refactor(iam,identity): rename MachineAccount to ServiceAccount

cmd/milo/apiserver/config.go

@@ -45,7 +45,7 @@ import (
 
 	"go.miloapis.com/milo/internal/apiserver/admission/initializer"
 	eventsbackend "go.miloapis.com/milo/internal/apiserver/events"
-	machineaccountkeysbackend "go.miloapis.com/milo/internal/apiserver/identity/machineaccountkeys"
+	serviceaccountkeysbackend "go.miloapis.com/milo/internal/apiserver/identity/serviceaccountkeys"
 	sessionsbackend "go.miloapis.com/milo/internal/apiserver/identity/sessions"
 	useridentitiesbackend "go.miloapis.com/milo/internal/apiserver/identity/useridentities"
 	identitystorage "go.miloapis.com/milo/internal/apiserver/storage/identity"
@@ -78,7 +78,7 @@ type Config struct {
 type ExtraConfig struct {
 	SessionsProvider           SessionsProviderConfig
 	UserIdentitiesProvider     UserIdentitiesProviderConfig
-	MachineAccountKeysProvider MachineAccountKeysProviderConfig
+	ServiceAccountKeysProvider ServiceAccountKeysProviderConfig
 	EventsProvider             EventsProviderConfig
 }
 
@@ -115,8 +115,8 @@ type EventsProviderConfig struct {
 	ForwardExtras  []string
 }
 
-// MachineAccountKeysProviderConfig groups configuration for the machineaccountkeys backend provider
-type MachineAccountKeysProviderConfig struct {
+// ServiceAccountKeysProviderConfig groups configuration for the serviceaccountkeys backend provider
+type ServiceAccountKeysProviderConfig struct {
 	URL            string
 	CAFile         string
 	ClientCertFile string
@@ -220,23 +220,23 @@ func newIdentityStorageProvider(c *CompletedConfig) controlplaneapiserver.RESTSt
 		provider.UserIdentities = backend
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.MachineAccountKeys) {
-		allow := make(map[string]struct{}, len(c.ExtraConfig.MachineAccountKeysProvider.ForwardExtras))
-		for _, k := range c.ExtraConfig.MachineAccountKeysProvider.ForwardExtras {
+	if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountKeys) {
+		allow := make(map[string]struct{}, len(c.ExtraConfig.ServiceAccountKeysProvider.ForwardExtras))
+		for _, k := range c.ExtraConfig.ServiceAccountKeysProvider.ForwardExtras {
 			allow[k] = struct{}{}
 		}
-		cfg := machineaccountkeysbackend.Config{
+		cfg := serviceaccountkeysbackend.Config{
 			BaseConfig:     c.ControlPlane.Generic.LoopbackClientConfig,
-			ProviderURL:    c.ExtraConfig.MachineAccountKeysProvider.URL,
-			CAFile:         c.ExtraConfig.MachineAccountKeysProvider.CAFile,
-			ClientCertFile: c.ExtraConfig.MachineAccountKeysProvider.ClientCertFile,
-			ClientKeyFile:  c.ExtraConfig.MachineAccountKeysProvider.ClientKeyFile,
-			Timeout:        time.Duration(c.ExtraConfig.MachineAccountKeysProvider.TimeoutSeconds) * time.Second,
-			Retries:        c.ExtraConfig.MachineAccountKeysProvider.Retries,
+			ProviderURL:    c.ExtraConfig.ServiceAccountKeysProvider.URL,
+			CAFile:         c.ExtraConfig.ServiceAccountKeysProvider.CAFile,
+			ClientCertFile: c.ExtraConfig.ServiceAccountKeysProvider.ClientCertFile,
+			ClientKeyFile:  c.ExtraConfig.ServiceAccountKeysProvider.ClientKeyFile,
+			Timeout:        time.Duration(c.ExtraConfig.ServiceAccountKeysProvider.TimeoutSeconds) * time.Second,
+			Retries:        c.ExtraConfig.ServiceAccountKeysProvider.Retries,
 			ExtrasAllow:    allow,
 		}
-		backend, _ := machineaccountkeysbackend.NewDynamicProvider(cfg)
-		provider.MachineAccountKeys = backend
+		backend, _ := serviceaccountkeysbackend.NewDynamicProvider(cfg)
+		provider.ServiceAccountKeys = backend
 	}
 
