top-level serviceAccountName

operator/api/pulumi/shared/stack_types.go

@@ -130,6 +130,10 @@ type StackSpec struct {
 	// The minimal resync frequency supported is 60 seconds. The default value for this field is 60 seconds.
 	ResyncFrequencySeconds int64 `json:"resyncFrequencySeconds,omitempty"`
 
+	// ServiceAccountName is the Kubernetes service account identity of the stack's workspace.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
 	// WorkspaceTemplate customizes the Workspace generated for this Stack. It
 	// is applied as a strategic merge patch on top of the underlying
 	// Workspace. Use this to customize the Workspace's image, resources,

operator/config/crd/bases/pulumi.com_stacks.yaml

@@ -719,6 +719,10 @@ spec:
                   (optional) SecretRefs is the secret configuration for this stack which can be specified through ResourceRef.
                   If this is omitted, secrets configuration is assumed to be checked in and taken from the source repository.
                 type: object
+              serviceAccountName:
+                description: ServiceAccountName is the Kubernetes service account
+                  identity of the stack's workspace.
+                type: string
               shallow:
                 description: |-
                   Shallow controls whether the workspace uses a shallow checkout or
@@ -10274,6 +10278,10 @@ spec:
                   (optional) SecretRefs is the secret configuration for this stack which can be specified through ResourceRef.
                   If this is omitted, secrets configuration is assumed to be checked in and taken from the source repository.
                 type: object
+              serviceAccountName:
+                description: ServiceAccountName is the Kubernetes service account
+                  identity of the stack's workspace.
+                type: string
               shallow:
                 description: |-
                   Shallow controls whether the workspace uses a shallow checkout or

operator/config/manager/manager.yaml

@@ -44,7 +44,7 @@ spec:
             - --leader-elect
             - --health-probe-bind-address=:8081
             - --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE).svc.cluster.local:80
-            - --zap-log-level=error
+            - --zap-log-level=info
             - --zap-time-encoding=iso8601
           ports:
           - containerPort: 8383

operator/examples/random-yaml/stack.yaml

@@ -23,6 +23,7 @@ metadata:
   name: random-yaml
   namespace: default
 spec:
+  serviceAccountName: random-yaml
   fluxSource:
     sourceRef:
       apiVersion: source.toolkit.fluxcd.io/v1
@@ -44,6 +45,5 @@ spec:
         key: accessToken
   workspaceTemplate:
     spec:
-      serviceAccountName: random-yaml
       image: pulumi/pulumi:3.134.1-nonroot
 

operator/internal/controller/pulumi/stack_controller.go

@@ -1260,6 +1260,9 @@ func (sess *stackReconcilerSession) CreateWorkspace(ctx context.Context) error {
 // constructed a workspace from a source.
 func (sess *stackReconcilerSession) setupWorkspace(ctx context.Context) error {
 	w := sess.ws
+	if sess.stack.ServiceAccountName != "" {
+		w.Spec.ServiceAccountName = sess.stack.ServiceAccountName
+	}
 	if sess.stack.Backend != "" {
 		w.Spec.Env = append(w.Spec.Env, corev1.EnvVar{
 			Name:  "PULUMI_BACKEND_URL",

operator/internal/controller/pulumi/stack_controller_test.go

@@ -1253,6 +1253,23 @@ var _ = Describe("Stack Controller", func() {
 			})
 		})
 	})
+
+	FDescribe("Workspace Customization", func() {
+		useFluxSource()
+
+		When("a service account is specified", func() {
+			BeforeEach(func(ctx context.Context) {
+				obj.Spec.ServiceAccountName = "pulumi"
+			})
+			It("reconciles", func(ctx context.Context) {
+				_, err := reconcileF(ctx)
+				Expect(err).NotTo(HaveOccurred())
+				By("configuring the workspace")
+				Expect(ws).ToNot(BeNil())
+				Expect(ws.Spec.ServiceAccountName).To(Equal("pulumi"))
+			})
+		})
+	})
 })
 
 func matchEvent(reason pulumiv1.StackEventReason) gtypes.GomegaMatcher {