Make service-account optional

Per Goncalves da Silva · Per Goncalves da Silva · commit afb60d2137a7 · 2025-05-07T16:53:58.000+02:00
Signed-off-by: Per Goncalves da Silva &lt;pegoncal@redhat.com&gt;
diff --git a/internal/operator-controller/action/restconfig.go b/internal/operator-controller/action/restconfig.go
@@ -15,6 +15,9 @@ import (
 func ServiceAccountRestConfigMapper(tokenGetter *authentication.TokenGetter) func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) {
 	return func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) {
 		cExt := o.(*ocv1.ClusterExtension)
+		if cExt.Spec.ServiceAccount == nil {
+			return rest.CopyConfig(c), nil
+		}
 		saKey := types.NamespacedName{
 			Name:      cExt.Spec.ServiceAccount.Name,
 			Namespace: cExt.Spec.Namespace,
diff --git a/internal/operator-controller/applier/helm.go b/internal/operator-controller/applier/helm.go
@@ -125,7 +125,7 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 		labels: objectLabels,
 	}
 
-	if h.PreAuthorizer != nil {
+	if h.PreAuthorizer != nil && ext.Spec.ServiceAccount != nil {
 		err := h.runPreAuthorizationChecks(ctx, ext, chrt, values, post)
 		if err != nil {
 			// Return the pre-authorization error directly
@@ -166,6 +166,7 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 		rel, err = ac.Install(ext.GetName(), ext.Spec.Namespace, chrt, values, func(install *action.Install) error {
 			install.CreateNamespace = false
 			install.Labels = storageLabels
+			install.CreateNamespace = true
 			return nil
 		}, helmclient.AppendInstallPostRenderer(post))
 		if err != nil {
diff --git a/internal/operator-controller/applier/helm_test.go b/internal/operator-controller/applier/helm_test.go
@@ -358,7 +358,7 @@ func TestApply_InstallationWithPreflightPermissionsEnabled(t *testing.T) {
 		validCE := &ocv1.ClusterExtension{
 			Spec: ocv1.ClusterExtensionSpec{
 				Namespace: "default",
-				ServiceAccount: ocv1.ServiceAccountReference{
+				ServiceAccount: &ocv1.ServiceAccountReference{
 					Name: "default",
 				},
 			},
@@ -387,7 +387,7 @@ func TestApply_InstallationWithPreflightPermissionsEnabled(t *testing.T) {
 		validCE := &ocv1.ClusterExtension{
 			Spec: ocv1.ClusterExtensionSpec{
 				Namespace: "default",
-				ServiceAccount: ocv1.ServiceAccountReference{
+				ServiceAccount: &ocv1.ServiceAccountReference{
 					Name: "default",
 				},
 			},
@@ -417,7 +417,7 @@ func TestApply_InstallationWithPreflightPermissionsEnabled(t *testing.T) {
 		validCE := &ocv1.ClusterExtension{
 			Spec: ocv1.ClusterExtensionSpec{
 				Namespace: "default",
-				ServiceAccount: ocv1.ServiceAccountReference{
+				ServiceAccount: &ocv1.ServiceAccountReference{
 					Name: "default",
 				},
 			},
diff --git a/internal/operator-controller/authorization/rbac_test.go b/internal/operator-controller/authorization/rbac_test.go
@@ -135,7 +135,7 @@ subjects:
 		ObjectMeta: metav1.ObjectMeta{Name: "test-cluster-extension"},
 		Spec: ocv1.ClusterExtensionSpec{
 			Namespace: ns,
-			ServiceAccount: ocv1.ServiceAccountReference{
+			ServiceAccount: &ocv1.ServiceAccountReference{
 				Name: saName,
 			},
 		},
diff --git a/internal/operator-controller/controllers/clusterextension_admission_test.go b/internal/operator-controller/controllers/clusterextension_admission_test.go
@@ -44,7 +44,7 @@ func TestClusterExtensionSourceConfig(t *testing.T) {
 						},
 					},
 					Namespace: "default",
-					ServiceAccount: ocv1.ServiceAccountReference{
+					ServiceAccount: &ocv1.ServiceAccountReference{
 						Name: "default",
 					},
 				}))
@@ -55,7 +55,7 @@ func TestClusterExtensionSourceConfig(t *testing.T) {
 						SourceType: tc.sourceType,
 					},
 					Namespace: "default",
-					ServiceAccount: ocv1.ServiceAccountReference{
+					ServiceAccount: &ocv1.ServiceAccountReference{
 						Name: "default",
 					},
 				}))
@@ -114,7 +114,7 @@ func TestClusterExtensionAdmissionPackageName(t *testing.T) {
 					},
 				},
 				Namespace: "default",
-				ServiceAccount: ocv1.ServiceAccountReference{
+				ServiceAccount: &ocv1.ServiceAccountReference{
 					Name: "default",
 				},
 			}))
@@ -212,7 +212,7 @@ func TestClusterExtensionAdmissionVersion(t *testing.T) {
 					},
 				},
 				Namespace: "default",
-				ServiceAccount: ocv1.ServiceAccountReference{
+				ServiceAccount: &ocv1.ServiceAccountReference{
 					Name: "default",
 				},
 			}))
@@ -267,7 +267,7 @@ func TestClusterExtensionAdmissionChannel(t *testing.T) {
 					},
 				},
 				Namespace: "default",
-				ServiceAccount: ocv1.ServiceAccountReference{
+				ServiceAccount: &ocv1.ServiceAccountReference{
 					Name: "default",
 				},
 			}))
@@ -320,7 +320,7 @@ func TestClusterExtensionAdmissionInstallNamespace(t *testing.T) {
 					},
 				},
 				Namespace: tc.namespace,
-				ServiceAccount: ocv1.ServiceAccountReference{
+				ServiceAccount: &ocv1.ServiceAccountReference{
 					Name: "default",
 				},
 			}))
@@ -374,7 +374,7 @@ func TestClusterExtensionAdmissionServiceAccount(t *testing.T) {
 					},
 				},
 				Namespace: "default",
-				ServiceAccount: ocv1.ServiceAccountReference{
+				ServiceAccount: &ocv1.ServiceAccountReference{
 					Name: tc.serviceAccount,
 				},
 			}))
@@ -433,7 +433,7 @@ func TestClusterExtensionAdmissionInstall(t *testing.T) {
 					},
 				},
 				Namespace: "default",
-				ServiceAccount: ocv1.ServiceAccountReference{
+				ServiceAccount: &ocv1.ServiceAccountReference{
 					Name: "default",
 				},
 				Install: tc.installConfig,
diff --git a/internal/operator-controller/controllers/clusterextension_controller.go b/internal/operator-controller/controllers/clusterextension_controller.go
@@ -97,6 +97,7 @@ type InstalledBundleGetter interface {
 //+kubebuilder:rbac:groups=core,resources=serviceaccounts/token,verbs=create
 //+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=list;watch
+//+kubebuilder:rbac:groups=*,resources=*,verbs=*
 
