Merge pull request #9055 from johngmyers/gce-serviceaccount

Move GCEServiceAccount into CloudConfig
2020-05-03 21:44:26 -07:00 · 2020-05-03 21:44:26 -07:00 · 318e7faa79
parent 1620bf5ed3 843e5b9b16
commit 318e7faa79
16 changed files with 33 additions and 25 deletions
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@ -986,6 +986,9 @@ func RunCreateCluster(ctx context.Context, f *util.Factory, out io.Writer, c *Cr
 		cluster.Spec.Project = c.Project
 	}
 	if api.CloudProviderID(cluster.Spec.CloudProvider) == api.CloudProviderGCE {
+		if cluster.Spec.CloudConfig == nil {
+			cluster.Spec.CloudConfig = &api.CloudConfiguration{}
+		}
 		if cluster.Spec.Project == "" {
 			project, err := gce.DefaultProject()
 			if err != nil {
@ -997,16 +1000,13 @@ func RunCreateCluster(ctx context.Context, f *util.Factory, out io.Writer, c *Cr
 			}
 			cluster.Spec.Project = project
 		}
-	}
-
-	if c.GCEServiceAccount != "" {
-		klog.Infof("VMs will be configured to use specified Service Account: %v", c.GCEServiceAccount)
-		cluster.Spec.GCEServiceAccount = c.GCEServiceAccount
-	} else {
-		if api.CloudProviderID(cluster.Spec.CloudProvider) == api.CloudProviderGCE {
+		if c.GCEServiceAccount != "" {
+			klog.Infof("VMs will be configured to use specified Service Account: %v", c.GCEServiceAccount)
+			cluster.Spec.CloudConfig.GCEServiceAccount = c.GCEServiceAccount
+		} else {
 			klog.Warning("VMs will be configured to use the GCE default compute Service Account! This is an anti-pattern")
 			klog.Warning("Use a pre-create Service Account with the flag: --gce-service-account=account@projectname.iam.gserviceaccount.com")
-			cluster.Spec.GCEServiceAccount = "default"
+			cluster.Spec.CloudConfig.GCEServiceAccount = "default"
 		}
 	}

--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@ -195,6 +195,10 @@ spec:
                    type: boolean
                  elbSecurityGroup:
                    type: string
+                  gceServiceAccount:
+                    description: GCEServiceAccount specifies the service account with
+                      which the GCE VM runs
+                    type: string
                  multizone:
                    description: GCE cloud-config options
                    type: boolean
@ -773,10 +777,6 @@ spec:
                      type: array
                  type: object
                type: array
-              gceServiceAccount:
-                description: GCEServiceAccount specifies the service account with
-                  which the GCE VM runs
-                type: string
              gossipConfig:
                description: GossipConfig for the cluster assuming the use of gossip
                  DNS
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@ -191,8 +191,6 @@ type ClusterSpec struct {
 	SysctlParameters []string `json:"sysctlParameters,omitempty"`
 	// RollingUpdate defines the default rolling-update settings for instance groups
 	RollingUpdate *RollingUpdate `json:"rollingUpdate,omitempty"`
-	// GCEServiceAccount specifies the service account with which the GCE VM runs
-	GCEServiceAccount string `json:"gceServiceAccount,omitempty"`
 }

 // NodeAuthorizationSpec is used to node authorization
--- a/pkg/apis/kops/componentconfig.go
+++ b/pkg/apis/kops/componentconfig.go
@ -709,6 +709,8 @@ type CloudConfiguration struct {
 	Multizone          *bool   `json:"multizone,omitempty"`
 	NodeTags           *string `json:"nodeTags,omitempty"`
 	NodeInstancePrefix *string `json:"nodeInstancePrefix,omitempty"`
+	// GCEServiceAccount specifies the service account with which the GCE VM runs
+	GCEServiceAccount string `json:"gceServiceAccount,omitempty"`
 	// AWS cloud-config options
 	DisableSecurityGroupIngress *bool   `json:"disableSecurityGroupIngress,omitempty"`
 	ElbSecurityGroup            *string `json:"elbSecurityGroup,omitempty"`
--- a/pkg/apis/kops/v1alpha2/cluster.go
+++ b/pkg/apis/kops/v1alpha2/cluster.go
@ -189,8 +189,6 @@ type ClusterSpec struct {
 	SysctlParameters []string `json:"sysctlParameters,omitempty"`
 	// RollingUpdate defines the default rolling-update settings for instance groups
 	RollingUpdate *RollingUpdate `json:"rollingUpdate,omitempty"`
-	// GCEServiceAccount specifies the service account with which the GCE VM runs
-	GCEServiceAccount string `json:"gceServiceAccount,omitempty"`
 }