 	return provider

cmd/milo/apiserver/server.go

@@ -68,10 +68,10 @@ var (
 	userIdentitiesProviderCAFile         string
 	userIdentitiesProviderClientCert     string
 	userIdentitiesProviderClientKey      string
-	machineAccountKeysProviderURL        string
-	machineAccountKeysProviderCAFile     string
-	machineAccountKeysProviderClientCert string
-	machineAccountKeysProviderClientKey  string
+	serviceAccountKeysProviderURL        string
+	serviceAccountKeysProviderCAFile     string
+	serviceAccountKeysProviderClientCert string
+	serviceAccountKeysProviderClientKey  string
 	eventsProviderURL                    string
 	eventsProviderCAFile                 string
 	eventsProviderClientCert             string
@@ -188,10 +188,10 @@ func NewCommand() *cobra.Command {
 	fs.StringVar(&userIdentitiesProviderCAFile, "useridentities-provider-ca-file", "", "Path to CA file to validate useridentities provider TLS")
 	fs.StringVar(&userIdentitiesProviderClientCert, "useridentities-provider-client-cert", "", "Client certificate for mTLS to useridentities provider")
 	fs.StringVar(&userIdentitiesProviderClientKey, "useridentities-provider-client-key", "", "Client private key for mTLS to useridentities provider")
-	fs.StringVar(&machineAccountKeysProviderURL, "machineaccountkeys-provider-url", "", "Direct provider base URL for machineaccountkeys (e.g., https://zitadel-apiserver:8443)")
-	fs.StringVar(&machineAccountKeysProviderCAFile, "machineaccountkeys-provider-ca-file", "", "Path to CA file to validate machineaccountkeys provider TLS")
-	fs.StringVar(&machineAccountKeysProviderClientCert, "machineaccountkeys-provider-client-cert", "", "Client certificate for mTLS to machineaccountkeys provider")
-	fs.StringVar(&machineAccountKeysProviderClientKey, "machineaccountkeys-provider-client-key", "", "Client private key for mTLS to machineaccountkeys provider")
+	fs.StringVar(&serviceAccountKeysProviderURL, "serviceaccountkeys-provider-url", "", "Direct provider base URL for serviceaccountkeys (e.g., https://zitadel-apiserver:8443)")
+	fs.StringVar(&serviceAccountKeysProviderCAFile, "serviceaccountkeys-provider-ca-file", "", "Path to CA file to validate serviceaccountkeys provider TLS")
+	fs.StringVar(&serviceAccountKeysProviderClientCert, "serviceaccountkeys-provider-client-cert", "", "Client certificate for mTLS to serviceaccountkeys provider")
+	fs.StringVar(&serviceAccountKeysProviderClientKey, "serviceaccountkeys-provider-client-key", "", "Client private key for mTLS to serviceaccountkeys provider")
 	fs.StringVar(&eventsProviderURL, "events-provider-url", "", "Activity API server URL for events storage (e.g., https://activity-apiserver.activity-system.svc:443)")
 	fs.StringVar(&eventsProviderCAFile, "events-provider-ca-file", "", "Path to CA file to validate Activity provider TLS")
 	fs.StringVar(&eventsProviderClientCert, "events-provider-client-cert", "", "Client certificate for mTLS to Activity provider")
@@ -261,13 +261,13 @@ func Run(ctx context.Context, opts options.CompletedOptions) error {
 	config.ExtraConfig.UserIdentitiesProvider.Retries = providerRetries
 	config.ExtraConfig.UserIdentitiesProvider.ForwardExtras = forwardExtras
 
