
Add serviceAccountName to TidbInitializer#6872

Merged

ti-chi-bot[bot] merged 1 commit into release-1.x from fix-tidb-initializer-service-account on May 9, 2026

Conversation

@tennix
Member

@tennix tennix commented Apr 29, 2026

What problem does this PR solve?

The FedRAMP Gatekeeper block-default-service-account policy rejects pods that use the default ServiceAccount. The TidbInitializer Job pod did not expose a way to set spec.serviceAccountName, so users had to patch operator code or rely on the default ServiceAccount.

What is changed and how does it work?

This adds spec.serviceAccountName to TidbInitializerSpec and passes it through to the generated initializer Job pod template.

The CRD/OpenAPI schema is updated so users can configure:

spec:
  serviceAccountName: tidb-initializer

Check List

Tests

  • Unit test

Side effects

  • No side effects

Release note

Add serviceAccountName support to TidbInitializer.

Verification

  • go test ./pkg/manager/member
  • cd pkg/apis && go test ./pingcap/v1alpha1
  • git diff --check
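As an added illustration (not code from this PR or the tidb-operator project), a self-contained Go sketch of the pass-through described above, paired with a preflight check that mimics what a block-default-service-account policy enforces. The TidbInitializerSpec and PodSpec types are minimal stand-ins, not the operator's or the Kubernetes API's real types.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in for the operator's TidbInitializerSpec; only the field this PR
// adds is modelled (assumption, not the real type).
type TidbInitializerSpec struct {
	ServiceAccountName string `json:"serviceAccountName,omitempty"`
}

// Stand-in for the corev1.PodSpec fields relevant here (assumption).
type PodSpec struct {
	ServiceAccountName string
	RestartPolicy      string
}

// buildInitializerPodSpec copies the value verbatim into the Job pod template
// and never defaults it: an empty string stays empty, and the kubelet then
// resolves it to the namespace's "default" ServiceAccount.
func buildInitializerPodSpec(spec TidbInitializerSpec) PodSpec {
	return PodSpec{
		ServiceAccountName: spec.ServiceAccountName,
		RestartPolicy:      "OnFailure",
	}
}

// ErrDefaultServiceAccount mimics the rejection an admission policy that
// blocks the default ServiceAccount would return.
var ErrDefaultServiceAccount = errors.New("pod uses the default ServiceAccount")

// effectiveServiceAccount returns the account the pod would actually run as.
func effectiveServiceAccount(p PodSpec) string {
	if p.ServiceAccountName == "" {
		return "default"
	}
	return p.ServiceAccountName
}

// checkBlockDefaultServiceAccount rejects both the explicit "default" and the
// implicit empty case, which is why the CRD needs a real pass-through field.
func checkBlockDefaultServiceAccount(p PodSpec) error {
	if effectiveServiceAccount(p) == "default" {
		return ErrDefaultServiceAccount
	}
	return nil
}

func main() {
	for _, spec := range []TidbInitializerSpec{{}, {ServiceAccountName: "tidb-initializer"}} {
		pod := buildInitializerPodSpec(spec)
		fmt.Printf("serviceAccountName=%q -> %v\n", spec.ServiceAccountName, checkBlockDefaultServiceAccount(pod))
	}
}
```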

@ti-chi-bot ti-chi-bot Bot requested a review from shonge April 29, 2026 21:57
@ti-chi-bot ti-chi-bot Bot added the size/M label Apr 29, 2026
FedRAMP Gatekeeper can reject pods that fall back to the default service account. TidbInitializer creates a Job pod directly, so the CRD needs an explicit field that users can bind to a dedicated ServiceAccount without carrying operator-side patches.

The initializer spec now exposes serviceAccountName and passes it through to the generated Job pod template. The CRD and OpenAPI schema are updated so users can configure the field through the v1 API.

Constraint: FedRAMP block-default-service-account policy rejects implicit default service account usage
Rejected: Hardcode tidb-initializer in the manager | forces one service account name on all users and keeps requiring operator code patches
Confidence: high
Scope-risk: narrow
Directive: Keep this field as a pass-through to the Job pod spec; do not add defaulting here without checking backward compatibility
Tested: go test ./pkg/manager/member
Tested: cd pkg/apis && go test ./pingcap/v1alpha1
Tested: git diff --check
@tennix tennix force-pushed the fix-tidb-initializer-service-account branch from 7c4cb09 to ef083f7 Compare April 29, 2026 22:31
@tennix
Member Author

tennix commented Apr 30, 2026

/test pull-e2e-kind-basic
/test pull-e2e-kind-br
/test pull-e2e-kind-scale-simultaneously
/test pull-e2e-kind-serial
/test pull-e2e-kind-tidbcluster

@tennix
Member Author

tennix commented May 8, 2026

/retest

@tennix
Member Author

tennix commented May 8, 2026

/test pull-e2e-kind-tidbcluster

@liubog2008
Member

/lgtm
/cherry-pick release-1.6

@ti-chi-bot
Member

@liubog2008: once the present PR merges, I will cherry-pick it on top of release-1.6 in the new PR and assign it to you.


In response to this:

/lgtm
/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

@ti-chi-bot
Contributor

ti-chi-bot Bot commented May 9, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liubog2008

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot Bot added the lgtm label May 9, 2026
@ti-chi-bot
Contributor

ti-chi-bot Bot commented May 9, 2026

[LGTM Timeline notifier]

Timeline:

  • 2026-05-09 01:23:02.89715247 +0000 UTC m=+490055.770502442: ☑️ agreed by liubog2008.

@ti-chi-bot ti-chi-bot Bot added the approved label May 9, 2026
@ti-chi-bot ti-chi-bot Bot merged commit def3ef0 into release-1.x May 9, 2026
15 checks passed
@ti-chi-bot ti-chi-bot Bot deleted the fix-tidb-initializer-service-account branch May 9, 2026 01:29
@ti-chi-bot
Member

@liubog2008: new pull request created to branch release-1.6: #6881.


In response to this:

/lgtm
/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.


3 participants