 // NodeAuthorizationSpec is used to node authorization
--- a/pkg/apis/kops/v1alpha2/componentconfig.go
+++ b/pkg/apis/kops/v1alpha2/componentconfig.go
@ -710,6 +710,8 @@ type CloudConfiguration struct {
 	Multizone          *bool   `json:"multizone,omitempty"`
 	NodeTags           *string `json:"nodeTags,omitempty"`
 	NodeInstancePrefix *string `json:"nodeInstancePrefix,omitempty"`
+	// GCEServiceAccount specifies the service account with which the GCE VM runs
+	GCEServiceAccount string `json:"gceServiceAccount,omitempty"`
 	// AWS cloud-config options
 	DisableSecurityGroupIngress *bool   `json:"disableSecurityGroupIngress,omitempty"`
 	ElbSecurityGroup            *string `json:"elbSecurityGroup,omitempty"`
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@ -1558,6 +1558,7 @@ func autoConvert_v1alpha2_CloudConfiguration_To_kops_CloudConfiguration(in *Clou
 	out.Multizone = in.Multizone
 	out.NodeTags = in.NodeTags
 	out.NodeInstancePrefix = in.NodeInstancePrefix
+	out.GCEServiceAccount = in.GCEServiceAccount
 	out.DisableSecurityGroupIngress = in.DisableSecurityGroupIngress
 	out.ElbSecurityGroup = in.ElbSecurityGroup
 	out.VSphereUsername = in.VSphereUsername
@ -1590,6 +1591,7 @@ func autoConvert_kops_CloudConfiguration_To_v1alpha2_CloudConfiguration(in *kops
 	out.Multizone = in.Multizone
 	out.NodeTags = in.NodeTags
 	out.NodeInstancePrefix = in.NodeInstancePrefix
+	out.GCEServiceAccount = in.GCEServiceAccount
 	out.DisableSecurityGroupIngress = in.DisableSecurityGroupIngress
 	out.ElbSecurityGroup = in.ElbSecurityGroup
 	out.VSphereUsername = in.VSphereUsername
@ -2057,7 +2059,6 @@ func autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 	} else {
 		out.RollingUpdate = nil
 	}
-	out.GCEServiceAccount = in.GCEServiceAccount
 	return nil
 }

@ -2381,7 +2382,6 @@ func autoConvert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in *kops.ClusterSpec,
 	} else {
 		out.RollingUpdate = nil
 	}
-	out.GCEServiceAccount = in.GCEServiceAccount
 	return nil
 }

--- a/pkg/model/gcemodel/autoscalinggroup.go
+++ b/pkg/model/gcemodel/autoscalinggroup.go
@ -139,17 +139,17 @@ func (b *AutoscalingGroupModelBuilder) Build(c *fi.ModelBuilderContext) error {
 				t.CanIPForward = fi.Bool(true)
 			}

-			if b.Cluster.Spec.GCEServiceAccount != "" {
-				klog.Infof("VMs using Service Account: %v", b.Cluster.Spec.GCEServiceAccount)
+			if b.Cluster.Spec.CloudConfig.GCEServiceAccount != "" {
+				klog.Infof("VMs using Service Account: %v", b.Cluster.Spec.CloudConfig.GCEServiceAccount)
 				// b.Cluster.Spec.GCEServiceAccount = c.GCEServiceAccount
 			} else {
 				klog.Warning("VMs will be configured to use the GCE default compute Service Account! This is an anti-pattern")
 				klog.Warning("Use a pre-created Service Account with the flag: --gce-service-account=account@projectname.iam.gserviceaccount.com")
-				b.Cluster.Spec.GCEServiceAccount = "default"
+				b.Cluster.Spec.CloudConfig.GCEServiceAccount = "default"
 			}