-	config.ExtraConfig.MachineAccountKeysProvider.URL = machineAccountKeysProviderURL
-	config.ExtraConfig.MachineAccountKeysProvider.CAFile = machineAccountKeysProviderCAFile
-	config.ExtraConfig.MachineAccountKeysProvider.ClientCertFile = machineAccountKeysProviderClientCert
-	config.ExtraConfig.MachineAccountKeysProvider.ClientKeyFile = machineAccountKeysProviderClientKey
-	config.ExtraConfig.MachineAccountKeysProvider.TimeoutSeconds = providerTimeoutSeconds
-	config.ExtraConfig.MachineAccountKeysProvider.Retries = providerRetries
-	config.ExtraConfig.MachineAccountKeysProvider.ForwardExtras = forwardExtras
+	config.ExtraConfig.ServiceAccountKeysProvider.URL = serviceAccountKeysProviderURL
+	config.ExtraConfig.ServiceAccountKeysProvider.CAFile = serviceAccountKeysProviderCAFile
+	config.ExtraConfig.ServiceAccountKeysProvider.ClientCertFile = serviceAccountKeysProviderClientCert
+	config.ExtraConfig.ServiceAccountKeysProvider.ClientKeyFile = serviceAccountKeysProviderClientKey
+	config.ExtraConfig.ServiceAccountKeysProvider.TimeoutSeconds = providerTimeoutSeconds
+	config.ExtraConfig.ServiceAccountKeysProvider.Retries = providerRetries
+	config.ExtraConfig.ServiceAccountKeysProvider.ForwardExtras = forwardExtras
 
 	config.ExtraConfig.EventsProvider.URL = eventsProviderURL
 	config.ExtraConfig.EventsProvider.CAFile = eventsProviderCAFile

config/apiserver/deployment.yaml

@@ -70,11 +70,11 @@ spec:
           - --useridentities-provider-ca-file=$(USERIDENTITIES_PROVIDER_CA_FILE)
           - --useridentities-provider-client-cert=$(USERIDENTITIES_PROVIDER_CLIENT_CERT_FILE)
           - --useridentities-provider-client-key=$(USERIDENTITIES_PROVIDER_CLIENT_KEY_FILE)
-          # MachineAccountKeys provider configuration
-          - --machineaccountkeys-provider-url=$(MACHINEACCOUNTKEYS_PROVIDER_URL)
-          - --machineaccountkeys-provider-ca-file=$(MACHINEACCOUNTKEYS_PROVIDER_CA_FILE)
-          - --machineaccountkeys-provider-client-cert=$(MACHINEACCOUNTKEYS_PROVIDER_CLIENT_CERT_FILE)
-          - --machineaccountkeys-provider-client-key=$(MACHINEACCOUNTKEYS_PROVIDER_CLIENT_KEY_FILE)
+          # ServiceAccountKeys provider configuration
+          - --serviceaccountkeys-provider-url=$(SERVICEACCOUNTKEYS_PROVIDER_URL)
+          - --serviceaccountkeys-provider-ca-file=$(SERVICEACCOUNTKEYS_PROVIDER_CA_FILE)
+          - --serviceaccountkeys-provider-client-cert=$(SERVICEACCOUNTKEYS_PROVIDER_CLIENT_CERT_FILE)
+          - --serviceaccountkeys-provider-client-key=$(SERVICEACCOUNTKEYS_PROVIDER_CLIENT_KEY_FILE)
           # Events proxy provider configuration (requires EventsProxy feature gate)
           - --events-provider-url=$(EVENTS_PROVIDER_URL)
           - --events-provider-ca-file=$(EVENTS_PROVIDER_CA_FILE)
@@ -162,13 +162,13 @@ spec:
             value: ""
           - name: USERIDENTITIES_PROVIDER_CLIENT_KEY_FILE
             value: ""
-          - name: MACHINEACCOUNTKEYS_PROVIDER_URL
+          - name: SERVICEACCOUNTKEYS_PROVIDER_URL
             value: ""
-          - name: MACHINEACCOUNTKEYS_PROVIDER_CA_FILE
+          - name: SERVICEACCOUNTKEYS_PROVIDER_CA_FILE
             value: ""
-          - name: MACHINEACCOUNTKEYS_PROVIDER_CLIENT_CERT_FILE
+          - name: SERVICEACCOUNTKEYS_PROVIDER_CLIENT_CERT_FILE
             value: ""
-          - name: MACHINEACCOUNTKEYS_PROVIDER_CLIENT_KEY_FILE
+          - name: SERVICEACCOUNTKEYS_PROVIDER_CLIENT_KEY_FILE
             value: ""
           # Events proxy provider configuration (requires --feature-gates=EventsProxy=true)
           - name: EVENTS_PROVIDER_URL

config/components/apiserver-audit-logging/audit-policy-configmap.yaml

@@ -142,13 +142,13 @@ data:
         - group: "" # core API group
           resources: ["secrets", "configmaps"]
 
