add controller for downloads service account deletion logic

ehearne-redhat · ehearne-redhat · commit 0504779983e3 · 2026-02-16T09:37:17.000Z
diff --git a/bindata/assets/deployments/downloads-deployment.yaml b/bindata/assets/deployments/downloads-deployment.yaml
@@ -8,7 +8,6 @@ metadata:
     component: downloads
   annotations: {}
 spec:
-  serviceAccountName: downloads
   selector:
     matchLabels:
       app: console
@@ -25,6 +24,7 @@ spec:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
         openshift.io/required-scc: restricted-v2
     spec:
+      serviceAccountName: downloads
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""
diff --git a/bindata/assets/serviceaccounts/downloads-sa.yaml b/bindata/assets/serviceaccounts/downloads-sa.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: downloads
+  namespace: openshift-console
+  annotations:
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    capability.openshift.io/name: Console
diff --git a/manifests/03-rbac-role-cluster.yaml b/manifests/03-rbac-role-cluster.yaml
@@ -148,6 +148,17 @@ rules:
       - list
       - watch
       - delete
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+      - delete
+      - create
+      - update
+      - watch
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/manifests/06-sa.yaml b/manifests/06-sa.yaml
@@ -21,16 +21,4 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     include.release.openshift.io/single-node-developer: "true"
     capability.openshift.io/name: Console
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: downloads
-  namespace: openshift-console
-  annotations:
-    include.release.openshift.io/hypershift: "true"
-    include.release.openshift.io/ibm-cloud-managed: "true"
-    include.release.openshift.io/self-managed-high-availability: "true"
-    include.release.openshift.io/single-node-developer: "true"
-    capability.openshift.io/name: Console
 ---
diff --git a/pkg/console/controllers/downloadsserviceaccount/controller.go b/pkg/console/controllers/downloadsserviceaccount/controller.go
@@ -0,0 +1,115 @@
+package downloadsserviceaccount
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	coreinformersv1 "k8s.io/client-go/informers/core/v1"
+	coreclientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/klog/v2"
+
+	operatorv1 "github.com/openshift/api/operator/v1"
+	operatorinformerv1 "github.com/openshift/client-go/operator/informers/externalversions/operator/v1"
+	operatorlistersv1 "github.com/openshift/client-go/operator/listers/operator/v1"
+	"github.com/openshift/console-operator/pkg/api"
+	"github.com/openshift/console-operator/pkg/console/controllers/util"
+	"github.com/openshift/console-operator/pkg/console/status"
+	serviceaccountsub "github.com/openshift/console-operator/pkg/console/subresource/serviceaccount"
+	"github.com/openshift/library-go/pkg/controller/factory"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+	"github.com/openshift/library-go/pkg/operator/v1helpers"
+)
+
+type DownloadsServiceAccountSyncController struct {
+	operatorClient v1helpers.OperatorClient
+	// configs
+	consoleOperatorLister operatorlistersv1.ConsoleLister
+	// core kube
+	serviceAccountClient coreclientv1.ServiceAccountsGetter
+}
+
+func NewDownloadsServiceAccountSyncController(
+	// clients
+	operatorClient v1helpers.OperatorClient,
+	// informer
+	operatorConfigInformer operatorinformerv1.ConsoleInformer,
+	// core kube
+	serviceAccountClient coreclientv1.ServiceAccountsGetter,
+	serviceAccountInformer coreinformersv1.ServiceAccountInformer,
+	// events
+	recorder events.Recorder,
+) factory.Controller {
+	ctrl := &DownloadsServiceAccountSyncController{
+		// configs
+		operatorClient:        operatorClient,
+		consoleOperatorLister: operatorConfigInformer.Lister(),
+		// client
+		serviceAccountClient: serviceAccountClient,
+	}
+
+	configNameFilter := util.IncludeNamesFilter(api.ConfigResourceName)
+	downloadsNameFilter := util.IncludeNamesFilter(api.DownloadsResourceName)
+
+	return factory.New().
+		WithFilteredEventsInformers( // configs
+			configNameFilter,
+			operatorConfigInformer.Informer(),
+		).WithFilteredEventsInformers( // downloads service account
+		downloadsNameFilter,
+		serviceAccountInformer.Informer(),
+	).ResyncEvery(time.Minute).WithSync(ctrl.Sync).
