keptn / lifecycle-toolkit

Toolkit for cloud-native application lifecycle management
https://keptn.sh
Apache License 2.0

Add configurable service account to KeptnTasks #1869

Closed mowies closed 9 months ago

mowies commented 1 year ago

As a user, I want to set custom service accounts on my KeptnTaskDefinitions to follow security and least privilege best practices.

Details

Add a field to the keptn task definition that contains a reference to a service account. Pass the service account reference to the underlying job so that it is used during pre/post deployment tasks.

DoD

prakrit55 commented 12 months ago

I will resolve it. @mowies pls assign it to me.

prakrit55 commented 11 months ago

Hello @mowies, I need a bit of context here since I am new to CRDs and controllers.

mowies commented 11 months ago

essentially, yes! but maybe @bacherfl can help out here with some better insights

prakrit55 commented 11 months ago

hello @bacherfl, any relevant info to initiate this would be helpful

bacherfl commented 11 months ago

Hello @prakrit55 - The place to start with this would be to add those new fields to the golang struct representing the KeptnTaskDefinition: https://github.com/keptn/lifecycle-toolkit/blob/84ae464abc789d4d464301ffd4e266136c60046b/lifecycle-operator/apis/lifecycle/v1alpha3/keptntaskdefinition_types.go#L28

Once you have updated/added the field, you need to run the following commands (in the lifecycle-operator directory) to create the manifests for the CRD:

make generate
make manifests

You also need to make sure all the CRD docs are up-to-date (this needs to be run in the base directory of the lifecycle-toolkit repo):

./.github/scripts/generate-crd-docs/generate-crd-docs.sh

Then, make sure that the CRD definition in the helm chart is up to date with the updated spec: https://github.com/keptn/lifecycle-toolkit/blob/main/helm/chart/templates/keptnevaluationdefinition-crd.yaml

Finally, you can make use of that new field in the logic of the KeptnTask controller, which creates the K8s jobs based on a task definition - this should roughly be the place where you'll need to make use of that field: https://github.com/keptn/lifecycle-toolkit/blob/84ae464abc789d4d464301ffd4e266136c60046b/lifecycle-operator/controllers/lifecycle/keptntask/job_utils.go#L19

You can use the following PR as a reference, where a new field has been added to the KeptnMetric CRD to see what needs to be updated after modifying a CRD: https://github.com/keptn/lifecycle-toolkit/pull/1900/files

prakrit55 commented 11 months ago

Hey @bacherfl, I am done with the first task. So about generating the job with the service account, shouldn't I define the service account field in keptntask_types.go and generate the CRD for KeptnTask?

bacherfl commented 11 months ago

Hi @prakrit55 - From my understanding it should not be required to also add the serviceAccount field to the KeptnTask CRD, as a KeptnTask gets all the required information from the referenced KeptnTaskDefinition when creating the job (see https://github.com/keptn/lifecycle-toolkit/blob/84ae464abc789d4d464301ffd4e266136c60046b/lifecycle-operator/controllers/lifecycle/keptntask/job_utils.go#L21C1-L21C1). So the next step would be to make use of the serviceAccount field added to the KeptnTaskDefinition and use the service account for the job running the KeptnTask.
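The two comments above describe the flow: the new field lives on the KeptnTaskDefinition, and the KeptnTask controller copies it into the Job it creates. The following is an added illustration of that step, not code from the lifecycle-toolkit repo; it uses simplified local stand-ins for the CRD spec and the Kubernetes pod spec (the real controller uses k8s.io/api types), and the field names `serviceAccount.name` are an assumption.

```go
package main

import (
	"fmt"
	"regexp"
)

// Simplified stand-ins for the CRD spec and the Kubernetes pod spec; the
// real project uses k8s.io/api types and its v1alpha3 KeptnTaskDefinition
// struct, whose exact field names are an assumption here.
type ServiceAccountSpec struct {
	Name string `json:"name"`
}

type KeptnTaskDefinitionSpec struct {
	// Optional reference to the ServiceAccount the task Job should run as.
	ServiceAccount *ServiceAccountSpec `json:"serviceAccount,omitempty"`
}

type PodSpec struct {
	ServiceAccountName string
}

// Kubernetes object names are DNS-1123 labels; checking here makes a bad
// reference fail at reconcile time with a clear message rather than later
// when the Job's pod is created.
var dns1123 = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// PodSpecForTask copies the definition's service account into the Job's pod
// template. With no reference set it names "default" explicitly, which is
// what Kubernetes assigns to a pod whose serviceAccountName is empty.
func PodSpecForTask(def KeptnTaskDefinitionSpec) (PodSpec, error) {
	name := "default"
	if def.ServiceAccount != nil && def.ServiceAccount.Name != "" {
		name = def.ServiceAccount.Name
		if !dns1123.MatchString(name) {
			return PodSpec{}, fmt.Errorf("invalid serviceAccount name %q", name)
		}
	}
	return PodSpec{ServiceAccountName: name}, nil
}

func main() {
	def := KeptnTaskDefinitionSpec{ServiceAccount: &ServiceAccountSpec{Name: "keptn-task-runner"}}
	spec, err := PodSpecForTask(def)
	fmt.Println(spec.ServiceAccountName, err) // keptn-task-runner <nil>
}
```

The dedicated account named in the definition should be bound to a Role that grants only what the pre/post-deployment task needs, so that tasks no longer inherit whatever the namespace's default account can do.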

github-actions[bot] commented 10 months ago

This issue will be unassigned in 1 week if no further activity is seen. If you are active please provide an update on the status of the issue and if you would like to continue working on it.

prakrit55 commented 9 months ago

Hey @odubajDT, I think this one can be closed.

odubajDT commented 9 months ago

@prakrit55 thanks for reminding!