Merge pull request #440 from joelddiaz/gcp-serviceaccountnames-list-c…

…heck Bug 2036827: ensure GCP CredsReq has a list of ServiceAccounts
openshift · Jan 4, 2022 · 895e9c1 · 895e9c1
2 parents 2e091dd + 6ebbcf2
commit 895e9c1
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/pkg/cmd/provisioning/gcp/create_service_accounts.go b/pkg/cmd/provisioning/gcp/create_service_accounts.go
@@ -105,6 +105,12 @@ func processCredentialsRequests(ctx context.Context, client gcp.Client, credReqs
 }
 
 func createServiceAccount(ctx context.Context, client gcp.Client, name string, credReq *credreqv1.CredentialsRequest, serviceAccountNum int, workloadIdentityPool, workloadIdentityProvider, project, targetDir string, generateOnly bool) (string, error) {
+	// The credReq must have a non zero-length list of ServiceAccountNames
+	// that can be used to restrict which k8s ServiceAccounts can use the GCP ServiceAccount.
+	if len(credReq.Spec.ServiceAccountNames) == 0 {
+		return "", fmt.Errorf("CredentialsRequest %s/%s must provide at least one ServiceAccount in .spec.ServiceAccountNames", credReq.Namespace, credReq.Name)
+	}
+
 	// The service account id has a max length of 30 chars
 	// split it into 12-11-5 where the resuling string becomes:
 	// <infraName chopped to 12 chars>-<crName chopped to 11 chars>-<random 5 chars>