Merge pull request #3914 from natasha41575/GkeServiceAccountGenerator

Gke service account generator

Makefile

@@ -131,6 +131,7 @@ pSrc=plugin/builtin
 _builtinplugins = \
  AnnotationsTransformer.go \
  ConfigMapGenerator.go \
+ IAMPolicyGenerator.go \
  HashTransformer.go \
  ImageTagTransformer.go \
  LabelTransformer.go \
@@ -158,6 +159,7 @@ builtinplugins = $(patsubst %,$(pGen)/%,$(_builtinplugins))
 # that file, will be recreated.
 $(pGen)/AnnotationsTransformer.go: $(pSrc)/annotationstransformer/AnnotationsTransformer.go
 $(pGen)/ConfigMapGenerator.go: $(pSrc)/configmapgenerator/ConfigMapGenerator.go
+$(pGen)/GkeSaGenerator.go: $(pSrc)/gkesagenerator/GkeSaGenerator.go
 $(pGen)/HashTransformer.go: $(pSrc)/hashtransformer/HashTransformer.go
 $(pGen)/ImageTagTransformer.go: $(pSrc)/imagetagtransformer/ImageTagTransformer.go
 $(pGen)/LabelTransformer.go: $(pSrc)/labeltransformer/LabelTransformer.go

api/filters/iampolicygenerator/doc.go

@@ -0,0 +1,3 @@
+// Package gkesagenerator contains a kio.Filter that that generates a
+// iampolicy-related resources for a given cloud provider
+package iampolicygenerator

api/filters/iampolicygenerator/example_test.go

@@ -0,0 +1,46 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+ "log"
+ "os"
+
+ "sigs.k8s.io/kustomize/kyaml/kio"
+ "sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+func ExampleFilter() {
+ f := Filter{}
+ var err = yaml.Unmarshal([]byte(`
+cloud: gke
+kubernetesService: 
+ namespace: k8s-namespace
+ name: k8s-sa-name
+serviceAccount:
+ name: gsa-name
+ projectId: project-id
+`), &f)
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ err = kio.Pipeline{
+ Inputs: []kio.Reader{},
+ Filters: []kio.Filter{f},
+ Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
+ }.Execute()
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Output:
+ // apiVersion: v1
+ // kind: ServiceAccount
+ // metadata:
+ // annotations:
+ // iam.gke.io/gcp-service-account: [email protected]
+ // name: k8s-sa-name
+ // namespace: k8s-namespace
+}

api/filters/iampolicygenerator/iampolicygenerator.go

@@ -0,0 +1,55 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+ "fmt"
+
+ "sigs.k8s.io/kustomize/api/types"
+ "sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type Filter struct {
+ IAMPolicyGenerator types.IAMPolicyGeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"`
+}
+
+// Filter adds a GKE service account object to nodes
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+ switch f.IAMPolicyGenerator.Cloud {
+ case types.GKE:
+ IAMPolicyResources, err := f.generateGkeIAMPolicyResources()
+ if err != nil {
+ return nil, err
+ }
+ nodes = append(nodes, IAMPolicyResources...)
+ default:
+ return nil, fmt.Errorf("cloud provider %s not supported yet", f.IAMPolicyGenerator.Cloud)
+ }
+ return nodes, nil
+}
+
+func (f Filter) generateGkeIAMPolicyResources() ([]*yaml.RNode, error) {
+ var result []*yaml.RNode
+ input := fmt.Sprintf(`
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: %s@%s.iam.gserviceaccount.com
+ name: %s
+`, f.IAMPolicyGenerator.ServiceAccount.Name,
+ f.IAMPolicyGenerator.ProjectId,
+ f.IAMPolicyGenerator.KubernetesService.Name)
+
+ if f.IAMPolicyGenerator.Namespace != "" {
+ input = input + fmt.Sprintf("\n namespace: %s", f.IAMPolicyGenerator.Namespace)
+ }
+
+ sa, err := yaml.Parse(input)
+ if err != nil {
+ return nil, err
+ }
+
+ return append(result, sa), nil
+}

api/filters/iampolicygenerator/iampolicygenerator_test.go

@@ -0,0 +1,75 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ filtertest "sigs.k8s.io/kustomize/api/testutils/filtertest"
+ "sigs.k8s.io/kustomize/api/types"
+)
+
+func TestFilter(t *testing.T) {
+ testCases := map[string]struct {
+ args types.IAMPolicyGeneratorArgs
+ expected string
+ }{
+ "with namespace": {
+ args: types.IAMPolicyGeneratorArgs{
+ Cloud: types.GKE,
+ KubernetesService: types.KubernetesService{
+ Namespace: "k8s-namespace",
+ Name: "k8s-sa-name",
+ },
+ ServiceAccount: types.ServiceAccount{
+ Name: "gsa-name",
+ ProjectId: "project-id",
+ },
+ },
+ expected: `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: [email protected]
+ name: k8s-sa-name
+ namespace: k8s-namespace
+`,
+ },
+ "without namespace": {
+ args: types.IAMPolicyGeneratorArgs{
+ Cloud: types.GKE,
+ KubernetesService: types.KubernetesService{
+ Name: "k8s-sa-name",
+ },
+ ServiceAccount: types.ServiceAccount{
+ Name: "gsa-name",
+ ProjectId: "project-id",
+ },
+ },
+ expected: `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: [email protected]
+ name: k8s-sa-name
+`,
+ },
+ }
+
+ for tn, tc := range testCases {
+ t.Run(tn, func(t *testing.T) {
+ f := Filter{
+ IAMPolicyGenerator: tc.args,
+ }
+ actual := filtertest.RunFilter(t, "", f)
+ if !assert.Equal(t, strings.TrimSpace(tc.expected), strings.TrimSpace(actual)) {
+ t.FailNow()
+ }
+ })
+ }
+}

api/internal/plugins/builtinhelpers/builtins.go

@@ -15,6 +15,7 @@ const (
  Unknown BuiltinPluginType = iota
  AnnotationsTransformer
  ConfigMapGenerator
+ IAMPolicyGenerator
  HashTransformer
  ImageTagTransformer
  LabelTransformer
@@ -58,6 +59,7 @@ func GetBuiltinPluginType(n string) BuiltinPluginType {
 
 var GeneratorFactories = map[BuiltinPluginType]func() resmap.GeneratorPlugin{
  ConfigMapGenerator: builtins.NewConfigMapGeneratorPlugin,
+ IAMPolicyGenerator: builtins.NewIAMPolicyGeneratorPlugin,
  SecretGenerator: builtins.NewSecretGeneratorPlugin,
  HelmChartInflationGenerator: builtins.NewHelmChartInflationGeneratorPlugin,
 }