Merge pull request rook#9964 from thotz/add-service-account-rgw

object: add service account for RGW pod
Albe83 · Apr 4, 2022 · 2357cb7 · 2357cb7
2 parents 87c4319 + 5e72b26
commit 2357cb7
Show file tree

Hide file tree

Showing 9 changed files with 40 additions and 2 deletions.
diff --git a/Documentation/authenticated-registry.md b/Documentation/authenticated-registry.md
@@ -40,6 +40,7 @@ The service accounts are:
 * `default` (namespace: `rook-ceph`): Will affect most pods in the `rook-ceph` namespace.
 * `rook-ceph-mgr` (namespace: `rook-ceph`): Will affect the MGR pods in the `rook-ceph` namespace.
 * `rook-ceph-osd` (namespace: `rook-ceph`): Will affect the OSD pods in the `rook-ceph` namespace.
+* `rook-ceph-rgw` (namespace: `rook-ceph`): Will affect the RGW pods in the `rook-ceph` namespace.
 
 You can do it either via e.g. `kubectl -n <namespace> edit serviceaccount default` or by modifying the [`operator.yaml`](https://github.com/rook/rook/blob/master/deploy/examples/operator.yaml)
 and [`cluster.yaml`](https://github.com/rook/rook/blob/master/deploy/examples/cluster.yaml) before deploying them.

diff --git a/PendingReleaseNotes.md b/PendingReleaseNotes.md
@@ -16,3 +16,4 @@
 * Network compression is configurable with settings in the CephCluster CR. Requires Ceph Quincy (v17) or newer.
 * Add support for custom ceph.conf for csi pods. See #9567
 * Added and updated many Ceph prometheus rules, picked up from the ceph repo
+* Added service account rook-ceph-rgw for the RGW pods.
diff --git a/deploy/charts/library/templates/_cluster-serviceaccount.tpl b/deploy/charts/library/templates/_cluster-serviceaccount.tpl
@@ -45,4 +45,16 @@ metadata:
   name: rook-ceph-purge-osd
   namespace: {{ .Release.Namespace }} # namespace:cluster
 {{ include "library.imagePullSecrets" . }}
+---
+# Service account for RGW server
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rook-ceph-rgw
+  namespace: {{ .Release.Namespace }} # namespace:cluster
+  labels:
+    operator: rook
+    storage-backend: ceph
+    {{- include "library.rook-ceph.labels" . | nindent 4 }}
+{{ include "library.imagePullSecrets" . }}
 {{ end }}
diff --git a/deploy/examples/common-second-cluster.yaml b/deploy/examples/common-second-cluster.yaml
@@ -167,3 +167,9 @@ kind: ServiceAccount
 metadata:
   name: rook-ceph-purge-osd
   namespace: $NAMESPACE
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rook-ceph-rgw
+  namespace: $NAMESPACE
diff --git a/deploy/examples/common.yaml b/deploy/examples/common.yaml
@@ -1303,6 +1303,19 @@ metadata:
 # imagePullSecrets:
 #   - name: my-registry-secret
 ---
+# Service account for RGW server
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rook-ceph-rgw
+  namespace: rook-ceph # namespace:cluster
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/part-of: rook-ceph-operator
+# imagePullSecrets:
+#   - name: my-registry-secret
+---
 # Service account for the Rook-Ceph operator
 apiVersion: v1
 kind: ServiceAccount

diff --git a/deploy/examples/operator-openshift.yaml b/deploy/examples/operator-openshift.yaml
@@ -47,6 +47,7 @@ users:
   - system:serviceaccount:rook-ceph:default # serviceaccount:namespace:cluster
   - system:serviceaccount:rook-ceph:rook-ceph-mgr # serviceaccount:namespace:cluster
   - system:serviceaccount:rook-ceph:rook-ceph-osd # serviceaccount:namespace:cluster
+  - system:serviceaccount:rook-ceph:rook-ceph-rgw # serviceaccount:namespace:cluster
 ---
 # scc for the CSI driver
 kind: SecurityContextConstraints

diff --git a/pkg/apis/ceph.rook.io/v1/scc.go b/pkg/apis/ceph.rook.io/v1/scc.go
@@ -71,6 +71,7 @@ func NewSecurityContextConstraints(name, namespace string) *secv1.SecurityContex
 			fmt.Sprintf("system:serviceaccount:%s:default", namespace),
 			fmt.Sprintf("system:serviceaccount:%s:rook-ceph-mgr", namespace),
 			fmt.Sprintf("system:serviceaccount:%s:rook-ceph-osd", namespace),
+			fmt.Sprintf("system:serviceaccount:%s:rook-ceph-rgw", namespace),
 		},
 	}
 }
diff --git a/pkg/operator/ceph/object/spec.go b/pkg/operator/ceph/object/spec.go
@@ -40,6 +40,7 @@ import (
 
 const (
 	readinessProbePath = "/swift/healthcheck"
+	serviceAccountName = "rook-ceph-rgw"
 	// #nosec G101 since this is not leaking any hardcoded details
 	setupVaultTokenFile = `
 set -e
@@ -113,8 +114,9 @@ func (c *clusterConfig) makeRGWPodSpec(rgwConfig *rgwConfig) (v1.PodTemplateSpec
 			controller.DaemonVolumes(c.DataPathMap, rgwConfig.ResourceName),
 			c.mimeTypesVolume(),
 		),
-		HostNetwork:       c.clusterSpec.Network.IsHost(),
-		PriorityClassName: c.store.Spec.Gateway.PriorityClassName,
+		HostNetwork:        c.clusterSpec.Network.IsHost(),
+		PriorityClassName:  c.store.Spec.Gateway.PriorityClassName,
+		ServiceAccountName: serviceAccountName,
 	}
 
 	// If the log collector is enabled we add the side-car container

diff --git a/tests/framework/installer/ceph_settings.go b/tests/framework/installer/ceph_settings.go
@@ -97,6 +97,7 @@ func replaceNamespaces(name, manifest, operatorNamespace, clusterNamespace strin
 	manifest = strings.ReplaceAll(manifest, "rook-ceph:rook-ceph-system # serviceaccount:namespace:operator", operatorNamespace+":rook-ceph-system")
 	manifest = strings.ReplaceAll(manifest, "rook-ceph:rook-ceph-mgr # serviceaccount:namespace:cluster", clusterNamespace+":rook-ceph-mgr")
 	manifest = strings.ReplaceAll(manifest, "rook-ceph:rook-ceph-osd # serviceaccount:namespace:cluster", clusterNamespace+":rook-ceph-osd")
+	manifest = strings.ReplaceAll(manifest, "rook-ceph:rook-ceph-rgw # serviceaccount:namespace:cluster", clusterNamespace+":rook-ceph-rgw")
 
 	// SCC namespaces for CSI driver
 	manifest = strings.ReplaceAll(manifest, "rook-ceph:rook-csi-rbd-plugin-sa # serviceaccount:namespace:operator", operatorNamespace+":rook-csi-rbd-plugin-sa")