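package bannerctl

import (
	"fmt"

	bannerAPI "edge-infra.dev/pkg/edge/apis/banner/v1alpha1"
	"edge-infra.dev/pkg/k8s/konfigkonnector/apis/meta"
	"edge-infra.dev/pkg/lib/gcp/iam"
	"edge-infra.dev/pkg/lib/gcp/iam/roles"
	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/iam/v1beta1"
	k8sAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/k8s/v1alpha1"
	resourceAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/resourcemanager/v1beta1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"sigs.k8s.io/controller-runtime/pkg/client"
)

// syncedObjectCtlNamespace is used both as the Kubernetes namespace and as the
// Kubernetes service account name passed to iam.WorkloadIdentityMember below,
// i.e. it identifies the single in-cluster identity that is allowed to act as
// the syncedobjectctl GCP service account.
var syncedObjectCtlNamespace = "syncedobjectctl"

// createSyncedObjectCtlSAResources returns the Config Connector objects that
// provision the syncedobjectctl GCP service account for banner b and the IAM
// bindings it needs. The IAMServiceAccount comes first, followed by the
// IAMPolicyMembers in the order returned by createSyncedObjectCtlIAMMembers.
//
// syncedObjectCtlSAName names the IAMServiceAccount object and is the prefix
// of every derived IAMPolicyMember object name.
func (r *BannerReconciler) createSyncedObjectCtlSAResources(b *bannerAPI.Banner, syncedObjectCtlSAName string) []client.Object {
	sa := r.createSyncedObjectCtlIAMSA(b, syncedObjectCtlSAName)
	members := r.createSyncedObjectCtlIAMMembers(b, syncedObjectCtlSAName)

	objs := make([]client.Object, 0, 1+len(members))
	objs = append(objs, sa)
	for _, m := range members {
		objs = append(objs, m)
	}
	return objs
}

// syncedObjectCtlObjectMeta builds the ObjectMeta shared by every
// syncedobjectctl Config Connector object: it is placed in the namespace named
// after the banner (b.Name), owned by the Banner, and annotated with the
// "abandon" deletion policy.
//
// Security note: "abandon" means that deleting the Kubernetes object (or the
// owning Banner) does NOT delete the GCP service account or the IAM bindings
// it created. Decommissioning a banner therefore leaves a live, unmanaged
// identity with Pub/Sub access in the foreman project unless it is cleaned
// up in GCP separately.
func (r *BannerReconciler) syncedObjectCtlObjectMeta(b *bannerAPI.Banner, name string) metav1.ObjectMeta {
	return metav1.ObjectMeta{
		Name:      name,
		Namespace: b.Name,
		Annotations: map[string]string{
			meta.DeletionPolicyAnnotation: meta.DeletionPolicyAbandon,
		},
		OwnerReferences: r.ownerRef(b),
	}
}

// createSyncedObjectCtlIAMSA builds the IAMServiceAccount for the
// syncedobjectctl workload. Only the display name is set in the spec. This
// file creates no IAMServiceAccountKey for it: the workload is expected to
// reach the account through the Workload Identity binding produced by
// createSyncedObjectCtlIAMMembers rather than through a downloadable key.
func (r *BannerReconciler) createSyncedObjectCtlIAMSA(b *bannerAPI.Banner, syncedObjectCtlSAName string) *v1beta1.IAMServiceAccount {
	// Copy so the spec does not hold a pointer into the caller's argument.
	displayName := syncedObjectCtlSAName
	return &v1beta1.IAMServiceAccount{
		TypeMeta:   gvkToTypeMeta(v1beta1.IAMServiceAccountGVK),
		ObjectMeta: r.syncedObjectCtlObjectMeta(b, syncedObjectCtlSAName),
		Spec: v1beta1.IAMServiceAccountSpec{
			DisplayName: &displayName,
		},
	}
}

// syncedObjectCtlPolicyMember builds one IAMPolicyMember object named
// "<syncedObjectCtlSAName>-<suffix>" that grants role to member on the
// resource identified by ref.
func (r *BannerReconciler) syncedObjectCtlPolicyMember(b *bannerAPI.Banner, syncedObjectCtlSAName, suffix, member string, ref k8sAPI.IAMResourceRef, role string) *v1beta1.IAMPolicyMember {
	return &v1beta1.IAMPolicyMember{
		TypeMeta:   gvkToTypeMeta(v1beta1.IAMPolicyMemberGVK),
		ObjectMeta: r.syncedObjectCtlObjectMeta(b, fmt.Sprintf("%s-%s", syncedObjectCtlSAName, suffix)),
		Spec: v1beta1.IAMPolicyMemberSpec{
			Member:      &member,
			ResourceRef: ref,
			Role:        role,
		},
	}
}

// createSyncedObjectCtlIAMMembers returns the three IAM bindings for the
// syncedobjectctl service account, in this order:
//
//  1. roles.PubsubPublisher on the foreman project (r.ForemanProjectID)
//  2. roles.PubsubSubscriber on the foreman project
//  3. roles.WorkloadIdentityUser on the service account itself
//
// The first two are cross-project grants: the service account is built from
// the banner's own project (b.Spec.GCP.ProjectID), but the roles are bound on
// the foreman project. They are also bound at PROJECT scope, so the account
// can publish to and pull from every topic and subscription in the foreman
// project, not only the ones syncedobjectctl uses.
// NOTE(review): least privilege would bind these on the specific topic /
// subscription resources instead; the topic names are not visible here, so
// confirm with the Pub/Sub resources before tightening.
//
// The third binding is what lets an in-cluster workload act as this account
// without a key. iam.WorkloadIdentityMember is called with the banner project
// and syncedObjectCtlNamespace for both the namespace and the Kubernetes
// service account, so — presumably — only that one KSA in that one namespace
// of the banner project's identity pool is granted impersonation; verify the
// member string format against iam.WorkloadIdentityMember.
func (r *BannerReconciler) createSyncedObjectCtlIAMMembers(b *bannerAPI.Banner, syncedObjectCtlSAName string) []*v1beta1.IAMPolicyMember {
	// Principal for the GCP service account in the banner project.
	saMember := iam.StandardSvcAccountMember(syncedObjectCtlSAName, b.Spec.GCP.ProjectID)
	// Principal for the Kubernetes service account that may impersonate it.
	wiMember := iam.WorkloadIdentityMember(b.Spec.GCP.ProjectID, syncedObjectCtlNamespace, syncedObjectCtlNamespace)

	// Target of the Pub/Sub grants: the foreman project, referenced by its
	// external project ID rather than a same-cluster Config Connector object.
	foremanProjectRef := k8sAPI.IAMResourceRef{
		APIVersion: resourceAPI.SchemeGroupVersion.String(),
		Kind:       resourceAPI.ProjectGVK.Kind,
		External:   r.ForemanProjectID,
	}
	// Target of the Workload Identity grant: the IAMServiceAccount object
	// created by createSyncedObjectCtlIAMSA, referenced by name.
	saRef := k8sAPI.IAMResourceRef{
		APIVersion: v1beta1.SchemeGroupVersion.String(),
		Kind:       v1beta1.IAMServiceAccountGVK.Kind,
		Name:       syncedObjectCtlSAName,
	}

	return []*v1beta1.IAMPolicyMember{
		r.syncedObjectCtlPolicyMember(b, syncedObjectCtlSAName, "pubsub-publisher", saMember, foremanProjectRef, roles.PubsubPublisher),
		r.syncedObjectCtlPolicyMember(b, syncedObjectCtlSAName, "pubsub-subscriber", saMember, foremanProjectRef, roles.PubsubSubscriber),
		r.syncedObjectCtlPolicyMember(b, syncedObjectCtlSAName, "workload-identity-user", wiMember, saRef, roles.WorkloadIdentityUser),
	}
}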