add IAMPolicyGenerator

2026-06-29 17:41:13 +00:00 · 2021-05-26 16:54:38 -07:00
parent 701973b73e
commit 5a2a7709a4
14 changed files with 668 additions and 17 deletions
--- a/api/builtins/IAMPolicyGenerator.go
+++ b/api/builtins/IAMPolicyGenerator.go
@@ -0,0 +1,33 @@
+// Code generated by pluginator on IAMPolicyGenerator; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/iampolicygenerator"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+type IAMPolicyGeneratorPlugin struct {
+	types.IAMPolicyGeneratorArgs
+}
+
+func (p *IAMPolicyGeneratorPlugin) Config(h *resmap.PluginHelpers, config []byte) (err error) {
+	p.IAMPolicyGeneratorArgs = types.IAMPolicyGeneratorArgs{}
+	err = yaml.Unmarshal(config, p)
+	return
+}
+
+func (p *IAMPolicyGeneratorPlugin) Generate() (resmap.ResMap, error) {
+	r := resmap.New()
+	err := r.ApplyFilter(iampolicygenerator.Filter{
+		IAMPolicyGenerator: p.IAMPolicyGeneratorArgs,
+	})
+	return r, err
+}
+
+func NewIAMPolicyGeneratorPlugin() resmap.GeneratorPlugin {
+	return &IAMPolicyGeneratorPlugin{}
+}
--- a/api/filters/iampolicygenerator/doc.go
+++ b/api/filters/iampolicygenerator/doc.go
@@ -0,0 +1,3 @@
+// Package gkesagenerator contains a kio.Filter that that generates a
+// iampolicy-related resources for a given cloud provider
+package iampolicygenerator
--- a/api/filters/iampolicygenerator/example_test.go
+++ b/api/filters/iampolicygenerator/example_test.go
@@ -0,0 +1,46 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+	"log"
+	"os"
+
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+func ExampleFilter() {
+	f := Filter{}
+	var err = yaml.Unmarshal([]byte(`
+cloud: gke
+kubernetesService: 
+  namespace: k8s-namespace
+  name: k8s-sa-name
+serviceAccount:
+  name: gsa-name
+  projectId: project-id
+`), &f)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = kio.Pipeline{
+		Inputs:  []kio.Reader{},
+		Filters: []kio.Filter{f},
+		Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
+	}.Execute()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Output:
+	// apiVersion: v1
+	// kind: ServiceAccount
+	// metadata:
+	//   annotations:
+	//     iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+	//   name: k8s-sa-name
+	//   namespace: k8s-namespace
+}
--- a/api/filters/iampolicygenerator/iampolicygenerator.go
+++ b/api/filters/iampolicygenerator/iampolicygenerator.go
@@ -0,0 +1,55 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type Filter struct {
+	IAMPolicyGenerator types.IAMPolicyGeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"`
+}
+
+// Filter adds a GKE service account object to nodes
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	switch f.IAMPolicyGenerator.Cloud {
+	case types.GKE:
+		IAMPolicyResources, err := f.generateGkeIAMPolicyResources()
+		if err != nil {
+			return nil, err
+		}
+		nodes = append(nodes, IAMPolicyResources...)
+	default:
+		return nil, fmt.Errorf("cloud provider %s not supported yet", f.IAMPolicyGenerator.Cloud)
+	}
+	return nodes, nil
+}
+
+func (f Filter) generateGkeIAMPolicyResources() ([]*yaml.RNode, error) {
+	var result []*yaml.RNode
+	input := fmt.Sprintf(`
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: %s@%s.iam.gserviceaccount.com
+  name: %s
+`, f.IAMPolicyGenerator.ServiceAccount.Name,
+		f.IAMPolicyGenerator.ProjectId,
+		f.IAMPolicyGenerator.KubernetesService.Name)
+
+	if f.IAMPolicyGenerator.Namespace != "" {
+		input = input + fmt.Sprintf("\n  namespace: %s", f.IAMPolicyGenerator.Namespace)
+	}
+
+	sa, err := yaml.Parse(input)
+	if err != nil {
+		return nil, err
+	}
+
+	return append(result, sa), nil
+}
--- a/api/filters/iampolicygenerator/iampolicygenerator_test.go
+++ b/api/filters/iampolicygenerator/iampolicygenerator_test.go
@@ -0,0 +1,75 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	filtertest "sigs.k8s.io/kustomize/api/testutils/filtertest"
+	"sigs.k8s.io/kustomize/api/types"
+)
+
+func TestFilter(t *testing.T) {
+	testCases := map[string]struct {
+		args     types.IAMPolicyGeneratorArgs
+		expected string
+	}{
+		"with namespace": {
+			args: types.IAMPolicyGeneratorArgs{
+				Cloud: types.GKE,
+				KubernetesService: types.KubernetesService{
+					Namespace: "k8s-namespace",
+					Name:      "k8s-sa-name",
+				},
+				ServiceAccount: types.ServiceAccount{
+					Name:      "gsa-name",
+					ProjectId: "project-id",
+				},
+			},
+			expected: `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+  name: k8s-sa-name
+  namespace: k8s-namespace
+`,
+		},
+		"without namespace": {
+			args: types.IAMPolicyGeneratorArgs{
+				Cloud: types.GKE,
+				KubernetesService: types.KubernetesService{
+					Name: "k8s-sa-name",
+				},
+				ServiceAccount: types.ServiceAccount{
+					Name:      "gsa-name",
+					ProjectId: "project-id",
+				},
+			},
+			expected: `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+  name: k8s-sa-name
+`,
+		},
+	}
+
+	for tn, tc := range testCases {
+		t.Run(tn, func(t *testing.T) {
+			f := Filter{
+				IAMPolicyGenerator: tc.args,
+			}
+			actual := filtertest.RunFilter(t, "", f)
+			if !assert.Equal(t, strings.TrimSpace(tc.expected), strings.TrimSpace(actual)) {
+				t.FailNow()
+			}
+		})
+	}
+}
--- a/api/internal/plugins/builtinhelpers/builtinplugintype_string.go
+++ b/api/internal/plugins/builtinhelpers/builtinplugintype_string.go
@@ -11,25 +11,26 @@ func _() {
 	_ = x[Unknown-0]
 	_ = x[AnnotationsTransformer-1]
 	_ = x[ConfigMapGenerator-2]
-	_ = x[HashTransformer-3]
-	_ = x[ImageTagTransformer-4]
-	_ = x[LabelTransformer-5]
-	_ = x[LegacyOrderTransformer-6]
-	_ = x[NamespaceTransformer-7]
-	_ = x[PatchJson6902Transformer-8]
-	_ = x[PatchStrategicMergeTransformer-9]
-	_ = x[PatchTransformer-10]
-	_ = x[PrefixSuffixTransformer-11]
-	_ = x[ReplicaCountTransformer-12]
-	_ = x[SecretGenerator-13]
-	_ = x[ValueAddTransformer-14]
-	_ = x[HelmChartInflationGenerator-15]
-	_ = x[ReplacementTransformer-16]
+	_ = x[IAMPolicyGenerator-3]
+	_ = x[HashTransformer-4]
+	_ = x[ImageTagTransformer-5]
+	_ = x[LabelTransformer-6]
+	_ = x[LegacyOrderTransformer-7]
+	_ = x[NamespaceTransformer-8]
+	_ = x[PatchJson6902Transformer-9]
+	_ = x[PatchStrategicMergeTransformer-10]
+	_ = x[PatchTransformer-11]
+	_ = x[PrefixSuffixTransformer-12]
+	_ = x[ReplicaCountTransformer-13]
+	_ = x[SecretGenerator-14]
+	_ = x[ValueAddTransformer-15]
+	_ = x[HelmChartInflationGenerator-16]
+	_ = x[ReplacementTransformer-17]
 }

