Annotate KSA by default if GSA in use

Author: evenh

pkg/resourcegenerator/serviceaccount/application.go

@@ -26,8 +26,11 @@ func generateForApplication(r reconciliation.Reconciliation) error {
 	serviceAccount := corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Namespace: application.Namespace, Name: application.Name}}
 
 	if util.IsCloudSqlProxyEnabled(application.Spec.GCP) {
-		setCloudSqlAnnotations(&serviceAccount, application)
+		setGCPSAAnnotation(&serviceAccount, application.Spec.GCP.CloudSQLProxy.ServiceAccount)
+	} else if util.GCPServiceAccountInUse(application.Spec.GCP) {
+		setGCPSAAnnotation(&serviceAccount, application.Spec.GCP.Auth.ServiceAccount)
 	}
+
 	r.AddResource(&serviceAccount)
 	ctxLog.Debug("Finished generating service account for application", "application", application.Name)
 	return nil

pkg/resourcegenerator/serviceaccount/service_account.go

@@ -3,7 +3,6 @@ package serviceaccount
 import (
 	"maps"
 
-	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/resourcegenerator/resourceutils/generator"
 	corev1 "k8s.io/api/core/v1"
@@ -15,13 +14,13 @@ func Generate(r reconciliation.Reconciliation) error {
 	return multiGenerator.Generate(r, "ServiceAccount")
 }
 
-func setCloudSqlAnnotations(serviceAccount *corev1.ServiceAccount, gcp skiperatorv1alpha1.SKIPObject) {
+func setGCPSAAnnotation(serviceAccount *corev1.ServiceAccount, saEmail string) {
 	annotations := serviceAccount.GetAnnotations()
 	if len(annotations) == 0 {
 		annotations = make(map[string]string)
 	}
 	maps.Copy(annotations, map[string]string{
-		"iam.gke.io/gcp-service-account": gcp.GetCommonSpec().GCP.CloudSQLProxy.ServiceAccount,
+		"iam.gke.io/gcp-service-account": saEmail,
 	})
 	serviceAccount.SetAnnotations(annotations)
 }

pkg/resourcegenerator/serviceaccount/skipjob.go

@@ -26,8 +26,11 @@ func generateForSKIPJob(r reconciliation.Reconciliation) error {
 	serviceAccount := corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Namespace: skipJob.Namespace, Name: skipJob.KindPostFixedName()}}
 
 	if util.IsCloudSqlProxyEnabled(skipJob.Spec.Container.GCP) {
-		setCloudSqlAnnotations(&serviceAccount, skipJob)
+		setGCPSAAnnotation(&serviceAccount, skipJob.Spec.Container.GCP.CloudSQLProxy.ServiceAccount)
+	} else if util.GCPServiceAccountInUse(skipJob.Spec.Container.GCP) {
+		setGCPSAAnnotation(&serviceAccount, skipJob.Spec.Container.GCP.Auth.ServiceAccount)
 	}
+
 	r.AddResource(&serviceAccount)
 	ctxLog.Debug("Finished generating service account for skipjob", "skipjob", skipJob.Name)
 	return nil

pkg/util/helperfunctions.go

@@ -3,23 +3,24 @@ package util
 import (
 	"context"
 	"fmt"
+	"hash/fnv"
+	"net/url"
+	"regexp"
+	"strings"
+	"unicode"
+
 	"github.com/kartverket/skiperator/api/v1alpha1/digdirator"
 	"github.com/kartverket/skiperator/api/v1alpha1/podtypes"
 	"github.com/mitchellh/hashstructure/v2"
 	nais_io_v1 "github.com/nais/liberator/pkg/apis/nais.io/v1"
 	"github.com/nais/liberator/pkg/namegen"
-	"hash/fnv"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/tools/record"
-	"net/url"
-	"regexp"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"strings"
-	"unicode"
 )
 
 //TODO Clean up this file, move functions to more appropriate files
@@ -177,6 +178,14 @@ func EnsurePrefix(s string, prefix string) string {
 	return s
 }
 
+func GCPServiceAccountInUse(gcp *podtypes.GCP) bool {
+	if gcp == nil || gcp.Auth == nil || gcp.Auth.ServiceAccount == "" {
+		return false
+	}
+
+	return true
+}
+
 func IsCloudSqlProxyEnabled(gcp *podtypes.GCP) bool {
 	return gcp != nil && gcp.CloudSQLProxy != nil
 }

tests/application/gcp/application-assert.yaml

@@ -59,3 +59,10 @@ data:
 kind: ConfigMap
 metadata:
   name: gcp-gcp-auth
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gcp
+  annotations:
+    iam.gke.io/gcp-service-account: something@verdier.com