Skip to content

Preserve ServiceAccount annotations during CSV update #3610

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Preserve ServiceAccount annotations during CSV update #3610

wants to merge 1 commit into from
+247 −1

Conversation

kaovilai
Copy link

@kaovilai kaovilai commented Jul 8, 2025

Description of the change:
Modified the EnsureServiceAccount function in pkg/controller/operators/catalog/step_ensurer.go to preserve existing annotations on ServiceAccounts during CSV updates. The implementation merges existing annotations with new ones, giving precedence to new annotations in case of conflicts.

Motivation for the change:
Currently, when a ClusterServiceVersion (CSV) is updated, the EnsureServiceAccount function reconciles the associated ServiceAccount but does not preserve existing annotations. This leads to the loss of important annotations that may have been added by users or other controllers.

Architectural changes:
No architectural changes. This is a small enhancement to the existing EnsureServiceAccount function to preserve annotations similar to how it already preserves Secrets and OwnerReferences.

Testing remarks:

  • Added comprehensive unit tests in step_ensurer_test.go covering:
    • Creating new service accounts with annotations
    • Preserving existing annotations during updates
    • Handling annotation conflicts (new annotations take precedence)
    • Preserving secrets during updates
    • Error handling scenarios
  • All tests pass successfully

Closes #3607

@openshift-ci openshift-ci bot requested review from anik120 and oceanc80 July 8, 2025 14:08
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 8, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign anik120 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 8, 2025

Hi @kaovilai. Thanks for your PR.

I'm waiting for a operator-framework member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 8, 2025
@kaovilai kaovilai force-pushed the fix-serviceaccount-annotations-3607 branch 2 times, most recently from 0fda9a2 to 5970407 Compare July 8, 2025 14:16
@grokspawn
Copy link
Contributor

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 8, 2025
@kaovilai
Preserve ServiceAccount annotations during CSV update
e910a91 
Fixes operator-framework#3607

When a ClusterServiceVersion (CSV) is updated, the EnsureServiceAccount
function now preserves existing annotations on the ServiceAccount. This
prevents the loss of important annotations that may have been added by
users or other controllers.

The fix merges existing annotations from the old ServiceAccount with
annotations from the new ServiceAccount object, giving precedence to
the new annotations in case of conflicts.

Signed-off-by: Tiger Kaovilai <[email protected]>

Add unit tests for ServiceAccount annotation preservation

Added comprehensive unit tests for the EnsureServiceAccount function
to verify that annotations are properly preserved during updates.
The tests cover:
- Creating new service accounts
- Preserving existing annotations during updates
- Handling annotation conflicts (new annotations take precedence)
- Preserving secrets during updates
- Error handling scenarios

Signed-off-by: Tiger Kaovilai <[email protected]>
@kaovilai kaovilai force-pushed the fix-serviceaccount-annotations-3607 branch from 5970407 to e910a91 Compare July 8, 2025 14:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anik120 anik120 Awaiting requested review from anik120

@oceanc80 oceanc80 Awaiting requested review from oceanc80

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
ok-to-test Indicates a non-member PR verified by an org member that is safe to test.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ServiceAccount annotations are not preserved during CSV update
2 participants
@kaovilai @grokspawn