feat(serviceaccount): support shared ServiceAccount across clusters and poolers#9287
❗ By default, the pull request is configured to backport to all release branches.
Force-pushed a4f2a4f to cdc0384

Force-pushed cdc0384 to f263f28
/test

@armru, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/19936223914

/test

@armru, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/19965529026
@bozkayasalihx I pushed a partial review; can you check my changes? Could you also add e2e test coverage for the pooler?

@armru I'll review your changes this weekend and add the pooler e2e test.

@bozkayasalihx, have you had a chance to review this PR?

@armru I've reviewed your PR and thanks for adding additional tests. I've added the pooler e2e test.

@armru Did you have a chance to look at the commit I sent?

@bozkayasalihx I pushed a few review commits on top of your work. The main changes are: added DNS name validation to the CRD fields, restructured e2e tests into unit tests keeping only slim smoke tests in e2e, and added a doc note about RBAC accumulation with shared ServiceAccounts. I also created #10276 to track the feature.
Force-pushed 7c1fb34 to f725e65

/test

@mnencia, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/22913622673
Add optional ServiceAccountName field to ClusterSpec and PoolerSpec to allow users to specify an existing ServiceAccount instead of having the operator create a new one. This enables sharing a single ServiceAccount across multiple clusters, which is particularly useful for cloud IAM configurations where multiple clusters need the same cloud resource access permissions. The field is mutually exclusive with ServiceAccountTemplate. If not specified, the operator will continue to create a ServiceAccount with the cluster/pooler name as before.

Signed-off-by: Salih Bozkaya <[email protected]>

Add support for specifying existing ServiceAccounts for both Cluster and Pooler resources, enabling multiple resources to share the same ServiceAccount for cloud IAM configurations.

Signed-off-by: Salih Bozkaya <[email protected]>

Add comprehensive unit tests for the ServiceAccountName functionality in both Cluster and Pooler resources.

Signed-off-by: Salih Bozkaya <[email protected]>

Add end-to-end tests to verify shared ServiceAccount functionality across multiple clusters and error handling.

Test scenarios:
- Multiple clusters sharing a single ServiceAccount
- Verify pods use the shared ServiceAccount correctly
- Validate no auto-created ServiceAccount when custom name is provided
- Confirm error handling when specified ServiceAccount doesn't exist

Includes fixture files demonstrating real-world cloud IAM use case with AWS IRSA annotation example.

Signed-off-by: Salih Bozkaya <[email protected]>

…s_sa.yaml`

Signed-off-by: Salih Bozkaya <[email protected]>
Signed-off-by: Armando Ruocco <[email protected]>
Signed-off-by: Salih Bozkaya <[email protected]>
Signed-off-by: Armando Ruocco <[email protected]>
Signed-off-by: Salih Bozkaya <[email protected]>
Signed-off-by: Salih Bozkaya <[email protected]>
…ability

Change Pooler's ServiceAccountName from *string to string to match the Cluster API convention, eliminating inconsistent nil-checking patterns and unnecessary pointer deepcopy logic. Add CEL immutability validation (self == oldSelf) to prevent changes to serviceAccountName after creation, consistent with the Cluster field behavior. Also adds documentation for Pooler shared ServiceAccount usage in the security docs.

Signed-off-by: Armando Ruocco <[email protected]>
Signed-off-by: Marco Nenciarini <[email protected]>
Signed-off-by: Marco Nenciarini <[email protected]>
Assisted-by: Claude Opus 4.6
Signed-off-by: Marco Nenciarini <[email protected]>
Signed-off-by: Marco Nenciarini <[email protected]>
Add RoleBinding subjects verification to rolebinding_test.go and pgbouncer/rbac_test.go, cluster controller RoleBinding test with custom SA, and pooler controller tests for validateExistingServiceAccount and updateRBAC with custom ServiceAccount.

Assisted-by: Claude Opus 4.6
Signed-off-by: Marco Nenciarini <[email protected]>

Replace 4 e2e test scenarios per resource type with a single smoke test each that verifies the end-to-end happy path: create shared SA, create cluster/pooler referencing it, verify pods use it, delete the resource, and confirm the shared SA is preserved. Detailed assertions (RoleBinding subjects, non-existent SA handling, mixed mode) are now covered by unit tests.

Assisted-by: Claude Opus 4.6
Signed-off-by: Marco Nenciarini <[email protected]>

Add Pattern and MaxLength kubebuilder markers to ensure the serviceAccountName field conforms to Kubernetes DNS subdomain naming rules. Clarify in the field description that the ServiceAccount must be in the same namespace.

Assisted-by: Claude Opus 4.6
Signed-off-by: Marco Nenciarini <[email protected]>
Signed-off-by: Marco Nenciarini <[email protected]>
Signed-off-by: Marco Nenciarini <[email protected]>
Force-pushed f725e65 to 6882561

LGTM! Thanks
Add an optional `serviceAccountName` field to both `ClusterSpec` and `PoolerSpec` that allows referencing a pre-existing ServiceAccount instead of having the operator create one per resource. This enables one-time IAM configuration (AWS IRSA, GCP Workload Identity, Azure Workload Identity) that works across all clusters and poolers using that ServiceAccount.

When specified, the operator validates the referenced ServiceAccount exists, skips creating an operator-managed one, and uses it in pod specs, job specs, deployments, and RoleBinding subjects. The field is immutable once set, mutually exclusive with `serviceAccountTemplate` on Cluster, and validated against DNS subdomain naming rules. No breaking changes — defaults to the resource name when not specified.

Closes #10276
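The manifests below are an added illustration of the feature described in this PR; they are not part of the PR or of the CloudNativePG project's own examples. One pre-existing ServiceAccount carrying a cloud IAM annotation is referenced from two Clusters and one Pooler through `spec.serviceAccountName` (the field path is assumed from the PR's placement of the field on `ClusterSpec` and `PoolerSpec`). The resource names, the namespace and the IAM role ARN are constructed placeholders; the `eks.amazonaws.com/role-arn` annotation key is the AWS IRSA convention the PR's fixtures refer to.

```yaml
# Added example, not code from the PR or the CloudNativePG project.
# One shared ServiceAccount (constructed name/namespace) with a placeholder
# AWS IRSA role annotation; the IAM trust is configured once for this SA.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pg-cloud-access          # constructed name
  namespace: databases           # constructed namespace
  annotations:
    # Placeholder ARN: substitute the role that grants the needed cloud access
    eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/PLACEHOLDER-pg-role
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: orders-db                # constructed name
  namespace: databases
spec:
  instances: 3
  # Reference the existing ServiceAccount: the operator checks it exists in
  # this namespace, creates no operator-managed SA, and uses it in the pod
  # specs, jobs and RoleBinding subjects. Immutable once set and mutually
  # exclusive with spec.serviceAccountTemplate.
  serviceAccountName: pg-cloud-access
  storage:
    size: 1Gi
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: billing-db               # constructed name
  namespace: databases
spec:
  instances: 3
  # Second cluster reusing the same SA; no per-cluster IAM setup needed.
  serviceAccountName: pg-cloud-access
  storage:
    size: 1Gi
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
  name: orders-db-pooler         # constructed name
  namespace: databases
spec:
  cluster:
    name: orders-db
  instances: 2
  type: rw
  # Pooler pods run under the shared SA as well.
  serviceAccountName: pg-cloud-access
  pgbouncer:
    poolMode: session
```

Two consequences of this layout are worth checking before adopting it. First, the RBAC accumulation the review comments mention: the cluster RoleBindings and the pooler RoleBindings now all name `pg-cloud-access` as their subject, so every pod using it holds the union of those roles; `kubectl get rolebinding -n databases -o yaml` shows which roles have been bound to the shared subject. Second, because the ServiceAccount is not operator-managed, deleting a Cluster or Pooler leaves it (and its IAM binding) in place, and because the field is immutable, moving a resource to a different ServiceAccount means recreating that resource rather than editing it.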