ServiceAccountName(s) replaces ServiceAccount(s)

Following in the k8s footsteps, deprecate ServiceAccount and
ServiceAccounts, replace them with ServiceAccountName and
ServiceAccountNames respectively.

ServiceAccountName and ServiceAccountNames will always take precedence over
ServiceAccount and ServiceAccounts respectively.

If ServiceAccountName is not set, the value provided by ServiceAccount will
be used instead.

ServiceAccountNames will always take precedence over ServiceAccounts.

docs/auth.md

@@ -73,7 +73,7 @@ kind: TaskRun
 metadata:
   name: build-push-task-run-2
 spec:
-  serviceAccount: build-bot
+  serviceAccountName: build-bot
   taskRef:
     name: build-push
 ```
@@ -87,7 +87,7 @@ spec:
      name: demo-pipeline
      namespace: default
    spec:
-     serviceAccount: build-bot
+     serviceAccountName: build-bot
      pipelineRef:
        name: demo-pipeline
    ```
@@ -145,7 +145,7 @@ to authenticate when retrieving any `PipelineResources`.
    metadata:
      name: build-push-task-run-2
    spec:
-     serviceAccount: build-bot
+     serviceAccountName: build-bot
      taskRef:
        name: build-push
    ```
@@ -159,7 +159,7 @@ to authenticate when retrieving any `PipelineResources`.
      name: demo-pipeline
      namespace: default
    spec:
-     serviceAccount: build-bot
+     serviceAccountName: build-bot
      pipelineRef:
        name: demo-pipeline
    ```
@@ -218,7 +218,7 @@ kind: TaskRun
 metadata:
   name: build-push-task-run-2
 spec:
-  serviceAccount: build-bot
+  serviceAccountName: build-bot
   taskRef:
     name: build-push
 ```
@@ -232,7 +232,7 @@ spec:
      name: demo-pipeline
      namespace: default
    spec:
-     serviceAccount: build-bot
+     serviceAccountName: build-bot
      pipelineRef:
        name: demo-pipeline
    ```
@@ -283,7 +283,7 @@ addition to the one described above.
    metadata:
      name: build-with-basic-auth
    spec:
-     serviceAccount: build-bot
+     serviceAccountName: build-bot
      steps:
      ...
    ```

docs/pipelineruns.md

@@ -38,11 +38,11 @@ following fields:
 
   - [`resources`](#resources) - Specifies which
     [`PipelineResources`](resources.md) to use for this `PipelineRun`.
-  - [`serviceAccount`](#service-account) - Specifies a `ServiceAccount` resource
+  - [`serviceAccountName`](#service-account) - Specifies a `ServiceAccount` resource
     object that enables your build to run with the defined authentication
     information. When a `ServiceAccount` isn't specified, the `default-service-account`
     specified in the configmap - config-defaults will be applied.
-  - [`serviceAccounts`](#service-accounts) - Specifies a list of `ServiceAccount`
+  - [`serviceAccountNames`](#service-accounts) - Specifies a list of `ServiceAccountName`
     and `PipelineTask` pairs that enable you to overwrite `ServiceAccount` for concrete `PipelineTask`.
   - [`timeout`] - Specifies timeout after which the `PipelineRun` will fail. If the value of
     `timeout` is empty, the default timeout will be applied. If the value is set to 0,
@@ -159,8 +159,8 @@ spec:
 ### Service Account
 
 Specifies the `name` of a `ServiceAccount` resource object. Use the
-`serviceAccount` field to run your `Pipeline` with the privileges of the
-specified service account. If no `serviceAccount` field is specified, your
+`serviceAccountName` field to run your `Pipeline` with the privileges of the
+specified service account. If no `serviceAccountName` field is specified, your
 resulting `TaskRuns` run using the service account specified in the ConfigMap
 `configmap-defaults` which if absent will default to
 [`default` service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server)
@@ -172,16 +172,16 @@ For examples and more information about specifying service accounts, see the
 
 ### Service Accounts
 
-Specifies the list of `ServiceAccount` and `PipelineTask` pairs. Specified
+Specifies the list of `ServiceAccountName` and `PipelineTask` pairs. Specified
 `PipelineTask` will be run with configured `ServiceAccount`,
-overwriting [`serviceAccount`](#service-account) configuration, for example:
+overwriting [`serviceAccountName`](#service-account) configuration, for example:
 
 ```yaml
 spec:
-  serviceAccount: sa-1
-  serviceAccounts:
+  serviceAccountName: sa-1
+  serviceAccountNames:
     - taskName: build-task
-      serviceAccount: sa-for-build
+      serviceAccountName: sa-for-build
 ```
 If used with this `Pipeline`, `test-task` will use the `ServiceAccount` `sa-1`, while `build-task` will use `sa-for-build`.
 

