Fixing tests and iterating on the serviceaccount logic

cmd/kops/create_cluster.go

@@ -994,10 +994,13 @@ func RunCreateCluster(f *util.Factory, out io.Writer, c *CreateClusterOptions) e
 			}
 			cluster.Spec.Project = project
 		}
-		if c.GCEServiceAccount != "" {
-			klog.Infof("VMs will be configured to use specified Service Account: %v", c.GCEServiceAccount)
-			cluster.Spec.GCEServiceAccount = c.GCEServiceAccount
-		} else {
+	}
+
+	if c.GCEServiceAccount != "" {
+		klog.Infof("VMs will be configured to use specified Service Account: %v", c.GCEServiceAccount)
+		cluster.Spec.GCEServiceAccount = c.GCEServiceAccount
+	} else {
+		if api.CloudProviderID(cluster.Spec.CloudProvider) == api.CloudProviderGCE {
 			klog.Warning("VMs will be configured to use the GCE default compute Service Account! This is an anti-pattern")
 			klog.Warning("Use a pre-create Service Account with the flag: --gce-service-account=account@projectname.iam.gserviceaccount.com")
 			cluster.Spec.GCEServiceAccount = "default"

pkg/model/gcemodel/autoscalinggroup.go

@@ -139,6 +139,16 @@ func (b *AutoscalingGroupModelBuilder) Build(c *fi.ModelBuilderContext) error {
 				t.CanIPForward = fi.Bool(true)
 			}
 
+			if b.Cluster.Spec.GCEServiceAccount != "" {
+				klog.Infof("VMs using Service Account: %v", b.Cluster.Spec.GCEServiceAccount)
+				// b.Cluster.Spec.GCEServiceAccount = c.GCEServiceAccount
+			} else {
+				klog.Warning("VMs will be configured to use the GCE default compute Service Account! This is an anti-pattern")
+				klog.Warning("Use a pre-created Service Account with the flag: --gce-service-account=account@projectname.iam.gserviceaccount.com")
+				b.Cluster.Spec.GCEServiceAccount = "default"
+			}
+
+			klog.Infof("gsa: %v", b.Cluster.Spec.GCEServiceAccount)
 			t.ServiceAccounts = []string{b.Cluster.Spec.GCEServiceAccount}
 			//labels, err := b.CloudTagsForInstanceGroup(ig)
 			//if err != nil {

tests/integration/update_cluster/ha_gce/kubernetes.tf

@@ -398,7 +398,7 @@ resource "google_compute_instance_template" "master-us-test1-a-ha-gce-example-co
   machine_type   = "n1-standard-1"
 
   service_account = {
-    email = "default"
+    email  = "default"
     scopes = ["https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/monitoring", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/devstorage.read_write", "https://www.googleapis.com/auth/ndev.clouddns.readwrite"]
   }
 
@@ -439,6 +439,11 @@ resource "google_compute_instance_template" "master-us-test1-b-ha-gce-example-co
   can_ip_forward = true
   machine_type   = "n1-standard-1"
 
+  service_account = {
+    email  = "default"
+    scopes = ["https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/monitoring", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/devstorage.read_write", "https://www.googleapis.com/auth/ndev.clouddns.readwrite"]
+  }
+
   scheduling = {
     automatic_restart   = true
     on_host_maintenance = "MIGRATE"
@@ -477,7 +482,7 @@ resource "google_compute_instance_template" "master-us-test1-c-ha-gce-example-co
   machine_type   = "n1-standard-1"
 
   service_account = {
-    email = "default"
+    email  = "default"
     scopes = ["https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/monitoring", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/devstorage.read_write", "https://www.googleapis.com/auth/ndev.clouddns.readwrite"]
   }
 
@@ -519,8 +524,8 @@ resource "google_compute_instance_template" "nodes-ha-gce-example-com" {
   machine_type   = "n1-standard-2"
 
   service_account = {
-    email = "default"
-    scopes = ["https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/monitoring", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/devstorage.read_write", "https://www.googleapis.com/auth/ndev.clouddns.readwrite"]
+    email  = "default"
+    scopes = ["https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/monitoring", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/devstorage.read_only"]
   }
 
   scheduling = {

tests/integration/update_cluster/minimal_gce/kubernetes.tf

@@ -298,7 +298,7 @@ resource "google_compute_instance_template" "master-us-test1-a-minimal-gce-examp
   machine_type   = "n1-standard-1"
 
   service_account = {
-    email = "default"
+    email  = "default"
     scopes = ["https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/monitoring", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/devstorage.read_write", "https://www.googleapis.com/auth/ndev.clouddns.readwrite"]
   }
 
@@ -340,7 +340,7 @@ resource "google_compute_instance_template" "nodes-minimal-gce-example-com" {
   machine_type   = "n1-standard-2"
 
   service_account = {
-    email = "default"
+    email  = "default"
     scopes = ["https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/monitoring", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/devstorage.read_only"]
   }
 

upup/pkg/fi/cloudup/gcetasks/instancetemplate.go

@@ -537,11 +537,12 @@ func (t *terraformInstanceCommon) AddServiceAccounts(serviceAccounts []*compute.
 		klog.Infof("adding csa: %v", serviceAccounts[0].Email)
 		csa := serviceAccounts[0]
 		tsa := &terraformServiceAccount{
-			Email: csa.Email,
-		}
-		for _, scope := range csa.Scopes {
-			tsa.Scopes = append(tsa.Scopes, scope)
+			Email:  csa.Email,
+			Scopes: csa.Scopes,
 		}
+		// for _, scope := range csa.Scopes {
+		// 	tsa.Scopes = append(tsa.Scopes, scope)
+		// }
 		t.ServiceAccount = tsa
 	}
 }