Allow FedRAMP deployments to avoid default initializer identities

FedRAMP Gatekeeper can reject pods that fall back to the default service account. TidbInitializer creates a Job pod directly, so the CRD needs an explicit field that users can bind to a dedicated ServiceAccount without carrying operator-side patches.

The initializer spec now exposes serviceAccountName and passes it through to the generated Job pod template. The CRD and OpenAPI schema are updated so users can configure the field through the v1 API.

Constraint: FedRAMP block-default-service-account policy rejects implicit default service account usage
Rejected: Hardcode tidb-initializer in the manager | forces one service account name on all users and keeps requiring operator code patches
Confidence: high
Scope-risk: narrow
Directive: Keep this field as a pass-through to the Job pod spec; do not add defaulting here without checking backward compatibility
Tested: go test ./pkg/manager/member
Tested: cd pkg/apis && go test ./pingcap/v1alpha1
Tested: git diff --check

Author: tennix

manifests/crd.yaml

@@ -63536,6 +63536,8 @@ spec:
                       x-kubernetes-int-or-string: true
                     type: object
                 type: object
+              serviceAccountName:
+                type: string
               timezone:
                 type: string
               tlsClientSecretName:

manifests/crd/v1/pingcap.com_tidbinitializers.yaml

@@ -158,6 +158,8 @@ spec:
                       x-kubernetes-int-or-string: true
                     type: object
                 type: object
+              serviceAccountName:
+                type: string
               timezone:
                 type: string
               tlsClientSecretName:

pkg/apis/pingcap/v1alpha1/openapi_generated.go

@@ -73,6 +73,10 @@ type TidbInitializerSpec struct {
 	// +optional
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 
+	// ServiceAccountName is the name of the ServiceAccount to use to run TiDB initializer Pods.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
 	// permitHost is the host which will only be allowed to connect to the TiDB.
 	// +optional
 	PermitHost *string `json:"permitHost,omitempty"`

pkg/apis/pingcap/v1alpha1/tidbinitializer_types.go

@@ -353,6 +353,7 @@ func (m *tidbInitManager) makeTiDBInitJob(ti *v1alpha1.TidbInitializer) (*batchv
 		},
 		Spec: corev1.PodSpec{
 			ImagePullSecrets:             ti.Spec.ImagePullSecrets,
+			ServiceAccountName:           ti.Spec.ServiceAccountName,
 			SecurityContext:              ti.Spec.PodSecurityContext,
 			AutomountServiceAccountToken: pointer.BoolPtr(false),
 			InitContainers: []corev1.Container{

pkg/manager/member/tidb_init_manager.go

@@ -143,6 +143,21 @@ func TestMakeTiDBInitJobDisablesServiceAccountTokenAutomount(t *testing.T) {
 	g.Expect(*job.Spec.Template.Spec.AutomountServiceAccountToken).To(BeFalse())
 }
 
+func TestMakeTiDBInitJobUsesServiceAccountName(t *testing.T) {
+	g := NewGomegaWithT(t)
+	tim, _, indexers := newFakeTiDBInitManager()
+	ti := newTidbInitializerForTiDB()
+	ti.Spec.ServiceAccountName = "tidb-initializer"
+	tc := newTidbClusterForTiDB()
+
+	err := indexers.tc.Add(tc)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	job, err := tim.makeTiDBInitJob(ti)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(job.Spec.Template.Spec.ServiceAccountName).To(Equal("tidb-initializer"))
+}
+
 func newFakeTiDBInitManager() (*tidbInitManager, *tidbMemberManager, *fakeIndexers) {
 	tmm, _, _, indexers := newFakeTiDBMemberManager()
 	indexers.job = tmm.deps.KubeInformerFactory.Batch().V1().Jobs().Informer().GetIndexer()