From c8a191b76e62bcd79a4668bb3c5df2142964ab1a Mon Sep 17 00:00:00 2001
From: Stuart Douglas
Date: Tue, 3 Dec 2024 18:13:30 +1100
Subject: [PATCH] feat: use one ServiceAccount per module (#3578)

Per deployment is to granular for our security use cases.
---
 Dockerfile                                         |  1 +
 backend/provisioner/runner_scaling_provisioner.go  |  1 +
 .../provisioner/scaling/k8sscaling/k8s_scaling.go  | 13 ++++++++-----
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 937e237401..5a7e956317 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,6 +29,7 @@ ENV PATH="$PATH:/root"
 # Service-specific configurations
 EXPOSE 8891
 EXPOSE 8892
+EXPOSE 8893
 
 # Environment variables for all (most) services
 ENV FTL_ENDPOINT="http://host.docker.internal:8892"
diff --git a/backend/provisioner/runner_scaling_provisioner.go b/backend/provisioner/runner_scaling_provisioner.go
index 1df0486076..bba3f552be 100644
--- a/backend/provisioner/runner_scaling_provisioner.go
+++ b/backend/provisioner/runner_scaling_provisioner.go
@@ -50,6 +50,7 @@ func provisionRunner(scaling scaling.RunnerScaling, client ftlv1connect.Controll
 	logger.Debugf("provisioning runner: %s.%s for deployment %s", module, id, deployment)
 	err = scaling.StartDeployment(ctx, module, deployment, schema)
 	if err != nil {
+		logger.Infof("failed to start deployment: %v", err)
 		return nil, fmt.Errorf("failed to start deployment: %w", err)
 	}
 	endpoint, err := scaling.GetEndpointForDeployment(ctx, module, deployment)
diff --git a/backend/provisioner/scaling/k8sscaling/k8s_scaling.go b/backend/provisioner/scaling/k8sscaling/k8s_scaling.go
index 60a8fafd4c..3d10bdb326 100644
--- a/backend/provisioner/scaling/k8sscaling/k8s_scaling.go
+++ b/backend/provisioner/scaling/k8sscaling/k8s_scaling.go
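Review bot: The added `logger.Infof` records the same error that the very next line returns wrapped, so once the caller handles that error the failure is reported twice; the usual rule is to log or return at one layer, not both. If the log line is kept for visibility while StartDeployment is being debugged, Info is a surprising level for a failed deployment start — a warning/error level call of the project's logger would match the message. provisionRunner begins and ends outside this hunk.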
@@ -322,8 +322,9 @@ func (r *k8sScaling) handleNewDeployment(ctx context.Context, module string, nam
 	// Now create a ServiceAccount, we mostly need this for Istio but we create it for all deployments
 	// To keep things consistent
 	serviceAccountClient := r.client.CoreV1().ServiceAccounts(r.namespace)
-	serviceAccount, err := serviceAccountClient.Get(ctx, name, v1.GetOptions{})
+	serviceAccount, err := serviceAccountClient.Get(ctx, module, v1.GetOptions{})
 	if err != nil {
+		//TODO: implement cleanup for Service Accounts of modules that are completly removed
 		if !errors.IsNotFound(err) {
 			return fmt.Errorf("failed to get service account %s: %w", name, err)
 		}
@@ -332,9 +333,11 @@ func (r *k8sScaling) handleNewDeployment(ctx context.Context, module string, nam
 		if err != nil {
 			return fmt.Errorf("failed to decode service account from configMap %s: %w", configMapName, err)
 		}
-		serviceAccount.Name = name
-		serviceAccount.OwnerReferences = []v1.OwnerReference{{APIVersion: "v1", Kind: "service", Name: name, UID: service.UID}}
-		addLabels(&serviceAccount.ObjectMeta, module, name)
+		serviceAccount.Name = module
+		if serviceAccount.Labels == nil {
+			serviceAccount.Labels = map[string]string{}
+		}
+		serviceAccount.Labels[moduleLabel] = module
 		_, err = serviceAccountClient.Create(ctx, serviceAccount, v1.CreateOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to create service account%s: %w", name, err)
@@ -403,7 +406,7 @@ func (r *k8sScaling) handleNewDeployment(ctx context.Context, module string, nam
 			deployment.Spec.Template.ObjectMeta.Labels = map[string]string{}
 		}
 
-	deployment.Spec.Template.Spec.ServiceAccountName = name
+	deployment.Spec.Template.Spec.ServiceAccountName = module
 	changes, err := r.syncDeployment(ctx, thisImage, deployment, 1)
 	if err != nil {
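Review bot: The Get error in this hunk still formats `name` although the lookup now uses `module`, so a failure reports the wrong object; change it to `return fmt.Errorf("failed to get service account %s: %w", module, err)`. The Create error in the next hunk has the same mismatch and is additionally missing a space before `%s`. Because the lookup is now keyed by the module name, a pre-existing ServiceAccount of that name that this provisioner did not create — possibly carrying its own bindings or annotations — would be adopted silently and become the identity the deployment runs under; if that can occur in the target namespace, consider checking `serviceAccount.Labels[moduleLabel] == module` on the found object and returning an error otherwise. handleNewDeployment starts and ends outside the hunk.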
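Review bot: Dropping the OwnerReferences means the module ServiceAccount is no longer garbage-collected with its Service, and the TODO in the previous hunk confirms nothing else deletes it yet, so a removed module leaves a live ServiceAccount (and anything bound to it) in the namespace indefinitely. Until that cleanup exists it is worth stating in the code, e.g. `// No OwnerReferences: the SA is shared by every deployment of the module and is only reclaimed by explicit module cleanup.` Whether the removed `addLabels` call set labels beyond `moduleLabel` that selectors elsewhere depend on is not visible in this hunk; if it did, the manual assignment here drops them. handleNewDeployment's body continues outside the hunk.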