operator: modify service accounts and role bindings to be shared

Additional objects are shared between device plugin CRs. Once the last
CR is removed, the additional objects are also removed.

Signed-off-by: Tuomas Katila <[email protected]>

Author: tkatila

pkg/controllers/gpu/controller.go

@@ -37,9 +37,9 @@ import (
 )
 
 const (
-	ownerKey             = ".metadata.controller.gpu"
-	serviceAccountPrefix = "gpu-manager-sa"
-	roleBindingPrefix    = "gpu-manager-rolebinding"
+	ownerKey           = ".metadata.controller.gpu"
+	serviceAccountName = "gpu-manager-sa"
+	roleBindingName    = "gpu-manager-rolebinding"
 )
 
 var defaultNodeSelector = deployments.GPUPluginDaemonSet().Spec.Template.Spec.NodeSelector
@@ -76,48 +76,54 @@ func (c *controller) Upgrade(ctx context.Context, obj client.Object) bool {
 	return controllers.UpgradeImages(ctx, &dp.Spec.Image, &dp.Spec.InitImage)
 }
 
-func (c *controller) NewServiceAccount(rawObj client.Object) *v1.ServiceAccount {
-	devicePlugin := rawObj.(*devicepluginv1.GpuDevicePlugin)
-	if devicePlugin.Spec.ResourceManager {
-		sa := v1.ServiceAccount{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      prefixedName(serviceAccountPrefix, devicePlugin.Name),
+func (c *controller) NewSharedServiceAccount() *v1.ServiceAccount {
+	return &v1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      serviceAccountName,
+			Namespace: c.ns,
+		},
+	}
+}
+
+func (c *controller) NewSharedClusterRoleBinding() *rbacv1.ClusterRoleBinding {
+	return &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      roleBindingName,
+			Namespace: c.ns,
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      serviceAccountName,
 				Namespace: c.ns,
 			},
-		}
-
-		return &sa
+		},
+		RoleRef: rbacv1.RoleRef{
+			Kind:     "ClusterRole",
+			Name:     "inteldeviceplugins-gpu-manager-role",
+			APIGroup: "rbac.authorization.k8s.io",
+		},
 	}
+}
 
-	return nil
+func (c *controller) PluginMayRequireSharedObjects() bool {
+	return true
 }
 
-func (c *controller) NewClusterRoleBinding(rawObj client.Object) *rbacv1.ClusterRoleBinding {
-	devicePlugin := rawObj.(*devicepluginv1.GpuDevicePlugin)
-	if devicePlugin.Spec.ResourceManager {
-		rb := rbacv1.ClusterRoleBinding{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      prefixedName(roleBindingPrefix, devicePlugin.Name),
-				Namespace: c.ns,
-			},
-			Subjects: []rbacv1.Subject{
-				{
-					Kind:      "ServiceAccount",
-					Name:      prefixedName(serviceAccountPrefix, devicePlugin.Name),
-					Namespace: c.ns,
-				},
-			},
-			RoleRef: rbacv1.RoleRef{
-				Kind:     "ClusterRole",
-				Name:     "inteldeviceplugins-gpu-manager-role",
-				APIGroup: "rbac.authorization.k8s.io",
-			},
-		}
+func (c *controller) PluginRequiresSharedObjects(ctx context.Context, client client.Client) bool {
+	var list devicepluginv1.GpuDevicePluginList
 
-		return &rb
+	if err := client.List(ctx, &list); err != nil {
+		return false
 	}
 
-	return nil
+	for _, cr := range list.Items {
+		if cr.Spec.ResourceManager {
+			return true
+		}
+	}
+
+	return false
 }
 
 func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
@@ -143,7 +149,7 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 
 	// add service account if resource manager is enabled
 	if devicePlugin.Spec.ResourceManager {
-		daemonSet.Spec.Template.Spec.ServiceAccountName = prefixedName(serviceAccountPrefix, devicePlugin.Name)
+		daemonSet.Spec.Template.Spec.ServiceAccountName = serviceAccountName
 		addVolumeIfMissing(&daemonSet.Spec.Template.Spec, "podresources", "/var/lib/kubelet/pod-resources", v1.HostPathDirectory)
 		addVolumeMountIfMissing(&daemonSet.Spec.Template.Spec, "podresources", "/var/lib/kubelet/pod-resources", false)
 		addVolumeIfMissing(&daemonSet.Spec.Template.Spec, "kubeletcrt", "/var/lib/kubelet/pki/kubelet.crt", v1.HostPathFileOrCreate)
@@ -324,7 +330,7 @@ func (c *controller) UpdateDaemonSet(rawObj client.Object, ds *apps.DaemonSet) (
 
 	newServiceAccountName := "default"
 	if dp.Spec.ResourceManager {
-		newServiceAccountName = prefixedName(serviceAccountPrefix, dp.Name)
+		newServiceAccountName = serviceAccountName
 	}
 
 	if ds.Spec.Template.Spec.ServiceAccountName != newServiceAccountName {

pkg/controllers/gpu/controller_test.go

@@ -146,7 +146,7 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 
 	// add service account if resource manager is enabled
 	if devicePlugin.Spec.ResourceManager {
-		daemonSet.Spec.Template.Spec.ServiceAccountName = serviceAccountPrefix + "-" + devicePlugin.Name
+		daemonSet.Spec.Template.Spec.ServiceAccountName = serviceAccountName
 
 		addVolumeIfMissing(&daemonSet.Spec.Template.Spec, "podresources", "/var/lib/kubelet/pod-resources", v1.HostPathDirectory)
 		addVolumeMountIfMissing(&daemonSet.Spec.Template.Spec, "podresources", "/var/lib/kubelet/pod-resources", false)
@@ -169,7 +169,7 @@ func (c *controller) updateDaemonSetExpected(rawObj client.Object, ds *apps.Daem
 	hadRM := strings.Contains(argString, "-resource-manager")
 
 	if !hadRM && dp.Spec.ResourceManager {
-		ds.Spec.Template.Spec.ServiceAccountName = serviceAccountPrefix + "-" + dp.Name
+		ds.Spec.Template.Spec.ServiceAccountName = serviceAccountName
 
 		addVolumeIfMissing(&ds.Spec.Template.Spec, "podresources", "/var/lib/kubelet/pod-resources", v1.HostPathDirectory)
 		addVolumeMountIfMissing(&ds.Spec.Template.Spec, "podresources", "/var/lib/kubelet/pod-resources", false)