Skip to content

Commit 1f35dcf

Browse files
matheuscscpmatheuscscp
authored
Merge pull request #807 from cappyzawa/feat/default-service-account-flag
[RFC-0010] Add default-service-account for lockdown
2 parents 80b44ae + 5dfa77f commit 1f35dcf

File tree

5 files changed

+22
-10
lines changed

5 files changed

+22
-10
lines changed

go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ require (
1313
github.com/fluxcd/pkg/apis/acl v0.8.0
1414
github.com/fluxcd/pkg/apis/event v0.18.0
1515
github.com/fluxcd/pkg/apis/meta v1.18.0
16-
github.com/fluxcd/pkg/auth v0.21.0
16+
github.com/fluxcd/pkg/auth v0.27.0
1717
github.com/fluxcd/pkg/cache v0.10.0
1818
github.com/fluxcd/pkg/runtime v0.80.0
1919
github.com/fluxcd/pkg/version v0.9.0

go.sum

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -177,8 +177,8 @@ github.com/fluxcd/pkg/apis/event v0.18.0 h1:PNbWk9gvX8gMIi6VsJapnuDO+giLEeY+6olL
177177
github.com/fluxcd/pkg/apis/event v0.18.0/go.mod h1:7S/DGboLolfbZ6stO6dcDhG1SfkPWQ9foCULvbiYpiA=
178178
github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
179179
github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
180-
github.com/fluxcd/pkg/auth v0.21.0 h1:ckAQqP12wuptXEkMY18SQKWEY09m9e6yI0mEMsDV15M=
181-
github.com/fluxcd/pkg/auth v0.21.0/go.mod h1:MXmpsXT97c874HCw5hnfqFUP7TsG8/Ss1vFrk8JccfM=
180+
github.com/fluxcd/pkg/auth v0.27.0 h1:DFsizUxt9ZDAc+z7+o7jcbtfaxRH55MRD/wdU4CXNCQ=
181+
github.com/fluxcd/pkg/auth v0.27.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
182182
github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
183183
github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
184184
github.com/fluxcd/pkg/runtime v0.80.0 h1:vknT2vdQSGTFnAhz4xGk2ZXUWCrXh3whsISStgA57Go=

internal/controller/imagepolicy_controller_test.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -461,7 +461,8 @@ func TestImagePolicyReconciler_objectLevelWorkloadIdentityFeatureGate(t *testing
461461
t.Run("enabled", func(t *testing.T) {
462462
g := NewWithT(t)
463463

464-
t.Setenv(auth.EnvVarEnableObjectLevelWorkloadIdentity, "true")
464+
auth.EnableObjectLevelWorkloadIdentity()
465+
t.Cleanup(auth.DisableObjectLevelWorkloadIdentity)
465466

466467
namespaceName := "imagepolicy-" + randStringRunes(5)
467468
namespace := &corev1.Namespace{

internal/registry/options.go

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -85,16 +85,15 @@ func (r *AuthOptionsGetter) GetOptions(ctx context.Context, repo *imagev1.ImageR
8585

8686
if provider := repo.GetProvider(); provider != "" && provider != "generic" {
8787
// Build login provider options and use it to attempt registry login.
88-
var opts []auth.Option
88+
opts := []auth.Option{
89+
auth.WithClient(r.Client),
90+
auth.WithServiceAccountNamespace(repo.GetNamespace()),
91+
}
8992
if proxyURL != nil {
9093
opts = append(opts, auth.WithProxyURL(*proxyURL))
9194
}
9295
if repo.Spec.ServiceAccountName != "" {
93-
serviceAccount := client.ObjectKey{
94-
Name: repo.Spec.ServiceAccountName,
95-
Namespace: repo.GetNamespace(),
96-
}
97-
opts = append(opts, auth.WithServiceAccount(serviceAccount, r.Client))
96+
opts = append(opts, auth.WithServiceAccountName(repo.Spec.ServiceAccountName))
9897
}
9998
if r.TokenCache != nil {
10099
opts = append(opts, auth.WithCache(*r.TokenCache, *involvedObject))

main.go

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -96,6 +96,7 @@ func main() {
9696
rateLimiterOptions helper.RateLimiterOptions
9797
featureGates feathelper.FeatureGates
9898
tokenCacheOptions pkgcache.TokenFlags
99+
defaultServiceAccount string
99100
)
100101

101102
flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
@@ -114,11 +115,17 @@ func main() {
114115
featureGates.BindFlags(flag.CommandLine)
115116
watchOptions.BindFlags(flag.CommandLine)
116117
tokenCacheOptions.BindFlags(flag.CommandLine, tokenCacheDefaultMaxSize)
118+
flag.StringVar(&defaultServiceAccount, auth.ControllerFlagDefaultServiceAccount,
119+
"", "Default service account to use for workload identity when not specified in resources.")
117120

118121
flag.Parse()
119122

120123
logger.SetLogger(logger.NewLogger(logOptions))
121124

125+
if defaultServiceAccount != "" {
126+
auth.SetDefaultServiceAccount(defaultServiceAccount)
127+
}
128+
122129
if err := featureGates.WithLogger(setupLog).SupportedFeatures(features.FeatureGates()); err != nil {
123130
setupLog.Error(err, "unable to load feature gates")
124131
os.Exit(1)
@@ -132,6 +139,11 @@ func main() {
132139
auth.EnableObjectLevelWorkloadIdentity()
133140
}
134141

142+
if auth.InconsistentObjectLevelConfiguration() {
143+
setupLog.Error(auth.ErrInconsistentObjectLevelConfiguration, "invalid configuration")
144+
os.Exit(1)
145+
}
146+
135147
badgerOpts := badger.DefaultOptions(storagePath)
136148
badgerOpts.ValueLogFileSize = storageValueLogFileSize
137149
badgerDB, err := badger.Open(badgerOpts)

0 commit comments

Comments
 (0)