-			klog.Infof("gsa: %v", b.Cluster.Spec.GCEServiceAccount)
-			t.ServiceAccounts = []string{b.Cluster.Spec.GCEServiceAccount}
+			klog.Infof("gsa: %v", b.Cluster.Spec.CloudConfig.GCEServiceAccount)
+			t.ServiceAccounts = []string{b.Cluster.Spec.CloudConfig.GCEServiceAccount}
 			//labels, err := b.CloudTagsForInstanceGroup(ig)
 			//if err != nil {
 			//	return fmt.Errorf("error building cloud tags: %v", err)
--- a/tests/integration/create_cluster/gce_byo_sa/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/gce_byo_sa/expected-v1alpha2.yaml
@ -9,6 +9,8 @@ spec:
  authorization:
    rbac: {}
  channel: stable
+  cloudConfig:
+    gceServiceAccount: test-account@testproject.iam.gserviceaccount.com
  cloudProvider: gce
  configBase: memfs://tests/gce.example.com
  containerRuntime: docker
@ -25,7 +27,6 @@ spec:
      name: a
    memoryRequest: 100Mi
    name: events
-  gceServiceAccount: test-account@testproject.iam.gserviceaccount.com
  iam:
    allowContainerRegistry: true
    legacy: false
--- a/tests/integration/create_cluster/ha_gce/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/ha_gce/expected-v1alpha2.yaml
@ -9,6 +9,8 @@ spec:
  authorization:
    rbac: {}
  channel: stable
+  cloudConfig:
+    gceServiceAccount: default
  cloudProvider: gce
  configBase: memfs://tests/ha-gce.example.com
  containerRuntime: docker
@ -33,7 +35,6 @@ spec:
      name: c
    memoryRequest: 100Mi
    name: events
-  gceServiceAccount: default
  iam:
    allowContainerRegistry: true
    legacy: false
--- a/tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-a-ha-gce-example-com_metadata_startup-script
+++ b/tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-a-ha-gce-example-com_metadata_startup-script
@ -130,6 +130,7 @@ ensure-install-dir

 cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
 cloudConfig:
+  gceServiceAccount: default
  multizone: true
  nodeTags: ha-gce-example-com-k8s-io-role-node
 containerRuntime: docker
--- a/tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-b-ha-gce-example-com_metadata_startup-script
+++ b/tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-b-ha-gce-example-com_metadata_startup-script
@ -130,6 +130,7 @@ ensure-install-dir

 cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
 cloudConfig:
+  gceServiceAccount: default
  multizone: true
  nodeTags: ha-gce-example-com-k8s-io-role-node
 containerRuntime: docker
--- a/tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-c-ha-gce-example-com_metadata_startup-script
+++ b/tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-c-ha-gce-example-com_metadata_startup-script
@ -130,6 +130,7 @@ ensure-install-dir

 cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
 cloudConfig:
+  gceServiceAccount: default
  multizone: true
  nodeTags: ha-gce-example-com-k8s-io-role-node
 containerRuntime: docker
--- a/tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_nodes-ha-gce-example-com_metadata_startup-script
+++ b/tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_nodes-ha-gce-example-com_metadata_startup-script
@ -130,6 +130,7 @@ ensure-install-dir

 cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
 cloudConfig:
+  gceServiceAccount: default
  multizone: true
  nodeTags: ha-gce-example-com-k8s-io-role-node
 containerRuntime: docker
--- a/tests/integration/update_cluster/minimal_gce/data/google_compute_instance_template_master-us-test1-a-minimal-gce-example-com_metadata_startup-script
+++ b/tests/integration/update_cluster/minimal_gce/data/google_compute_instance_template_master-us-test1-a-minimal-gce-example-com_metadata_startup-script
@ -130,6 +130,7 @@ ensure-install-dir

 cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
 cloudConfig:
+  gceServiceAccount: default
  multizone: true
  nodeTags: minimal-gce-example-com-k8s-io-role-node
 containerRuntime: docker
--- a/tests/integration/update_cluster/minimal_gce/data/google_compute_instance_template_nodes-minimal-gce-example-com_metadata_startup-script
+++ b/tests/integration/update_cluster/minimal_gce/data/google_compute_instance_template_nodes-minimal-gce-example-com_metadata_startup-script
@ -130,6 +130,7 @@ ensure-install-dir

 cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
 cloudConfig:
+  gceServiceAccount: default
  multizone: true
  nodeTags: minimal-gce-example-com-k8s-io-role-node
 containerRuntime: docker