Provide a way to specify default service accounts

[sthaha]

This PR allows defaults service-account (configurable though the configmap)
to be set when none is specified in a PipelineRun.

Fixes: #1213
Signed-off-by: Sunil Thaha sthaha@redhat.com

Changes

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes tests (if functionality changed/added)
• [🙅‍♂ ] Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide for more details.

Double check this list of stuff that's easy to miss:

• If you are adding a new binary/image to the cmd dir, please update
  the release Task and TaskRun to build and release this image

Reviewer Notes

If API changes
are included, additive changes
must be approved by at least two OWNERS
and backwards incompatible changes
must be approved by more than 50% of the OWNERS,
and they must first be added
in a backwards compatible way.

Release Notes

If pipeline controllers are deployed with a config-map that has `default-service-account` key set to a non-empty string, pipeline-runs that do not specify a ServiceAccount will be modified (mutated) to  the value of the `default-service-account`. 

[tekton-robot]

The following is the coverage report on pkg/.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/default.go	77.8%	81.8%	4.0

[vdemeester]

SGTM

/cc @bobcatfish @imjasonh

[sthaha]

@vdemeester @bobcatfish does it make sense to implement the same for taskruns as well?

[tekton-robot]

The following is the coverage report on pkg/.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/default.go	77.8%	81.8%	4.0

[vdemeester]

@vdemeester @bobcatfish does it make sense to implement the same for taskruns as well?

I would think so yes

[bobcatfish]

Thanks for adding this @sthaha and thanks for your patience! 🙏 A few requests:

• Can we add some docs on how to configure this? Maybe at https://github.com/tektoncd/pipeline/blob/master/docs/install.md#configuring-tekton-pipelines
• Can we add a test that ensures that the serviceAccount and serviceAccounts fields will override the configured default? (https://github.com/tektoncd/pipeline/blob/master/docs/pipelineruns.md#service-accounts) Looking at the way you implemented it, I bet it will work, but just to be sure :) (could be a reconciler test, or an end to end test, or even an example)
• Can we update https://github.com/tektoncd/pipeline/blob/master/docs/pipelineruns.md#service-account and https://github.com/tektoncd/pipeline/blob/master/docs/taskruns.md#service-account to indicate that the service account used when those fields aren't configured won't necessarily be the default account

Before this change, if there was no serviceAccount or serviceAccounts specified in a PipelineRun or a TaskRun, I could be reasonably sure that the service account default was used, but that is no longer completely obvious.. And if the configuration of the controller was changed, I wouldn't be able to tell from looking at a previous Run which service account was used. I wonder if it would make sense to include this in the status field? I'm not 100% sure this is a good idea tho - maybe we can open a follow up issue and discuss? Or wait to see if ppl actually care (curious what you think @imjasonh @vdemeester )

(The coverage reporting seems a bit odd, opened #1248)

[bobcatfish]

I'm a bit confused why in config/config-defaults.yaml the default service account is default, but if that file isn't use, the default will be default-service-account - would it make sense to use default in both cases?

[vdemeester]

@bobcatfish default-service-account is the "config" key to get the value for the default-service-account

[sthaha]

@bobcatfish like @vdemeester mentioned, defaultServiceAccountKey (default-service-account) refers to the key part of the configmap e.g.

data:
  default-service-account: tekton

which if unspecified would spawn the pods with the default ServiceAccount.

[bobcatfish]

ah whoops, thanks for the explanation!

[sthaha]

• Can we add some docs on how to configure this? Maybe at https://github.com/tektoncd/pipeline/blob/master/docs/install.md#configuring-tekton-pipelines

👍 will do

• Can we add a test that ensures that the serviceAccount and serviceAccounts fields will override the configured default? (https://github.com/tektoncd/pipeline/blob/master/docs/pipelineruns.md#service-accounts) Looking at the way you implemented it, I bet it will work, but just to be sure :) (could be a reconciler test, or an end to end test, or even an example)

Nice! didn't think of this test 🤗

• Can we update https://github.com/tektoncd/pipeline/blob/master/docs/pipelineruns.md#service-account and https://github.com/tektoncd/pipeline/blob/master/docs/taskruns.md#service-account to indicate that the service account used when those fields aren't configured won't necessarily be the default account

👍

Before this change, if there was no serviceAccount or serviceAccounts specified in a PipelineRun or a TaskRun, I could be reasonably sure that the service account default was used, but that is no longer completely obvious.. And if the configuration of the controller was changed, I wouldn't be able to tell from looking at a previous Run which service account was used. I wonder if it would make sense to include this in the status field? I'm not 100% sure this is a good idea tho - maybe we can open a follow up issue and discuss? Or wait to see if ppl actually care (curious what you think @imjasonh @vdemeester )

I agree that this can be taken up as a follow up issue. On a related note, would metadata.annotations.run be a good place to store this?

[bobcatfish]

On a related note, would metadata.annotations.run be a good place to store this?

I'm not sure! I feel like the status field is where we have been storing most information like this up until this point. I know there is a lot of precedent for using the metadata for this kind of thing. In this case I don't have a strong opinion either way!

