A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th

fix race condition in serviceaccount

+10 -11
+5
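--- a/helm/hsm-secrets-operator/templates/deployment.yaml
+++ b/helm/hsm-secrets-operator/templates/deployment.yaml
@@ -64,6 +64,11 @@
 value: {{ .Values.config.defaultSyncInterval | quote }}
 - name: DEFAULT_SECRET_TYPE
 value: {{ .Values.config.defaultSecretType | quote }}
+# Inject service account name using downward API
+- name: SERVICE_ACCOUNT_NAME
+valueFrom:
+fieldRef:
+fieldPath: spec.serviceAccountName
 ports:
 {{- if .Values.metrics.enabled }}
 - name: metrics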
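Review bot: The added `- name: SERVICE_ACCOUNT_NAME` / `fieldPath: spec.serviceAccountName` block is an unstated contract with the `os.Getenv("SERVICE_ACCOUNT_NAME")` call in internal/modes/manager/manager.go, and since that code falls back to a default name when the variable is absent, renaming the variable on either side would not be noticed at startup. Suggest documenting the coupling on the new line, e.g. `# Must match the SERVICE_ACCOUNT_NAME read in internal/modes/manager/manager.go; the manager falls back to a hard-coded name if this is missing`. The indentation of the inserted lines is not recoverable from this rendering, so whether they sit inside the container's `env:` list cannot be checked here.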
+5 -11
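--- a/internal/modes/manager/manager.go
+++ b/internal/modes/manager/manager.go
@@ -17,12 +17,10 @@
 package manager
 
 import (
-"context"
 "crypto/tls"
 "flag"
 "os"
 "path/filepath"
-"time"
 
 // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 // to ensure that exec-entrypoint and run can make use of them.
@@ -329,16 +327,12 @@
 return err
 }
 
-// Get the service account name that this pod is running under
-ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-defer cancel()
-
-serviceAccountName, err := config.GetCurrentServiceAccount(ctx, mgr.GetClient())
-if err != nil {
-setupLog.Error(err, "unable to get current service account - agent and discovery pods will fail without proper RBAC")
-return err
+// Get the service account name from environment variable (injected via downward API)
+serviceAccountName := os.Getenv("SERVICE_ACCOUNT_NAME")
+if serviceAccountName == "" {
+serviceAccountName = "hsm-secrets-operator-controller-manager" // fallback default
 }
-setupLog.Info("Detected service account", "serviceAccount", serviceAccountName)
+setupLog.Info("Using service account", "serviceAccount", serviceAccountName)
 
 // Create agent manager runnable that will create the agent manager after TLS is ready
 agentManagerRunnable := NewAgentManagerRunnable(mgr.GetClient(), cfg.agentImage, operatorNamespace, serviceAccountName, setupLog)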
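Review bot: The silent fallback in the new `if serviceAccountName == ""` branch (second hunk) turns a missing-configuration error into a guessed identity: the removed `GetCurrentServiceAccount` path returned an error when the service account could not be determined, whereas now any deployment that does not inject `SERVICE_ACCOUNT_NAME` (a manifest other than the updated Helm template, or a future chart edit that drops the block) proceeds with `hsm-secrets-operator-controller-manager`, and the agent and discovery pods created from that name will only work if it happens to exist with the expected RBAC. Either fail at startup, e.g. `if serviceAccountName == "" { return fmt.Errorf("SERVICE_ACCOUNT_NAME is not set; the deployment must inject it via the downward API") }` (fmt may need adding to the import block, which is only partly visible here), or at minimum make the fallback visible with `setupLog.Info("SERVICE_ACCOUNT_NAME not set, using fallback default", "serviceAccount", serviceAccountName)` inside the branch. The commit title mentions a race condition but neither hunk says what it was; the comment on the new `os.Getenv` line would be more useful if it stated why the downward API value is preferred over the API lookup (presumably availability before the manager's client/cache is ready). The enclosing function starts and ends outside the hunk.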