Support AutomountServiceAccountToken and executor specific service ac…

…count(argoproj#1480)
aviweit · Aug 21, 2019 · b5f2fde · b5f2fde
1 parent 8808726
commit b5f2fde
Show file tree

Hide file tree

Showing 19 changed files with 556 additions and 37 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
@@ -276,6 +276,16 @@
         }
       }
     },
+    "io.argoproj.workflow.v1alpha1.ExecutorConfig": {
+      "description": "ExecutorConfig holds configurations of an executor container.",
+      "type": "object",
+      "properties": {
+        "serviceAccountName": {
+          "description": "ServiceAccountName specifies the service account name of the executor container.",
+          "type": "string"
+        }
+      }
+    },
     "io.argoproj.workflow.v1alpha1.GitArtifact": {
       "description": "GitArtifact is the location of an git artifact",
       "type": "object",
@@ -891,6 +901,10 @@
           "description": "Arguments hold arguments to the template.",
           "$ref": "#/definitions/io.argoproj.workflow.v1alpha1.Arguments"
         },
+        "automountServiceAccountToken": {
+          "description": "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in pods. ServiceAccountName of ExecutorConfig must be specified if this value is false.",
+          "type": "boolean"
+        },
         "container": {
           "description": "Container is the main container image to run in the pod",
           "$ref": "#/definitions/io.k8s.api.core.v1.Container"
@@ -903,6 +917,10 @@
           "description": "DAG template subtype which runs a DAG",
           "$ref": "#/definitions/io.argoproj.workflow.v1alpha1.DAGTemplate"
         },
+        "executor": {
+          "description": "Executor holds configurations of the executor container.",
+          "$ref": "#/definitions/io.argoproj.workflow.v1alpha1.ExecutorConfig"
+        },
         "hostAliases": {
           "description": "HostAliases is an optional list of hosts and IPs that will be injected into the pod spec",
           "type": "array",
@@ -1274,6 +1292,10 @@
           "description": "ArtifactRepositoryRef specifies the configMap name and key containing the artifact repository config.",
           "$ref": "#/definitions/io.argoproj.workflow.v1alpha1.ArtifactRepositoryRef"
         },
+        "automountServiceAccountToken": {
+          "description": "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in pods. ServiceAccountName of ExecutorConfig must be specified if this value is false.",
+          "type": "boolean"
+        },
         "dnsConfig": {
           "description": "PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.",
           "$ref": "#/definitions/io.k8s.api.core.v1.PodDNSConfig"
@@ -1286,6 +1308,10 @@
           "description": "Entrypoint is a template reference to the starting point of the workflow",
           "type": "string"
         },
+        "executor": {
+          "description": "Executor holds configurations of executor containers of the workflow.",
+          "$ref": "#/definitions/io.argoproj.workflow.v1alpha1.ExecutorConfig"
+        },
         "hostAliases": {
           "description": "HostAliases is an optional list of hosts and IPs that will be injected into the pod spec",
           "type": "array",

diff --git a/manifests/base/kustomization.yaml b/manifests/base/kustomization.yaml
@@ -1,10 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-bases:
-- crds
-- workflow-controller
-- argo-ui
 
 images:
 - name: argoproj/argoui
@@ -13,3 +9,7 @@ images:
 - name: argoproj/workflow-controller
   newName: argoproj/workflow-controller
   newTag: latest
+resources:
+- crds
+- workflow-controller
+- argo-ui
diff --git a/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml b/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml
@@ -52,3 +52,10 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
diff --git a/manifests/install.yaml b/manifests/install.yaml
@@ -30,12 +30,12 @@ spec:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: argo-ui
+  name: argo
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: argo
+  name: argo-ui
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -142,15 +142,29 @@ rules:
   resources:
   - workflows
   - workflows/finalizers
-  - workflowtemplates
-  - workflowtemplates/finalizers
   verbs:
   - get
   - list
   - watch
   - update
   - patch
   - delete
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowtemplates
+  - workflowtemplates/finalizers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml
@@ -30,12 +30,12 @@ spec:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: argo-ui
+  name: argo
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: argo
+  name: argo-ui
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -82,6 +82,13 @@ rules:
   - update
   - patch
   - delete
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

diff --git a/manifests/namespace-install/workflow-controller-rbac/workflow-controller-role.yaml b/manifests/namespace-install/workflow-controller-rbac/workflow-controller-role.yaml
@@ -43,3 +43,10 @@ rules:
   - update
   - patch
   - delete
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
diff --git a/pkg/apis/workflow/v1alpha1/openapi_generated.go b/pkg/apis/workflow/v1alpha1/openapi_generated.go
diff --git a/pkg/apis/workflow/v1alpha1/workflow_types.go b/pkg/apis/workflow/v1alpha1/workflow_types.go
@@ -113,6 +113,13 @@ type WorkflowSpec struct {
 	// ServiceAccountName is the name of the ServiceAccount to run all pods of the workflow as.
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
+	// AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in pods.
+	// ServiceAccountName of ExecutorConfig must be specified if this value is false.
+	AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
+
+	// Executor holds configurations of executor containers of the workflow.
+	Executor *ExecutorConfig `json:"executor,omitempty"`
+
 	// Volumes is a list of volumes that can be mounted by containers in a workflow.
 	Volumes []apiv1.Volume `json:"volumes,omitempty"`
 
@@ -306,6 +313,13 @@ type Template struct {
 	// ServiceAccountName to apply to workflow pods
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
+	// AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in pods.
+	// ServiceAccountName of ExecutorConfig must be specified if this value is false.
+	AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
+
+	// Executor holds configurations of the executor container.
+	Executor *ExecutorConfig `json:"executor,omitempty"`
+
 	// HostAliases is an optional list of hosts and IPs that will be injected into the pod spec
 	HostAliases []apiv1.HostAlias `json:"hostAliases,omitempty"`
 
@@ -947,6 +961,12 @@ func (h *HTTPArtifact) HasLocation() bool {
 	return h != nil && h.URL != ""
 }
 
+// ExecutorConfig holds configurations of an executor container.
+type ExecutorConfig struct {
+	// ServiceAccountName specifies the service account name of the executor container.
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+}
+
 // ScriptTemplate is a template subtype to enable scripting through code steps
 type ScriptTemplate struct {
 	apiv1.Container `json:",inline"`