ROX-35059: create shared master and worker service accounts

[stehessel]

Add master-node-service-account and worker-node-service-account parameters to openshift-4, openshift-4-demo, and openshift-4-perf-scale flavors and their workflow templates.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9a29bde5-667c-48fc-b975-02b0061d88cd

📥 Commits

Reviewing files that changed from the base of the PR and between a924688 and 82aa59a.

📒 Files selected for processing (3)

• chart/infra-server/static/flavors.yaml
• chart/infra-server/static/workflow-openshift-4-demo.yaml
• chart/infra-server/static/workflow-openshift-4.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• chart/infra-server/static/workflow-openshift-4.yaml
• chart/infra-server/static/workflow-openshift-4-demo.yaml
• chart/infra-server/static/flavors.yaml

---

📝 Walkthrough

Summary by CodeRabbit

• New Features
  • Added optional service-account settings for OpenShift master and worker nodes.
  • These settings now have defaults, with the option to leave them blank so the installer can create dedicated service accounts.
  • Updated the OpenShift 4 workflows to accept and pass through the new service-account values.

Walkthrough

Three OpenShift flavors (openshift-4, openshift-4-demo, openshift-4-perf-scale) in flavors.yaml gain two optional GCP service-account parameters with default email values. The corresponding Argo workflow templates (workflow-openshift-4.yaml, workflow-openshift-4-demo.yaml) add these as workflow arguments and expose them as MASTER_NODE_SERVICE_ACCOUNT and WORKER_NODE_SERVICE_ACCOUNT environment variables in the create template.

Changes

GCP Service Account Parameters for OpenShift

Layer / File(s)	Summary
Flavor parameter definitions chart/infra-server/static/flavors.yaml	Adds master-node-service-account and worker-node-service-account optional parameters with default GCP service account email addresses and help text to the openshift-4, openshift-4-demo, and openshift-4-perf-scale flavor definitions.
Workflow argument and env-var wiring chart/infra-server/static/workflow-openshift-4.yaml, chart/infra-server/static/workflow-openshift-4-demo.yaml	Adds the two new service account parameters to spec.arguments.parameters in both workflow files and injects them as MASTER_NODE_SERVICE_ACCOUNT and WORKER_NODE_SERVICE_ACCOUNT environment variables into the create template containers.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding shared master and worker service accounts.
Description check	✅ Passed	The description accurately describes the added parameters and affected flavors and workflow templates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ROX-35059/shared-master-and-worker-service-accounts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[rhacs-bot]

A single node development cluster (infra-pr-1864) was allocated in production infra for this PR.

CI will attempt to deploy quay.io/rhacs-eng/infra-server: to it.

🔌 You can connect to this cluster with:

gcloud container clusters get-credentials infra-pr-1864 --zone us-central1-a --project acs-team-temp-dev

🛠️ And pull infractl from the deployed dev infra-server with:

nohup kubectl -n infra port-forward svc/infra-server-service 8443:8443 &
make pull-infractl-from-dev-server

🔓 You must go to to export an . Your token from the prod infra instance will not work with dev environments.

🚲 You can then use the dev infra instance e.g.:

bin/infractl -k -e localhost:8443 whoami

⚠️ Any clusters that you start using your dev infra instance should have a lifespan shorter then the development cluster instance. Otherwise they will not be destroyed when the dev infra instance ceases to exist when the development cluster is deleted. ⚠️

Further Development

☕ If you make changes, you can commit and push and CI will take care of updating the development cluster.

🚀 If you only modify configuration (chart/infra-server/configuration) or templates (chart/infra-server/{static,templates}), you can get a faster update with:

make helm-deploy

Logs

Logs for the development infra depending on your @redhat.com authuser:

• authuser=0
• authuser=1
• authuser=2

Or:

kubectl -n infra logs -l app=infra-server --tail=1 -f

[tommartensen]

Let's merge and deploy this tomorrow when I have a bit more time in case things go wrong.