From 94049e66fb887ad6cc34aebfcfbfef922353cee7 Mon Sep 17 00:00:00 2001
From: Michal Kuratczyk
Date: Mon, 5 May 2025 17:08:21 +0200
Subject: [PATCH 1/2] Remove serviceaccount permissions Not needed since k8s peer discovery doesn't call the Kubernetes API
---
 config/rbac/role.yaml | 1 -
 controllers/rabbitmqcluster_controller.go | 1 -
 internal/resource/statefulset.go | 1 -
 internal/resource/statefulset_test.go | 2 +-
 4 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 837112d85..7e8a6ed60 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -18,7 +18,6 @@ rules:
 - configmaps
 - persistentvolumeclaims
 - secrets
- - serviceaccounts
 - services
 verbs:
 - create
diff --git a/controllers/rabbitmqcluster_controller.go b/controllers/rabbitmqcluster_controller.go
index 71498ca54..44feda418 100644
--- a/controllers/rabbitmqcluster_controller.go
+++ b/controllers/rabbitmqcluster_controller.go
@@ -85,7 +85,6 @@ type RabbitmqClusterReconciler struct {
 // +kubebuilder:rbac:groups=rabbitmq.com,resources=rabbitmqclusters/status,verbs=get;update
 // +kubebuilder:rbac:groups=rabbitmq.com,resources=rabbitmqclusters/finalizers,verbs=update
 // +kubebuilder:rbac:groups="",resources=events,verbs=get;create;patch
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
index 1159a2a10..ec280b21d 100644
--- a/internal/resource/statefulset.go
+++ b/internal/resource/statefulset.go
@@ -574,7 +574,6 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 },
 ImagePullSecrets: builder.Instance.Spec.ImagePullSecrets,
 TerminationGracePeriodSeconds: builder.Instance.Spec.TerminationGracePeriodSeconds,
- ServiceAccountName: builder.Instance.ChildResourceName(serviceAccountName),
 AutomountServiceAccountToken: ptr.To(true),
 Affinity: builder.Instance.Spec.Affinity,
 Tolerations: builder.Instance.Spec.Tolerations,
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
index 6c55610ad..901c21ca3 100644
--- a/internal/resource/statefulset_test.go
+++ b/internal/resource/statefulset_test.go
@@ -1340,7 +1340,7 @@ default_pass = {{ .Data.data.password }}
 stsBuilder := builder.StatefulSet()
 Expect(stsBuilder.Update(statefulSet)).To(Succeed())
- Expect(statefulSet.Spec.Template.Spec.ServiceAccountName).To(Equal(instance.ChildResourceName("server")))
+ Expect(statefulSet.Spec.Template.Spec.ServiceAccountName).To(BeEmpty())
 })
 It("mounts the service account in its pods", func() {
From e350a5f62e3cb8621b26511c87d6604789f88c3d Mon Sep 17 00:00:00 2001
From: Michal Kuratczyk
Date: Mon, 5 May 2025 17:25:16 +0200
Subject: [PATCH 2/2] Remove old k8s peer discovery settings
---
 docs/examples/ipv6/rabbitmq.yaml | 2 --
 internal/resource/configmap.go | 4 +---
 internal/resource/configmap_test.go | 2 --
 3 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/docs/examples/ipv6/rabbitmq.yaml b/docs/examples/ipv6/rabbitmq.yaml
index 0cef3326e..e82c49962 100644
--- a/docs/examples/ipv6/rabbitmq.yaml
+++ b/docs/examples/ipv6/rabbitmq.yaml
@@ -12,8 +12,6 @@ spec:
 envConfig: |
 SERVER_ADDITIONAL_ERL_ARGS="-kernel inetrc '/etc/rabbitmq/erl_inetrc' -proto_dist inet6_tcp"
 RABBITMQ_CTL_ERL_ARGS="-proto_dist inet6_tcp"
- additionalConfig: |
- cluster_formation.k8s.host = kubernetes.default.svc.cluster.local
 replicas: 1
 service:
 ipFamilyPolicy: "PreferDualStack"
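Review bot: In internal/resource/statefulset.go the pod spec loses `ServiceAccountName` but the unchanged next line still sets `AutomountServiceAccountToken: ptr.To(true)`, so the pods now run as the namespace's `default` service account with its token mounted. That identity is shared with every other pod in the namespace that names no service account, so any RBAC bound to `default` becomes usable from inside the broker containers. If nothing in the pod needs the token, as the commit message implies, change the line to `AutomountServiceAccountToken: ptr.To(false)` and adjust the "mounts the service account in its pods" spec that follows the changed expectation in statefulset_test.go; if something does (the secret-template text in the test hunk header hints at an integration that may authenticate as the pod), keep a dedicated service account instead. podTemplateSpec starts and ends outside the hunk, and whether the operator still creates a per-cluster ServiceAccount, which the `serviceaccounts` rule removed from role.yaml would no longer permit, is not visible here.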
diff --git a/internal/resource/configmap.go b/internal/resource/configmap.go
index 710e7f5dd..5326abce9 100644
--- a/internal/resource/configmap.go
+++ b/internal/resource/configmap.go
@@ -32,9 +32,7 @@ const (
 queue_master_locator = min-masters
 disk_free_limit.absolute = 2GB
 cluster_partition_handling = pause_minority
-cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
-cluster_formation.k8s.host = kubernetes.default
-cluster_formation.k8s.address_type = hostname`
+cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s`
 defaultTLSConf = `
 ssl_options.certfile = /etc/rabbitmq-tls/tls.crt
diff --git a/internal/resource/configmap_test.go b/internal/resource/configmap_test.go
index dffc2edec..43b417352 100644
--- a/internal/resource/configmap_test.go
+++ b/internal/resource/configmap_test.go
@@ -33,8 +33,6 @@ queue_master_locator = min-masters
 disk_free_limit.absolute = 2GB
 cluster_partition_handling = pause_minority
 cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
-cluster_formation.k8s.host = kubernetes.default
-cluster_formation.k8s.address_type = hostname
 cluster_formation.target_cluster_size_hint = 1
 cluster_name = ` + instanceName + `
 auth_mechanisms.1 = PLAIN
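Review bot: In internal/resource/configmap.go the default config keeps `cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s` but no longer sets `cluster_formation.k8s.host` or `cluster_formation.k8s.address_type`, and nothing visible records which server images that is safe for. The commit messages imply the backend no longer queries the Kubernetes API; an image that ships the older backend would presumably fall back to its own defaults for both keys and, combined with the service account removal in the first patch, may fail to form a cluster. A comment above the const block, which starts outside the hunk, would make the assumption explicit, for example `// Defaults assume a rabbit_peer_discovery_k8s backend that does not query the Kubernetes API.`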