docs/taskruns.md

@@ -44,7 +44,7 @@ following fields:
       the [`Task`](tasks.md) you want to run
 - Optional:
 
-  - [`serviceAccount`](#service-account) - Specifies a `ServiceAccount` resource
+  - [`serviceAccountName`](#service-account) - Specifies a `ServiceAccount` resource
     object that enables your build to run with the defined authentication
     information. When a `ServiceAccount` isn't specified, the `default-service-account`
     specified in the configmap - config-defaults will be applied.
@@ -156,9 +156,9 @@ default, if `default-timeout-minutes` is set to 0.
 ### Service Account
 
 Specifies the `name` of a `ServiceAccount` resource object. Use the
-`serviceAccount` field to run your `Task` with the privileges of the specified
-service account. If no `serviceAccount` field is specified, your `Task` runs
-using the  service account specified in the ConfigMap `configmap-defaults`
+`serviceAccountName` field to run your `Task` with the privileges of the specified
+service account. If no `serviceAccountName` field is specified, your `Task` runs
+using the service account specified in the ConfigMap `configmap-defaults`
 which if absent will default to
 [`default` service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server)
 that is in the [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
@@ -520,7 +520,7 @@ kind: TaskRun
 metadata:
   name: test-task-with-serviceaccount-git-ssh
 spec:
-  serviceAccount: test-task-robot-git-ssh
+  serviceAccountName: test-task-robot-git-ssh
   inputs:
     resources:
       - name: workspace
@@ -532,7 +532,7 @@ spec:
       args: ["-c", "cat README.md"]
 ```
 
-Where `serviceAccount: test-build-robot-git-ssh` references the following
+Where `serviceAccountName: test-build-robot-git-ssh` references the following
 `ServiceAccount`:
 