[sthaha]

@bobcatfish

Before this change, if there was no serviceAccount or serviceAccounts specified in a PipelineRun or a TaskRun, I could be reasonably sure that the service account default was used, but that is no longer completely obvious.. And if the configuration of the controller was changed, I wouldn't be able to tell from looking at a previous Run which service account was used. I wonder if it would make sense to include this in the status field? I'm not 100% sure this is a good idea tho - maybe we can open a follow up issue and discuss? Or wait to see if ppl actually care (curious what you think @imjasonh @vdemeester )

IIUC, the serviceAccount set by the mutating webhook can still be seen when you inspect the pipelinerun or the taskrun

[sthaha]

@bobcatfish

Can we add a test that ensures that the serviceAccount and serviceAccounts fields will override the configured default? (https://github.com/tektoncd/pipeline/blob/master/docs/pipelineruns.md#service-accounts) Looking at the way you implemented it, I bet it will work, but just to be sure :) (could be a reconciler test, or an end to end test, or even an example)

This requires the test to

• setup: create an SA account say foobar
• setup: run webhook with the config-defaults.default-service-account set to foobar
• test: run a pipelinerun with the serviceAccount explicitly set to something-else

I was looking for a precedence (may be in the case of default-timeout-minutes) but can't find any. Do you have any pointers?

[tekton-robot]

The following is the coverage report on pkg/.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/default.go	77.8%	81.8%	4.0

[bobcatfish]

Hey @sthaha ! probably the easiest way would be to add a reconciler level test.

For example this test case is making sure the right service account is used:

pipeline/pkg/reconciler/taskrun/taskrun_test.go

Lines 460 to 491 in eb6edee

	name: "serviceaccount",
	taskRun: taskRunWithSaSuccess,
	wantPod: tb.Pod("test-taskrun-with-sa-run-success-pod-123456", "foo",
	tb.PodAnnotation("tekton.dev/ready", ""),
	tb.PodLabel(taskNameLabelKey, "test-with-sa"),
	tb.PodLabel(taskRunNameLabelKey, "test-taskrun-with-sa-run-success"),
	tb.PodLabel(resources.ManagedByLabelKey, resources.ManagedByLabelValue),
	tb.PodOwnerReference("TaskRun", "test-taskrun-with-sa-run-success",
	tb.OwnerReferenceAPIVersion(currentApiVersion)),
	tb.PodSpec(
	tb.PodServiceAccountName("test-sa"),
	tb.PodVolumes(toolsVolume, downward, workspaceVolume, homeVolume),
	tb.PodRestartPolicy(corev1.RestartPolicyNever),
	getCredentialsInitContainer("9l9zj"),
	getPlaceToolsInitContainer(),
	tb.PodContainer("step-sa-step", "foo",
	tb.Command(entrypointLocation),
	tb.Args("-wait_file", "/builder/downward/ready", "-post_file", "/builder/tools/0", "-wait_file_content", "-entrypoint", "/mycmd", "--"),
	tb.WorkingDir(workspaceDir),
	tb.EnvVar("HOME", "/builder/home"),
	tb.VolumeMount("tools", "/builder/tools"),
	tb.VolumeMount("downward", "/builder/downward"),
	tb.VolumeMount("workspace", workspaceDir),
	tb.VolumeMount("home", "/builder/home"),
	tb.Resources(tb.Requests(
	tb.CPU("0"),
	tb.Memory("0"),
	tb.EphemeralStorage("0"),
	)),
	),
	),
	),

pipeline/pkg/reconciler/taskrun/taskrun_test.go

Lines 1050 to 1061 in eb6edee

	saName := tc.taskRun.Spec.ServiceAccount
	if saName == "" {
	saName = "default"
	}
	if _, err := clients.Kube.CoreV1().ServiceAccounts(tc.taskRun.Namespace).Create(&corev1.ServiceAccount{
	ObjectMeta: metav1.ObjectMeta{
	Name: saName,
	Namespace: tc.taskRun.Namespace,
	},
	}); err != nil {
	t.Fatal(err)
	}

It looks like the reconciler that this test instantiates passes a config map watcher into the reconciler, so i think if you use those fake kube clients + configure a config map, the test reconciler would use it:

pipeline/pkg/reconciler/taskrun/taskrun_test.go

Lines 256 to 273 in eb6edee

	func getTaskRunController(t *testing.T, d test.Data) (test.TestAssets, func()) {
	ctx, _ := rtesting.SetupFakeContext(t)
	ctx, cancel := context.WithCancel(ctx)
	cloudEventClientBehaviour := cloudevent.FakeClientBehaviour{
	SendSuccessfully: true,
	}
	ctx = cloudevent.WithClient(ctx, &cloudEventClientBehaviour)
	entrypointCache, _ = entrypoint.NewCache()
	c, _ := test.SeedTestData(t, ctx, d)
	configMapWatcher := configmap.NewInformedWatcher(c.Kube, system.GetNamespace())
	return test.TestAssets{
	Controller: NewController(
	ctx,
	configMapWatcher,
	),
	Clients: c,
	}, cancel
	}

So what I would do is probably make a completely new test function, copying a lot of the body of the Run function from the test I linked above. (Sorry writing reconciler tests is kind of tedious!!)

[sthaha]

@bobcatfish @vdemeester Does this suffice? Has 2 tests

1. verifies that default service account specified in defaults is used
2. verifies that if SA is set ( test-sa ) then that will be used

[vdemeester]

yes 😻 We may want to refactor some of this, but I think that's the job of a follow-up

[tekton-robot]

The following is the coverage report on pkg/.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/default.go	77.8%	81.8%	4.0

[vdemeester]

/lgtm
/hold
^^ to let @bobcatfish review 👼

[vdemeester]

yes 😻 We may want to refactor some of this, but I think that's the job of a follow-up

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sthaha, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [vdemeester]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vdemeester]

/hold cancel