1 package bannerctl
2
3 import (
4 "fmt"
5
6 bannerAPI "edge-infra.dev/pkg/edge/apis/banner/v1alpha1"
7 "edge-infra.dev/pkg/k8s/konfigkonnector/apis/meta"
8 "edge-infra.dev/pkg/lib/gcp/iam"
9 "edge-infra.dev/pkg/lib/gcp/iam/roles"
10
11 "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/iam/v1beta1"
12 k8sAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/k8s/v1alpha1"
13 resourceAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/resourcemanager/v1beta1"
14
15 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
16
17 "sigs.k8s.io/controller-runtime/pkg/client"
18 )
19
// clusterCtlNamespace names the cluster controller's Kubernetes namespace. It is
// passed as both remaining arguments to iam.WorkloadIdentityMember below, so it
// presumably doubles as the Kubernetes service account name that is allowed to
// impersonate the controller's Google service account — confirm against that
// helper's parameter order.
var clusterCtlNamespace = "clusterctl"
21
// createClusterControllerSAResources returns every Kubernetes object needed to
// provision the cluster controller's Google service account for banner b: the
// IAMServiceAccount first, followed by its IAMPolicyMember role bindings (which
// include project-scoped admin roles; see createClusterControllerIAMMembers).
func (r *BannerReconciler) createClusterControllerSAResources(b *bannerAPI.Banner, clusterCtlSAName string) []client.Object {
	sa := r.createClusterControllerIAMSA(b, clusterCtlSAName)
	members := r.createClusterControllerIAMMembers(b, clusterCtlSAName)

	// The service account must precede its bindings in the returned list.
	objs := make([]client.Object, 0, 1+len(members))
	objs = append(objs, sa)
	for _, m := range members {
		objs = append(objs, m)
	}
	return objs
}
30
// createClusterControllerIAMSA builds the IAMServiceAccount object for the
// cluster controller's Google service account. The object lives in namespace
// b.Name, is owned by the banner, and uses clusterCtlSAName as both its object
// name and its GCP display name. It is annotated DeletionPolicyAbandon, so (per
// the annotation's name) deleting the Kubernetes object should leave the GCP
// service account in place rather than delete it.
func (r *BannerReconciler) createClusterControllerIAMSA(b *bannerAPI.Banner, clusterCtlSAName string) *v1beta1.IAMServiceAccount {
	sa := &v1beta1.IAMServiceAccount{
		TypeMeta: gvkToTypeMeta(v1beta1.IAMServiceAccountGVK),
	}
	sa.Name = clusterCtlSAName
	sa.Namespace = b.Name
	sa.Annotations = map[string]string{
		meta.DeletionPolicyAnnotation: meta.DeletionPolicyAbandon,
	}
	sa.OwnerReferences = r.ownerRef(b)
	sa.Spec.DisplayName = &clusterCtlSAName
	return sa
}
48
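// createClusterControllerIAMMembers builds the IAM bindings the cluster
// controller's Google service account (clusterCtlSAName in project
// b.Spec.GCP.ProjectID) is granted. Three IAMPolicyMember objects are returned,
// all in namespace b.Name and owned by the banner:
//
//   - "<sa>-secretadmin": roles.SecretAdmin on the project,
//   - "<sa>-gke-admin": roles.GKEAdmin on the project,
//   - "<sa>-workload-identity-user": roles.WorkloadIdentityUser on the service
//     account itself, granted to the Workload Identity principal derived from
//     clusterCtlNamespace (passed as both namespace and KSA name — confirm the
//     argument order of iam.WorkloadIdentityMember), so that Kubernetes
//     workload can impersonate the GSA.
//
// NOTE(review): the first two roles are bound at project scope, and their names
// suggest full admin over Secret Manager and GKE. If that is what they resolve
// to, a compromised clusterctl workload reaches every secret and every cluster
// in the project; once the required permission set is known, prefer narrower
// roles or bindings on the specific resources the controller manages.
//
// Every object carries DeletionPolicyAbandon, so deleting the Banner is not
// expected to revoke the bindings in GCP; removing them is a separate step.
func (r *BannerReconciler) createClusterControllerIAMMembers(b *bannerAPI.Banner, clusterCtlSAName string) []*v1beta1.IAMPolicyMember {
	projectID := b.Spec.GCP.ProjectID
	saMember := iam.StandardSvcAccountMember(clusterCtlSAName, projectID)

	// Both admin bindings target the GCP project itself.
	projectRef := k8sAPI.IAMResourceRef{
		APIVersion: resourceAPI.SchemeGroupVersion.String(),
		Kind:       resourceAPI.ProjectGVK.Kind,
		External:   projectID,
	}
	// The Workload Identity binding targets the IAMServiceAccount object of the
	// same name (created by createClusterControllerIAMSA in this namespace).
	saRef := k8sAPI.IAMResourceRef{
		APIVersion: v1beta1.SchemeGroupVersion.String(),
		Kind:       v1beta1.IAMServiceAccountGVK.Kind,
		Name:       clusterCtlSAName,
	}
	wiMember := iam.WorkloadIdentityMember(projectID, clusterCtlNamespace, clusterCtlNamespace)

	return []*v1beta1.IAMPolicyMember{
		r.newClusterCtlPolicyMember(b, fmt.Sprintf("%s-secretadmin", clusterCtlSAName), saMember, projectRef, roles.SecretAdmin),
		r.newClusterCtlPolicyMember(b, fmt.Sprintf("%s-gke-admin", clusterCtlSAName), saMember, projectRef, roles.GKEAdmin),
		r.newClusterCtlPolicyMember(b, fmt.Sprintf("%s-workload-identity-user", clusterCtlSAName), wiMember, saRef, roles.WorkloadIdentityUser),
	}
}

// newClusterCtlPolicyMember builds a single IAMPolicyMember named name in the
// banner's namespace, granting role to the IAM principal member on the resource
// ref points at. The object is owned by the banner but annotated
// DeletionPolicyAbandon, so (per the annotation's name) deleting it should leave
// the GCP binding in place rather than revoke it.
func (r *BannerReconciler) newClusterCtlPolicyMember(b *bannerAPI.Banner, name, member string, ref k8sAPI.IAMResourceRef, role string) *v1beta1.IAMPolicyMember {
	return &v1beta1.IAMPolicyMember{
		TypeMeta: gvkToTypeMeta(v1beta1.IAMPolicyMemberGVK),
		ObjectMeta: metav1.ObjectMeta{
			Name:      name,
			Namespace: b.Name,
			Annotations: map[string]string{
				meta.DeletionPolicyAnnotation: meta.DeletionPolicyAbandon,
			},
			OwnerReferences: r.ownerRef(b),
		},
		Spec: v1beta1.IAMPolicyMemberSpec{
			Member:      &member,
			ResourceRef: ref,
			Role:        role,
		},
	}
}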
119