-const _BuiltinPluginType_name = "UnknownAnnotationsTransformerConfigMapGeneratorHashTransformerImageTagTransformerLabelTransformerLegacyOrderTransformerNamespaceTransformerPatchJson6902TransformerPatchStrategicMergeTransformerPatchTransformerPrefixSuffixTransformerReplicaCountTransformerSecretGeneratorValueAddTransformerHelmChartInflationGeneratorReplacementTransformer"
+const _BuiltinPluginType_name = "UnknownAnnotationsTransformerConfigMapGeneratorIAMPolicyGeneratorHashTransformerImageTagTransformerLabelTransformerLegacyOrderTransformerNamespaceTransformerPatchJson6902TransformerPatchStrategicMergeTransformerPatchTransformerPrefixSuffixTransformerReplicaCountTransformerSecretGeneratorValueAddTransformerHelmChartInflationGeneratorReplacementTransformer"

-var _BuiltinPluginType_index = [...]uint16{0, 7, 29, 47, 62, 81, 97, 119, 139, 163, 193, 209, 232, 255, 270, 289, 316, 338}
+var _BuiltinPluginType_index = [...]uint16{0, 7, 29, 47, 65, 80, 99, 115, 137, 157, 181, 211, 227, 250, 273, 288, 307, 334, 356}

 func (i BuiltinPluginType) String() string {
 	if i < 0 || i >= BuiltinPluginType(len(_BuiltinPluginType_index)-1) {
--- a/api/internal/plugins/builtinhelpers/builtins.go
+++ b/api/internal/plugins/builtinhelpers/builtins.go
@@ -15,6 +15,7 @@ const (
 	Unknown BuiltinPluginType = iota
 	AnnotationsTransformer
 	ConfigMapGenerator
+	IAMPolicyGenerator
 	HashTransformer
 	ImageTagTransformer
 	LabelTransformer
@@ -58,6 +59,7 @@ func GetBuiltinPluginType(n string) BuiltinPluginType {

