Class: KubesGoogle::ServiceAccount

Inherits:
Object
Includes:
Logging, Util::Sh
Defined in:
lib/kubes_google/service_account.rb

Constant Summary

@@project_iam_policies =
nil

Instance Method Summary

Methods included from Logging

#logger

Constructor Details

#initialize(app:, namespace: nil, roles: [], gsa: nil, ksa: nil) ⇒ ServiceAccount

Returns a new instance of ServiceAccount.



# File 'lib/kubes_google/service_account.rb', line 9

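# Builds the naming context for one Google service account (GSA) /
# Kubernetes service account (KSA) pair.
#
# @param app [String] application name; also the default KSA name
# @param namespace [String, nil] Kubernetes namespace; defaults to "#{app}-#{Kubes.env}"
# @param roles [Array<String>] IAM roles to bind (see #roles for "roles/" prefixing)
# @param gsa [String, nil] Google service account id; defaults to "#{app}-#{Kubes.env}"
# @param ksa [String, nil] Kubernetes service account name; defaults to app
# @raise [RuntimeError] when GOOGLE_PROJECT is unset or blank
def initialize(app:, namespace: nil, roles: [], gsa: nil, ksa: nil)
  @app = app
  @roles = roles
  # An empty string is truthy in Ruby, so `ENV[...] || raise` alone would
  # accept GOOGLE_PROJECT="" and build a bogus service account address.
  project = ENV.fetch('GOOGLE_PROJECT', nil)
  raise "GOOGLE_PROJECT env variable is not set. It's required." if project.nil? || project.strip.empty?
  @google_project = project

  # conventional names
  @namespace = namespace || "#{@app}-#{Kubes.env}" # convention: app-env
  @gsa = gsa || "#{@app}-#{Kubes.env}"             # convention: app-env
  @ksa = ksa || @app                               # convention: app
  # Full GSA address. Every name above is later interpolated, unescaped,
  # into gcloud shell commands (see #add_role, #create_gke_iam_binding), so
  # they must only ever come from trusted project configuration.
  @service_account = "#{@gsa}@#{@google_project}.iam.gserviceaccount.com"
end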

Instance Method Details

#add_role(role) ⇒ Object



# File 'lib/kubes_google/service_account.rb', line 76

# Grants +role+ on the project to the Google service account, unless the
# current project IAM policy already lists that member under the role.
#
# @param role [String] fully qualified role name (e.g. "roles/viewer"; see #roles)
# @return [void]
def add_role(role)
  return if has_role?(role)

  # The single-quoted values are interpolated unescaped into a shell command;
  # only trusted, config-sourced values must ever reach this method.
  parts = [
    "gcloud projects add-iam-policy-binding #{@google_project}",
    "--member='serviceAccount:#{@service_account}'",
    "--condition=None",
    "--role='#{role}'",
    "> /dev/null"
  ]
  # squish (ActiveSupport) collapses any whitespace, including inside the
  # interpolated values, exactly as the original multi-line string did.
  sh parts.join(' ').squish
end

#add_roles ⇒ Object



# File 'lib/kubes_google/service_account.rb', line 47

# Binds every configured role (normalised by #roles) to the Google service
# account, one gcloud call per role that is not already present.
#
# @return [void]
def add_roles
  logger.debug "Adding Google Roles/Permissions"
  roles.each(&method(:add_role))
end

#call ⇒ Object



# File 'lib/kubes_google/service_account.rb', line 20

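# Entry point: ensure the Google service account exists, bind it to the
# Kubernetes service account via Workload Identity, then grant its roles.
#
# @return [void]
def call
  # NOTE(review): the rendered listing shows a blank line here and the same
  # identifier is missing from the `def` of the sibling method; the call is
  # presumed to be create_google_service_account — confirm against the source.
  create_google_service_account
  create_gke_iam_binding
  add_roles
end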

#create_gke_iam_binding ⇒ Object



# File 'lib/kubes_google/service_account.rb', line 33

# Grants roles/iam.workloadIdentityUser on the Google service account to the
# Kubernetes service account's Workload Identity member, skipping the gcloud
# call when the GSA policy already lists that member.
#
# @return [void]
def create_gke_iam_binding
  logger.debug "Creating GKE IAM Binding"
  # Workload Identity member for the KSA: PROJECT.svc.id.goog[NAMESPACE/KSA]
  member = "serviceAccount:#{@google_project}.svc.id.goog[#{@namespace}/#{@ksa}]"

  # Idempotency check: fixed-string grep over the current policy. The early
  # return presumably relies on `sh` returning falsy for a non-zero grep
  # status (Util::Sh is not visible here) — confirm.
  already_bound = sh "gcloud iam service-accounts get-iam-policy '#{@service_account}' | grep -F '#{member}' > /dev/null"
  return if already_bound

  # Values are interpolated unescaped inside single quotes; keep them
  # restricted to trusted project configuration.
  cmd = [
    "gcloud iam service-accounts add-iam-policy-binding",
    "--role roles/iam.workloadIdentityUser",
    "--member '#{member}'",
    "--condition=None",
    "'#{@service_account}'"
  ].join(' ').squish
  sh cmd
end

#create_google_service_account ⇒ Object



# File 'lib/kubes_google/service_account.rb', line 26

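# Creates the Google service account +@gsa+ in the project unless `gcloud`
# already lists its full address.
#
# The method name was dropped from the rendered listing; it is restored here
# from the method heading.
#
# @return [void]
def create_google_service_account
  logger.debug "Creating google service account"
  # Existence check by substring grep of the list output; the leading space
  # keeps a longer address that merely ends with ours from matching.
  found = sh %Q{gcloud iam service-accounts list | grep " #{@service_account}" > /dev/null}
  return if found
  sh "gcloud iam service-accounts create #{@gsa}"
end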

#has_role?(role) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/kubes_google/service_account.rb', line 60

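# Whether the project IAM policy (cached, see #project_iam_policies) already
# grants +role+ to the Google service account.
#
# @param role [String] fully qualified role name, e.g. "roles/viewer"
# @return [Boolean]
def has_role?(role)
  data = project_iam_policies
  # A policy may omit "bindings" (or "members") entirely; treat as no grant
  # instead of raising NoMethodError on nil.
  bindings = Array(data && data['bindings'])
  member = "serviceAccount:#{@service_account}"
  # NOTE(review): only the first binding for the role is consulted, as before.
  # A policy can hold several bindings for one role (e.g. conditional ones),
  # so the unconditional binding that #add_role writes may not be the first.
  binding = bindings.find { |b| b['role'] == role }
  return false unless binding

  Array(binding['members']).include?(member)
end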

#project_iam_policies ⇒ Object



# File 'lib/kubes_google/service_account.rb', line 69

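# Fetches the project IAM policy as JSON once per process and memoises it in
# the @@project_iam_policies class variable.
#
# @return [Hash] parsed `gcloud projects get-iam-policy` output
def project_iam_policies
  return @@project_iam_policies if @@project_iam_policies

  cmd = "gcloud projects get-iam-policy #{@google_project} --format json"
  logger.debug "=> #{cmd}"
  out = capture cmd
  # JSON.parse rather than JSON.load: plain data parsing only, without the
  # json_class object-instantiation additions that JSON.load may honour.
  # NOTE(review): the cache is process-wide and not keyed by @google_project,
  # and it is not refreshed after #add_role writes a new binding — confirm
  # that one project per process is the intended usage.
  @@project_iam_policies = JSON.parse(out)
end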

#roles ⇒ Object



# File 'lib/kubes_google/service_account.rb', line 54

# Normalises the configured roles to their fully qualified form.
#
# A bare name such as "viewer" becomes "roles/viewer"; anything already
# containing "roles/" (predefined roles as well as custom role paths like
# "projects/PROJECT/roles/NAME") is passed through unchanged.
#
# @return [Array<String>]
def roles
  @roles.map do |name|
    if name.include?("roles/")
      name
    else
      "roles/#{name}"
    end
  end
end