Per workspace backup SA

A SA is created for every backup workspace to avoid ownership conflict.

Signed-off-by: Ales Raszka <[email protected]>

Author: Allda

controllers/backupcronjob/backupcronjob_controller.go

@@ -347,7 +347,7 @@ func (r *BackupCronJobReconciler) createBackupJob(
 		Spec: batchv1.JobSpec{
 			Template: corev1.PodTemplateSpec{
 				Spec: corev1.PodSpec{
-					ServiceAccountName: JobRunnerSAName,
+					ServiceAccountName: JobRunnerSAName + "-" + workspace.Status.DevWorkspaceId,
 					RestartPolicy:      corev1.RestartPolicyNever,
 					SecurityContext: &corev1.PodSecurityContext{
 						FSGroup: ptr.To[int64](0),

controllers/backupcronjob/rbac.go

@@ -37,7 +37,7 @@ func (r *BackupCronJobReconciler) ensureJobRunnerRBAC(ctx context.Context, works
 	)
 
 	sa := &corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{Name: JobRunnerSAName, Namespace: workspace.Namespace, Labels: map[string]string{
+		ObjectMeta: metav1.ObjectMeta{Name: JobRunnerSAName + "-" + workspace.Status.DevWorkspaceId, Namespace: workspace.Namespace, Labels: map[string]string{
 			constants.DevWorkspaceIDLabel:          workspace.Status.DevWorkspaceId,
 			constants.DevWorkspaceWatchSecretLabel: "true",
 		}},
@@ -47,6 +47,7 @@ func (r *BackupCronJobReconciler) ensureJobRunnerRBAC(ctx context.Context, works
 	if err := controllerutil.SetControllerReference(workspace, sa, r.Scheme); err != nil {
 		return err
 	}
+
 	if _, err := controllerutil.CreateOrUpdate(ctx, r.Client, sa, func() error { return nil }); err != nil {
 		return fmt.Errorf("ensuring ServiceAccount: %w", err)
 	}