fix: Use controller-runtime's defaulting mechanism for serviceAccountName

Author: codablock

api/v1alpha1/objecttemplate_types.go

@@ -41,6 +41,7 @@ type ObjectTemplateSpec struct {
 	// ServiceAccountName specifies the name of the Kubernetes service account to impersonate
 	// when reconciling this ObjectTemplate. If omitted, the "default" service account is used
 	// +optional
+	// +kubebuilder:default:="default"
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
 	// Prune enables pruning of previously created objects when these disappear from the list of rendered objects

api/v1alpha1/texttemplate_types.go

@@ -31,9 +31,10 @@ type TextTemplateSpec struct {
 	// +kubebuilder:default:=false
 	Suspend bool `json:"suspend"`
 
-	// The name of the Kubernetes service account to impersonate
-	// when reconciling this TextTemplate. If omitted, the "default" service account is used.
+	// ServiceAccountName specifies the name of the Kubernetes service account to impersonate
+	// when reconciling this TextTemplate. If omitted, the "default" service account is used
 	// +optional
+	// +kubebuilder:default:="default"
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
 	// +optional

config/crd/bases/templates.kluctl.io_objecttemplates.yaml

@@ -108,6 +108,7 @@ spec:
                   these disappear from the list of rendered objects
                 type: boolean
               serviceAccountName:
+                default: default
                 description: |-
                   ServiceAccountName specifies the name of the Kubernetes service account to impersonate
                   when reconciling this ObjectTemplate. If omitted, the "default" service account is used

config/crd/bases/templates.kluctl.io_texttemplates.yaml

@@ -71,9 +71,10 @@ spec:
                   type: object
                 type: array
               serviceAccountName:
+                default: default
                 description: |-
-                  The name of the Kubernetes service account to impersonate
-                  when reconciling this TextTemplate. If omitted, the "default" service account is used.
+                  ServiceAccountName specifies the name of the Kubernetes service account to impersonate
+                  when reconciling this TextTemplate. If omitted, the "default" service account is used
                 type: string
               suspend:
                 default: false

controllers/base_template_reconciler.go

@@ -31,21 +31,17 @@ type BaseTemplateReconciler struct {
 	mutex sync.Mutex
 }
 
-func (r *BaseTemplateReconciler) getClientForObjects(serviceAccountName string, objNamespace string) (client.WithWatch, string, error) {
+func (r *BaseTemplateReconciler) getClientForObjects(serviceAccountName string, objNamespace string) (client.WithWatch, error) {
 	restConfig := rest.CopyConfig(r.Manager.GetConfig())
 
-	name := "default"
-	if serviceAccountName != "" {
-		name = serviceAccountName
-	}
-	username := fmt.Sprintf("system:serviceaccount:%s:%s", objNamespace, name)
+	username := fmt.Sprintf("system:serviceaccount:%s:%s", objNamespace, serviceAccountName)
 	restConfig.Impersonate = rest.ImpersonationConfig{UserName: username}
 
 	c, err := client.NewWithWatch(restConfig, client.Options{Mapper: r.RESTMapper()})
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}
-	return c, name, nil
+	return c, nil
 }
 
 func (r *BaseTemplateReconciler) buildBaseVars(templateObj runtime.Object, objVarName string) (map[string]any, error) {

controllers/objecttemplate_controller.go

@@ -184,13 +184,13 @@ func (r *ObjectTemplateReconciler) doReconcile(ctx context.Context, rt *template
 	var wg sync.WaitGroup
 	var mutex sync.Mutex
 
-	objClient, saName, err := r.getClientForObjects(rt.Spec.ServiceAccountName, rt.GetNamespace())
+	objClient, err := r.getClientForObjects(rt.Spec.ServiceAccountName, rt.GetNamespace())
 	if err != nil {
 		return err
 	}
 
 	wt := r.watchesUtil.getWatchesForTemplate(client.ObjectKeyFromObject(rt))
-	wt.setClient(objClient, saName)
+	wt.setClient(objClient, rt.Spec.ServiceAccountName)
 	newObjects := map[templatesv1alpha1.ObjectRef]bool{}
 	for _, me := range rt.Spec.Matrix {
 		if me.Object != nil {
@@ -466,7 +466,7 @@ func (r *ObjectTemplateReconciler) doFinalize(ctx context.Context, obj *template
 		return
 	}
 
-	objClient, _, err := r.getClientForObjects(obj.Spec.ServiceAccountName, obj.GetNamespace())
+	objClient, err := r.getClientForObjects(obj.Spec.ServiceAccountName, obj.GetNamespace())
 	if err != nil {
 		log.Error(err, "Failed to create objClient for deletion")
 		return

controllers/texttemplate_controller.go

@@ -111,13 +111,13 @@ func (r *TextTemplateReconciler) doReconcile(ctx context.Context, tt *templatesv
 	}
 	defer j2.Close()
 
-	objClient, saName, err := r.getClientForObjects(tt.Spec.ServiceAccountName, tt.GetNamespace())
+	objClient, err := r.getClientForObjects(tt.Spec.ServiceAccountName, tt.GetNamespace())
 	if err != nil {
 		return err
 	}
 
 	wt := r.watchesUtil.getWatchesForTemplate(client.ObjectKeyFromObject(tt))
-	wt.setClient(objClient, saName)
+	wt.setClient(objClient, tt.Spec.ServiceAccountName)
 	newObjects := map[templatesv1alpha1.ObjectRef]bool{}
 	if tt.Spec.TemplateRef != nil && tt.Spec.TemplateRef.ConfigMap != nil {
 		ns := tt.Spec.TemplateRef.ConfigMap.Namespace