 ```yaml
@@ -564,8 +564,8 @@ data:
 ```
 
 Specifies the `name` of a `ServiceAccount` resource object. Use the
-`serviceAccount` field to run your `Task` with the privileges of the specified
-service account. If no `serviceAccount` field is specified, your `Task` runs
+`serviceAccountName` field to run your `Task` with the privileges of the specified
+service account. If no `serviceAccountName` field is specified, your `Task` runs
 using the
 [`default` service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server)
 that is in the

pkg/apis/pipeline/v1alpha1/pipelinerun_defaults.go

@@ -44,7 +44,7 @@ func (prs *PipelineRunSpec) SetDefaults(ctx context.Context) {
 	}
 
 	defaultSA := cfg.Defaults.DefaultServiceAccount
-	if prs.ServiceAccount == "" && defaultSA != "" {
-		prs.ServiceAccount = defaultSA
+	if prs.ServiceAccountName == "" && defaultSA != "" {
+		prs.ServiceAccountName = defaultSA
 	}
 }

pkg/apis/pipeline/v1alpha1/pipelinerun_defaults_test.go

@@ -132,9 +132,9 @@ func TestPipelineRunDefaulting(t *testing.T) {
 		},
 		want: &v1alpha1.PipelineRun{
 			Spec: v1alpha1.PipelineRunSpec{
-				PipelineRef:    v1alpha1.PipelineRef{Name: "foo"},
-				Timeout:        &metav1.Duration{Duration: 5 * time.Minute},
-				ServiceAccount: "tekton",
+				PipelineRef:        v1alpha1.PipelineRef{Name: "foo"},
+				Timeout:            &metav1.Duration{Duration: 5 * time.Minute},
+				ServiceAccountName: "tekton",
 			},
 		},
 		wc: func(ctx context.Context) context.Context {

pkg/apis/pipeline/v1alpha1/pipelinerun_types.go

@@ -55,9 +55,15 @@ type PipelineRunSpec struct {
 	// Params is a list of parameter names and values.
 	Params []Param `json:"params,omitempty"`
 	// +optional
-	ServiceAccount string `json:"serviceAccount"`
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+	// DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+	// Deprecated: Use serviceAccountName instead.
 	// +optional
-	ServiceAccounts []PipelineRunSpecServiceAccount `json:"serviceAccounts,omitempty"`
+	DeprecatedServiceAccount string `json:"serviceAccount,omitempty"`
+	// +optional
+	DeprecatedServiceAccounts []DeprecatedPipelineRunSpecServiceAccount `json:"serviceAccounts,omitempty"`
+	// +optional
+	ServiceAccountNames []PipelineRunSpecServiceAccountName `json:"serviceAccountNames,omitempty"`
 	// Deprecation Notice: The field Results will be removed in v0.8.0
 	// and should not be used. Plan to have this field removed before upgradring
 	// to v0.8.0.
@@ -165,10 +171,21 @@ func (pr *PipelineRunStatus) InitializeConditions() {
 	pipelineRunCondSet.Manage(pr).InitializeConditions()
 }
 
-// PipelineRunSpecServiceAccount can be used to configure specific ServiceAccount for a concrete Task
-type PipelineRunSpecServiceAccount struct {
-	TaskName       string `json:"taskName,omitempty"`
-	ServiceAccount string `json:"serviceAccount,omitempty"`
+// DeprecatedPipelineRunSpecServiceAccount can be used to configure specific
+// ServiceAccount for a concrete Task
+// Deprecated: Use pipelineRunSpecServiceAccountName instead.
+type DeprecatedPipelineRunSpecServiceAccount struct {
+	TaskName string `json:"taskName,omitempty"`
+	// DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+	// Deprecated: Use serviceAccountName instead.
+	DeprecatedServiceAccount string `json:"serviceAccount,omitempty"`
+}
+
+// PipelineRunSpecServiceAccountName can be used to configure specific
+// ServiceAccountName for a concrete Task
+type PipelineRunSpecServiceAccountName struct {
+	TaskName           string `json:"taskName,omitempty"`
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // SetCondition sets the condition, unsetting previous conditions with the same
@@ -272,3 +289,23 @@ func (pr *PipelineRun) IsTimedOut() bool {
 	}
 	return false
 }
+
+// GetServiceAccountName returns the service account name for a given
+// PipelineTask if configured, otherwise it returns the PipelineRun's serviceAccountName.
+func (pr *PipelineRun) GetServiceAccountName(pipelineTaskName string) string {
+	serviceAccountName := pr.Spec.ServiceAccountName
+	if serviceAccountName == "" {
+		serviceAccountName = pr.Spec.DeprecatedServiceAccount
+	}
+	for _, sa := range pr.Spec.DeprecatedServiceAccounts {
+		if sa.TaskName == pipelineTaskName {
+			serviceAccountName = sa.DeprecatedServiceAccount
+		}
+	}
+	for _, sa := range pr.Spec.ServiceAccountNames {
+		if sa.TaskName == pipelineTaskName {
+			serviceAccountName = sa.ServiceAccountName
+		}
+	}
+	return serviceAccountName
+}

pkg/apis/pipeline/v1alpha1/pipelinerun_types_test.go

@@ -217,3 +217,57 @@ func TestPipelineRunHasTimedOut(t *testing.T) {
 		})
 	}
 }
+
+func TestPipelineRunGetServiceAccountName(t *testing.T) {
+	for _, tt := range []struct {
+		name    string
+		pr      *v1alpha1.PipelineRun