+		ToController("ConsoleDownloadsServiceAccountSyncController", recorder.WithComponentSuffix("console-downloads-service-account-controller"))
+}
+
+func (c *DownloadsServiceAccountSyncController) Sync(ctx context.Context, controllerContext factory.SyncContext) error {
+	operatorConfig, err := c.consoleOperatorLister.Get(api.ConfigResourceName)
+	if err != nil {
+		return err
+	}
+	operatorConfigCopy := operatorConfig.DeepCopy()
+
+	switch operatorConfigCopy.Spec.ManagementState {
+	case operatorv1.Managed:
+		klog.V(4).Infoln("console is in a managed state: syncing downloads service account")
+	case operatorv1.Unmanaged:
+		klog.V(4).Infoln("console is in an unmanaged state: skipping downloads service account sync")
+		return nil
+	case operatorv1.Removed:
+		klog.V(4).Infoln("console is in a removed state: removing downloads service account")
+		return c.removeDownloadsServiceAccount(ctx)
+	default:
+		return fmt.Errorf("unknown state: %v", operatorConfigCopy.Spec.ManagementState)
+	}
+	statusHandler := status.NewStatusHandler(c.operatorClient)
+
+	_, _, serviceAccountErr := c.SyncDownloadsServiceAccount(ctx, operatorConfigCopy, controllerContext)
+	statusHandler.AddConditions(status.HandleProgressingOrDegraded("DownloadsServiceAccountSync", "FailedApply", serviceAccountErr))
+	if serviceAccountErr != nil {
+		return statusHandler.FlushAndReturn(serviceAccountErr)
+	}
+
+	return statusHandler.FlushAndReturn(nil)
+}
+
+func (c *DownloadsServiceAccountSyncController) SyncDownloadsServiceAccount(ctx context.Context, operatorConfigCopy *operatorv1.Console, controllerContext factory.SyncContext) (*corev1.ServiceAccount, bool, error) {
+	requiredDownloadsServiceAccount := serviceaccountsub.DefaultDownloadsServiceAccount(operatorConfigCopy)
+
+	return resourceapply.ApplyServiceAccount(ctx,
+		c.serviceAccountClient,
+		controllerContext.Recorder(),
+		requiredDownloadsServiceAccount,
+	)
+}
+
+func (c *DownloadsServiceAccountSyncController) removeDownloadsServiceAccount(ctx context.Context) error {
+	err := c.serviceAccountClient.ServiceAccounts(api.OpenShiftConsoleNamespace).Delete(ctx, api.DownloadsResourceName, metav1.DeleteOptions{})
+	if apierrors.IsNotFound(err) {
+		return nil
+	}
+	return err
+}
diff --git a/pkg/console/starter/starter.go b/pkg/console/starter/starter.go
@@ -30,6 +30,7 @@ import (
 	"github.com/openshift/console-operator/pkg/console/controllers/clidownloads"
 	"github.com/openshift/console-operator/pkg/console/controllers/clioidcclientstatus"
 	"github.com/openshift/console-operator/pkg/console/controllers/downloadsdeployment"
+	"github.com/openshift/console-operator/pkg/console/controllers/downloadsserviceaccount"
 	"github.com/openshift/console-operator/pkg/console/controllers/healthcheck"
 	"github.com/openshift/console-operator/pkg/console/controllers/migration"
 	"github.com/openshift/console-operator/pkg/console/controllers/oauthclients"
@@ -338,6 +339,17 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 		recorder,
 	)
 
+	downloadsServiceAccountController := downloadsserviceaccount.NewDownloadsServiceAccountSyncController(
+		// clients
+		operatorClient,
+		// operator
+		operatorConfigInformers.Operator().V1().Consoles(),
+		// service accounts
+		kubeClient.CoreV1(),
+		kubeInformersNamespaced.Core().V1().ServiceAccounts(),
+		recorder,
+	)
+
 	cliDownloadsController := clidownloads.NewCLIDownloadsSyncController(
 		// top level config
 		configClient.ConfigV1(),
@@ -639,6 +651,7 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 		consoleOperator,
 		cliDownloadsController,
 		downloadsDeploymentController,
+		downloadsServiceAccountController,
 		consoleRouteHealthCheckController,
 		consolePDBController,
 		downloadsPDBController,
diff --git a/pkg/console/subresource/serviceaccount/serviceaccount.go b/pkg/console/subresource/serviceaccount/serviceaccount.go
@@ -0,0 +1,18 @@
+package serviceaccount
+
+import (
+	corev1 "k8s.io/api/core/v1"
+
+	operatorv1 "github.com/openshift/api/operator/v1"
+	"github.com/openshift/console-operator/bindata"
+	"github.com/openshift/console-operator/pkg/console/subresource/util"
+	"github.com/openshift/library-go/pkg/operator/resource/resourceread"
+)
+
+func DefaultDownloadsServiceAccount(operatorConfig *operatorv1.Console) *corev1.ServiceAccount {
+	serviceAccount := resourceread.ReadServiceAccountV1OrDie(
+		bindata.MustAsset("assets/serviceaccounts/downloads-sa.yaml"),
+	)
+	util.AddOwnerRef(serviceAccount, util.OwnerRefFrom(operatorConfig))
+	return serviceAccount
+}
