Add the serviceAccountName field to Stack.spec (#723)

<!--Thanks for your contribution. See [CONTRIBUTING](CONTRIBUTING.md)
    for Pulumi's contribution guidelines.

    Help us merge your changes more quickly by adding more details such
    as labels, milestones, and reviewers.-->

### Proposed changes

<!--Give us a brief description of what you've done and what it solves.
-->

Adds a top-level `serviceAccountName` to the Stack spec, since it is
practically a required element for every stack.
Note that the `workspaceTemplate` would take precedence.
The Workspace applies the default value of `default` if none is
specified.

Side-effect: some outdated manifests were regenerated.

### Related issues (optional)

<!--Refer to related PRs or issues: #1234, or 'Fixes #1234' or 'Closes
#1234'.
Or link to full URLs to issues or pull requests in other GitHub
repositories. -->
Closes #720

operator/api/pulumi/shared/stack_types.go

@@ -130,6 +130,10 @@ type StackSpec struct {
 	// The minimal resync frequency supported is 60 seconds. The default value for this field is 60 seconds.
 	ResyncFrequencySeconds int64 `json:"resyncFrequencySeconds,omitempty"`
 
+	// ServiceAccountName is the Kubernetes service account identity of the stack's workspace.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
 	// WorkspaceTemplate customizes the Workspace generated for this Stack. It
 	// is applied as a strategic merge patch on top of the underlying
 	// Workspace. Use this to customize the Workspace's image, resources,

operator/config/crd/bases/pulumi.com_stacks.yaml

@@ -719,6 +719,10 @@ spec:
                   (optional) SecretRefs is the secret configuration for this stack which can be specified through ResourceRef.
                   If this is omitted, secrets configuration is assumed to be checked in and taken from the source repository.
                 type: object
+              serviceAccountName:
+                description: ServiceAccountName is the Kubernetes service account
+                  identity of the stack's workspace.
+                type: string
               shallow:
                 description: |-
                   Shallow controls whether the workspace uses a shallow checkout or
@@ -10274,6 +10278,10 @@ spec:
                   (optional) SecretRefs is the secret configuration for this stack which can be specified through ResourceRef.
                   If this is omitted, secrets configuration is assumed to be checked in and taken from the source repository.
                 type: object
+              serviceAccountName:
+                description: ServiceAccountName is the Kubernetes service account
+                  identity of the stack's workspace.
+                type: string
               shallow:
                 description: |-
                   Shallow controls whether the workspace uses a shallow checkout or

operator/config/manager/manager.yaml

@@ -44,7 +44,7 @@ spec:
             - --leader-elect
             - --health-probe-bind-address=:8081
             - --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE).svc.cluster.local:80
-            - --zap-log-level=error
+            - --zap-log-level=info
             - --zap-time-encoding=iso8601
           ports:
           - containerPort: 8383

operator/examples/random-yaml/stack.yaml

@@ -23,6 +23,7 @@ metadata:
   name: random-yaml
   namespace: default
 spec:
+  serviceAccountName: random-yaml
   fluxSource:
     sourceRef:
       apiVersion: source.toolkit.fluxcd.io/v1
@@ -44,6 +45,5 @@ spec:
         key: accessToken
   workspaceTemplate:
     spec:
-      serviceAccountName: random-yaml
       image: pulumi/pulumi:3.134.1-nonroot
 

operator/internal/controller/pulumi/stack_controller.go

@@ -1260,6 +1260,9 @@ func (sess *stackReconcilerSession) CreateWorkspace(ctx context.Context) error {
 // constructed a workspace from a source.
 func (sess *stackReconcilerSession) setupWorkspace(ctx context.Context) error {
 	w := sess.ws
+	if sess.stack.ServiceAccountName != "" {
+		w.Spec.ServiceAccountName = sess.stack.ServiceAccountName
+	}
 	if sess.stack.Backend != "" {
 		w.Spec.Env = append(w.Spec.Env, corev1.EnvVar{
 			Name:  "PULUMI_BACKEND_URL",

operator/internal/controller/pulumi/stack_controller_test.go

@@ -1253,6 +1253,23 @@ var _ = Describe("Stack Controller", func() {
 			})
 		})
 	})
+
+	Describe("Workspace Customization", func() {
+		useFluxSource()
+
+		When("a service account is specified", func() {
+			BeforeEach(func(ctx context.Context) {
+				obj.Spec.ServiceAccountName = "pulumi"
+			})
+			It("reconciles", func(ctx context.Context) {
+				_, err := reconcileF(ctx)
+				Expect(err).NotTo(HaveOccurred())
+				By("configuring the workspace")
+				Expect(ws).ToNot(BeNil())
+				Expect(ws.Spec.ServiceAccountName).To(Equal("pulumi"))
+			})
+		})
+	})
 })
 
 func matchEvent(reason pulumiv1.StackEventReason) gtypes.GomegaMatcher {