Merge pull request #12978 from justinsb/gce_use_serviceaccount_task

gce: Use ServiceAccount task when building model
2021-12-15 08:49:52 -08:00 · 2021-12-15 08:49:52 -08:00 · 8019c88b47
parent 711a6eb696 63e3d98443
commit 8019c88b47
7 changed files with 75 additions and 23 deletions
--- a/pkg/model/gcemodel/BUILD.bazel
+++ b/pkg/model/gcemodel/BUILD.bazel
@ -10,6 +10,7 @@ go_library(
        "external_access.go",
        "firewall.go",
        "network.go",
+        "service_accounts.go",
        "storageacl.go",
    ],
    importpath = "k8s.io/kops/pkg/model/gcemodel",
--- a/pkg/model/gcemodel/autoscalinggroup.go
+++ b/pkg/model/gcemodel/autoscalinggroup.go
@ -164,9 +164,8 @@ func (b *AutoscalingGroupModelBuilder) buildInstanceTemplate(c *fi.ModelBuilderC
 				klog.Warning("Use a pre-created Service Account with the flag: --gce-service-account=account@projectname.iam.gserviceaccount.com")
 				b.Cluster.Spec.CloudConfig.GCEServiceAccount = "default"
 			}
+			t.ServiceAccounts = append(t.ServiceAccounts, b.LinkToServiceAccount(ig))

-			klog.Infof("gsa: %v", b.Cluster.Spec.CloudConfig.GCEServiceAccount)
-			t.ServiceAccounts = []string{b.Cluster.Spec.CloudConfig.GCEServiceAccount}
 			//labels, err := b.CloudTagsForInstanceGroup(ig)
 			//if err != nil {
 			//	return fmt.Errorf("error building cloud tags: %v", err)
--- a/pkg/model/gcemodel/context.go
+++ b/pkg/model/gcemodel/context.go
@ -17,8 +17,10 @@ limitations under the License.
 package gcemodel

 import (
+	"k8s.io/klog/v2"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/model"
+	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/gce"
 	"k8s.io/kops/upup/pkg/fi/cloudup/gcetasks"
 )
@ -98,3 +100,14 @@ func (c *GCEModelContext) NetworkingIsIPAlias() bool {
 func (c *GCEModelContext) NetworkingIsGCERoutes() bool {
 	return c.Cluster.Spec.Networking != nil && c.Cluster.Spec.Networking.Kubenet != nil
 }
+
+// LinkToServiceAccount returns a link to the GCE ServiceAccount object for VMs in the given role
+func (c *GCEModelContext) LinkToServiceAccount(ig *kops.InstanceGroup) *gcetasks.ServiceAccount {
+	// This is a legacy setting because the nodes & control-plane run under the same serviceaccount
+	klog.Warningf("using legacy spec.cloudConfig.gceServiceAccount=%q setting", c.Cluster.Spec.CloudConfig.GCEServiceAccount)
+	return &gcetasks.ServiceAccount{
+		Name:   s("shared"),
+		Email:  &c.Cluster.Spec.CloudConfig.GCEServiceAccount,
+		Shared: fi.Bool(true),
+	}
+}
--- a/pkg/model/gcemodel/service_accounts.go
+++ b/pkg/model/gcemodel/service_accounts.go
@ -0,0 +1,47 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcemodel
+
+import (
+	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/upup/pkg/fi/cloudup/gcetasks"
+)
+
+// ServiceAccountsBuilder configures service accounts and grants project permissions
+type ServiceAccountsBuilder struct {
+	*GCEModelContext
+
+	Lifecycle fi.Lifecycle
+}
+
+var _ fi.ModelBuilder = &ServiceAccountsBuilder{}
+
+func (b *ServiceAccountsBuilder) Build(c *fi.ModelBuilderContext) error {
+	if b.Cluster.Spec.CloudConfig.GCEServiceAccount != "" {
+		serviceAccount := &gcetasks.ServiceAccount{
+			Name:      s("shared"),
+			Email:     &b.Cluster.Spec.CloudConfig.GCEServiceAccount,
+			Shared:    fi.Bool(true),
+			Lifecycle: b.Lifecycle,
+		}
+		c.AddTask(serviceAccount)
+
+		return nil
+	}
+
+	return nil
+}
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -606,6 +606,7 @@ func (c *ApplyClusterCmd) Run(ctx context.Context) error {
 				&gcemodel.NetworkModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
 				&gcemodel.StorageAclBuilder{GCEModelContext: gceModelContext, Cloud: cloud.(gce.GCECloud), Lifecycle: storageACLLifecycle},
 				&gcemodel.AutoscalingGroupModelBuilder{GCEModelContext: gceModelContext, BootstrapScriptBuilder: bootstrapScriptBuilder, Lifecycle: clusterLifecycle},
+				&gcemodel.ServiceAccountsBuilder{GCEModelContext: gceModelContext, Lifecycle: clusterLifecycle},
 			)
 		case kops.CloudProviderAzure:
 			azureModelContext := &azuremodel.AzureModelContext{
--- a/upup/pkg/fi/cloudup/gcetasks/instance.go
+++ b/upup/pkg/fi/cloudup/gcetasks/instance.go
@ -41,7 +41,7 @@ type Instance struct {
 	Preemptible    *bool
 	Image          *string
 	Disks          map[string]*Disk
-	ServiceAccount *string
+	ServiceAccount *ServiceAccount

