diff --git a/cmd/milo/apiserver/config.go b/cmd/milo/apiserver/config.go
index f9368551..72bc410b 100644
--- a/cmd/milo/apiserver/config.go
+++ b/cmd/milo/apiserver/config.go
@@ -45,7 +45,7 @@ import (
 "go.miloapis.com/milo/internal/apiserver/admission/initializer"
 eventsbackend "go.miloapis.com/milo/internal/apiserver/events"
- machineaccountkeysbackend "go.miloapis.com/milo/internal/apiserver/identity/machineaccountkeys"
+ serviceaccountkeysbackend "go.miloapis.com/milo/internal/apiserver/identity/serviceaccountkeys"
 sessionsbackend "go.miloapis.com/milo/internal/apiserver/identity/sessions"
 useridentitiesbackend "go.miloapis.com/milo/internal/apiserver/identity/useridentities"
 identitystorage "go.miloapis.com/milo/internal/apiserver/storage/identity"
@@ -78,7 +78,7 @@ type Config struct {
 type ExtraConfig struct {
 SessionsProvider SessionsProviderConfig
 UserIdentitiesProvider UserIdentitiesProviderConfig
- MachineAccountKeysProvider MachineAccountKeysProviderConfig
+ ServiceAccountKeysProvider ServiceAccountKeysProviderConfig
 EventsProvider EventsProviderConfig
 }
@@ -115,8 +115,8 @@ type EventsProviderConfig struct {
 ForwardExtras []string
 }
-// MachineAccountKeysProviderConfig groups configuration for the machineaccountkeys backend provider
-type MachineAccountKeysProviderConfig struct {
+// ServiceAccountKeysProviderConfig groups configuration for the serviceaccountkeys backend provider
+type ServiceAccountKeysProviderConfig struct {
 URL string
 CAFile string
 ClientCertFile string
@@ -220,23 +220,23 @@ func newIdentityStorageProvider(c *CompletedConfig) controlplaneapiserver.RESTSt
 provider.UserIdentities = backend
 }
- if utilfeature.DefaultFeatureGate.Enabled(features.MachineAccountKeys) {
- allow := make(map[string]struct{}, len(c.ExtraConfig.MachineAccountKeysProvider.ForwardExtras))
- for _, k := range c.ExtraConfig.MachineAccountKeysProvider.ForwardExtras {
+ if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountKeys) {
+ allow := make(map[string]struct{}, len(c.ExtraConfig.ServiceAccountKeysProvider.ForwardExtras))
+ for _, k := range c.ExtraConfig.ServiceAccountKeysProvider.ForwardExtras {
 allow[k] = struct{}{}
 }
- cfg := machineaccountkeysbackend.Config{
+ cfg := serviceaccountkeysbackend.Config{
 BaseConfig: c.ControlPlane.Generic.LoopbackClientConfig,
- ProviderURL: c.ExtraConfig.MachineAccountKeysProvider.URL,
- CAFile: c.ExtraConfig.MachineAccountKeysProvider.CAFile,
- ClientCertFile: c.ExtraConfig.MachineAccountKeysProvider.ClientCertFile,
- ClientKeyFile: c.ExtraConfig.MachineAccountKeysProvider.ClientKeyFile,
- Timeout: time.Duration(c.ExtraConfig.MachineAccountKeysProvider.TimeoutSeconds) * time.Second,
- Retries: c.ExtraConfig.MachineAccountKeysProvider.Retries,
+ ProviderURL: c.ExtraConfig.ServiceAccountKeysProvider.URL,
+ CAFile: c.ExtraConfig.ServiceAccountKeysProvider.CAFile,
+ ClientCertFile: c.ExtraConfig.ServiceAccountKeysProvider.ClientCertFile,
+ ClientKeyFile: c.ExtraConfig.ServiceAccountKeysProvider.ClientKeyFile,
+ Timeout: time.Duration(c.ExtraConfig.ServiceAccountKeysProvider.TimeoutSeconds) * time.Second,
+ Retries: c.ExtraConfig.ServiceAccountKeysProvider.Retries,
 ExtrasAllow: allow,
 }
- backend, _ := machineaccountkeysbackend.NewDynamicProvider(cfg)
- provider.MachineAccountKeys = backend
+ backend, _ := serviceaccountkeysbackend.NewDynamicProvider(cfg)
+ provider.ServiceAccountKeys = backend
 }
 return provider
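Review bot: `backend, _ := serviceaccountkeysbackend.NewDynamicProvider(cfg)` on the new side still discards the constructor's error, so a wrong `CAFile`/`ClientCertFile`/`ClientKeyFile` path or an unusable `ProviderURL` is never surfaced at startup and `provider.ServiceAccountKeys` is set to whatever NewDynamicProvider returns on failure (presumably nil, judging by its `(*DynamicProvider, error)` signature in dynamic.go). The removed line had the same `_`, but a commit that rewrites this line anyway is the right moment to stop silently disabling a feature-gated identity backend. `newIdentityStorageProvider` is cut off at the hunk header and appears to return only a `RESTStorageProvider`, so short of changing its signature I would at least do `backend, err := serviceaccountkeysbackend.NewDynamicProvider(cfg)` followed by `if err != nil { /* fail fast or log: ServiceAccountKeys gate is on but the backend cannot be built */ }` rather than proceed with an unusable provider; the same pattern may exist for the other backends above this hunk, which I cannot see.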
diff --git a/cmd/milo/apiserver/server.go b/cmd/milo/apiserver/server.go
index 941e4ef8..31508aa0 100644
--- a/cmd/milo/apiserver/server.go
+++ b/cmd/milo/apiserver/server.go
@@ -68,10 +68,10 @@ var (
 userIdentitiesProviderCAFile string
 userIdentitiesProviderClientCert string
 userIdentitiesProviderClientKey string
- machineAccountKeysProviderURL string
- machineAccountKeysProviderCAFile string
- machineAccountKeysProviderClientCert string
- machineAccountKeysProviderClientKey string
+ serviceAccountKeysProviderURL string
+ serviceAccountKeysProviderCAFile string
+ serviceAccountKeysProviderClientCert string
+ serviceAccountKeysProviderClientKey string
 eventsProviderURL string
 eventsProviderCAFile string
 eventsProviderClientCert string
@@ -188,10 +188,10 @@ func NewCommand() *cobra.Command {
 fs.StringVar(&userIdentitiesProviderCAFile, "useridentities-provider-ca-file", "", "Path to CA file to validate useridentities provider TLS")
 fs.StringVar(&userIdentitiesProviderClientCert, "useridentities-provider-client-cert", "", "Client certificate for mTLS to useridentities provider")
 fs.StringVar(&userIdentitiesProviderClientKey, "useridentities-provider-client-key", "", "Client private key for mTLS to useridentities provider")
- fs.StringVar(&machineAccountKeysProviderURL, "machineaccountkeys-provider-url", "", "Direct provider base URL for machineaccountkeys (e.g., https://zitadel-apiserver:8443)")
- fs.StringVar(&machineAccountKeysProviderCAFile, "machineaccountkeys-provider-ca-file", "", "Path to CA file to validate machineaccountkeys provider TLS")
- fs.StringVar(&machineAccountKeysProviderClientCert, "machineaccountkeys-provider-client-cert", "", "Client certificate for mTLS to machineaccountkeys provider")
- fs.StringVar(&machineAccountKeysProviderClientKey, "machineaccountkeys-provider-client-key", "", "Client private key for mTLS to machineaccountkeys provider")
+ fs.StringVar(&serviceAccountKeysProviderURL, "serviceaccountkeys-provider-url", "", "Direct provider base URL for serviceaccountkeys (e.g., https://zitadel-apiserver:8443)")
+ fs.StringVar(&serviceAccountKeysProviderCAFile, "serviceaccountkeys-provider-ca-file", "", "Path to CA file to validate serviceaccountkeys provider TLS")
+ fs.StringVar(&serviceAccountKeysProviderClientCert, "serviceaccountkeys-provider-client-cert", "", "Client certificate for mTLS to serviceaccountkeys provider")
+ fs.StringVar(&serviceAccountKeysProviderClientKey, "serviceaccountkeys-provider-client-key", "", "Client private key for mTLS to serviceaccountkeys provider")
 fs.StringVar(&eventsProviderURL, "events-provider-url", "", "Activity API server URL for events storage (e.g., https://activity-apiserver.activity-system.svc:443)")
 fs.StringVar(&eventsProviderCAFile, "events-provider-ca-file", "", "Path to CA file to validate Activity provider TLS")
 fs.StringVar(&eventsProviderClientCert, "events-provider-client-cert", "", "Client certificate for mTLS to Activity provider")
@@ -261,13 +261,13 @@ func Run(ctx context.Context, opts options.CompletedOptions) error {
 config.ExtraConfig.UserIdentitiesProvider.Retries = providerRetries
 config.ExtraConfig.UserIdentitiesProvider.ForwardExtras = forwardExtras
- config.ExtraConfig.MachineAccountKeysProvider.URL = machineAccountKeysProviderURL
- config.ExtraConfig.MachineAccountKeysProvider.CAFile = machineAccountKeysProviderCAFile
- config.ExtraConfig.MachineAccountKeysProvider.ClientCertFile = machineAccountKeysProviderClientCert
- config.ExtraConfig.MachineAccountKeysProvider.ClientKeyFile = machineAccountKeysProviderClientKey
- config.ExtraConfig.MachineAccountKeysProvider.TimeoutSeconds = providerTimeoutSeconds
- config.ExtraConfig.MachineAccountKeysProvider.Retries = providerRetries
- config.ExtraConfig.MachineAccountKeysProvider.ForwardExtras = forwardExtras
+ config.ExtraConfig.ServiceAccountKeysProvider.URL = serviceAccountKeysProviderURL
+ config.ExtraConfig.ServiceAccountKeysProvider.CAFile = serviceAccountKeysProviderCAFile
+ config.ExtraConfig.ServiceAccountKeysProvider.ClientCertFile = serviceAccountKeysProviderClientCert
+ config.ExtraConfig.ServiceAccountKeysProvider.ClientKeyFile = serviceAccountKeysProviderClientKey
+ config.ExtraConfig.ServiceAccountKeysProvider.TimeoutSeconds = providerTimeoutSeconds
+ config.ExtraConfig.ServiceAccountKeysProvider.Retries = providerRetries
+ config.ExtraConfig.ServiceAccountKeysProvider.ForwardExtras = forwardExtras
 config.ExtraConfig.EventsProvider.URL = eventsProviderURL
 config.ExtraConfig.EventsProvider.CAFile = eventsProviderCAFile
diff --git a/config/apiserver/deployment.yaml b/config/apiserver/deployment.yaml
index f8de2057..7a0cd504 100644
--- a/config/apiserver/deployment.yaml
+++ b/config/apiserver/deployment.yaml @@ -70,11 +70,11 @@ spec: - --useridentities-provider-ca-file=$(USERIDENTITIES_PROVIDER_CA_FILE) - --useridentities-provider-client-cert=$(USERIDENTITIES_PROVIDER_CLIENT_CERT_FILE) - --useridentities-provider-client-key=$(USERIDENTITIES_PROVIDER_CLIENT_KEY_FILE) - # MachineAccountKeys provider configuration - - --machineaccountkeys-provider-url=$(MACHINEACCOUNTKEYS_PROVIDER_URL) - - --machineaccountkeys-provider-ca-file=$(MACHINEACCOUNTKEYS_PROVIDER_CA_FILE) - - --machineaccountkeys-provider-client-cert=$(MACHINEACCOUNTKEYS_PROVIDER_CLIENT_CERT_FILE) - - --machineaccountkeys-provider-client-key=$(MACHINEACCOUNTKEYS_PROVIDER_CLIENT_KEY_FILE) + # ServiceAccountKeys provider configuration + - --serviceaccountkeys-provider-url=$(SERVICEACCOUNTKEYS_PROVIDER_URL) + - --serviceaccountkeys-provider-ca-file=$(SERVICEACCOUNTKEYS_PROVIDER_CA_FILE) + - --serviceaccountkeys-provider-client-cert=$(SERVICEACCOUNTKEYS_PROVIDER_CLIENT_CERT_FILE) + - --serviceaccountkeys-provider-client-key=$(SERVICEACCOUNTKEYS_PROVIDER_CLIENT_KEY_FILE) # Events proxy provider configuration (requires EventsProxy feature gate) - --events-provider-url=$(EVENTS_PROVIDER_URL) - --events-provider-ca-file=$(EVENTS_PROVIDER_CA_FILE) @@ -162,13 +162,13 @@ spec: value: "" - name: USERIDENTITIES_PROVIDER_CLIENT_KEY_FILE value: "" - - name: MACHINEACCOUNTKEYS_PROVIDER_URL + - name: SERVICEACCOUNTKEYS_PROVIDER_URL value: "" - - name: MACHINEACCOUNTKEYS_PROVIDER_CA_FILE + - name: SERVICEACCOUNTKEYS_PROVIDER_CA_FILE value: "" - - name: MACHINEACCOUNTKEYS_PROVIDER_CLIENT_CERT_FILE + - name: SERVICEACCOUNTKEYS_PROVIDER_CLIENT_CERT_FILE value: "" - - name: MACHINEACCOUNTKEYS_PROVIDER_CLIENT_KEY_FILE + - name: SERVICEACCOUNTKEYS_PROVIDER_CLIENT_KEY_FILE value: "" # Events proxy provider configuration (requires --feature-gates=EventsProxy=true) - name: EVENTS_PROVIDER_URL 
diff --git a/config/components/apiserver-audit-logging/audit-policy-configmap.yaml b/config/components/apiserver-audit-logging/audit-policy-configmap.yaml index 7689fb71..52199e5f 100644 --- a/config/components/apiserver-audit-logging/audit-policy-configmap.yaml +++ b/config/components/apiserver-audit-logging/audit-policy-configmap.yaml @@ -142,13 +142,13 @@ data: - group: "" # core API group resources: ["secrets", "configmaps"] - # Log MachineAccountKey at Metadata level to redact private key from audit logs + # Log ServiceAccountKey at Metadata level to redact private key from audit logs # The privateKey is only returned in the response body on creation, so we omit # the response to prevent credential leakage in audit logs - level: Metadata resources: - group: "identity.miloapis.com" - resources: ["machineaccountkeys"] + resources: ["serviceaccountkeys"] # Log Milo API resources at RequestResponse level to capture full context - level: RequestResponse diff --git a/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml b/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml index 03be14ab..0c8ffc4d 100644 --- a/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml +++ b/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml @@ -141,7 +141,7 @@ spec: items: description: |- Subject contains a reference to the object or user identities a role binding applies to. - This can be a User, Group, or MachineAccount. + This can be a User, Group, or ServiceAccount. properties: kind: description: Kind of object being referenced. Values defined @@ -149,7 +149,7 @@ spec: enum: - User - Group - - MachineAccount + - ServiceAccount type: string name: description: |- 
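Review bot: The PolicyBinding subject `kind` enum now reads `ServiceAccount`, which is also the kind used for core Kubernetes ServiceAccount subjects in RBAC bindings, and nothing in the schema says which one is meant; the `namespace` wording in the `@@ -160` hunk on the next line ("If not specified for a Group, User or ServiceAccount, it is ignored") deepens the ambiguity, because core ServiceAccounts are always namespaced. I would make the new-side description explicit, e.g. `This can be a User, Group, or ServiceAccount (the iam.miloapis.com kind, not core/v1 ServiceAccount).`, so policy authors do not carry over Kubernetes RBAC semantics. The audit-policy hunk on this line stays group-qualified (`group: "identity.miloapis.com"`), so the rename does not widen what is logged; but since that Metadata-level rule is the only thing keeping `privateKey` out of the audit log, a policy test asserting that `serviceaccountkeys` in that group still matches at Metadata level (and that no leftover `machineaccountkeys` path falls through to the RequestResponse rule below it) would be a cheap guard to add with this rename.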
@@ -160,7 +160,7 @@ spec: namespace: description: |- Namespace of the referenced object. - If not specified for a Group, User or MachineAccount, it is ignored. + If not specified for a Group, User or ServiceAccount, it is ignored. type: string uid: description: UID of the referenced object. Optional for system diff --git a/config/crd/bases/iam/iam.miloapis.com_machineaccounts.yaml b/config/crd/bases/iam/iam.miloapis.com_serviceaccounts.yaml similarity index 89% rename from config/crd/bases/iam/iam.miloapis.com_machineaccounts.yaml rename to config/crd/bases/iam/iam.miloapis.com_serviceaccounts.yaml index bc861b5b..35359a7b 100644 --- a/config/crd/bases/iam/iam.miloapis.com_machineaccounts.yaml +++ b/config/crd/bases/iam/iam.miloapis.com_serviceaccounts.yaml @@ -5,14 +5,14 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 discovery.miloapis.com/parent-contexts: Project - name: machineaccounts.iam.miloapis.com + name: serviceaccounts.iam.miloapis.com spec: group: iam.miloapis.com names: - kind: MachineAccount - listKind: MachineAccountList - plural: machineaccounts - singular: machineaccount + kind: ServiceAccount + listKind: ServiceAccountList + plural: serviceaccounts + singular: serviceaccount scope: Cluster versions: - additionalPrinterColumns: @@ -37,7 +37,7 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: MachineAccount is the Schema for the machine accounts API + description: ServiceAccount is the Schema for the service accounts API properties: apiVersion: description: |- 
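Review bot: The renamed CRD `serviceaccounts.iam.miloapis.com` registers kind `ServiceAccount` with plural `serviceaccounts` and singular `serviceaccount`, the same unqualified names as core/v1 ServiceAccount; kubectl and the client-go RESTMapper resolve a bare `serviceaccounts` to the core group first, so `kubectl get serviceaccounts` silently lists the wrong type, and any RBAC or audit rule written with an unqualified resource name would bind to core ServiceAccounts instead of these. The diff adds no `shortNames` and no note about the qualified form. I would at least extend the schema description on the new side, e.g. `description: ServiceAccount is the Schema for the service accounts API. Address it as serviceaccounts.iam.miloapis.com; the unqualified name resolves to core/v1 ServiceAccount.`, and confirm that every consumer in this commit that names the resource (the ProtectedResource entries with `serviceRef.name: "iam.miloapis.com"`, the Role permission strings) is matched by group, which from here they appear to be.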
@@ -57,26 +57,26 @@ spec: metadata: type: object spec: - description: MachineAccountSpec defines the desired state of MachineAccount + description: ServiceAccountSpec defines the desired state of ServiceAccount properties: state: default: Active description: |- - The state of the machine account. This state can be safely changed as needed. + The state of the service account. This state can be safely changed as needed. States: - - Active: The machine account can be used to authenticate. - - Inactive: The machine account is prohibited to be used to authenticate, and revokes all existing sessions. + - Active: The service account can be used to authenticate. + - Inactive: The service account is prohibited to be used to authenticate, and revokes all existing sessions. enum: - Active - Inactive type: string type: object status: - description: MachineAccountStatus defines the observed state of MachineAccount + description: ServiceAccountStatus defines the observed state of ServiceAccount properties: conditions: description: Conditions provide conditions that represent the current - status of the MachineAccount. + status of the ServiceAccount. items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -134,12 +134,12 @@ spec: type: array email: description: |- - The computed email of the machine account following the pattern: + The computed email of the service account following the pattern: {metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix} type: string state: description: |- - State represents the current activation state of the machine account from the auth provider. + State represents the current activation state of the service account from the auth provider. This field tracks the state from the previous generation and is updated when state changes are successfully propagated to the auth provider. It helps optimize performance by only updating the auth provider when a state change is detected. 
diff --git a/config/crd/bases/iam/kustomization.yaml b/config/crd/bases/iam/kustomization.yaml index 485b046b..8f615aff 100644 --- a/config/crd/bases/iam/kustomization.yaml +++ b/config/crd/bases/iam/kustomization.yaml @@ -2,7 +2,7 @@ resources: - iam.miloapis.com_roles.yaml - iam.miloapis.com_groups.yaml - iam.miloapis.com_groupmemberships.yaml -- iam.miloapis.com_machineaccounts.yaml +- iam.miloapis.com_serviceaccounts.yaml - iam.miloapis.com_policybindings.yaml - iam.miloapis.com_protectedresources.yaml - iam.miloapis.com_users.yaml diff --git a/config/protected-resources/iam/kustomization.yaml b/config/protected-resources/iam/kustomization.yaml index 69b40ea8..f13d61ea 100644 --- a/config/protected-resources/iam/kustomization.yaml +++ b/config/protected-resources/iam/kustomization.yaml @@ -14,5 +14,5 @@ resources: - platformaccessapproval.yaml - platformaccessrejection.yaml - platforminvitation.yaml - - machineaccount.yaml + - serviceaccount.yaml diff --git a/config/protected-resources/iam/machineaccount.yaml b/config/protected-resources/iam/serviceaccount.yaml similarity index 72% rename from config/protected-resources/iam/machineaccount.yaml rename to config/protected-resources/iam/serviceaccount.yaml index 154d6c11..7998c7fd 100644 --- a/config/protected-resources/iam/machineaccount.yaml +++ b/config/protected-resources/iam/serviceaccount.yaml @@ -1,13 +1,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: ProtectedResource metadata: - name: iam.miloapis.com-machineaccount + name: iam.miloapis.com-serviceaccount spec: serviceRef: name: "iam.miloapis.com" - kind: MachineAccount - plural: machineaccounts - singular: machineaccount + kind: ServiceAccount + plural: serviceaccounts + singular: serviceaccount permissions: - list - get diff --git a/config/protected-resources/identity/kustomization.yaml b/config/protected-resources/identity/kustomization.yaml index 600a9041..20025fb6 100644 --- a/config/protected-resources/identity/kustomization.yaml 
+++ b/config/protected-resources/identity/kustomization.yaml @@ -4,4 +4,4 @@ kind: Kustomization resources: - session.yaml - useridentity.yaml - - machineaccountkey.yaml + - serviceaccountkey.yaml diff --git a/config/protected-resources/identity/machineaccountkey.yaml b/config/protected-resources/identity/serviceaccountkey.yaml similarity index 69% rename from config/protected-resources/identity/machineaccountkey.yaml rename to config/protected-resources/identity/serviceaccountkey.yaml index 72baf7a3..0fbcc471 100644 --- a/config/protected-resources/identity/machineaccountkey.yaml +++ b/config/protected-resources/identity/serviceaccountkey.yaml @@ -1,13 +1,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: ProtectedResource metadata: - name: identity.miloapis.com-machineaccountkey + name: identity.miloapis.com-serviceaccountkey spec: serviceRef: name: "identity.miloapis.com" - kind: MachineAccountKey - plural: machineaccountkeys - singular: machineaccountkey + kind: ServiceAccountKey + plural: serviceaccountkeys + singular: serviceaccountkey permissions: - list - get diff --git a/config/resources-metrics/iam/kustomization.yaml b/config/resources-metrics/iam/kustomization.yaml index 06e77315..fecac7f4 100644 --- a/config/resources-metrics/iam/kustomization.yaml +++ b/config/resources-metrics/iam/kustomization.yaml @@ -7,7 +7,7 @@ configMapGenerator: - users.yaml - groups.yaml - group_memberships.yaml - - machine_accounts.yaml + - service_accounts.yaml - policy_bindings.yaml - roles.yaml - user_invitations.yaml diff --git a/config/resources-metrics/iam/machine_accounts.yaml b/config/resources-metrics/iam/service_accounts.yaml similarity index 79% rename from config/resources-metrics/iam/machine_accounts.yaml rename to config/resources-metrics/iam/service_accounts.yaml index 11b3c4f1..1dd6e65e 100644 --- a/config/resources-metrics/iam/machine_accounts.yaml +++ b/config/resources-metrics/iam/service_accounts.yaml 
@@ -3,12 +3,12 @@ spec: resources: - groupVersionKind: group: "iam.miloapis.com" - kind: "MachineAccount" + kind: "ServiceAccount" version: "v1alpha1" labelsFromPath: name: [metadata, name] namespace: [metadata, namespace] - metricNamePrefix: milo_machine_accounts + metricNamePrefix: milo_service_accounts metrics: - name: "info" each: @@ -20,4 +20,4 @@ spec: each: type: Gauge gauge: - path: [metadata, creationTimestamp] \ No newline at end of file + path: [metadata, creationTimestamp] diff --git a/config/resources-metrics/identity/kustomization.yaml b/config/resources-metrics/identity/kustomization.yaml index de9c25ee..27766af2 100644 --- a/config/resources-metrics/identity/kustomization.yaml +++ b/config/resources-metrics/identity/kustomization.yaml @@ -4,7 +4,7 @@ kind: Component configMapGenerator: - name: milo-identity-resource-metrics files: - - machine_account_keys.yaml + - service_account_keys.yaml options: labels: telemetry.datumapis.com/core-resource-metrics-config: "true" diff --git a/config/resources-metrics/identity/machine_account_keys.yaml b/config/resources-metrics/identity/service_account_keys.yaml similarity index 86% rename from config/resources-metrics/identity/machine_account_keys.yaml rename to config/resources-metrics/identity/service_account_keys.yaml index 9ebbc86f..19b1de92 100644 --- a/config/resources-metrics/identity/machine_account_keys.yaml +++ b/config/resources-metrics/identity/service_account_keys.yaml @@ -3,12 +3,12 @@ spec: resources: - groupVersionKind: group: "identity.miloapis.com" - kind: "MachineAccountKey" + kind: "ServiceAccountKey" version: "v1alpha1" labelsFromPath: name: [metadata, name] namespace: [metadata, namespace] - metricNamePrefix: milo_machine_account_keys + metricNamePrefix: milo_service_account_keys metrics: - name: "info" each: diff --git a/config/roles/iam-machine-accounts-admin.yaml b/config/roles/iam-machine-accounts-admin.yaml deleted file mode 100644 index 78ea9fb8..00000000 
--- a/config/roles/iam-machine-accounts-admin.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: iam.miloapis.com/v1alpha1 -kind: Role -metadata: - name: iam-machine-accounts-admin - annotations: - kubernetes.io/display-name: IAM Machine Accounts Admin - kubernetes.io/description: "Full access to machine accounts." -spec: - launchStage: Beta - inheritedRoles: - - name: iam-machine-accounts-editor diff --git a/config/roles/iam-machine-accounts-editor.yaml b/config/roles/iam-machine-accounts-editor.yaml deleted file mode 100644 index 405d0015..00000000 --- a/config/roles/iam-machine-accounts-editor.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: iam.miloapis.com/v1alpha1 -kind: Role -metadata: - name: iam-machine-accounts-editor - annotations: - kubernetes.io/display-name: IAM Machine Accounts Editor - kubernetes.io/description: "Allows editing machine accounts." -spec: - launchStage: Beta - inheritedRoles: - - name: iam-machine-accounts-viewer - includedPermissions: - - iam.miloapis.com/machineaccounts.create - - iam.miloapis.com/machineaccounts.update - - iam.miloapis.com/machineaccounts.patch - - iam.miloapis.com/machineaccounts.delete diff --git a/config/roles/iam-machine-accounts-viewer.yaml b/config/roles/iam-machine-accounts-viewer.yaml deleted file mode 100644 index e79a8228..00000000 --- a/config/roles/iam-machine-accounts-viewer.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: iam.miloapis.com/v1alpha1 -kind: Role -metadata: - name: iam-machine-accounts-viewer - annotations: - kubernetes.io/display-name: IAM Machine Accounts Viewer - kubernetes.io/description: "Allows viewing machine accounts." -spec: - launchStage: Beta - includedPermissions: - - iam.miloapis.com/machineaccounts.get - - iam.miloapis.com/machineaccounts.list - - iam.miloapis.com/machineaccounts.watch diff --git a/config/roles/iam-service-accounts-admin.yaml b/config/roles/iam-service-accounts-admin.yaml new file mode 100644 index 00000000..b4e341ab --- /dev/null 
+++ b/config/roles/iam-service-accounts-admin.yaml @@ -0,0 +1,11 @@ +apiVersion: iam.miloapis.com/v1alpha1 +kind: Role +metadata: + name: iam-service-accounts-admin + annotations: + kubernetes.io/display-name: IAM Service Accounts Admin + kubernetes.io/description: "Full access to service accounts." +spec: + launchStage: Beta + inheritedRoles: + - name: iam-service-accounts-editor diff --git a/config/roles/iam-service-accounts-editor.yaml b/config/roles/iam-service-accounts-editor.yaml new file mode 100644 index 00000000..45de08be --- /dev/null +++ b/config/roles/iam-service-accounts-editor.yaml @@ -0,0 +1,16 @@ +apiVersion: iam.miloapis.com/v1alpha1 +kind: Role +metadata: + name: iam-service-accounts-editor + annotations: + kubernetes.io/display-name: IAM Service Accounts Editor + kubernetes.io/description: "Allows editing service accounts." +spec: + launchStage: Beta + inheritedRoles: + - name: iam-service-accounts-viewer + includedPermissions: + - iam.miloapis.com/serviceaccounts.create + - iam.miloapis.com/serviceaccounts.update + - iam.miloapis.com/serviceaccounts.patch + - iam.miloapis.com/serviceaccounts.delete diff --git a/config/roles/iam-service-accounts-viewer.yaml b/config/roles/iam-service-accounts-viewer.yaml new file mode 100644 index 00000000..6b6df2bc --- /dev/null +++ b/config/roles/iam-service-accounts-viewer.yaml @@ -0,0 +1,13 @@ +apiVersion: iam.miloapis.com/v1alpha1 +kind: Role +metadata: + name: iam-service-accounts-viewer + annotations: + kubernetes.io/display-name: IAM Service Accounts Viewer + kubernetes.io/description: "Allows viewing service accounts." +spec: + launchStage: Beta + includedPermissions: + - iam.miloapis.com/serviceaccounts.get + - iam.miloapis.com/serviceaccounts.list + - iam.miloapis.com/serviceaccounts.watch diff --git a/config/roles/identity-machine-account-keys-admin.yaml b/config/roles/identity-machine-account-keys-admin.yaml deleted file mode 100644 index 7367ca51..00000000 
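Review bot: The `iam-machine-accounts-{viewer,editor,admin}` Roles are deleted on the previous line and recreated here under `iam-service-accounts-*` (the identity key roles on the following lines follow the same pattern), with no alias or migration in the diff, so any existing PolicyBinding that references the old Role names either stops resolving or loses its grant the moment this is applied; I cannot tell from the diff whether a data migration lives elsewhere. For an access-control rename, a two-step change is safer: keep the old Role objects for a deprecation window, each with `inheritedRoles: - name: iam-service-accounts-<tier>` and a `kubernetes.io/description` that says it is deprecated, and remove them once bindings have been moved. If the one-step replacement is intentional, the release notes should call it out together with the permission-string change (`iam.miloapis.com/machineaccounts.*` → `iam.miloapis.com/serviceaccounts.*`), since any stored policy or custom Role keyed on the old strings will stop matching in the same way.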
--- a/config/roles/identity-machine-account-keys-admin.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: iam.miloapis.com/v1alpha1 -kind: Role -metadata: - name: identity-machine-account-keys-admin - annotations: - kubernetes.io/display-name: Identity Machine Account Keys Admin - kubernetes.io/description: "Full access to machine account keys." -spec: - launchStage: Beta - inheritedRoles: - - name: identity-machine-account-keys-editor diff --git a/config/roles/identity-machine-account-keys-editor.yaml b/config/roles/identity-machine-account-keys-editor.yaml deleted file mode 100644 index ff0447c4..00000000 --- a/config/roles/identity-machine-account-keys-editor.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: iam.miloapis.com/v1alpha1 -kind: Role -metadata: - name: identity-machine-account-keys-editor - annotations: - kubernetes.io/display-name: Identity Machine Account Keys Editor - kubernetes.io/description: "Allows editing machine account keys." -spec: - launchStage: Beta - inheritedRoles: - - name: identity-machine-account-keys-viewer - includedPermissions: - - identity.miloapis.com/machineaccountkeys.create - - identity.miloapis.com/machineaccountkeys.update - - identity.miloapis.com/machineaccountkeys.patch - - identity.miloapis.com/machineaccountkeys.delete diff --git a/config/roles/identity-machine-account-keys-viewer.yaml b/config/roles/identity-machine-account-keys-viewer.yaml deleted file mode 100644 index 3b21ef6c..00000000 --- a/config/roles/identity-machine-account-keys-viewer.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: iam.miloapis.com/v1alpha1 -kind: Role -metadata: - name: identity-machine-account-keys-viewer - annotations: - kubernetes.io/display-name: Identity Machine Account Keys Viewer - kubernetes.io/description: "Allows viewing machine account keys." -spec: - launchStage: Beta - includedPermissions: - - identity.miloapis.com/machineaccountkeys.get - - identity.miloapis.com/machineaccountkeys.list - - identity.miloapis.com/machineaccountkeys.watch diff --git a/config/roles/identity-service-account-keys-admin.yaml b/config/roles/identity-service-account-keys-admin.yaml new file mode 100644 index 00000000..f5891365 --- /dev/null +++ b/config/roles/identity-service-account-keys-admin.yaml @@ -0,0 +1,11 @@ +apiVersion: iam.miloapis.com/v1alpha1 +kind: Role +metadata: + name: identity-service-account-keys-admin + annotations: + kubernetes.io/display-name: Identity Service Account Keys Admin + kubernetes.io/description: "Full access to service account keys." +spec: + launchStage: Beta + inheritedRoles: + - name: identity-service-account-keys-editor diff --git a/config/roles/identity-service-account-keys-editor.yaml b/config/roles/identity-service-account-keys-editor.yaml new file mode 100644 index 00000000..53042958 --- /dev/null +++ b/config/roles/identity-service-account-keys-editor.yaml @@ -0,0 +1,16 @@ +apiVersion: iam.miloapis.com/v1alpha1 +kind: Role +metadata: + name: identity-service-account-keys-editor + annotations: + kubernetes.io/display-name: Identity Service Account Keys Editor + kubernetes.io/description: "Allows editing service account keys." +spec: + launchStage: Beta + inheritedRoles: + - name: identity-service-account-keys-viewer + includedPermissions: + - identity.miloapis.com/serviceaccountkeys.create + - identity.miloapis.com/serviceaccountkeys.update + - identity.miloapis.com/serviceaccountkeys.patch + - identity.miloapis.com/serviceaccountkeys.delete 
diff --git a/config/roles/identity-service-account-keys-viewer.yaml b/config/roles/identity-service-account-keys-viewer.yaml new file mode 100644 index 00000000..ead4fa36 --- /dev/null +++ b/config/roles/identity-service-account-keys-viewer.yaml @@ -0,0 +1,13 @@ +apiVersion: iam.miloapis.com/v1alpha1 +kind: Role +metadata: + name: identity-service-account-keys-viewer + annotations: + kubernetes.io/display-name: Identity Service Account Keys Viewer + kubernetes.io/description: "Allows viewing service account keys." +spec: + launchStage: Beta + includedPermissions: + - identity.miloapis.com/serviceaccountkeys.get + - identity.miloapis.com/serviceaccountkeys.list + - identity.miloapis.com/serviceaccountkeys.watch diff --git a/config/roles/kustomization.yaml b/config/roles/kustomization.yaml index 73b43978..3287df61 100644 --- a/config/roles/kustomization.yaml +++ b/config/roles/kustomization.yaml @@ -71,9 +71,9 @@ resources: - notes-creator-editor.yaml - notes-admin.yaml - identity-user-session-viewer.yaml - - iam-machine-accounts-viewer.yaml - - iam-machine-accounts-editor.yaml - - iam-machine-accounts-admin.yaml - - identity-machine-account-keys-viewer.yaml - - identity-machine-account-keys-editor.yaml - - identity-machine-account-keys-admin.yaml + - iam-service-accounts-viewer.yaml + - iam-service-accounts-editor.yaml + - iam-service-accounts-admin.yaml + - identity-service-account-keys-viewer.yaml + - identity-service-account-keys-editor.yaml + - identity-service-account-keys-admin.yaml diff --git a/config/samples/iam/v1alpha1/machineaccount.yaml b/config/samples/iam/v1alpha1/serviceaccount.yaml similarity index 63% rename from config/samples/iam/v1alpha1/machineaccount.yaml rename to config/samples/iam/v1alpha1/serviceaccount.yaml index 9be0a33e..28c9c66e 100644 --- a/config/samples/iam/v1alpha1/machineaccount.yaml +++ b/config/samples/iam/v1alpha1/serviceaccount.yaml 
@@ -1,7 +1,7 @@
 apiVersion: iam.miloapis.com/v1alpha1
-kind: MachineAccount
+kind: ServiceAccount
 metadata:
- name: example-machine-account
+ name: example-service-account
 namespace: default
 spec:
 state: Active
diff --git a/config/samples/identity/v1alpha1/machineaccountkey.yaml b/config/samples/identity/v1alpha1/serviceaccountkey.yaml
similarity index 71%
rename from config/samples/identity/v1alpha1/machineaccountkey.yaml
rename to config/samples/identity/v1alpha1/serviceaccountkey.yaml
index 5d717fb0..4136011b 100644
--- a/config/samples/identity/v1alpha1/machineaccountkey.yaml
+++ b/config/samples/identity/v1alpha1/serviceaccountkey.yaml
@@ -1,10 +1,10 @@
 apiVersion: identity.miloapis.com/v1alpha1
-kind: MachineAccountKey
+kind: ServiceAccountKey
 metadata:
- name: example-machine-account-key-32
+ name: example-service-account-key-32
 namespace: default
 spec:
- machineAccountUserName: example-machine-account
+ serviceAccountUserName: example-service-account
 # If not specified, the key will never expire.
 # expirationDate: "2026-03-25T10:18:48Z"
 # If not specified, an auto-generated public key will be created.
diff --git a/internal/apiserver/identity/machineaccountkeys/dynamic.go b/internal/apiserver/identity/serviceaccountkeys/dynamic.go
similarity index 84%
rename from internal/apiserver/identity/machineaccountkeys/dynamic.go
rename to internal/apiserver/identity/serviceaccountkeys/dynamic.go
index 7205c06c..42bd982d 100644
--- a/internal/apiserver/identity/machineaccountkeys/dynamic.go
+++ b/internal/apiserver/identity/serviceaccountkeys/dynamic.go
@@ -1,4 +1,4 @@
-package machineaccountkeys
+package serviceaccountkeys
 import (
 "context"
@@ -20,7 +20,7 @@ import (
 "k8s.io/client-go/transport"
 )
-// Config controls how the provider talks to the remote machineaccountkeys API **always via a remote URL**.
+// Config controls how the provider talks to the remote serviceaccountkeys API **always via a remote URL**.
 type Config struct {
 BaseConfig *rest.Config
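Review bot: The serviceaccountkey sample renames the spec field `machineAccountUserName` to `serviceAccountUserName` while keeping `apiVersion: identity.miloapis.com/v1alpha1`, which is a breaking wire-format change inside an unchanged API version; a client still sending the old field will either be rejected or have its reference silently dropped, depending on how the server treats unknown fields, and nothing in the diff shows a compatibility shim for the old name. Because this sample is the only place the field rename is visible, it should say so, e.g. `# Renamed from machineAccountUserName in this version; requests using the old field name are not translated.` (or the translation should be added on the server side and documented instead).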
@@ -37,7 +37,7 @@ type Config struct { } // DynamicProvider implements Backend by proxying to a remote auth-provider -// that serves the machineaccountkeys API (e.g. auth-provider-zitadel). +// that serves the serviceaccountkeys API (e.g. auth-provider-zitadel). type DynamicProvider struct { base *rest.Config gvr schema.GroupVersionResource @@ -75,7 +75,7 @@ func NewDynamicProvider(cfg Config) (*DynamicProvider, error) { base.Timeout = cfg.Timeout } - gvr := identityv1alpha1.SchemeGroupVersion.WithResource("machineaccountkeys") + gvr := identityv1alpha1.SchemeGroupVersion.WithResource("serviceaccountkeys") return &DynamicProvider{ base: base, @@ -127,7 +127,7 @@ func (b *DynamicProvider) filterExtras(src map[string][]string) map[string][]str // ---- Public API (implements Backend) ---- -func (b *DynamicProvider) CreateMachineAccountKey(ctx context.Context, _ authuser.Info, key *identityv1alpha1.MachineAccountKey, opts *metav1.CreateOptions) (*identityv1alpha1.MachineAccountKey, error) { +func (b *DynamicProvider) CreateServiceAccountKey(ctx context.Context, _ authuser.Info, key *identityv1alpha1.ServiceAccountKey, opts *metav1.CreateOptions) (*identityv1alpha1.ServiceAccountKey, error) { dyn, err := b.dynForUser(ctx) if err != nil { return nil, err @@ -139,7 +139,7 @@ func (b *DynamicProvider) CreateMachineAccountKey(ctx context.Context, _ authuse // Convert to unstructured for the dynamic client uobj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(key) if err != nil { - return nil, fmt.Errorf("failed to convert MachineAccountKey to unstructured: %w", err) + return nil, fmt.Errorf("failed to convert ServiceAccountKey to unstructured: %w", err) } var lastErr error 
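Review bot: `gvr := identityv1alpha1.SchemeGroupVersion.WithResource("serviceaccountkeys")` changes the path every proxied call is sent to, so the remote auth-provider named in the DynamicProvider comment must serve the renamed resource at the same group and version or every Create, List, Get and Delete will fail after this commit. The diff does not show a matching change on the provider side, so a rollout note in the commit description, or a comment on the line such as `// must match the resource name served by the auth-provider`, would help operators sequence the deployment. NewDynamicProvider starts and ends outside this hunk.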
@@ -154,14 +154,14 @@ func (b *DynamicProvider) CreateMachineAccountKey(ctx context.Context, _ authuse return nil, lastErr } - out := new(identityv1alpha1.MachineAccountKey) + out := new(identityv1alpha1.ServiceAccountKey) if err := runtime.DefaultUnstructuredConverter.FromUnstructured(created.UnstructuredContent(), out); err != nil { return nil, err } return out, nil } -func (b *DynamicProvider) ListMachineAccountKeys(ctx context.Context, _ authuser.Info, opts *metav1.ListOptions) (*identityv1alpha1.MachineAccountKeyList, error) { +func (b *DynamicProvider) ListServiceAccountKeys(ctx context.Context, _ authuser.Info, opts *metav1.ListOptions) (*identityv1alpha1.ServiceAccountKeyList, error) { if opts == nil { opts = &metav1.ListOptions{} } @@ -180,14 +180,14 @@ func (b *DynamicProvider) ListMachineAccountKeys(ctx context.Context, _ authuser if lastErr != nil { return nil, lastErr } - out := new(identityv1alpha1.MachineAccountKeyList) + out := new(identityv1alpha1.ServiceAccountKeyList) if err := runtime.DefaultUnstructuredConverter.FromUnstructured(ul.UnstructuredContent(), out); err != nil { return nil, err } return out, nil } -func (b *DynamicProvider) GetMachineAccountKey(ctx context.Context, _ authuser.Info, name string) (*identityv1alpha1.MachineAccountKey, error) { +func (b *DynamicProvider) GetServiceAccountKey(ctx context.Context, _ authuser.Info, name string) (*identityv1alpha1.ServiceAccountKey, error) { dyn, err := b.dynForUser(ctx) if err != nil { return nil, err 
@@ -203,14 +203,14 @@ func (b *DynamicProvider) GetMachineAccountKey(ctx context.Context, _ authuser.I if lastErr != nil { return nil, lastErr } - out := new(identityv1alpha1.MachineAccountKey) + out := new(identityv1alpha1.ServiceAccountKey) if err := runtime.DefaultUnstructuredConverter.FromUnstructured(uobj.UnstructuredContent(), out); err != nil { return nil, err } return out, nil } -func (b *DynamicProvider) DeleteMachineAccountKey(ctx context.Context, _ authuser.Info, name string) error { +func (b *DynamicProvider) DeleteServiceAccountKey(ctx context.Context, _ authuser.Info, name string) error { dyn, err := b.dynForUser(ctx) if err != nil { return err diff --git a/internal/apiserver/identity/machineaccountkeys/rest.go b/internal/apiserver/identity/serviceaccountkeys/rest.go similarity index 61% rename from internal/apiserver/identity/machineaccountkeys/rest.go rename to internal/apiserver/identity/serviceaccountkeys/rest.go index 4c75290e..aa5a3a89 100644 --- a/internal/apiserver/identity/machineaccountkeys/rest.go +++ b/internal/apiserver/identity/serviceaccountkeys/rest.go @@ -1,4 +1,4 @@ -package machineaccountkeys +package serviceaccountkeys import ( "context" 
@@ -19,10 +19,10 @@ import ( // Backend is the interface that the REST handler delegates all operations to. // Implementations proxy requests to the auth-provider (e.g. Zitadel) service. type Backend interface { - CreateMachineAccountKey(ctx context.Context, u authuser.Info, key *identityv1alpha1.MachineAccountKey, opts *metav1.CreateOptions) (*identityv1alpha1.MachineAccountKey, error) - ListMachineAccountKeys(ctx context.Context, u authuser.Info, opts *metav1.ListOptions) (*identityv1alpha1.MachineAccountKeyList, error) - GetMachineAccountKey(ctx context.Context, u authuser.Info, name string) (*identityv1alpha1.MachineAccountKey, error) - DeleteMachineAccountKey(ctx context.Context, u authuser.Info, name string) error + CreateServiceAccountKey(ctx context.Context, u authuser.Info, key *identityv1alpha1.ServiceAccountKey, opts *metav1.CreateOptions) (*identityv1alpha1.ServiceAccountKey, error) + ListServiceAccountKeys(ctx context.Context, u authuser.Info, opts *metav1.ListOptions) (*identityv1alpha1.ServiceAccountKeyList, error) + GetServiceAccountKey(ctx context.Context, u authuser.Info, name string) (*identityv1alpha1.ServiceAccountKey, error) + DeleteServiceAccountKey(ctx context.Context, u authuser.Info, name string) error } type REST struct { @@ -39,10 +39,10 @@ var _ rest.SingularNameProvider = &REST{} func NewREST(b Backend) *REST { return &REST{backend: b} } -func (r *REST) GetSingularName() string { return "machineaccountkey" } +func (r *REST) GetSingularName() string { return "serviceaccountkey" } func (r *REST) NamespaceScoped() bool { return false } -func (r *REST) New() runtime.Object { return &identityv1alpha1.MachineAccountKey{} } -func (r *REST) NewList() runtime.Object { return &identityv1alpha1.MachineAccountKeyList{} } +func (r *REST) New() runtime.Object { return &identityv1alpha1.ServiceAccountKey{} } +func (r *REST) NewList() runtime.Object { return &identityv1alpha1.ServiceAccountKeyList{} } func (r *REST) Create( ctx context.Context, 
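Review bot: `func (r *REST) NamespaceScoped() bool { return false }` declares the resource cluster-scoped, while the same commit marks the type `+kubebuilder:resource:scope=Namespaced`, the renamed sample sets `namespace: default`, and scheme.go accepts `metadata.namespace` as a field selector. One of these is wrong: if keys are namespaced the handler should return `true` so the generic apiserver routes namespaced paths and enforces the namespace on the object, otherwise the CRD marker, sample and selector should drop the namespace. The rename did not touch this line, but it is where the mismatch would be fixed.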
@@ -52,17 +52,17 @@ func (r *REST) Create( ) (runtime.Object, error) { logger := klog.FromContext(ctx) u, _ := apirequest.UserFrom(ctx) - key, ok := obj.(*identityv1alpha1.MachineAccountKey) + key, ok := obj.(*identityv1alpha1.ServiceAccountKey) if !ok { - return nil, apierrors.NewBadRequest("not a MachineAccountKey") + return nil, apierrors.NewBadRequest("not a ServiceAccountKey") } - logger.V(4).Info("Creating machine account key", "name", key.Name, "machineAccount", key.Spec.MachineAccountUserName) - res, err := r.backend.CreateMachineAccountKey(ctx, u, key, opts) + logger.V(4).Info("Creating service account key", "name", key.Name, "serviceAccount", key.Spec.ServiceAccountUserName) + res, err := r.backend.CreateServiceAccountKey(ctx, u, key, opts) if err != nil { - logger.Error(err, "Create machine account key failed", "name", key.Name) + logger.Error(err, "Create service account key failed", "name", key.Name) return nil, err } - logger.V(4).Info("Created machine account key", "name", res.Name, "authProviderKeyID", res.Status.AuthProviderKeyID) + logger.V(4).Info("Created service account key", "name", res.Name, "authProviderKeyID", res.Status.AuthProviderKeyID) return res, nil } 
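Review bot: `res` returned from `CreateServiceAccountKey` appears to be the one response that carries `Status.PrivateKey`, and the two log lines here deliberately log only `res.Name` and `res.Status.AuthProviderKeyID`; that intent is not written down, so a later "log the whole object at V(6)" change would put key material into apiserver logs. Add a comment above the `Created service account key` line, `// Never log res itself: Status.PrivateKey is returned to the caller only.`, and the same on the Get handler in the next hunk. `u, _ := apirequest.UserFrom(ctx)` drops the ok flag, which is harmless only because the Backend implementation in this diff ignores `u`; a one-line comment saying so would keep the flag from being relied on later.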
@@ -75,17 +75,17 @@ func (r *REST) List(ctx context.Context, opts *metainternalversion.ListOptions) uid = u.GetUID() groups = u.GetGroups() } - logger.V(4).Info("Listing machine account keys", "username", username, "uid", uid, "groups", groups) + logger.V(4).Info("Listing service account keys", "username", username, "uid", uid, "groups", groups) lo := metav1.ListOptions{} if opts != nil && opts.FieldSelector != nil && !opts.FieldSelector.Empty() { lo.FieldSelector = opts.FieldSelector.String() } - res, err := r.backend.ListMachineAccountKeys(ctx, u, &lo) + res, err := r.backend.ListServiceAccountKeys(ctx, u, &lo) if err != nil { - logger.Error(err, "List machine account keys failed") + logger.Error(err, "List service account keys failed") return nil, err } - logger.V(4).Info("Listed machine account keys", "count", len(res.Items)) + logger.V(4).Info("Listed service account keys", "count", len(res.Items)) return res, nil } @@ -97,13 +97,13 @@ func (r *REST) Get(ctx context.Context, name string, _ *metav1.GetOptions) (runt username = u.GetName() uid = u.GetUID() } - logger.V(4).Info("Getting machine account key", "name", name, "username", username, "uid", uid) - res, err := r.backend.GetMachineAccountKey(ctx, u, name) + logger.V(4).Info("Getting service account key", "name", name, "username", username, "uid", uid) + res, err := r.backend.GetServiceAccountKey(ctx, u, name) if err != nil { - logger.Error(err, "Get machine account key failed", "name", name) + logger.Error(err, "Get service account key failed", "name", name) return nil, err } - logger.V(4).Info("Got machine account key", "name", name, "authProviderKeyID", res.Status.AuthProviderKeyID) + logger.V(4).Info("Got service account key", "name", name, "authProviderKeyID", res.Status.AuthProviderKeyID) return res, nil } 
@@ -115,12 +115,12 @@ func (r *REST) Delete(ctx context.Context, name string, _ rest.ValidateObjectFun username = u.GetName() uid = u.GetUID() } - logger.V(4).Info("Deleting machine account key", "name", name, "username", username, "uid", uid) - if err := r.backend.DeleteMachineAccountKey(ctx, u, name); err != nil { - logger.Error(err, "Delete machine account key failed", "name", name) + logger.V(4).Info("Deleting service account key", "name", name, "username", username, "uid", uid) + if err := r.backend.DeleteServiceAccountKey(ctx, u, name); err != nil { + logger.Error(err, "Delete service account key failed", "name", name) return nil, false, err } - logger.V(4).Info("Deleted machine account key", "name", name) + logger.V(4).Info("Deleted service account key", "name", name) return &metav1.Status{Status: metav1.StatusSuccess}, true, nil } 
@@ -131,34 +131,34 @@ func (r *REST) ConvertToTable(ctx context.Context, object runtime.Object, tableO table := &metav1.Table{ ColumnDefinitions: []metav1.TableColumnDefinition{ {Name: "Name", Type: "string"}, - {Name: "Machine Account", Type: "string"}, + {Name: "Service Account", Type: "string"}, {Name: "Key ID", Type: "string"}, {Name: "Age", Type: "date"}, {Name: "Expires", Type: "string"}, }, } - appendRow := func(mak *identityv1alpha1.MachineAccountKey) { + appendRow := func(sak *identityv1alpha1.ServiceAccountKey) { age := metav1.Now().Rfc3339Copy() - if !mak.CreationTimestamp.IsZero() { - age = mak.CreationTimestamp + if !sak.CreationTimestamp.IsZero() { + age = sak.CreationTimestamp } expiresStr := "" - if mak.Spec.ExpirationDate != nil { - expiresStr = mak.Spec.ExpirationDate.Time.Format(time.RFC3339) + if sak.Spec.ExpirationDate != nil { + expiresStr = sak.Spec.ExpirationDate.Time.Format(time.RFC3339) } table.Rows = append(table.Rows, metav1.TableRow{ - Cells: []interface{}{mak.Name, mak.Spec.MachineAccountUserName, mak.Status.AuthProviderKeyID, age.Time.Format(time.RFC3339), expiresStr}, - Object: runtime.RawExtension{Object: mak}, + Cells: []interface{}{sak.Name, sak.Spec.ServiceAccountUserName, sak.Status.AuthProviderKeyID, age.Time.Format(time.RFC3339), expiresStr}, + Object: runtime.RawExtension{Object: sak}, }) } switch obj := object.(type) { - case *identityv1alpha1.MachineAccountKeyList: + case *identityv1alpha1.ServiceAccountKeyList: for i := range obj.Items { appendRow(&obj.Items[i]) } - case *identityv1alpha1.MachineAccountKey: + case *identityv1alpha1.ServiceAccountKey: appendRow(obj) default: return nil, nil diff --git a/internal/apiserver/storage/identity/storageprovider.go b/internal/apiserver/storage/identity/storageprovider.go index 90544896..55886be5 100644 --- a/internal/apiserver/storage/identity/storageprovider.go +++ b/internal/apiserver/storage/identity/storageprovider.go 
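Review bot: The `default: return nil, nil` branch hands the generic apiserver a nil table with no error, which presumably surfaces as an empty or failing `kubectl get` rather than a clear message when an unexpected object type reaches ConvertToTable. Returning an error instead, `return nil, apierrors.NewBadRequest("unexpected object type for table conversion")`, makes the mistake visible; `apierrors` is already used by Create in this file. ConvertToTable starts before this hunk.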
@@ -9,7 +9,7 @@ import ( "k8s.io/kubernetes/pkg/api/legacyscheme" controlplaneapiserver "k8s.io/kubernetes/pkg/controlplane/apiserver" - machineaccountkeysregistry "go.miloapis.com/milo/internal/apiserver/identity/machineaccountkeys" + serviceaccountkeysregistry "go.miloapis.com/milo/internal/apiserver/identity/serviceaccountkeys" sessionsregistry "go.miloapis.com/milo/internal/apiserver/identity/sessions" useridentitiesregistry "go.miloapis.com/milo/internal/apiserver/identity/useridentities" identityv1alpha1 "go.miloapis.com/milo/pkg/apis/identity/v1alpha1" @@ -18,7 +18,7 @@ import ( type StorageProvider struct { Sessions sessionsregistry.Backend UserIdentities useridentitiesregistry.Backend - MachineAccountKeys machineaccountkeysregistry.Backend + ServiceAccountKeys serviceaccountkeysregistry.Backend } func (p StorageProvider) GroupName() string { return identityv1alpha1.SchemeGroupVersion.Group } @@ -35,9 +35,9 @@ func (p StorageProvider) NewRESTStorage( ) storage := map[string]rest.Storage{ - "sessions": sessionsregistry.NewREST(p.Sessions), - "useridentities": useridentitiesregistry.NewREST(p.UserIdentities), - "machineaccountkeys": machineaccountkeysregistry.NewREST(p.MachineAccountKeys), + "sessions": sessionsregistry.NewREST(p.Sessions), + "useridentities": useridentitiesregistry.NewREST(p.UserIdentities), + "serviceaccountkeys": serviceaccountkeysregistry.NewREST(p.ServiceAccountKeys), } apiGroupInfo.VersionedResourcesStorageMap = map[string]map[string]rest.Storage{ diff --git a/pkg/apis/iam/v1alpha1/policybinding_types.go b/pkg/apis/iam/v1alpha1/policybinding_types.go index 00bfb681..c3fc63fb 100644 --- a/pkg/apis/iam/v1alpha1/policybinding_types.go +++ b/pkg/apis/iam/v1alpha1/policybinding_types.go 
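Review bot: `serviceaccountkeysregistry.NewREST(p.ServiceAccountKeys)` is registered unconditionally, and `NewREST` in this diff stores the backend without a nil check, so if a caller leaves `ServiceAccountKeys` unset (for example when the feature is switched off) the first request to `serviceaccountkeys` calls a method on a nil interface and panics inside the handler. Either skip the map entry when `p.ServiceAccountKeys == nil`, or have NewREST reject a nil backend. The sessions and useridentities entries on the adjacent lines have the same shape. NewRESTStorage starts before this hunk.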
@@ -16,13 +16,13 @@ type RoleReference struct { } // Subject contains a reference to the object or user identities a role binding applies to. -// This can be a User, Group, or MachineAccount. +// This can be a User, Group, or ServiceAccount. // +k8s:deepcopy-gen=true // +kubebuilder:validation:XValidation:rule="(self.kind == 'Group' && has(self.name) && self.name.startsWith('system:')) || (has(self.uid) && size(self.uid) > 0)",message="UID is required for all subjects except system groups (groups with names starting with 'system:')" type Subject struct { // Kind of object being referenced. Values defined in Kind constants. // +kubebuilder:validation:Required - // +kubebuilder:validation:Enum=User;Group;MachineAccount + // +kubebuilder:validation:Enum=User;Group;ServiceAccount Kind string `json:"kind"` // Name of the object being referenced. A special group name of // "system:authenticated-users" can be used to refer to all authenticated @@ -30,7 +30,7 @@ type Subject struct { // +kubebuilder:validation:Required Name string `json:"name"` // Namespace of the referenced object. - // If not specified for a Group, User or MachineAccount, it is ignored. + // If not specified for a Group, User or ServiceAccount, it is ignored. // +kubebuilder:validation:Optional Namespace string `json:"namespace,omitempty"` // UID of the referenced object. Optional for system groups (groups with names starting with "system:"). diff --git a/pkg/apis/iam/v1alpha1/register.go b/pkg/apis/iam/v1alpha1/register.go index 5a00f729..b8a4037d 100644 --- a/pkg/apis/iam/v1alpha1/register.go +++ b/pkg/apis/iam/v1alpha1/register.go @@ -33,8 +33,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &UserList{}, &ProtectedResource{}, &ProtectedResourceList{}, - &MachineAccount{}, - &MachineAccountList{}, + &ServiceAccount{}, + &ServiceAccountList{}, &UserPreference{}, &UserPreferenceList{}, &UserDeactivation{}, 
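Review bot: Changing `+kubebuilder:validation:Enum=User;Group;MachineAccount` to `...;ServiceAccount` in the policybinding_types.go hunk invalidates every stored PolicyBinding whose subject has `kind: MachineAccount`; those objects keep their stored value until next updated, when the update is rejected by the schema, and any code that compares `Subject.Kind` against the new value may stop matching them immediately. Since this is the same v1alpha1 version and no conversion or migration appears in the diff, the commit should either keep `MachineAccount` in the enum as a deprecated alias or ship a migration that rewrites existing subjects, and the description should say which. The Kind constants the doc comment refers to are not in the diff, so whether a matching constant rename happened elsewhere is not visible here.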
diff --git a/pkg/apis/iam/v1alpha1/machineaccount_types.go b/pkg/apis/iam/v1alpha1/serviceaccount_types.go similarity index 70% rename from pkg/apis/iam/v1alpha1/machineaccount_types.go rename to pkg/apis/iam/v1alpha1/serviceaccount_types.go index ba9cecfd..f54735b2 100644 --- a/pkg/apis/iam/v1alpha1/machineaccount_types.go +++ b/pkg/apis/iam/v1alpha1/serviceaccount_types.go @@ -8,7 +8,7 @@ import ( // +kubebuilder:subresource:status // +kubebuilder:object:root=true -// MachineAccount is the Schema for the machine accounts API +// ServiceAccount is the Schema for the service accounts API // +kubebuilder:printcolumn:name="Email",type="string",JSONPath=".status.email" // +kubebuilder:printcolumn:name="Description",type="string",JSONPath=".metadata.annotations['kubernetes\\.io/description']" // +kubebuilder:printcolumn:name="State",type="string",JSONPath=".spec.state" 
@@ -17,49 +17,49 @@ import ( // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" // +kubebuilder:resource:scope=Cluster // +kubebuilder:metadata:annotations="discovery.miloapis.com/parent-contexts=Project" -type MachineAccount struct { +type ServiceAccount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - Spec MachineAccountSpec `json:"spec,omitempty"` - Status MachineAccountStatus `json:"status,omitempty"` + Spec ServiceAccountSpec `json:"spec,omitempty"` + Status ServiceAccountStatus `json:"status,omitempty"` } -// MachineAccountSpec defines the desired state of MachineAccount -type MachineAccountSpec struct { - // The state of the machine account. This state can be safely changed as needed. +// ServiceAccountSpec defines the desired state of ServiceAccount +type ServiceAccountSpec struct { + // The state of the service account. This state can be safely changed as needed. // States: - // - Active: The machine account can be used to authenticate. - // - Inactive: The machine account is prohibited to be used to authenticate, and revokes all existing sessions. + // - Active: The service account can be used to authenticate. + // - Inactive: The service account is prohibited to be used to authenticate, and revokes all existing sessions. 
// +kubebuilder:validation:Enum=Active;Inactive // +kubebuilder:default=Active // +kubebuilder:validation:Optional State string `json:"state,omitempty"` } -// MachineAccountStatus defines the observed state of MachineAccount -type MachineAccountStatus struct { - // The computed email of the machine account following the pattern: +// ServiceAccountStatus defines the observed state of ServiceAccount +type ServiceAccountStatus struct { + // The computed email of the service account following the pattern: // {metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix} Email string `json:"email,omitempty"` - // State represents the current activation state of the machine account from the auth provider. + // State represents the current activation state of the service account from the auth provider. // This field tracks the state from the previous generation and is updated when state changes // are successfully propagated to the auth provider. It helps optimize performance by only // updating the auth provider when a state change is detected. // +kubebuilder:validation:Enum=Active;Inactive State string `json:"state,omitempty"` - // Conditions provide conditions that represent the current status of the MachineAccount. + // Conditions provide conditions that represent the current status of the ServiceAccount. Conditions []metav1.Condition `json:"conditions,omitempty"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true -// MachineAccountList contains a list of MachineAccount -type MachineAccountList struct { +// ServiceAccountList contains a list of ServiceAccount +type ServiceAccountList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata,omitempty"` - Items []MachineAccount `json:"items"` + Items []ServiceAccount `json:"items"` } diff --git a/pkg/apis/iam/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/iam/v1alpha1/zz_generated.deepcopy.go index fc6e024d..be9292cc 100644 
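Review bot: `+kubebuilder:resource:scope=Cluster` on ServiceAccount contradicts the Email doc comment in this hunk, `{metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix}`, and the renamed sample that sets `namespace: default`; a cluster-scoped object has no `metadata.namespace`, so either the scope marker or the email pattern is stale. This predates the rename, but the rename regenerates the CRD and samples, so it is the moment to settle it; if the scope really is Cluster, update the comment to say which component supplies the namespace segment. The type declarations are complete within the hunk.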
--- a/pkg/apis/iam/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/iam/v1alpha1/zz_generated.deepcopy.go 
@@ -202,102 +202,6 @@ func (in *GroupStatus) DeepCopy() *GroupStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MachineAccount) DeepCopyInto(out *MachineAccount) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineAccount. -func (in *MachineAccount) DeepCopy() *MachineAccount { - if in == nil { - return nil - } - out := new(MachineAccount) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *MachineAccount) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MachineAccountList) DeepCopyInto(out *MachineAccountList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]MachineAccount, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineAccountList. -func (in *MachineAccountList) DeepCopy() *MachineAccountList { - if in == nil { - return nil - } - out := new(MachineAccountList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *MachineAccountList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. -func (in *MachineAccountSpec) DeepCopyInto(out *MachineAccountSpec) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineAccountSpec. -func (in *MachineAccountSpec) DeepCopy() *MachineAccountSpec { - if in == nil { - return nil - } - out := new(MachineAccountSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *MachineAccountStatus) DeepCopyInto(out *MachineAccountStatus) { - *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]v1.Condition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineAccountStatus. -func (in *MachineAccountStatus) DeepCopy() *MachineAccountStatus { - if in == nil { - return nil - } - out := new(MachineAccountStatus) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ParentResourceRef) DeepCopyInto(out *ParentResourceRef) { *out = *in 
@@ -994,6 +898,102 @@ func (in *ScopedRoleReference) DeepCopy() *ScopedRoleReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceAccount) DeepCopyInto(out *ServiceAccount) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccount. +func (in *ServiceAccount) DeepCopy() *ServiceAccount { + if in == nil { + return nil + } + out := new(ServiceAccount) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ServiceAccount) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceAccountList) DeepCopyInto(out *ServiceAccountList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ServiceAccount, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountList. +func (in *ServiceAccountList) DeepCopy() *ServiceAccountList { + if in == nil { + return nil + } + out := new(ServiceAccountList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *ServiceAccountList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceAccountSpec) DeepCopyInto(out *ServiceAccountSpec) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountSpec. +func (in *ServiceAccountSpec) DeepCopy() *ServiceAccountSpec { + if in == nil { + return nil + } + out := new(ServiceAccountSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceAccountStatus) DeepCopyInto(out *ServiceAccountStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountStatus. +func (in *ServiceAccountStatus) DeepCopy() *ServiceAccountStatus { + if in == nil { + return nil + } + out := new(ServiceAccountStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceReference) DeepCopyInto(out *ServiceReference) { *out = *in diff --git a/pkg/apis/identity/scheme.go b/pkg/apis/identity/scheme.go index 8f4e8878..1e360d0b 100644 --- a/pkg/apis/identity/scheme.go +++ b/pkg/apis/identity/scheme.go 
@@ -11,17 +11,17 @@ import ( func Install(scheme *runtime.Scheme) { v1alpha1.AddToScheme(scheme) - // Register valid field selectors for MachineAccountKey so the generic API + // Register valid field selectors for ServiceAccountKey so the generic API // server passes them through to the REST handler instead of rejecting them. _ = scheme.AddFieldLabelConversionFunc( schema.GroupVersionKind{ Group: v1alpha1.SchemeGroupVersion.Group, Version: v1alpha1.SchemeGroupVersion.Version, - Kind: "MachineAccountKey", + Kind: "ServiceAccountKey", }, func(label, value string) (string, string, error) { switch label { - case "spec.machineAccountUserName", "metadata.name", "metadata.namespace": + case "spec.serviceAccountUserName", "metadata.name", "metadata.namespace": return label, value, nil default: return "", "", nil diff --git a/pkg/apis/identity/v1alpha1/register.go b/pkg/apis/identity/v1alpha1/register.go index f838b1eb..a3434285 100644 --- a/pkg/apis/identity/v1alpha1/register.go +++ b/pkg/apis/identity/v1alpha1/register.go @@ -33,8 +33,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &SessionList{}, &UserIdentity{}, &UserIdentityList{}, - &MachineAccountKey{}, - &MachineAccountKeyList{}, + &ServiceAccountKey{}, + &ServiceAccountKeyList{}, } scheme.AddKnownTypes(SchemeGroupVersion, types...) @@ -42,8 +42,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { Group: SchemeGroupVersion.Group, Version: runtime.APIVersionInternal, }, - &MachineAccountKey{}, - &MachineAccountKeyList{}, + &ServiceAccountKey{}, + &ServiceAccountKeyList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) diff --git a/pkg/apis/identity/v1alpha1/machineaccountkey_types.go b/pkg/apis/identity/v1alpha1/serviceaccountkey_types.go similarity index 67% rename from pkg/apis/identity/v1alpha1/machineaccountkey_types.go rename to pkg/apis/identity/v1alpha1/serviceaccountkey_types.go index ea3fee88..75f15e47 100644 --- a/pkg/apis/identity/v1alpha1/machineaccountkey_types.go 
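Review bot: The `default: return "", "", nil` branch in the scheme.go hunk accepts an unknown field label without an error, so a client still sending the pre-rename selector `spec.machineAccountUserName=...` is not rejected; what the generic apiserver then does with an empty label is not visible here, but it is either a silent no-match or a silently broadened list, and the caller cannot tell which. Returning an error instead, `default: return "", "", fmt.Errorf("field label not supported: %s", label)` (adding the fmt import if the file lacks it), gives a clear 400 and makes the rename fail loudly for stale clients. Install continues after the hunk.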
+++ b/pkg/apis/identity/v1alpha1/serviceaccountkey_types.go 
@@ -9,41 +9,41 @@ import ( // +kubebuilder:object:root=true // +kubebuilder:storageversion -// MachineAccountKey is the Schema for the machineaccountkeys API -// +kubebuilder:printcolumn:name="Machine Account",type="string",JSONPath=".spec.machineAccountName" +// ServiceAccountKey is the Schema for the serviceaccountkeys API +// +kubebuilder:printcolumn:name="Service Account",type="string",JSONPath=".spec.serviceAccountUserName" // +kubebuilder:printcolumn:name="Expiration Date",type="string",JSONPath=".spec.expirationDate" // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:selectablefield:JSONPath=".spec.machineAccountName" +// +kubebuilder:selectablefield:JSONPath=".spec.serviceAccountUserName" // +kubebuilder:resource:scope=Namespaced // +kubebuilder:metadata:annotations="discovery.miloapis.com/parent-contexts=Project" -type MachineAccountKey struct { +type ServiceAccountKey struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - Spec MachineAccountKeySpec `json:"spec,omitempty"` - Status MachineAccountKeyStatus `json:"status,omitempty"` + Spec ServiceAccountKeySpec `json:"spec,omitempty"` + Status ServiceAccountKeyStatus `json:"status,omitempty"` } -// MachineAccountKeySpec defines the desired state of MachineAccountKey -type MachineAccountKeySpec struct { - // MachineAccountUserName is the email address of the MachineAccount that owns this key. +// ServiceAccountKeySpec defines the desired state of ServiceAccountKey +type ServiceAccountKeySpec struct { + // ServiceAccountUserName is the email address of the ServiceAccount that owns this key. 
// +kubebuilder:validation:Required - MachineAccountUserName string `json:"machineAccountUserName"` + ServiceAccountUserName string `json:"serviceAccountUserName"` - // ExpirationDate is the date and time when the MachineAccountKey will expire. - // If not specified, the MachineAccountKey will never expire. + // ExpirationDate is the date and time when the ServiceAccountKey will expire. + // If not specified, the ServiceAccountKey will never expire. // +kubebuilder:validation:Optional ExpirationDate *metav1.Time `json:"expirationDate,omitempty"` - // PublicKey is the public key of the MachineAccountKey. - // If not specified, the MachineAccountKey will be created with an auto-generated public key. + // PublicKey is the public key of the ServiceAccountKey. + // If not specified, the ServiceAccountKey will be created with an auto-generated public key. // +kubebuilder:validation:Optional PublicKey string `json:"publicKey,omitempty"` } -// MachineAccountKeyStatus defines the observed state of MachineAccountKey -type MachineAccountKeyStatus struct { +// ServiceAccountKeyStatus defines the observed state of ServiceAccountKey +type ServiceAccountKeyStatus struct { // AuthProviderKeyID is the unique identifier for the key in the auth provider. // This field is populated by the controller after the key is created in the auth provider. // For example, when using Zitadel, a typical value might be: "326102453042806786" 
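Review bot: This hunk silently corrects the printcolumn and selectablefield JSONPath from `.spec.machineAccountName`, which never matched the actual `machineAccountUserName` field, to `.spec.serviceAccountUserName`, so the "Service Account" column and the selectable field only start working with this commit; that fix deserves a line in the commit description. Separately, `PublicKey string` is accepted as a free-form string with only `+kubebuilder:validation:Optional`, so at least a `+kubebuilder:validation:MaxLength` marker would bound what is forwarded to the remote provider, with a comment saying where the key's format is validated. The type declarations are complete within the hunk.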
@@ -55,13 +55,13 @@ type MachineAccountKeyStatus struct {
 // bug in the server implementation.
 //
 // Note: The private key is NOT logged in API server audit logs. The audit policy
- // is configured to log MachineAccountKey resources at the Metadata level only,
+ // is configured to log ServiceAccountKey resources at the Metadata level only,
 // which redacts the response body containing the private key.
 //
 // +kubebuilder:validation:Optional
 PrivateKey string `json:"privateKey,omitempty"`
- // Conditions provide conditions that represent the current status of the MachineAccountKey.
+ // Conditions provide conditions that represent the current status of the ServiceAccountKey.
 // +kubebuilder:default={{type: "Ready", status: "Unknown", reason: "Unknown", message: "Waiting for control plane to reconcile", lastTransitionTime: "1970-01-01T00:00:00Z"}}
 // +kubebuilder:validation:Optional
 // +listType=map
@@ -72,9 +72,9 @@ type MachineAccountKeyStatus struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:object:root=true
-// MachineAccountKeyList contains a list of MachineAccountKey
-type MachineAccountKeyList struct {
+// ServiceAccountKeyList contains a list of ServiceAccountKey
+type ServiceAccountKeyList struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ListMeta `json:"metadata,omitempty"`
- Items []MachineAccountKey `json:"items"`
+ Items []ServiceAccountKey `json:"items"`
 }
diff --git a/pkg/apis/identity/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/identity/v1alpha1/zz_generated.deepcopy.go
index 201cfb2d..3ce37e86 100644
--- a/pkg/apis/identity/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/identity/v1alpha1/zz_generated.deepcopy.go
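Review bot: The PrivateKey comment now asserts that the audit policy logs ServiceAccountKey resources at the Metadata level, but this diff only renames the Go type and no audit-policy change is visible alongside it. If the policy selects resources by their plural name (`machineaccountkeys`), the renamed `serviceaccountkeys` resource no longer matches that rule and falls through to the policy's default level; should that default be Request or RequestResponse, the PEM private key returned in the creation response would be written into the audit log. Please confirm the policy was updated in the same change, ideally with a test that asserts the Metadata level for `serviceaccountkeys`, and consider naming the policy file in the comment so the coupling is visible, e.g. `// (see the audit policy shipped with the API server; keep the resource name in sync)`. The enclosing ServiceAccountKeyStatus struct starts and ends outside this hunk.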
@@ -10,7 +10,7 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MachineAccountKey) DeepCopyInto(out *MachineAccountKey) {
+func (in *ServiceAccountKey) DeepCopyInto(out *ServiceAccountKey) {
 *out = *in
 out.TypeMeta = in.TypeMeta
 in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@@ -18,18 +18,18 @@ func (in *MachineAccountKey) DeepCopyInto(out *MachineAccountKey) {
 in.Status.DeepCopyInto(&out.Status)
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineAccountKey.
-func (in *MachineAccountKey) DeepCopy() *MachineAccountKey {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountKey.
+func (in *ServiceAccountKey) DeepCopy() *ServiceAccountKey {
 if in == nil {
 return nil
 }
- out := new(MachineAccountKey)
+ out := new(ServiceAccountKey)
 in.DeepCopyInto(out)
 return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *MachineAccountKey) DeepCopyObject() runtime.Object {
+func (in *ServiceAccountKey) DeepCopyObject() runtime.Object {
 if c := in.DeepCopy(); c != nil {
 return c
 }
@@ -37,31 +37,31 @@ func (in *MachineAccountKey) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MachineAccountKeyList) DeepCopyInto(out *MachineAccountKeyList) {
+func (in *ServiceAccountKeyList) DeepCopyInto(out *ServiceAccountKeyList) {
 *out = *in
 out.TypeMeta = in.TypeMeta
 in.ListMeta.DeepCopyInto(&out.ListMeta)
 if in.Items != nil {
 in, out := &in.Items, &out.Items
- *out = make([]MachineAccountKey, len(*in))
+ *out = make([]ServiceAccountKey, len(*in))
 for i := range *in {
 (*in)[i].DeepCopyInto(&(*out)[i])
 }
 }
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineAccountKeyList.
-func (in *MachineAccountKeyList) DeepCopy() *MachineAccountKeyList {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountKeyList.
+func (in *ServiceAccountKeyList) DeepCopy() *ServiceAccountKeyList {
 if in == nil {
 return nil
 }
- out := new(MachineAccountKeyList)
+ out := new(ServiceAccountKeyList)
 in.DeepCopyInto(out)
 return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *MachineAccountKeyList) DeepCopyObject() runtime.Object {
+func (in *ServiceAccountKeyList) DeepCopyObject() runtime.Object {
 if c := in.DeepCopy(); c != nil {
 return c
 }
@@ -69,7 +69,7 @@ func (in *MachineAccountKeyList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MachineAccountKeySpec) DeepCopyInto(out *MachineAccountKeySpec) {
+func (in *ServiceAccountKeySpec) DeepCopyInto(out *ServiceAccountKeySpec) {
 *out = *in
 if in.ExpirationDate != nil {
 in, out := &in.ExpirationDate, &out.ExpirationDate
@@ -77,18 +77,18 @@ func (in *MachineAccountKeySpec) DeepCopyInto(out *MachineAccountKeySpec) {
 }
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineAccountKeySpec.
-func (in *MachineAccountKeySpec) DeepCopy() *MachineAccountKeySpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountKeySpec.
+func (in *ServiceAccountKeySpec) DeepCopy() *ServiceAccountKeySpec {
 if in == nil {
 return nil
 }
- out := new(MachineAccountKeySpec)
+ out := new(ServiceAccountKeySpec)
 in.DeepCopyInto(out)
 return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MachineAccountKeyStatus) DeepCopyInto(out *MachineAccountKeyStatus) {
+func (in *ServiceAccountKeyStatus) DeepCopyInto(out *ServiceAccountKeyStatus) {
 *out = *in
 if in.Conditions != nil {
 in, out := &in.Conditions, &out.Conditions
@@ -99,12 +99,12 @@ func (in *MachineAccountKeyStatus) DeepCopyInto(out *MachineAccountKeyStatus) {
 }
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineAccountKeyStatus.
-func (in *MachineAccountKeyStatus) DeepCopy() *MachineAccountKeyStatus {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountKeyStatus.
+func (in *ServiceAccountKeyStatus) DeepCopy() *ServiceAccountKeyStatus {
 if in == nil {
 return nil
 }
- out := new(MachineAccountKeyStatus)
+ out := new(ServiceAccountKeyStatus)
 in.DeepCopyInto(out)
 return out
 }
diff --git a/pkg/apis/identity/v1alpha1/zz_generated.openapi.go b/pkg/apis/identity/v1alpha1/zz_generated.openapi.go
index f858ae4b..5d9e30d4 100644
--- a/pkg/apis/identity/v1alpha1/zz_generated.openapi.go
+++ b/pkg/apis/identity/v1alpha1/zz_generated.openapi.go
@@ -14,10 +14,10 @@ import (
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 return map[string]common.OpenAPIDefinition{
- "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.MachineAccountKey": schema_pkg_apis_identity_v1alpha1_MachineAccountKey(ref),
- "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.MachineAccountKeyList": schema_pkg_apis_identity_v1alpha1_MachineAccountKeyList(ref),
- "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.MachineAccountKeySpec": schema_pkg_apis_identity_v1alpha1_MachineAccountKeySpec(ref),
- "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.MachineAccountKeyStatus": schema_pkg_apis_identity_v1alpha1_MachineAccountKeyStatus(ref),
+ "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.ServiceAccountKey": schema_pkg_apis_identity_v1alpha1_ServiceAccountKey(ref),
+ "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.ServiceAccountKeyList": schema_pkg_apis_identity_v1alpha1_ServiceAccountKeyList(ref),
+ "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.ServiceAccountKeySpec": schema_pkg_apis_identity_v1alpha1_ServiceAccountKeySpec(ref),
+ "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.ServiceAccountKeyStatus": schema_pkg_apis_identity_v1alpha1_ServiceAccountKeyStatus(ref),
 "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.Session": schema_pkg_apis_identity_v1alpha1_Session(ref),
 "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.SessionList": schema_pkg_apis_identity_v1alpha1_SessionList(ref),
 "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.SessionStatus": schema_pkg_apis_identity_v1alpha1_SessionStatus(ref),
@@ -27,11 +27,11 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 }
 }
-func schema_pkg_apis_identity_v1alpha1_MachineAccountKey(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_pkg_apis_identity_v1alpha1_ServiceAccountKey(ref common.ReferenceCallback) common.OpenAPIDefinition {
 return common.OpenAPIDefinition{
 Schema: spec.Schema{
 SchemaProps: spec.SchemaProps{
- Description: "MachineAccountKey is the Schema for the machineaccountkeys API",
+ Description: "ServiceAccountKey is the Schema for the serviceaccountkeys API",
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
 "kind": {
@@ -57,28 +57,28 @@ func schema_pkg_apis_identity_v1alpha1_MachineAccountKey(ref common.ReferenceCal
 "spec": {
 SchemaProps: spec.SchemaProps{
 Default: map[string]interface{}{},
- Ref: ref("go.miloapis.com/milo/pkg/apis/identity/v1alpha1.MachineAccountKeySpec"),
+ Ref: ref("go.miloapis.com/milo/pkg/apis/identity/v1alpha1.ServiceAccountKeySpec"),
 },
 },
 "status": {
 SchemaProps: spec.SchemaProps{
 Default: map[string]interface{}{},
- Ref: ref("go.miloapis.com/milo/pkg/apis/identity/v1alpha1.MachineAccountKeyStatus"),
+ Ref: ref("go.miloapis.com/milo/pkg/apis/identity/v1alpha1.ServiceAccountKeyStatus"),
 },
 },
 },
 },
 },
 Dependencies: []string{
- "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.MachineAccountKeySpec", "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.MachineAccountKeyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+ "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.ServiceAccountKeySpec", "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.ServiceAccountKeyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 }
 }
-func schema_pkg_apis_identity_v1alpha1_MachineAccountKeyList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_pkg_apis_identity_v1alpha1_ServiceAccountKeyList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 return common.OpenAPIDefinition{
 Schema: spec.Schema{
 SchemaProps: spec.SchemaProps{
- Description: "MachineAccountKeyList contains a list of MachineAccountKey",
+ Description: "ServiceAccountKeyList contains a list of ServiceAccountKey",
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
 "kind": {
@@ -108,7 +108,7 @@ func schema_pkg_apis_identity_v1alpha1_MachineAccountKeyList(ref common.Referenc
 Schema: &spec.Schema{
 SchemaProps: spec.SchemaProps{
 Default: map[string]interface{}{},
- Ref: ref("go.miloapis.com/milo/pkg/apis/identity/v1alpha1.MachineAccountKey"),
+ Ref: ref("go.miloapis.com/milo/pkg/apis/identity/v1alpha1.ServiceAccountKey"),
 },
 },
 },
@@ -119,20 +119,20 @@ func schema_pkg_apis_identity_v1alpha1_MachineAccountKeyList(ref common.Referenc
 },
 },
 Dependencies: []string{
- "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.MachineAccountKey", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+ "go.miloapis.com/milo/pkg/apis/identity/v1alpha1.ServiceAccountKey", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 }
 }
-func schema_pkg_apis_identity_v1alpha1_MachineAccountKeySpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_pkg_apis_identity_v1alpha1_ServiceAccountKeySpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 return common.OpenAPIDefinition{
 Schema: spec.Schema{
 SchemaProps: spec.SchemaProps{
- Description: "MachineAccountKeySpec defines the desired state of MachineAccountKey",
+ Description: "ServiceAccountKeySpec defines the desired state of ServiceAccountKey",
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
- "machineAccountUserName": {
+ "serviceAccountUserName": {
 SchemaProps: spec.SchemaProps{
- Description: "MachineAccountUserName is the email address of the MachineAccount that owns this key.",
+ Description: "ServiceAccountUserName is the email address of the ServiceAccount that owns this key.",
 Default: "",
 Type: []string{"string"},
 Format: "",
@@ -140,19 +140,19 @@ func schema_pkg_apis_identity_v1alpha1_MachineAccountKeySpec(ref common.Referenc
 },
 "expirationDate": {
 SchemaProps: spec.SchemaProps{
- Description: "ExpirationDate is the date and time when the MachineAccountKey will expire. If not specified, the MachineAccountKey will never expire.",
+ Description: "ExpirationDate is the date and time when the ServiceAccountKey will expire. If not specified, the ServiceAccountKey will never expire.",
 Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
 },
 },
 "publicKey": {
 SchemaProps: spec.SchemaProps{
- Description: "PublicKey is the public key of the MachineAccountKey. If not specified, the MachineAccountKey will be created with an auto-generated public key.",
+ Description: "PublicKey is the public key of the ServiceAccountKey. If not specified, the ServiceAccountKey will be created with an auto-generated public key.",
 Type: []string{"string"},
 Format: "",
 },
 },
 },
- Required: []string{"machineAccountUserName"},
+ Required: []string{"serviceAccountUserName"},
 },
 },
 Dependencies: []string{
@@ -160,11 +160,11 @@ func schema_pkg_apis_identity_v1alpha1_MachineAccountKeySpec(ref common.Referenc
 }
 }
-func schema_pkg_apis_identity_v1alpha1_MachineAccountKeyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_pkg_apis_identity_v1alpha1_ServiceAccountKeyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 return common.OpenAPIDefinition{
 Schema: spec.Schema{
 SchemaProps: spec.SchemaProps{
- Description: "MachineAccountKeyStatus defines the observed state of MachineAccountKey",
+ Description: "ServiceAccountKeyStatus defines the observed state of ServiceAccountKey",
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
 "authProviderKeyID": {
@@ -176,7 +176,7 @@ func schema_pkg_apis_identity_v1alpha1_MachineAccountKeyStatus(ref common.Refere
 },
 "privateKey": {
 SchemaProps: spec.SchemaProps{
- Description: "PrivateKey contains the PEM-encoded RSA private key generated during resource creation. This field is populated only in the creation response and is never persisted to etcd. Any value present on a GET or LIST response indicates a bug in the server implementation.\n\nNote: The private key is NOT logged in API server audit logs. The audit policy is configured to log MachineAccountKey resources at the Metadata level only, which redacts the response body containing the private key.",
+ Description: "PrivateKey contains the PEM-encoded RSA private key generated during resource creation. This field is populated only in the creation response and is never persisted to etcd. Any value present on a GET or LIST response indicates a bug in the server implementation.\n\nNote: The private key is NOT logged in API server audit logs. The audit policy is configured to log ServiceAccountKey resources at the Metadata level only, which redacts the response body containing the private key.",
 Type: []string{"string"},
 Format: "",
 },
@@ -191,7 +191,7 @@ func schema_pkg_apis_identity_v1alpha1_MachineAccountKeyStatus(ref common.Refere
 },
 },
 SchemaProps: spec.SchemaProps{
- Description: "Conditions provide conditions that represent the current status of the MachineAccountKey.",
+ Description: "Conditions provide conditions that represent the current status of the ServiceAccountKey.",
 Type: []string{"array"},
 Items: &spec.SchemaOrArray{
 Schema: &spec.Schema{
diff --git a/pkg/features/features.go b/pkg/features/features.go
index 68c4cb40..e6e95e8e 100644
--- a/pkg/features/features.go
+++ b/pkg/features/features.go
@@ -59,12 +59,12 @@ const (
 // alpha: v0.1.0
 DiscoveryContextFilter featuregate.Feature = "DiscoveryContextFilter"
- // MachineAccountKeys enables the identity.miloapis.com/v1alpha1 MachineAccountKey
- // virtual API that proxies to an external identity provider for machine account key management.
+ // ServiceAccountKeys enables the identity.miloapis.com/v1alpha1 ServiceAccountKey
+ // virtual API that proxies to an external identity provider for service account key management.
 //
 // owner: @datum-cloud/platform
 // alpha: v0.1.0
- MachineAccountKeys featuregate.Feature = "MachineAccountKeys"
+ ServiceAccountKeys featuregate.Feature = "ServiceAccountKeys"
 )
 func init() {
@@ -82,7 +82,7 @@ var defaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
 Default: false,
 PreRelease: featuregate.Alpha,
 },
- MachineAccountKeys: {
+ ServiceAccountKeys: {
 Default: false,
 PreRelease: featuregate.Alpha,
 },
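Review bot: Changing the gate's string value to `"ServiceAccountKeys"` changes the operator-facing flag contract, not just a Go identifier: a deployment that still passes `--feature-gates=MachineAccountKeys=true` will, if this is the k8s.io/component-base feature gate (the `FeatureSpec`/`PreRelease: featuregate.Alpha` shape suggests it is), be rejected at startup as an unrecognized feature rather than quietly losing the virtual API, and one that never set it now has a gate name it does not know about. Consider keeping `MachineAccountKeys` registered for one release as a deprecated spec that enables the same code path, e.g. `MachineAccountKeys: {Default: false, PreRelease: featuregate.Deprecated},` with a `// Deprecated: use ServiceAccountKeys.` comment, or at minimum documenting the rename as a breaking flag change in the release notes. The same point applies to the `defaultFeatureGates` hunk that follows on this line.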