{cmd,}/k8s-operator: support IRSA for Recorder resources (#15913)

Adds Recorder fields to configure the name and annotations of the ServiceAccount
created for and used by its associated StatefulSet. This allows the created Pod
to authenticate with AWS without requiring a Secret with static credentials,
using AWS' IAM Roles for Service Accounts feature, documented here:
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

Fixes #15875

Change-Id: Ib0e15c0dbc357efa4be260e9ae5077bacdcb264f
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>

k8s-operator/api.md

@@ -726,6 +726,24 @@ _Appears in:_
 | `imagePullSecrets` _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.3/#localobjectreference-v1-core) array_ | Image pull Secrets for Recorder Pods.<br />https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec |  |  |
 | `nodeSelector` _object (keys:string, values:string)_ | Node selector rules for Recorder Pods. By default, the operator does<br />not apply any node selector rules.<br />https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling |  |  |
 | `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.3/#toleration-v1-core) array_ | Tolerations for Recorder Pods. By default, the operator does not apply<br />any tolerations.<br />https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling |  |  |
+| `serviceAccount` _[RecorderServiceAccount](#recorderserviceaccount)_ | Config for the ServiceAccount to create for the Recorder's StatefulSet.<br />By default, the operator will create a ServiceAccount with the same<br />name as the Recorder resource.<br />https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#service-account |  |  |
+
+
+#### RecorderServiceAccount
+
+
+
+
+
+
+
+_Appears in:_
+- [RecorderPod](#recorderpod)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `name` _string_ | Name of the ServiceAccount to create. Defaults to the name of the<br />Recorder resource.<br />https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#service-account |  | MaxLength: 253 <br />Pattern: `^[a-z0-9]([a-z0-9-.]{0,61}[a-z0-9])?$` <br />Type: string <br /> |
+| `annotations` _object (keys:string, values:string)_ | Annotations to add to the ServiceAccount.<br />https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set<br />You can use this to add IAM roles to the ServiceAccount (IRSA) instead of<br />providing static S3 credentials in a Secret.<br />https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html<br />For example:<br />eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name> |  |  |
 
 
 #### RecorderSpec

k8s-operator/apis/v1alpha1/types_recorder.go

@@ -142,6 +142,36 @@ type RecorderPod struct {
 	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
 	// +optional
 	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
+
+	// Config for the ServiceAccount to create for the Recorder's StatefulSet.
+	// By default, the operator will create a ServiceAccount with the same
+	// name as the Recorder resource.
+	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#service-account
+	// +optional
+	ServiceAccount RecorderServiceAccount `json:"serviceAccount,omitempty"`
+}
+
+type RecorderServiceAccount struct {
+	// Name of the ServiceAccount to create. Defaults to the name of the
+	// Recorder resource.
+	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#service-account
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([a-z0-9-.]{0,61}[a-z0-9])?$`
+	// +kubebuilder:validation:MaxLength=253
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// Annotations to add to the ServiceAccount.
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
+	//
+	// You can use this to add IAM roles to the ServiceAccount (IRSA) instead of
+	// providing static S3 credentials in a Secret.
+	// https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
+	//
+	// For example:
+	// eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
 }
 
 type RecorderContainer struct {

k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go

@@ -838,6 +838,7 @@ func (in *RecorderPod) DeepCopyInto(out *RecorderPod) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	in.ServiceAccount.DeepCopyInto(&out.ServiceAccount)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecorderPod.
@@ -850,6 +851,28 @@ func (in *RecorderPod) DeepCopy() *RecorderPod {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RecorderServiceAccount) DeepCopyInto(out *RecorderServiceAccount) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecorderServiceAccount.
+func (in *RecorderServiceAccount) DeepCopy() *RecorderServiceAccount {
+	if in == nil {
+		return nil
+	}
+	out := new(RecorderServiceAccount)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecorderSpec) DeepCopyInto(out *RecorderSpec) {
 	*out = *in