-      # Log MachineAccountKey at Metadata level to redact private key from audit logs
+      # Log ServiceAccountKey at Metadata level to redact private key from audit logs
       # The privateKey is only returned in the response body on creation, so we omit
       # the response to prevent credential leakage in audit logs
       - level: Metadata
         resources:
         - group: "identity.miloapis.com"
-          resources: ["machineaccountkeys"]
+          resources: ["serviceaccountkeys"]
 
       # Log Milo API resources at RequestResponse level to capture full context
       - level: RequestResponse

config/crd/bases/iam/iam.miloapis.com_policybindings.yaml

@@ -141,15 +141,15 @@ spec:
                 items:
                   description: |-
                     Subject contains a reference to the object or user identities a role binding applies to.
-                    This can be a User, Group, or MachineAccount.
+                    This can be a User, Group, or ServiceAccount.
                   properties:
                     kind:
                       description: Kind of object being referenced. Values defined
                         in Kind constants.
                       enum:
                       - User
                       - Group
-                      - MachineAccount
+                      - ServiceAccount
                       type: string
                     name:
                       description: |-
@@ -160,7 +160,7 @@ spec:
                     namespace:
                       description: |-
                         Namespace of the referenced object.
-                        If not specified for a Group, User or MachineAccount, it is ignored.
+                        If not specified for a Group, User or ServiceAccount, it is ignored.
                       type: string
                     uid:
                       description: UID of the referenced object. Optional for system

config/crd/bases/iam/iam.miloapis.com_machineaccounts.yaml → config/crd/bases/iam/iam.miloapis.com_serviceaccounts.yaml

@@ -5,14 +5,14 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.18.0
     discovery.miloapis.com/parent-contexts: Project
-  name: machineaccounts.iam.miloapis.com
+  name: serviceaccounts.iam.miloapis.com
 spec:
   group: iam.miloapis.com
   names:
-    kind: MachineAccount
-    listKind: MachineAccountList
-    plural: machineaccounts
-    singular: machineaccount
+    kind: ServiceAccount
+    listKind: ServiceAccountList
+    plural: serviceaccounts
+    singular: serviceaccount
   scope: Cluster
   versions:
   - additionalPrinterColumns:
@@ -37,7 +37,7 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: MachineAccount is the Schema for the machine accounts API
+        description: ServiceAccount is the Schema for the service accounts API
         properties:
           apiVersion:
             description: |-
@@ -57,26 +57,26 @@ spec:
           metadata:
             type: object
           spec:
-            description: MachineAccountSpec defines the desired state of MachineAccount
+            description: ServiceAccountSpec defines the desired state of ServiceAccount
             properties:
               state:
                 default: Active
                 description: |-
-                  The state of the machine account. This state can be safely changed as needed.
+                  The state of the service account. This state can be safely changed as needed.
                   States:
-                    - Active: The machine account can be used to authenticate.
-                    - Inactive: The machine account is prohibited to be used to authenticate, and revokes all existing sessions.
+                    - Active: The service account can be used to authenticate.
+                    - Inactive: The service account is prohibited to be used to authenticate, and revokes all existing sessions.
                 enum:
                 - Active
                 - Inactive
                 type: string
             type: object
           status:
-            description: MachineAccountStatus defines the observed state of MachineAccount
+            description: ServiceAccountStatus defines the observed state of ServiceAccount
             properties:
               conditions:
                 description: Conditions provide conditions that represent the current
-                  status of the MachineAccount.
+                  status of the ServiceAccount.
                 items:
                   description: Condition contains details for one aspect of the current
                     state of this API Resource.
@@ -134,12 +134,12 @@ spec:
                 type: array
               email:
                 description: |-
-                  The computed email of the machine account following the pattern:
+                  The computed email of the service account following the pattern:
                   {metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix}
                 type: string
               state:
                 description: |-
-                  State represents the current activation state of the machine account from the auth provider.
+                  State represents the current activation state of the service account from the auth provider.
                   This field tracks the state from the previous generation and is updated when state changes
                   are successfully propagated to the auth provider. It helps optimize performance by only
                   updating the auth provider when a state change is detected.

