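package bannerctl

import (
	"fmt"

	bannerAPI "edge-infra.dev/pkg/edge/apis/banner/v1alpha1"
	"edge-infra.dev/pkg/k8s/konfigkonnector/apis/meta"
	"edge-infra.dev/pkg/lib/gcp/iam"
	"edge-infra.dev/pkg/lib/gcp/iam/roles"
	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/iam/v1beta1"
	k8sAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/k8s/v1alpha1"
	resourceAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/resourcemanager/v1beta1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"sigs.k8s.io/controller-runtime/pkg/client"
)

// clusterCtlNamespace is passed to iam.WorkloadIdentityMember both as the
// namespace and as the following argument (presumably the Kubernetes service
// account name — confirm against the iam package).
var clusterCtlNamespace = "clusterctl"

// createClusterControllerSAResources returns every Config Connector object
// needed for the cluster controller's GCP service account: the
// IAMServiceAccount itself, followed by the IAMPolicyMembers that bind roles
// to it. Order is preserved so the SA precedes its bindings.
func (r *BannerReconciler) createClusterControllerSAResources(b *bannerAPI.Banner, clusterCtlSAName string) []client.Object {
	members := r.createClusterControllerIAMMembers(b, clusterCtlSAName)
	// One slot for the service account plus one per policy member; the typed
	// member slice cannot be appended to []client.Object directly.
	objs := make([]client.Object, 0, 1+len(members))
	objs = append(objs, r.createClusterControllerIAMSA(b, clusterCtlSAName))
	for _, m := range members {
		objs = append(objs, m)
	}
	return objs
}

// clusterCtlObjectMeta builds the ObjectMeta shared by every object created in
// this file: named name, placed in the banner's namespace (b.Name), carrying
// the owner references from r.ownerRef(b), and annotated with the abandon
// deletion policy.
func (r *BannerReconciler) clusterCtlObjectMeta(b *bannerAPI.Banner, name string) metav1.ObjectMeta {
	return metav1.ObjectMeta{
		Name:      name,
		Namespace: b.Name,
		// NOTE(review): the abandon deletion policy presumably leaves the GCP
		// resource (service account / IAM binding) in place when the Kubernetes
		// object goes away, so removing a Banner does not revoke these grants on
		// its own — confirm against the meta package and plan cleanup accordingly.
		Annotations: map[string]string{
			meta.DeletionPolicyAnnotation: meta.DeletionPolicyAbandon,
		},
		OwnerReferences: r.ownerRef(b),
	}
}

// createClusterControllerIAMSA builds the IAMServiceAccount for the cluster
// controller. The display name is the SA name itself.
func (r *BannerReconciler) createClusterControllerIAMSA(b *bannerAPI.Banner, clusterCtlSAName string) *v1beta1.IAMServiceAccount {
	return &v1beta1.IAMServiceAccount{
		TypeMeta:   gvkToTypeMeta(v1beta1.IAMServiceAccountGVK),
		ObjectMeta: r.clusterCtlObjectMeta(b, clusterCtlSAName),
		Spec: v1beta1.IAMServiceAccountSpec{
			DisplayName: &clusterCtlSAName,
		},
	}
}

// projectIAMMember builds an IAMPolicyMember that binds member to role on the
// banner's GCP project (b.Spec.GCP.ProjectID). Because the ResourceRef is the
// project itself, whatever the role permits applies project-wide.
func (r *BannerReconciler) projectIAMMember(b *bannerAPI.Banner, typeMeta metav1.TypeMeta, name string, member *string, role string) *v1beta1.IAMPolicyMember {
	return &v1beta1.IAMPolicyMember{
		TypeMeta:   typeMeta,
		ObjectMeta: r.clusterCtlObjectMeta(b, name),
		Spec: v1beta1.IAMPolicyMemberSpec{
			Member: member,
			ResourceRef: k8sAPI.IAMResourceRef{
				APIVersion: resourceAPI.SchemeGroupVersion.String(),
				Kind:       resourceAPI.ProjectGVK.Kind,
				External:   b.Spec.GCP.ProjectID,
			},
			Role: role,
		},
	}
}

// createClusterControllerIAMMembers returns the three role bindings for the
// cluster controller SA, in this order:
//   - roles.SecretAdmin on the project,
//   - roles.GKEAdmin on the project,
//   - roles.WorkloadIdentityUser on the IAMServiceAccount itself, granted to
//     the workload identity member for clusterCtlNamespace.
//
// The first two are project-scoped grants; review them against least
// privilege when the banner's project hosts resources beyond this controller.
func (r *BannerReconciler) createClusterControllerIAMMembers(b *bannerAPI.Banner, clusterCtlSAName string) []*v1beta1.IAMPolicyMember {
	memberGVK := gvkToTypeMeta(v1beta1.IAMPolicyMemberGVK)

	// Both project bindings share one member string: the SA's own principal.
	policyMember := iam.StandardSvcAccountMember(clusterCtlSAName, b.Spec.GCP.ProjectID)
	secretManagerAdmin := r.projectIAMMember(b, memberGVK, fmt.Sprintf("%s-secretadmin", clusterCtlSAName), &policyMember, roles.SecretAdmin)
	containerAdmin := r.projectIAMMember(b, memberGVK, fmt.Sprintf("%s-gke-admin", clusterCtlSAName), &policyMember, roles.GKEAdmin)

	// The workload identity binding is scoped to the IAMServiceAccount (by its
	// Kubernetes name) rather than to the project, allowing the clusterctl
	// workload identity member to act as that SA.
	wiMember := iam.WorkloadIdentityMember(b.Spec.GCP.ProjectID, clusterCtlNamespace, clusterCtlNamespace)
	wiUser := &v1beta1.IAMPolicyMember{
		TypeMeta:   memberGVK,
		ObjectMeta: r.clusterCtlObjectMeta(b, fmt.Sprintf("%s-workload-identity-user", clusterCtlSAName)),
		Spec: v1beta1.IAMPolicyMemberSpec{
			Member: &wiMember,
			ResourceRef: k8sAPI.IAMResourceRef{
				APIVersion: v1beta1.SchemeGroupVersion.String(),
				Kind:       v1beta1.IAMServiceAccountGVK.Kind,
				Name:       clusterCtlSAName,
			},
			Role: roles.WorkloadIdentityUser,
		},
	}

	return []*v1beta1.IAMPolicyMember{secretManagerAdmin, containerAdmin, wiUser}
}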