Add serviceAccountName to TidbInitializer

docs/api-references/docs.md

@@ -2664,6 +2664,18 @@ Kubernetes core/v1.PullPolicy
 </tr>
 <tr>
 <td>
+<code>serviceAccountName</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ServiceAccountName is the name of the ServiceAccount to use to run TiDB initializer Pods.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>permitHost</code></br>
 <em>
 string
@@ -27273,6 +27285,18 @@ Kubernetes core/v1.PullPolicy
 </tr>
 <tr>
 <td>
+<code>serviceAccountName</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ServiceAccountName is the name of the ServiceAccount to use to run TiDB initializer Pods.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>permitHost</code></br>
 <em>
 string

manifests/crd.yaml

@@ -63536,6 +63536,8 @@ spec:
                       x-kubernetes-int-or-string: true
                     type: object
                 type: object
+              serviceAccountName:
+                type: string
               timezone:
                 type: string
               tlsClientSecretName:

manifests/crd/v1/pingcap.com_tidbinitializers.yaml

@@ -158,6 +158,8 @@ spec:
                       x-kubernetes-int-or-string: true
                     type: object
                 type: object
+              serviceAccountName:
+                type: string
               timezone:
                 type: string
               tlsClientSecretName:

pkg/apis/pingcap/v1alpha1/tidbinitializer_types.go

@@ -73,6 +73,10 @@ type TidbInitializerSpec struct {
 	// +optional
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 
+	// ServiceAccountName is the name of the ServiceAccount to use to run TiDB initializer Pods.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
 	// permitHost is the host which will only be allowed to connect to the TiDB.
 	// +optional
 	PermitHost *string `json:"permitHost,omitempty"`

pkg/manager/member/tidb_init_manager.go

@@ -353,6 +353,7 @@ func (m *tidbInitManager) makeTiDBInitJob(ti *v1alpha1.TidbInitializer) (*batchv
 		},
 		Spec: corev1.PodSpec{
 			ImagePullSecrets:             ti.Spec.ImagePullSecrets,
+			ServiceAccountName:           ti.Spec.ServiceAccountName,
 			SecurityContext:              ti.Spec.PodSecurityContext,
 			AutomountServiceAccountToken: pointer.BoolPtr(false),
 			InitContainers: []corev1.Container{

pkg/manager/member/tidb_init_manager_test.go

@@ -143,6 +143,21 @@ func TestMakeTiDBInitJobDisablesServiceAccountTokenAutomount(t *testing.T) {
 	g.Expect(*job.Spec.Template.Spec.AutomountServiceAccountToken).To(BeFalse())
 }
 
+func TestMakeTiDBInitJobUsesServiceAccountName(t *testing.T) {
+	g := NewGomegaWithT(t)
+	tim, _, indexers := newFakeTiDBInitManager()
+	ti := newTidbInitializerForTiDB()
+	ti.Spec.ServiceAccountName = "tidb-initializer"
+	tc := newTidbClusterForTiDB()
+
+	err := indexers.tc.Add(tc)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	job, err := tim.makeTiDBInitJob(ti)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(job.Spec.Template.Spec.ServiceAccountName).To(Equal("tidb-initializer"))
+}
+
 func newFakeTiDBInitManager() (*tidbInitManager, *tidbMemberManager, *fakeIndexers) {
 	tmm, _, _, indexers := newFakeTiDBMemberManager()
 	indexers.job = tmm.deps.KubeInformerFactory.Batch().V1().Jobs().Informer().GetIndexer()