1 package bannerctl
2
3 import (
4 "fmt"
5
6 bannerAPI "edge-infra.dev/pkg/edge/apis/banner/v1alpha1"
7 "edge-infra.dev/pkg/k8s/konfigkonnector/apis/meta"
8 "edge-infra.dev/pkg/lib/gcp/iam"
9 "edge-infra.dev/pkg/lib/gcp/iam/roles"
10
11 "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/iam/v1beta1"
12 k8sAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/k8s/v1alpha1"
13 resourceAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/resourcemanager/v1beta1"
14
15 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
16
17 "sigs.k8s.io/controller-runtime/pkg/client"
18 )
19
// syncedObjectCtlNamespace is the Kubernetes namespace of the syncedobjectctl
// workload. It is passed twice to iam.WorkloadIdentityMember below, i.e. it is
// also used as the Kubernetes service-account identifier for the workload
// identity binding — change it with care, since it shapes an IAM principal.
var syncedObjectCtlNamespace = "syncedobjectctl"
21
// createSyncedObjectCtlSAResources returns every Kubernetes object needed for
// the syncedobjectctl Google service account: the IAMServiceAccount itself
// followed by its IAM policy bindings, in that order, as generic client.Objects
// so the caller can apply them uniformly.
func (r *BannerReconciler) createSyncedObjectCtlSAResources(b *bannerAPI.Banner, syncedObjectCtlSAName string) []client.Object {
	members := r.createSyncedObjectCtlIAMMembers(b, syncedObjectCtlSAName)

	// One slot for the service account plus one per policy member.
	objs := make([]client.Object, 0, 1+len(members))
	objs = append(objs, r.createSyncedObjectCtlIAMSA(b, syncedObjectCtlSAName))
	// The members slice is []*IAMPolicyMember, so it cannot be appended with
	// "members..."; convert element by element.
	for i := range members {
		objs = append(objs, members[i])
	}
	return objs
}
30
// createSyncedObjectCtlIAMSA builds the IAMServiceAccount manifest for the
// syncedobjectctl workload. The object lives in the banner's namespace, is
// owned by the banner, and carries the abandon deletion policy
// (meta.DeletionPolicyAbandon) — presumably so the underlying GCP service
// account is left in place when the Kubernetes object goes away; confirm
// against the meta package, since abandoned service accounts keep whatever
// IAM bindings they hold and need separate cleanup.
func (r *BannerReconciler) createSyncedObjectCtlIAMSA(b *bannerAPI.Banner, syncedObjectCtlSAName string) *v1beta1.IAMServiceAccount {
	sa := &v1beta1.IAMServiceAccount{
		TypeMeta: gvkToTypeMeta(v1beta1.IAMServiceAccountGVK),
	}

	sa.ObjectMeta = metav1.ObjectMeta{
		Name:      syncedObjectCtlSAName,
		Namespace: b.Name,
		Annotations: map[string]string{
			meta.DeletionPolicyAnnotation: meta.DeletionPolicyAbandon,
		},
		OwnerReferences: r.ownerRef(b),
	}

	// The display name mirrors the resource name; the spec wants a pointer.
	sa.Spec.DisplayName = &syncedObjectCtlSAName

	return sa
}
48
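// createSyncedObjectCtlIAMMembers builds the IAM policy bindings for the
// syncedobjectctl Google service account:
//
//   - roles.PubsubPublisher and roles.PubsubSubscriber on the foreman project
//     (r.ForemanProjectID), granted to the service account that lives in the
//     banner project (b.Spec.GCP.ProjectID). This is a cross-project grant at
//     project scope. NOTE(review): if the workload only touches a fixed set of
//     topics/subscriptions, bindings scoped to those resources would be
//     narrower than project-wide pubsub roles — confirm project scope is
//     actually required.
//   - roles.WorkloadIdentityUser on the service account itself, for the member
//     built by iam.WorkloadIdentityMember from the banner project and
//     syncedObjectCtlNamespace (used for both of its remaining arguments).
//
// Every object is placed in the banner's namespace, owned by the banner and
// annotated with meta.DeletionPolicyAbandon. The shared construction lives in
// syncedObjectCtlPolicyMember so the three bindings cannot drift apart.
func (r *BannerReconciler) createSyncedObjectCtlIAMMembers(b *bannerAPI.Banner, syncedObjectCtlSAName string) []*v1beta1.IAMPolicyMember {
	policyMember := iam.StandardSvcAccountMember(syncedObjectCtlSAName, b.Spec.GCP.ProjectID)

	// The pubsub roles are bound on the foreman project, not on the banner's
	// own project where the service account is created.
	foremanProjectRef := k8sAPI.IAMResourceRef{
		APIVersion: resourceAPI.SchemeGroupVersion.String(),
		Kind:       resourceAPI.ProjectGVK.Kind,
		External:   r.ForemanProjectID,
	}
	pubsubPublisher := r.syncedObjectCtlPolicyMember(b,
		fmt.Sprintf("%s-pubsub-publisher", syncedObjectCtlSAName),
		&policyMember, foremanProjectRef, roles.PubsubPublisher)
	pubsubSubscriber := r.syncedObjectCtlPolicyMember(b,
		fmt.Sprintf("%s-pubsub-subscriber", syncedObjectCtlSAName),
		&policyMember, foremanProjectRef, roles.PubsubSubscriber)

	// Workload identity: the binding targets the IAMServiceAccount object
	// created alongside these members (referenced by name, same namespace).
	wiMember := iam.WorkloadIdentityMember(b.Spec.GCP.ProjectID, syncedObjectCtlNamespace, syncedObjectCtlNamespace)
	saRef := k8sAPI.IAMResourceRef{
		APIVersion: v1beta1.SchemeGroupVersion.String(),
		Kind:       v1beta1.IAMServiceAccountGVK.Kind,
		Name:       syncedObjectCtlSAName,
	}
	wiUser := r.syncedObjectCtlPolicyMember(b,
		fmt.Sprintf("%s-workload-identity-user", syncedObjectCtlSAName),
		&wiMember, saRef, roles.WorkloadIdentityUser)

	return []*v1beta1.IAMPolicyMember{pubsubPublisher, pubsubSubscriber, wiUser}
}

// syncedObjectCtlPolicyMember builds one IAMPolicyMember for the banner b:
// named name in the banner's namespace, owned by the banner, annotated with
// meta.DeletionPolicyAbandon, and binding role to member on the resource ref.
// member is a pointer because the IAMPolicyMemberSpec field is *string.
func (r *BannerReconciler) syncedObjectCtlPolicyMember(b *bannerAPI.Banner, name string, member *string, ref k8sAPI.IAMResourceRef, role string) *v1beta1.IAMPolicyMember {
	return &v1beta1.IAMPolicyMember{
		TypeMeta: gvkToTypeMeta(v1beta1.IAMPolicyMemberGVK),
		ObjectMeta: metav1.ObjectMeta{
			Name:      name,
			Namespace: b.Name,
			Annotations: map[string]string{
				meta.DeletionPolicyAnnotation: meta.DeletionPolicyAbandon,
			},
			OwnerReferences: r.ownerRef(b),
		},
		Spec: v1beta1.IAMPolicyMemberSpec{
			Member:      member,
			ResourceRef: ref,
			Role:        role,
		},
	}
}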
119