 var GeneratorFactories = map[BuiltinPluginType]func() resmap.GeneratorPlugin{
 	ConfigMapGenerator:          builtins.NewConfigMapGeneratorPlugin,
+	IAMPolicyGenerator:          builtins.NewIAMPolicyGeneratorPlugin,
 	SecretGenerator:             builtins.NewSecretGeneratorPlugin,
 	HelmChartInflationGenerator: builtins.NewHelmChartInflationGeneratorPlugin,
 }
--- a/api/krusty/iampolicygenerator_test.go
+++ b/api/krusty/iampolicygenerator_test.go
@@ -0,0 +1,124 @@
+package krusty_test
+
+import (
+	"testing"
+
+	kusttest_test "sigs.k8s.io/kustomize/api/testutils/kusttest"
+)
+
+func TestGkeGenerator(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteK(".", `
+generators:
+- |-
+  apiVersion: builtin
+  kind: IAMPolicyGenerator
+  metadata:
+    name: my-gke-generator
+  cloud: gke
+  kubernetesService:
+    name: k8s-sa-name
+  serviceAccount:
+    name: gsa-name
+    projectId: project-id
+`)
+	expected := `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+  name: k8s-sa-name
+`
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, expected)
+}
+
+func TestGkeGeneratorWithNamespace(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteK(".", `
+generators:
+- |-
+  apiVersion: builtin
+  kind: IAMPolicyGenerator
+  metadata:
+    name: my-gke-generator
+  cloud: gke
+  kubernetesService: 
+    namespace: k8s-namespace
+    name: k8s-sa-name
+  serviceAccount:
+    name: gsa-name
+    projectId: project-id
+`)
+	expected := `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+  name: k8s-sa-name
+  namespace: k8s-namespace
+`
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, expected)
+}
+
+func TestGkeGeneratorWithTwo(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteK(".", `
+generators:
+- gkegenerator1.yaml
+- gkegenerator2.yaml
+`)
+
+	th.WriteF("gkegenerator1.yaml", `
+apiVersion: builtin
+kind: IAMPolicyGenerator
+metadata:
+  name: my-gke-generator1
+cloud: gke
+kubernetesService: 
+  namespace: k8s-namespace-1
+  name: k8s-sa-name-1
+serviceAccount:
+  name: gsa-name-1
+  projectId: project-id-1
+`)
+	th.WriteF("gkegenerator2.yaml", `
+apiVersion: builtin
+kind: IAMPolicyGenerator
+metadata:
+  name: my-gke-generator2
+cloud: gke
+kubernetesService:
+  name: k8s-sa-name-2
+serviceAccount:
+  name: gsa-name-2
+  projectId: project-id-2
+`)
+	expected := `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name-1@project-id-1.iam.gserviceaccount.com
+  name: k8s-sa-name-1
+  namespace: k8s-namespace-1
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name-2@project-id-2.iam.gserviceaccount.com
+  name: k8s-sa-name-2
+`
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, expected)
+}
--- a/api/types/genargs.go
+++ b/api/types/genargs.go
@@ -39,7 +39,7 @@ func (g *GenArgs) ShouldAddHashSuffixToName() bool {

 // Behavior returns Behavior field of GeneratorArgs
 func (g *GenArgs) Behavior() GenerationBehavior {
-	if g.args == nil {
+	if g == nil || g.args == nil {
 		return BehaviorUnspecified
 	}
 	return NewGenerationBehavior(g.args.Behavior)
--- a/api/types/iampolicygenerator.go
+++ b/api/types/iampolicygenerator.go
@@ -0,0 +1,36 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+type Cloud string
+
+const GKE Cloud = "gke"
+
+// IAMPolicyGeneratorArgs contains arguments to generate a GKE service account resource.
+type IAMPolicyGeneratorArgs struct {
+	// which cloud provider to generate for (e.g. "gke")
+	Cloud `json:"cloud" yaml:"cloud"`
+
+	// information about the kubernetes cluster for this object
+	KubernetesService `json:"kubernetesService" yaml:"kubernetesService"`
+
+	// information about the service account and project
+	ServiceAccount `json:"serviceAccount" yaml:"serviceAccount"`
+}
+
+type KubernetesService struct {
+	// the name used for the Kubernetes service account
+	Name string `json:"name" yaml:"name"`
+
+	// the name of the Kubernetes namespace for this object
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+}
+
+type ServiceAccount struct {
+	// the name of the new cloud provider service account
+	Name string `json:"name" yaml:"name"`
+
+	// The ID of the project
+	ProjectId string `json:"projectId" yaml:"projectId"`
+}