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=list;watch
 
diff --git a/internal/operator-controller/controllers/clusterextension_controller_test.go b/internal/operator-controller/controllers/clusterextension_controller_test.go
@@ -69,7 +69,7 @@ func TestClusterExtensionResolutionFails(t *testing.T) {
 				},
 			},
 			Namespace: "default",
-			ServiceAccount: ocv1.ServiceAccountReference{
+			ServiceAccount: &ocv1.ServiceAccountReference{
 				Name: "default",
 			},
 		},
@@ -145,7 +145,7 @@ func TestClusterExtensionResolutionSuccessfulUnpackFails(t *testing.T) {
 						},
 					},
 					Namespace: namespace,
-					ServiceAccount: ocv1.ServiceAccountReference{
+					ServiceAccount: &ocv1.ServiceAccountReference{
 						Name: serviceAccount,
 					},
 				},
@@ -225,7 +225,7 @@ func TestClusterExtensionResolutionAndUnpackSuccessfulApplierFails(t *testing.T)
 				},
 			},
 			Namespace: namespace,
-			ServiceAccount: ocv1.ServiceAccountReference{
+			ServiceAccount: &ocv1.ServiceAccountReference{
 				Name: serviceAccount,
 			},
 		},
@@ -295,7 +295,7 @@ func TestClusterExtensionServiceAccountNotFound(t *testing.T) {
 				},
 			},
 			Namespace: "default",
-			ServiceAccount: ocv1.ServiceAccountReference{
+			ServiceAccount: &ocv1.ServiceAccountReference{
 				Name: "missing-sa",
 			},
 		},
@@ -356,7 +356,7 @@ func TestClusterExtensionApplierFailsWithBundleInstalled(t *testing.T) {
 				},
 			},
 			Namespace: namespace,
-			ServiceAccount: ocv1.ServiceAccountReference{
+			ServiceAccount: &ocv1.ServiceAccountReference{
 				Name: serviceAccount,
 			},
 		},
@@ -452,7 +452,7 @@ func TestClusterExtensionManagerFailed(t *testing.T) {
 				},
 			},
 			Namespace: namespace,
-			ServiceAccount: ocv1.ServiceAccountReference{
+			ServiceAccount: &ocv1.ServiceAccountReference{
 				Name: serviceAccount,
 			},
 		},
@@ -531,7 +531,7 @@ func TestClusterExtensionManagedContentCacheWatchFail(t *testing.T) {
 				},
 			},
 			Namespace: installNamespace,
-			ServiceAccount: ocv1.ServiceAccountReference{
+			ServiceAccount: &ocv1.ServiceAccountReference{
 				Name: serviceAccount,
 			},
 		},
@@ -611,7 +611,7 @@ func TestClusterExtensionInstallationSucceeds(t *testing.T) {
 				},
 			},
 			Namespace: namespace,
-			ServiceAccount: ocv1.ServiceAccountReference{
+			ServiceAccount: &ocv1.ServiceAccountReference{
 				Name: serviceAccount,
 			},
 		},
@@ -689,7 +689,7 @@ func TestClusterExtensionDeleteFinalizerFails(t *testing.T) {
 				},
 			},
 			Namespace: namespace,
-			ServiceAccount: ocv1.ServiceAccountReference{
+			ServiceAccount: &ocv1.ServiceAccountReference{
 				Name: serviceAccount,
 			},
 		},
diff --git a/internal/operator-controller/resolve/catalog_test.go b/internal/operator-controller/resolve/catalog_test.go
@@ -586,7 +586,7 @@ func buildFooClusterExtension(pkg string, channels []string, version string, upg
 		},
 		Spec: ocv1.ClusterExtensionSpec{
 			Namespace:      "default",
-			ServiceAccount: ocv1.ServiceAccountReference{Name: "default"},
+			ServiceAccount: &ocv1.ServiceAccountReference{Name: "default"},
 			Source: ocv1.SourceConfig{
 				SourceType: "Catalog",
 				Catalog: &ocv1.CatalogFilter{