 	CanIPForward *bool
 	IPAddress    *Address
@ -263,7 +263,7 @@ func (e *Instance) mapToGCE(project string, ipAddressResolver func(*Address) (*s
 				scopes = append(scopes, s)
 			}
 			serviceAccounts = append(serviceAccounts, &compute.ServiceAccount{
-				Email:  fi.StringValue(e.ServiceAccount),
+				Email:  fi.StringValue(e.ServiceAccount.Email),
 				Scopes: scopes,
 			})
 		}
--- a/upup/pkg/fi/cloudup/gcetasks/instancetemplate.go
+++ b/upup/pkg/fi/cloudup/gcetasks/instancetemplate.go
@ -65,7 +65,7 @@ type InstanceTemplate struct {
 	AliasIPRanges map[string]string

 	Scopes          []string
-	ServiceAccounts []string
+	ServiceAccounts []*ServiceAccount

 	Metadata    map[string]fi.Resource
 	MachineType *string
@ -164,7 +164,9 @@ func (e *InstanceTemplate) Find(c *fi.Context) (*InstanceTemplate, error) {
 			for _, scope := range serviceAccount.Scopes {
 				actual.Scopes = append(actual.Scopes, scopeToShortForm(scope))
 			}
-			actual.ServiceAccounts = append(actual.ServiceAccounts, serviceAccount.Email)
+			actual.ServiceAccounts = append(actual.ServiceAccounts, &ServiceAccount{
+				Email: &serviceAccount.Email,
+			})
 		}

 		// When we deal with additional disks (local disks), we'll need to map them like this...
@ -306,25 +308,14 @@ func (e *InstanceTemplate) mapToGCE(project string, region string) (*compute.Ins
 			scopes = append(scopes, s)
 		}
 	}
-	serviceAccounts := []*compute.ServiceAccount{
-		{
-			Email:  e.ServiceAccounts[0],
+
+	var serviceAccounts []*compute.ServiceAccount
+	for _, sa := range e.ServiceAccounts {
+		serviceAccounts = append(serviceAccounts, &compute.ServiceAccount{
+			Email:  fi.StringValue(sa.Email),
 			Scopes: scopes,
-		},
+		})
 	}
-	// if e.ServiceAccounts != nil {
-	//	for _, s := range e.ServiceAccounts {
-	//		serviceAccounts = append(serviceAccounts, &compute.ServiceAccount{
-	//			Email:  s,
-	//			Scopes: scopes,
-	//		})
-	//	}
-	// } else {
-	//	serviceAccounts = append(serviceAccounts, &compute.ServiceAccount{
-	//		Email:  "default",
-	//		Scopes: scopes,
-	//	})
-	// }

 	var metadataItems []*compute.MetadataItems
 	for key, r := range e.Metadata {