+		saNames map[string]string
+	}{
+		{
+			"default SA",
+			tb.PipelineRun("pr", "ns",
+				tb.PipelineRunSpec("prs",
+					tb.PipelineRunServiceAccountName("defaultSA"),
+					tb.PipelineRunServiceAccountNameTask("taskName", "taskSA"))),
+			map[string]string{
+				"unknown":  "defaultSA",
+				"taskName": "taskSA",
+			},
+		},
+		{
+			"deprecated default SA",
+			tb.PipelineRun("pr", "ns",
+				tb.PipelineRunSpec("prs",
+					tb.PipelineRunDeprecatedServiceAccountName("", "deprecatedSA"),
+					tb.PipelineRunDeprecatedServiceAccountTask("taskName", "deprecatedTaskSA"))),
+			map[string]string{
+				"unknown":  "deprecatedSA",
+				"taskName": "deprecatedTaskSA",
+			},
+		},
+		{
+			"mixed default SA",
+			tb.PipelineRun("defaultSA", "defaultSA",
+				tb.PipelineRunSpec("defaultSA",
+					tb.PipelineRunDeprecatedServiceAccountName("defaultSA", "deprecatedSA"),
+					tb.PipelineRunServiceAccountNameTask("task1", "task1SA"),
+					tb.PipelineRunServiceAccountNameTask("task2", "task2SA"),
+					tb.PipelineRunDeprecatedServiceAccountTask("deprecatedTask3", "deprecatedTask3SA"),
+					tb.PipelineRunDeprecatedServiceAccountTask("task2", "deprecated"))),
+			map[string]string{
+				"unknown":         "defaultSA",
+				"task1":           "task1SA",
+				"task2":           "task2SA",
+				"deprecatedTask3": "deprecatedTask3SA",
+			},
+		},
+	} {
+		for taskName, expected := range tt.saNames {
+			sa := tt.pr.GetServiceAccountName(taskName)
+			if expected != sa {
+				t.Errorf("%s: wrong service account: got: %v, want: %v", tt.name, sa, expected)
+			}
+		}
+	}
+}

pkg/apis/pipeline/v1alpha1/pipelinerun_validation_test.go

@@ -60,7 +60,7 @@ func TestPipelineRun_Invalidate(t *testing.T) {
 					Name: "pipelinelineName",
 				},
 				Spec: v1alpha1.PipelineRunSpec{
-					ServiceAccount: "foo",
+					ServiceAccountName: "foo",
 				},
 			},
 			want: apis.ErrMissingField("spec.pipelineRef.name, spec.pipelineSpec"),

pkg/apis/pipeline/v1alpha1/taskrun_defaults.go

@@ -48,7 +48,7 @@ func (trs *TaskRunSpec) SetDefaults(ctx context.Context) {
 	}
 
 	defaultSA := cfg.Defaults.DefaultServiceAccount
-	if trs.ServiceAccount == "" && defaultSA != "" {
-		trs.ServiceAccount = defaultSA
+	if trs.ServiceAccountName == "" && defaultSA != "" {
+		trs.ServiceAccountName = defaultSA
 	}
 }

pkg/apis/pipeline/v1alpha1/taskrun_defaults_test.go

@@ -155,9 +155,9 @@ func TestTaskRunDefaulting(t *testing.T) {
 		},
 		want: &v1alpha1.TaskRun{
 			Spec: v1alpha1.TaskRunSpec{
-				TaskRef:        &v1alpha1.TaskRef{Name: "foo", Kind: v1alpha1.NamespacedTaskKind},
-				Timeout:        &metav1.Duration{Duration: 5 * time.Minute},
-				ServiceAccount: "tekton",
+				TaskRef:            &v1alpha1.TaskRef{Name: "foo", Kind: v1alpha1.NamespacedTaskKind},
+				Timeout:            &metav1.Duration{Duration: 5 * time.Minute},
+				ServiceAccountName: "tekton",
 			},
 		},
 		wc: func(ctx context.Context) context.Context {

pkg/apis/pipeline/v1alpha1/taskrun_types.go

@@ -42,7 +42,11 @@ type TaskRunSpec struct {
 	// +optional
 	Results *Results `json:"results,omitempty"`
 	// +optional
-	ServiceAccount string `json:"serviceAccount,omitempty"`
+	ServiceAccountName string `json:"serviceAccountName"`
+	// DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+	// Deprecated: Use serviceAccountName instead.
+	// +optional
+	DeprecatedServiceAccount string `json:"serviceAccount,omitempty"`
 	// no more than one of the TaskRef and TaskSpec may be specified.
 	// +optional
 	TaskRef *TaskRef `json:"taskRef,omitempty"`
@@ -290,3 +294,11 @@ func (tr *TaskRun) GetRunKey() string {
 	// The address of the pointer is a threadsafe unique identifier for the taskrun
 	return fmt.Sprintf("%s/%p", "TaskRun", tr)
 }
+
+func (tr *TaskRun) GetServiceAccountName() string {
+	name := tr.Spec.ServiceAccountName
+	if name == "" {
+		name = tr.Spec.DeprecatedServiceAccount
+	}
+	return name
+}

pkg/apis/pipeline/v1alpha1/taskrun_types_test.go

@@ -152,3 +152,30 @@ func TestTaskRunHasStarted(t *testing.T) {
 		})
 	}
 }
+
+func TestTaskRunGetServiceAccountName(t *testing.T) {
+	for _, tt := range []struct {
+		name       string
+		tr         *v1alpha1.TaskRun
+		expectedSA string
+	}{{
+		"service account",
+		tb.TaskRun("name", "ns", tb.TaskRunSpec(tb.TaskRunServiceAccountName("defaultSA"))),
+		"defaultSA",
+	},
+		{
+			"deprecated SA",
+			tb.TaskRun("name", "ns", tb.TaskRunSpec(tb.TaskRunDeprecatedServiceAccount("", "deprecatedSA"))),
+			"deprecatedSA",
+		},
+		{
+			"both SA",
+			tb.TaskRun("name", "ns", tb.TaskRunSpec(tb.TaskRunDeprecatedServiceAccount("defaultSA", "deprecatedSA"))),
+			"defaultSA",
+		},
+	} {
+		if e, a := tt.expectedSA, tt.tr.GetServiceAccountName(); e != a {
+			t.Errorf("%s: wrong service account name: got: %q want: %q", tt.name, a, e)
+		}
+	}
+}