From ecf2be1d1d1ae88d3418d92b410fa36e464235bb Mon Sep 17 00:00:00 2001
From: Shadrack Nicholas
Date: Fri, 11 Oct 2024 11:35:25 +0200
Subject: [PATCH 1/4] chore: access key and secret key can be empty if role is used
---
api/v1/store.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/api/v1/store.go b/api/v1/store.go
index 2c6a25c..eef0c37 100644
--- a/api/v1/store.go
+++ b/api/v1/store.go
@@ -233,8 +233,8 @@ type S3Storage struct {
 PublicBucketName string `json:"publicBucketName"`
 Region string `json:"region,omitempty"`
- AccessKeyRef SecretRef `json:"accessKeyRef"`
- SecretAccessKeyRef SecretRef `json:"secretAccessKeyRef"`
+ AccessKeyRef SecretRef `json:"accessKeyRef,omitempty"`
+ SecretAccessKeyRef SecretRef `json:"secretAccessKeyRef,omitempty"`
 }
 type DatabaseSpec struct {
From 8c7c2bd66714d32bca58deba8678358f6b85a845 Mon Sep 17 00:00:00 2001
From: Shadrack Nicholas
Date: Fri, 11 Oct 2024 16:39:59 +0200
Subject: [PATCH 2/4] refactor: Update getStorage function to handle empty access and secret keys
---
api/v1/env.go | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/api/v1/env.go b/api/v1/env.go
index 03451a6..4252c51 100644
--- a/api/v1/env.go
+++ b/api/v1/env.go
@@ -185,7 +185,7 @@ func (s *Store) getBlackfire() []corev1.EnvVar {
 // TODO: Minio should use bucketname before URL. So we have public.domain.com see:
 // https://min.io/docs/minio/linux/administration/object-management.html#minio-object-management-path-virtual-access
 func (s *Store) getStorage() []corev1.EnvVar {
- return []corev1.EnvVar{
+ envVars := []corev1.EnvVar{
 {
 Name: "K8S_FILESYSTEM_PUBLIC_BUCKET",
 Value: s.Spec.S3Storage.PublicBucketName,
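Review bot: `omitempty` on the two `SecretRef` fields of `S3Storage` in api/v1/store.go has no effect on encoding/json, which never omits a struct-typed value, so the only thing this hunk changes is the generated CRD schema, where the fields stop being listed as required. If making them optional is the intent, state it with an explicit marker and a comment, e.g. `// +optional` above `AccessKeyRef` and `SecretAccessKeyRef` together with a comment that both may be left empty when the pods obtain their S3 credentials through an IAM role. Nothing in the series rejects a spec that fills only one of the two refs, so a validation that the pair is either both set or both empty (a CRD validation rule or a check in the reconciler) would stop a half-configured credential from reaching the pod. The rest of the `S3Storage` struct and the `SecretRef` type are outside the hunk.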
@@ -207,7 +207,10 @@ func (s *Store) getStorage() []corev1.EnvVar {
 Name: "K8S_FILESYSTEM_ENDPOINT",
 Value: s.Spec.S3Storage.EndpointURL,
 },
- {
+ }
+
+ if s.Spec.S3Storage.AccessKeyRef.Name != "" {
+ envVars = append(envVars, corev1.EnvVar{
 Name: "AWS_ACCESS_KEY_ID",
 ValueFrom: &corev1.EnvVarSource{
 SecretKeyRef: &corev1.SecretKeySelector{
@@ -217,8 +220,11 @@ func (s *Store) getStorage() []corev1.EnvVar {
 Key: s.Spec.S3Storage.AccessKeyRef.Key,
 },
 },
- },
- {
+ })
+ }
+
+ if s.Spec.S3Storage.SecretAccessKeyRef.Key != "" {
+ envVars = append(envVars, corev1.EnvVar{
 Name: "AWS_SECRET_ACCESS_KEY",
 ValueFrom: &corev1.EnvVarSource{
 SecretKeyRef: &corev1.SecretKeySelector{
@@ -228,8 +234,10 @@ func (s *Store) getStorage() []corev1.EnvVar {
 Key: s.Spec.S3Storage.SecretAccessKeyRef.Key,
 },
 },
- },
+ })
 }
+
+ return envVars
 }
 func (s *Store) GetEnv() []corev1.EnvVar {
From bbe6190d9388398f53e1d5b70141f7727fc6291e Mon Sep 17 00:00:00 2001
From: Shadrack Nicholas
Date: Mon, 14 Oct 2024 11:07:50 +0200
Subject: [PATCH 3/4] refactor: Update deployment functions to include service account name
---
internal/deployment/admin.go | 2 ++
internal/deployment/storefront.go | 1 +
internal/deployment/worker.go | 1 +
internal/job/migration.go | 1 +
internal/job/setup.go | 1 +
internal/util/serviceaccount.go | 11 +++++++++++
6 files changed, 17 insertions(+)
create mode 100644 internal/util/serviceaccount.go
diff --git a/internal/deployment/admin.go b/internal/deployment/admin.go
index 1b8e2e3..fc2daa7 100644
--- a/internal/deployment/admin.go
+++ b/internal/deployment/admin.go
@@ -93,6 +93,7 @@ func AdminDeployment(store *v1.Store) *appsv1.Deployment {
 Spec: appsv1.DeploymentSpec{
 ProgressDeadlineSeconds: &store.Spec.Container.ProgressDeadlineSeconds,
 Replicas: &store.Spec.Container.Replicas,
+
 Selector: &metav1.LabelSelector{
 MatchLabels: map[string]string{
 "app": appName,
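Review bot: The two guards added to `getStorage` in api/v1/env.go test different fields: this hunk checks `s.Spec.S3Storage.AccessKeyRef.Name != ""`, while the @@ -217 hunk on the same line checks `s.Spec.S3Storage.SecretAccessKeyRef.Key != ""`. A ref with a Name but no Key, or the reverse, still produces an env var whose `SecretKeySelector` is incomplete, so the container fails at start with a configuration error instead of the reconciler rejecting the spec. Use one test for both refs and require both halves, `if ref := s.Spec.S3Storage.AccessKeyRef; ref.Name != "" && ref.Key != "" {` and the equivalent for `SecretAccessKeyRef`. A comment above the first guard, `// Both AWS_* variables are omitted when no refs are configured so the pod can fall back to its IAM role credentials.`, would record why the refs became optional; the function's `return envVars` sits in the @@ -228 hunk on this line.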
@@ -121,6 +122,7 @@ func AdminDeployment(store *v1.Store) *appsv1.Deployment {
 ImagePullSecrets: store.Spec.Container.ImagePullSecrets,
 RestartPolicy: store.Spec.Container.RestartPolicy,
 Containers: containers,
+ ServiceAccountName: util.GetServiceAccountName(store),
 SecurityContext: store.Spec.Container.SecurityContext,
 },
 },
diff --git a/internal/deployment/storefront.go b/internal/deployment/storefront.go
index e650e8e..96d6219 100644
--- a/internal/deployment/storefront.go
+++ b/internal/deployment/storefront.go
@@ -123,6 +123,7 @@ func StorefrontDeployment(store *v1.Store) *appsv1.Deployment {
 ImagePullSecrets: store.Spec.Container.ImagePullSecrets,
 RestartPolicy: store.Spec.Container.RestartPolicy,
 Containers: containers,
+ ServiceAccountName: util.GetServiceAccountName(store),
 SecurityContext: store.Spec.Container.SecurityContext,
 },
 },
diff --git a/internal/deployment/worker.go b/internal/deployment/worker.go
index 8c54f9a..edea296 100644
--- a/internal/deployment/worker.go
+++ b/internal/deployment/worker.go
@@ -105,6 +105,7 @@ func WorkerDeployment(store *v1.Store) *appsv1.Deployment {
 ImagePullSecrets: store.Spec.Container.ImagePullSecrets,
 RestartPolicy: store.Spec.Container.RestartPolicy,
 Containers: containers,
+ ServiceAccountName: util.GetServiceAccountName(store),
 SecurityContext: store.Spec.Container.SecurityContext,
 },
 },
diff --git a/internal/job/migration.go b/internal/job/migration.go
index f9b9b79..6292895 100644
--- a/internal/job/migration.go
+++ b/internal/job/migration.go
@@ -99,6 +99,7 @@ func MigrationJob(store *v1.Store) *batchv1.Job {
 ImagePullSecrets: store.Spec.Container.ImagePullSecrets,
 RestartPolicy: "Never",
 Containers: containers,
+ ServiceAccountName: util.GetServiceAccountName(store),
 SecurityContext: store.Spec.Container.SecurityContext,
 },
 },
diff --git a/internal/job/setup.go b/internal/job/setup.go
index 4adbf91..b8b1163 100644
--- a/internal/job/setup.go
+++ b/internal/job/setup.go
@@ -102,6 +102,7 @@ func SetupJob(store *v1.Store) *batchv1.Job {
 ImagePullSecrets: store.Spec.Container.ImagePullSecrets,
 RestartPolicy: "Never",
 Containers: containers,
+ ServiceAccountName: util.GetServiceAccountName(store),
 SecurityContext: store.Spec.Container.SecurityContext,
 },
 },
diff --git a/internal/util/serviceaccount.go b/internal/util/serviceaccount.go
new file mode 100644
index 0000000..15dab45
--- /dev/null
+++ b/internal/util/serviceaccount.go
@@ -0,0 +1,11 @@
+package util
+
+import (
+ "fmt"
+
+ v1 "github.com/shopware/shopware-operator/api/v1"
+)
+
+func GetServiceAccountName(store *v1.Store) string {
+ return fmt.Sprintf("%s-store-sa", store.Name)
+}
From cfd1cc07d8a607bdfbb956df40d23b94455c4876 Mon Sep 17 00:00:00 2001
From: Shadrack Nicholas
Date: Mon, 14 Oct 2024 17:15:23 +0200
Subject: [PATCH 4/4] chore: optionally use a service account name
---
api/v1/store.go | 1 +
internal/deployment/admin.go | 9 +++++++--
internal/deployment/storefront.go | 9 +++++++--
internal/deployment/worker.go | 9 +++++++--
internal/job/migration.go | 9 +++++++--
internal/job/setup.go | 9 +++++++--
internal/util/serviceaccount.go | 11 -----------
7 files changed, 36 insertions(+), 21 deletions(-)
delete mode 100644 internal/util/serviceaccount.go
diff --git a/api/v1/store.go b/api/v1/store.go
index eef0c37..a1069b3 100644
--- a/api/v1/store.go
+++ b/api/v1/store.go
@@ -37,6 +37,7 @@ type StoreSpec struct {
 Otel OtelSpec `json:"otel,omitempty"`
 FPM FPMSpec `json:"fpm,omitempty"`
 HorizontalPodAutoscaler HPASpec `json:"horizontalPodAutoscaler,omitempty"`
+ ServiceAccountName string `json:"serviceAccountName,omitempty"`
 // +kubebuilder:default=false
 DisableChecks bool `json:"disableChecks,omitempty"`
diff --git a/internal/deployment/admin.go b/internal/deployment/admin.go
index fc2daa7..fb1e356 100644
--- a/internal/deployment/admin.go
+++ b/internal/deployment/admin.go
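Review bot: `GetServiceAccountName` in the new internal/util/serviceaccount.go names a `<store>-store-sa` ServiceAccount that the five pod templates of this patch now reference, but nothing in the patch creates that account. With the ServiceAccount admission plugin enabled, which is the default, pods that reference a non-existent account are refused, so every Deployment and Job of a store whose account is missing stays unavailable. Either reconcile the ServiceAccount next to the Deployments or document the expectation on the helper, e.g. `// GetServiceAccountName returns the ServiceAccount the store's pods run as; the operator does not create it, it must already exist in the store's namespace.` `store.Name + "-store-sa"` yields the same string without going through `fmt.Sprintf`; PATCH 4/4 of this series deletes the helper again in favour of an optional spec field.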
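Review bot: `ServiceAccountName` in `StoreSpec` (api/v1/store.go, PATCH 4/4) is added without a doc comment, although it is the field that decides which identity, and therefore which IAM role and Kubernetes RBAC, every store pod runs with. The neighbouring `DisableChecks` field carries a kubebuilder marker; give this one a comment and an optional marker in the same style, e.g. `// ServiceAccountName is the ServiceAccount the store's Deployments and Jobs run as.` `// When empty the pods keep the namespace's default ServiceAccount.` followed by `// +optional`. The generated CRD manifests are not part of the patch and presumably need regenerating for the new field; with a structural schema the API server would otherwise prune the unknown field and the option would silently do nothing.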
@@ -79,7 +79,7 @@ func AdminDeployment(store *v1.Store) *appsv1.Deployment {
 Resources: store.Spec.Container.Resources,
 })
- return &appsv1.Deployment{
+ deployment := &appsv1.Deployment{
 TypeMeta: metav1.TypeMeta{
 Kind: "Deployment",
 APIVersion: "apps/v1",
@@ -122,12 +122,17 @@ func AdminDeployment(store *v1.Store) *appsv1.Deployment {
 ImagePullSecrets: store.Spec.Container.ImagePullSecrets,
 RestartPolicy: store.Spec.Container.RestartPolicy,
 Containers: containers,
- ServiceAccountName: util.GetServiceAccountName(store),
 SecurityContext: store.Spec.Container.SecurityContext,
 },
 },
 },
 }
+
+ if store.Spec.ServiceAccountName != "" {
+ deployment.Spec.Template.Spec.ServiceAccountName = store.Spec.ServiceAccountName
+ }
+
+ return deployment
 }
 func GetAdminDeploymentName(store *v1.Store) string {
diff --git a/internal/deployment/storefront.go b/internal/deployment/storefront.go
index 96d6219..3c012d6 100644
--- a/internal/deployment/storefront.go
+++ b/internal/deployment/storefront.go
@@ -81,7 +81,7 @@ func StorefrontDeployment(store *v1.Store) *appsv1.Deployment {
 Resources: store.Spec.Container.Resources,
 })
- return &appsv1.Deployment{
+ deployment := &appsv1.Deployment{
 TypeMeta: metav1.TypeMeta{
 Kind: "Deployment",
 APIVersion: "apps/v1",
@@ -123,12 +123,17 @@ func StorefrontDeployment(store *v1.Store) *appsv1.Deployment {
 ImagePullSecrets: store.Spec.Container.ImagePullSecrets,
 RestartPolicy: store.Spec.Container.RestartPolicy,
 Containers: containers,
- ServiceAccountName: util.GetServiceAccountName(store),
 SecurityContext: store.Spec.Container.SecurityContext,
 },
 },
 },
 }
+
+ if store.Spec.ServiceAccountName != "" {
+ deployment.Spec.Template.Spec.ServiceAccountName = store.Spec.ServiceAccountName
+ }
+
+ return deployment
 }
 func GetStorefrontDeploymentName(store *v1.Store) string {
diff --git a/internal/deployment/worker.go b/internal/deployment/worker.go
index edea296..0a1d4f8 100644
--- a/internal/deployment/worker.go
+++ b/internal/deployment/worker.go
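Review bot: The `if store.Spec.ServiceAccountName != ""` block added to `AdminDeployment` in internal/deployment/admin.go guards an assignment that is already a no-op for the empty string: `PodSpec.ServiceAccountName` is a plain string, so `ServiceAccountName: store.Spec.ServiceAccountName,` in the literal, where the removed line stood, builds the same object and the function could keep its single `return &appsv1.Deployment{` from the @@ -79 hunk. The same guard is repeated in `StorefrontDeployment` on this line and in `WorkerDeployment`, `MigrationJob` and `SetupJob` on the following lines, so the simplification applies to all five. If the explicit guard is kept on purpose, a one-line comment such as `// An empty name keeps the namespace's default ServiceAccount, with whatever token and RBAC that carries.` tells the reader that the fallback is deliberate.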
@@ -63,7 +63,7 @@ func WorkerDeployment(store *v1.Store) *appsv1.Deployment {
 Resources: store.Spec.Container.Resources,
 })
- return &appsv1.Deployment{
+ deployment := &appsv1.Deployment{
 TypeMeta: metav1.TypeMeta{
 Kind: "Deployment",
 APIVersion: "apps/v1",
@@ -105,12 +105,17 @@ func WorkerDeployment(store *v1.Store) *appsv1.Deployment {
 ImagePullSecrets: store.Spec.Container.ImagePullSecrets,
 RestartPolicy: store.Spec.Container.RestartPolicy,
 Containers: containers,
- ServiceAccountName: util.GetServiceAccountName(store),
 SecurityContext: store.Spec.Container.SecurityContext,
 },
 },
 },
 }
+
+ if store.Spec.ServiceAccountName != "" {
+ deployment.Spec.Template.Spec.ServiceAccountName = store.Spec.ServiceAccountName
+ }
+
+ return deployment
 }
 func GetWorkerDeploymentName(store *v1.Store) string {
diff --git a/internal/job/migration.go b/internal/job/migration.go
index 6292895..39b049f 100644
--- a/internal/job/migration.go
+++ b/internal/job/migration.go
@@ -74,7 +74,7 @@ func MigrationJob(store *v1.Store) *batchv1.Job {
 Env: store.GetEnv(),
 })
- return &batchv1.Job{
+ job := &batchv1.Job{
 TypeMeta: metav1.TypeMeta{
 Kind: "Job",
 APIVersion: "batch/v1"},
@@ -99,12 +99,17 @@ func MigrationJob(store *v1.Store) *batchv1.Job {
 ImagePullSecrets: store.Spec.Container.ImagePullSecrets,
 RestartPolicy: "Never",
 Containers: containers,
- ServiceAccountName: util.GetServiceAccountName(store),
 SecurityContext: store.Spec.Container.SecurityContext,
 },
 },
 },
 }
+
+ if store.Spec.ServiceAccountName != "" {
+ job.Spec.Template.Spec.ServiceAccountName = store.Spec.ServiceAccountName
+ }
+
+ return job
 }
 func MigrateJobName(store *v1.Store) string {
diff --git a/internal/job/setup.go b/internal/job/setup.go
index b8b1163..21eea3b 100644
--- a/internal/job/setup.go
+++ b/internal/job/setup.go
@@ -76,7 +76,7 @@ func SetupJob(store *v1.Store) *batchv1.Job {
 Env: envs,
 })
- return &batchv1.Job{
+ job := &batchv1.Job{
 TypeMeta: metav1.TypeMeta{
 Kind: "Job",
 APIVersion: "batch/v1",
@@ -102,12 +102,17 @@ func SetupJob(store *v1.Store) *batchv1.Job {
 ImagePullSecrets: store.Spec.Container.ImagePullSecrets,
 RestartPolicy: "Never",
 Containers: containers,
- ServiceAccountName: util.GetServiceAccountName(store),
 SecurityContext: store.Spec.Container.SecurityContext,
 },
 },
 },
 }
+
+ if store.Spec.ServiceAccountName != "" {
+ job.Spec.Template.Spec.ServiceAccountName = store.Spec.ServiceAccountName
+ }
+
+ return job
 }
 func GetSetupJobName(store *v1.Store) string {
diff --git a/internal/util/serviceaccount.go b/internal/util/serviceaccount.go
deleted file mode 100644
index 15dab45..0000000
--- a/internal/util/serviceaccount.go
+++ /dev/null
@@ -1,11 +0,0 @@
-package util
-
-import (
- "fmt"
-
- v1 "github.com/shopware/shopware-operator/api/v1"
-)
-
-func GetServiceAccountName(store *v1.Store) string {
- return fmt.Sprintf("%s-store-sa", store.Name)
-}