintf("%s-ui-proxy", jaeger.Name)
 }
 

diff --git a/pkg/account/oauth_proxy_test.go b/pkg/account/oauth_proxy_test.go
@@ -21,5 +21,21 @@ func TestOAuthProxy(t *testing.T) {
 	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthProxy"})
 	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
 
-	assert.Equal(t, OAuthProxy(jaeger).Name, fmt.Sprintf("%s-ui-proxy", jaeger.Name))
+	assert.Equal(t, fmt.Sprintf("%s-ui-proxy", jaeger.Name), OAuthProxy(jaeger).Name)
+}
+
+func TestOAuthOverrideServiceAccountForQuery(t *testing.T) {
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthOverrideServiceAccountForQuery"})
+	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
+	jaeger.Spec.Query.ServiceAccount = "my-own-sa"
+
+	assert.Equal(t, "my-own-sa", OAuthProxy(jaeger).Name)
+}
+
+func TestOAuthOverrideServiceAccountForAllComponents(t *testing.T) {
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestOAuthOverrideServiceAccountForAllComponents"})
+	jaeger.Spec.Ingress.Security = v1.IngressSecurityOAuthProxy
+	jaeger.Spec.ServiceAccount = "my-own-sa"
+
+	assert.Equal(t, "my-own-sa", OAuthProxy(jaeger).Name)
 }