config/crd/bases/iam/kustomization.yaml

@@ -2,7 +2,7 @@ resources:
 - iam.miloapis.com_roles.yaml
 - iam.miloapis.com_groups.yaml
 - iam.miloapis.com_groupmemberships.yaml
-- iam.miloapis.com_machineaccounts.yaml
+- iam.miloapis.com_serviceaccounts.yaml
 - iam.miloapis.com_policybindings.yaml
 - iam.miloapis.com_protectedresources.yaml
 - iam.miloapis.com_users.yaml

config/protected-resources/iam/kustomization.yaml

@@ -14,5 +14,5 @@ resources:
   - platformaccessapproval.yaml
   - platformaccessrejection.yaml
   - platforminvitation.yaml
-  - machineaccount.yaml
+  - serviceaccount.yaml
 

config/protected-resources/iam/machineaccount.yaml → config/protected-resources/iam/serviceaccount.yaml

@@ -1,13 +1,13 @@
 apiVersion: iam.miloapis.com/v1alpha1
 kind: ProtectedResource
 metadata:
-  name: iam.miloapis.com-machineaccount
+  name: iam.miloapis.com-serviceaccount
 spec:
   serviceRef:
     name: "iam.miloapis.com"
-  kind: MachineAccount
-  plural: machineaccounts
-  singular: machineaccount
+  kind: ServiceAccount
+  plural: serviceaccounts
+  singular: serviceaccount
   permissions:
     - list
     - get

config/protected-resources/identity/kustomization.yaml

@@ -4,4 +4,4 @@ kind: Kustomization
 resources:
   - session.yaml
   - useridentity.yaml
-  - machineaccountkey.yaml
+  - serviceaccountkey.yaml

config/protected-resources/identity/machineaccountkey.yaml → config/protected-resources/identity/serviceaccountkey.yaml

@@ -1,13 +1,13 @@
 apiVersion: iam.miloapis.com/v1alpha1
 kind: ProtectedResource
 metadata:
-  name: identity.miloapis.com-machineaccountkey
+  name: identity.miloapis.com-serviceaccountkey
 spec:
   serviceRef:
     name: "identity.miloapis.com"
-  kind: MachineAccountKey
-  plural: machineaccountkeys
-  singular: machineaccountkey
+  kind: ServiceAccountKey
+  plural: serviceaccountkeys
+  singular: serviceaccountkey
   permissions:
     - list
     - get

config/resources-metrics/iam/kustomization.yaml

@@ -7,7 +7,7 @@ configMapGenerator:
     - users.yaml
     - groups.yaml
     - group_memberships.yaml
-    - machine_accounts.yaml
+    - service_accounts.yaml
     - policy_bindings.yaml
     - roles.yaml
     - user_invitations.yaml

config/resources-metrics/iam/machine_accounts.yaml → config/resources-metrics/iam/service_accounts.yaml

@@ -3,12 +3,12 @@ spec:
   resources:
     - groupVersionKind:
         group: "iam.miloapis.com"
-        kind: "MachineAccount"
+        kind: "ServiceAccount"
         version: "v1alpha1"
       labelsFromPath:
         name: [metadata, name]
         namespace: [metadata, namespace]
-      metricNamePrefix: milo_machine_accounts
+      metricNamePrefix: milo_service_accounts
       metrics:
         - name: "info"
           each:
@@ -20,4 +20,4 @@ spec:
           each:
             type: Gauge
             gauge:
-              path: [metadata, creationTimestamp]
+              path: [metadata, creationTimestamp]

config/resources-metrics/identity/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Component
 configMapGenerator:
   - name: milo-identity-resource-metrics
     files:
-    - machine_account_keys.yaml
+    - service_account_keys.yaml
     options:
       labels:
         telemetry.datumapis.com/core-resource-metrics-config: "true"

config/resources-metrics/identity/machine_account_keys.yaml → config/resources-metrics/identity/service_account_keys.yaml

@@ -3,12 +3,12 @@ spec:
   resources:
     - groupVersionKind:
         group: "identity.miloapis.com"
-        kind: "MachineAccountKey"
+        kind: "ServiceAccountKey"
         version: "v1alpha1"
       labelsFromPath:
         name: [metadata, name]
         namespace: [metadata, namespace]
-      metricNamePrefix: milo_machine_account_keys
+      metricNamePrefix: milo_service_account_keys
       metrics:
         - name: "info"
           each: