package helpers
import (
"context"
"fmt"
"time"
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes/scheme"
controllerruntime "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
. "github.com/onsi/ginkgo/v2" //lint:ignore ST1001 this is a test file
. "github.com/onsi/gomega" //lint:ignore ST1001 this is a test file
)
// ServiceAccountFactory is a Ginkgo test helper that creates Kubernetes
// ServiceAccounts, their token Secrets and (optionally) an admin RoleBinding
// inside one fixed "root" namespace, and hands back the resulting bearer
// tokens. Construct it with NewServiceAccountFactory.
type ServiceAccountFactory struct {
	// k8sClient is the controller-runtime client used for every API call.
	k8sClient client.Client
	// rootNamespace is the namespace all created objects live in; it is also
	// the namespace part of FullyQualifiedName.
	rootNamespace string
}
// NewServiceAccountFactory returns a factory that creates ServiceAccounts in
// rootNamespace, talking to the cluster that controller-runtime's GetConfig
// resolves (kubeconfig or in-cluster settings). Failing to obtain a config or
// build a client fails the calling spec via Gomega rather than returning an
// error, so this must only be called from within a Ginkgo node.
func NewServiceAccountFactory(rootNamespace string) *ServiceAccountFactory {
	GinkgoHelper()

	restConfig, err := controllerruntime.GetConfig()
	Expect(err).NotTo(HaveOccurred())

	c, err := client.New(restConfig, client.Options{Scheme: scheme.Scheme})
	Expect(err).NotTo(HaveOccurred())

	factory := &ServiceAccountFactory{rootNamespace: rootNamespace}
	factory.k8sClient = c
	return factory
}
// CreateServiceAccount creates a ServiceAccount called name in the root
// namespace together with a kubernetes.io/service-account-token Secret, and
// returns the bearer token from that Secret. The token is a legacy
// secret-backed token with no expiry, so the account should be removed with
// DeleteServiceAccount once the test no longer needs it.
func (f *ServiceAccountFactory) CreateServiceAccount(name string) string {
	GinkgoHelper()
	_, token := f.createServiceAccount(name)
	return token
}
// CreateAdminServiceAccount creates a ServiceAccount named adminServiceAccount
// in the root namespace and grants it the "korifi-controllers-admin"
// ClusterRole through a RoleBinding of the same name. The binding is a
// namespaced RoleBinding (not a ClusterRoleBinding), so on its own the grant
// is scoped to the root namespace; it carries the
// "cloudfoundry.org/propagate-cf-role" annotation, presumably so that the
// Korifi controllers replicate it into the org/space namespaces they manage.
// The RoleBinding is owned by the ServiceAccount, so deleting the account
// garbage-collects the binding. Returns the account's bearer token.
//
// Security note: the returned token is a non-expiring admin credential for
// as long as the account exists; keep it out of test output and delete the
// account with DeleteServiceAccount when done.
func (f *ServiceAccountFactory) CreateAdminServiceAccount(adminServiceAccount string) string {
	GinkgoHelper()

	sa, token := f.createServiceAccount(adminServiceAccount)

	binding := &rbacv1.RoleBinding{}
	binding.Namespace = f.rootNamespace
	binding.Name = adminServiceAccount
	binding.Annotations = map[string]string{
		"cloudfoundry.org/propagate-cf-role": "true",
	}
	binding.Subjects = []rbacv1.Subject{{
		Kind:      rbacv1.ServiceAccountKind,
		Name:      adminServiceAccount,
		Namespace: f.rootNamespace,
	}}
	binding.RoleRef = rbacv1.RoleRef{
		Kind: "ClusterRole",
		Name: "korifi-controllers-admin",
	}

	// Owner reference ties the binding's lifetime to the ServiceAccount.
	Expect(controllerutil.SetOwnerReference(sa, binding, scheme.Scheme)).To(Succeed())
	Expect(f.k8sClient.Create(context.Background(), binding)).To(Succeed())

	return token
}
// createServiceAccount creates a ServiceAccount called name in the root
// namespace plus a Secret (same name) of type
// kubernetes.io/service-account-token annotated to that account, then waits
// up to 10 seconds for the Secret's "token" key to be populated. It returns
// the created ServiceAccount object and the token string.
//
// Creating the Secret by hand (rather than using the TokenRequest API) yields
// a legacy token with no expiry. That is convenient for a test fixture but
// means the credential stays valid until the Secret is removed. The Secret has
// no owner reference here; its removal after DeleteServiceAccount is presumably
// left to the cluster's token controller — verify on the target cluster.
func (f *ServiceAccountFactory) createServiceAccount(name string) (*corev1.ServiceAccount, string) {
	GinkgoHelper()
	ctx := context.Background()

	sa := &corev1.ServiceAccount{}
	sa.Namespace = f.rootNamespace
	sa.Name = name
	Expect(f.k8sClient.Create(ctx, sa)).To(Succeed())

	tokenSecret := &corev1.Secret{
		Type: corev1.SecretTypeServiceAccountToken,
	}
	tokenSecret.Namespace = f.rootNamespace
	tokenSecret.Name = name
	// The service-account.name annotation is what links the Secret to the
	// ServiceAccount so that a token gets issued into it.
	tokenSecret.Annotations = map[string]string{corev1.ServiceAccountNameKey: name}
	Expect(f.k8sClient.Create(ctx, tokenSecret)).To(Succeed())

	// Token population is asynchronous; poll until the "token" key appears.
	secretKey := client.ObjectKeyFromObject(tokenSecret)
	Eventually(func(g Gomega) {
		g.Expect(f.k8sClient.Get(ctx, secretKey, tokenSecret)).To(Succeed())
		g.Expect(tokenSecret.Data).To(HaveKey(corev1.ServiceAccountTokenKey))
	}).WithTimeout(10 * time.Second).Should(Succeed())

	return sa, string(tokenSecret.Data[corev1.ServiceAccountTokenKey])
}
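// DeleteServiceAccount deletes the ServiceAccount called name from the root
// namespace. An account that is already gone is treated as success, so the
// helper is safe to call from cleanup paths (AfterEach, DeferCleanup) that may
// run more than once or after a partially failed setup; any other API error
// still fails the spec. Objects owned by the account (the RoleBinding created
// by CreateAdminServiceAccount) are garbage-collected by Kubernetes; the token
// Secret is expected to be removed by the token controller once the account
// is gone.
func (f *ServiceAccountFactory) DeleteServiceAccount(name string) {
	GinkgoHelper()

	sa := &corev1.ServiceAccount{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: f.rootNamespace,
			Name:      name,
		},
	}
	// NotFound is not a failure: the goal is that the account does not exist.
	err := f.k8sClient.Delete(context.Background(), sa)
	Expect(client.IgnoreNotFound(err)).To(Succeed())
}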
// FullyQualifiedName returns the username Kubernetes uses for the
// ServiceAccount svcAcctName in the root namespace,
// "system:serviceaccount:<namespace>:<name>" — the subject name that shows up
// in RBAC subjects and audit logs for requests made with the account's token.
func (f *ServiceAccountFactory) FullyQualifiedName(svcAcctName string) string {
	const prefix = "system:serviceaccount"
	return fmt.Sprintf("%s:%s:%s", prefix, f.rootNamespace, svcAcctName)
}