From b447f6761b00bbf5d39b8cab3b3ec348cae291d9 Mon Sep 17 00:00:00 2001 
From: Wolodja Wentland
Date: Thu, 26 Oct 2023 11:35:10 +0200
Subject: [PATCH] [release-1.28] [occm] Use standard service account name in OCCM helm chart (#2447)

* Use standard service account name in OCCM helm chart (#2332)

This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain manifests
- Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers:

```
E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place.
See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- https://github.com/kubernetes/cloud-provider-openstack/issues/2049
- https://github.com/kubernetes/cloud-provider-openstack/issues/1722
- https://github.com/kubernetes/cloud-provider-openstack/pull/1755

Signed-off-by: Wolodja Wentland

* Remove spurious whitespace in OCCM values file (#2347)

The space character was sadly introduced in an earlier PR and had not been picked up by the helm linter, presumably because the GHA did not run.

Signed-off-by: Wolodja Wentland

---------

Signed-off-by: Wolodja Wentland
Signed-off-by: Wolodja Wentland
---
 charts/openstack-cloud-controller-manager/Chart.yaml | 2 +-
 .../templates/clusterrole.yaml | 2 +-
 .../templates/clusterrolebinding.yaml | 7 ++++---
 .../templates/daemonset.yaml | 2 +-
 .../templates/serviceaccount.yaml | 2 +-
 charts/openstack-cloud-controller-manager/values.yaml | 4 ++++
 6 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/charts/openstack-cloud-controller-manager/Chart.yaml b/charts/openstack-cloud-controller-manager/Chart.yaml
index 5e8de5985c..8575befcd1 100644
--- a/charts/openstack-cloud-controller-manager/Chart.yaml
+++ b/charts/openstack-cloud-controller-manager/Chart.yaml
@@ -4,7 +4,7 @@ description: Openstack Cloud Controller Manager Helm Chart
 icon: https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/OpenStack-Logo-Vertical.png
 home: https://github.com/kubernetes/cloud-provider-openstack
 name: openstack-cloud-controller-manager
-version: 2.28.1
+version: 2.28.2
 maintainers:
   - name: eumel8
     email: f.kloeker@telekom.de
diff --git a/charts/openstack-cloud-controller-manager/templates/clusterrole.yaml b/charts/openstack-cloud-controller-manager/templates/clusterrole.yaml
index 7eee6c4e40..6786931f41 100644
--- a/charts/openstack-cloud-controller-manager/templates/clusterrole.yaml
+++ b/charts/openstack-cloud-controller-manager/templates/clusterrole.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:openstack-cloud-controller-manager
+  name: {{ .Values.clusterRoleName }}
   annotations:
     {{- with .Values.commonAnnotations }}
     {{- toYaml . | nindent 4 }}
diff --git a/charts/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml b/charts/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml
index f19f0ef929..a572710908 100644
--- a/charts/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml
+++ b/charts/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml
@@ -1,7 +1,8 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:openstack-cloud-controller-manager
+  name: {{ .Values.clusterRoleName }}
   annotations:
     {{- with .Values.commonAnnotations }}
     {{- toYaml . | nindent 4 }}
@@ -9,8 +10,8 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:openstack-cloud-controller-manager
+  name: {{ .Values.clusterRoleName }}
 subjects:
   - kind: ServiceAccount
-    name: openstack-cloud-controller-manager
+    name: {{ .Values.serviceAccountName }}
     namespace: {{ .Release.Namespace | quote }}
diff --git a/charts/openstack-cloud-controller-manager/templates/daemonset.yaml b/charts/openstack-cloud-controller-manager/templates/daemonset.yaml
index aad6808177..aa2006e0d4 100644
--- a/charts/openstack-cloud-controller-manager/templates/daemonset.yaml
+++ b/charts/openstack-cloud-controller-manager/templates/daemonset.yaml
@@ -37,7 +37,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: openstack-cloud-controller-manager
+      serviceAccountName: {{ .Values.serviceAccountName }}
       containers:
         - name: openstack-cloud-controller-manager
           image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
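Review bot: The new `name: {{ .Values.clusterRoleName }}` renders the value as a plain YAML scalar, so an unset or empty override produces `name:` (null) and the error only surfaces when the API server rejects the ClusterRole; the same gap applies to every templated name in this patch (clusterrolebinding.yaml, both hunks; daemonset.yaml; serviceaccount.yaml), and for the DaemonSet an empty `serviceAccountName` is not an error at all because the pod then silently runs as the namespace's `default` account. The binding template already writes `namespace: {{ .Release.Namespace | quote }}`, so the names should be rendered the same way and a missing value should fail at render time: `name: {{ required "clusterRoleName must be set" .Values.clusterRoleName | quote }}` for the role/binding lines and `serviceAccountName: {{ required "serviceAccountName must be set" .Values.serviceAccountName | quote }}` in the DaemonSet. The ClusterRole's rules are outside this hunk, so whether they cover what the renamed account needs under `--use-service-account-credentials=true` cannot be checked here.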
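Review bot: The `---` document start added at line 1 of clusterrolebinding.yaml is not mirrored in clusterrole.yaml or serviceaccount.yaml, whose hunks in this patch show `apiVersion` on line 1, and the commit message does not mention it. Either drop the `+---` here or add the separator to the sibling templates so the chart renders its documents consistently. The binding's own `metadata.name` reusing `.Values.clusterRoleName` is fine as long as that is documented as intentional, since it ties the binding's cluster-scoped name to the role's.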
diff --git a/charts/openstack-cloud-controller-manager/templates/serviceaccount.yaml b/charts/openstack-cloud-controller-manager/templates/serviceaccount.yaml
index e24737e164..f97f1c8a65 100644
--- a/charts/openstack-cloud-controller-manager/templates/serviceaccount.yaml
+++ b/charts/openstack-cloud-controller-manager/templates/serviceaccount.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: openstack-cloud-controller-manager
+  name: {{ .Values.serviceAccountName }}
   namespace: {{ .Release.Namespace }}
   annotations:
     {{- with .Values.commonAnnotations }}
diff --git a/charts/openstack-cloud-controller-manager/values.yaml b/charts/openstack-cloud-controller-manager/values.yaml
index af3304713e..40898dad7e 100644
--- a/charts/openstack-cloud-controller-manager/values.yaml
+++ b/charts/openstack-cloud-controller-manager/values.yaml
@@ -130,3 +130,7 @@ extraVolumeMounts:
 # cluster name that used for created cluster
 cluster:
   name: kubernetes
+
+clusterRoleName: system:cloud-controller-manager
+
+serviceAccountName: cloud-controller-manager
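Review bot: The two new keys at the end of values.yaml carry no comment while the neighbouring `cluster.name` does, and their values are load-bearing for RBAC: the commit message shows the controller requesting a client for the fixed name `cloud-controller-manager`, so `serviceAccountName` must stay in step with that whenever `--use-service-account-credentials` is true. Suggested comments above each key: `# Name of the ClusterRole and ClusterRoleBinding created by the chart (cluster-scoped, so it must be unique per cluster)` and `# Name of the ServiceAccount the controller pods run as; with --use-service-account-credentials=true it must match the account name the controller requests (cloud-controller-manager)`. Changing the defaults also renames existing resources, so on upgrade Helm removes the old `openstack-cloud-controller-manager` account and `system:openstack-cloud-controller-manager` role and any RoleBinding or policy created outside the chart against those names stops matching; a short migration line in the chart README or NOTES would help, and the patch-level bump to 2.28.2 in Chart.yaml arguably understates the change.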