Annotate KSA by default if GSA in use (#750)

evenh · web-flow · commit 8f8f2b40a152 · 2025-09-24T12:25:12.000+02:00
* Update generated CRD

* Annotate KSA by default if GSA in use
diff --git a/config/crd/skiperator.kartverket.no_applications.yaml b/config/crd/skiperator.kartverket.no_applications.yaml
@@ -330,7 +330,9 @@ spec:
                     a Container.
                   properties:
                     name:
-                      description: Name of the environment variable. Must be a C_IDENTIFIER.
+                      description: |-
+                        Name of the environment variable.
+                        May consist of any printable ASCII characters except '='.
                       type: string
                     value:
                       description: |-
@@ -388,6 +390,43 @@ spec:
                           - fieldPath
                           type: object
                           x-kubernetes-map-type: atomic
+                        fileKeyRef:
+                          description: |-
+                            FileKeyRef selects a key of the env file.
+                            Requires the EnvFiles feature gate to be enabled.
+                          properties:
+                            key:
+                              description: |-
+                                The key within the env file. An invalid key will prevent the pod from starting.
+                                The keys defined within a source may consist of any printable ASCII characters except '='.
+                                During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                              type: string
+                            optional:
+                              default: false
+                              description: |-
+                                Specify whether the file or its key must be defined. If the file or key
+                                does not exist, then the env var is not published.
+                                If optional is set to true and the specified key does not exist,
+                                the environment variable will not be set in the Pod's containers.
+
+                                If optional is set to false and the specified key does not exist,
+                                an error will be returned during Pod creation.
+                              type: boolean
+                            path:
+                              description: |-
+                                The path within the volume from which to select the file.
+                                Must be relative and may not contain the '..' path or start with '..'.
+                              type: string
+                            volumeName:
+                              description: The name of the volume mount containing
+                                the env file.
+                              type: string
+                          required:
+                          - key
+                          - path
+                          - volumeName
+                          type: object
+                          x-kubernetes-map-type: atomic
                         resourceFieldRef:
                           description: |-
                             Selects a resource of the container: only resources limits and requests
diff --git a/config/crd/skiperator.kartverket.no_skipjobs.yaml b/config/crd/skiperator.kartverket.no_skipjobs.yaml
@@ -304,8 +304,9 @@ spec:
                         in a Container.
                       properties:
                         name:
-                          description: Name of the environment variable. Must be a
-                            C_IDENTIFIER.
+                          description: |-
+                            Name of the environment variable.
+                            May consist of any printable ASCII characters except '='.
                           type: string
                         value:
                           description: |-
@@ -363,6 +364,43 @@ spec:
                               - fieldPath
                               type: object
                               x-kubernetes-map-type: atomic
+                            fileKeyRef:
+                              description: |-
+                                FileKeyRef selects a key of the env file.
+                                Requires the EnvFiles feature gate to be enabled.
+                              properties:
+                                key:
+                                  description: |-
+                                    The key within the env file. An invalid key will prevent the pod from starting.
+                                    The keys defined within a source may consist of any printable ASCII characters except '='.
+                                    During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                  type: string
+                                optional:
+                                  default: false
+                                  description: |-
+                                    Specify whether the file or its key must be defined. If the file or key
+                                    does not exist, then the env var is not published.
+                                    If optional is set to true and the specified key does not exist,
+                                    the environment variable will not be set in the Pod's containers.
+
+                                    If optional is set to false and the specified key does not exist,
+                                    an error will be returned during Pod creation.
+                                  type: boolean
+                                path:
+                                  description: |-
+                                    The path within the volume from which to select the file.
+                                    Must be relative and may not contain the '..' path or start with '..'.
+                                  type: string
+                                volumeName:
+                                  description: The name of the volume mount containing
+                                    the env file.
+                                  type: string
+                              required:
+                              - key
+                              - path
+                              - volumeName
+                              type: object
+                              x-kubernetes-map-type: atomic
                             resourceFieldRef:
                               description: |-
                                 Selects a resource of the container: only resources limits and requests
diff --git a/pkg/resourcegenerator/serviceaccount/application.go b/pkg/resourcegenerator/serviceaccount/application.go
@@ -26,8 +26,11 @@ func generateForApplication(r reconciliation.Reconciliation) error {
 	serviceAccount := corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Namespace: application.Namespace, Name: application.Name}}
 
 	if util.IsCloudSqlProxyEnabled(application.Spec.GCP) {
-		setCloudSqlAnnotations(&serviceAccount, application)
+		setGCPSAAnnotation(&serviceAccount, application.Spec.GCP.CloudSQLProxy.ServiceAccount)
+	} else if util.GCPServiceAccountInUse(application.Spec.GCP) {
+		setGCPSAAnnotation(&serviceAccount, application.Spec.GCP.Auth.ServiceAccount)
 	}
+
 	r.AddResource(&serviceAccount)
 	ctxLog.Debug("Finished generating service account for application", "application", application.Name)
 	return nil
diff --git a/pkg/resourcegenerator/serviceaccount/service_account.go b/pkg/resourcegenerator/serviceaccount/service_account.go
@@ -3,7 +3,6 @@ package serviceaccount
 import (
 	"maps"
 
-	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/resourcegenerator/resourceutils/generator"
 	corev1 "k8s.io/api/core/v1"
@@ -15,13 +14,13 @@ func Generate(r reconciliation.Reconciliation) error {
 	return multiGenerator.Generate(r, "ServiceAccount")
 }
 
-func setCloudSqlAnnotations(serviceAccount *corev1.ServiceAccount, gcp skiperatorv1alpha1.SKIPObject) {
+func setGCPSAAnnotation(serviceAccount *corev1.ServiceAccount, saEmail string) {
 	annotations := serviceAccount.GetAnnotations()
 	if len(annotations) == 0 {
 		annotations = make(map[string]string)
 	}
 	maps.Copy(annotations, map[string]string{
-		"iam.gke.io/gcp-service-account": gcp.GetCommonSpec().GCP.CloudSQLProxy.ServiceAccount,
+		"iam.gke.io/gcp-service-account": saEmail,
 	})
 	serviceAccount.SetAnnotations(annotations)
 }
diff --git a/pkg/resourcegenerator/serviceaccount/skipjob.go b/pkg/resourcegenerator/serviceaccount/skipjob.go
@@ -26,8 +26,11 @@ func generateForSKIPJob(r reconciliation.Reconciliation) error {
 	serviceAccount := corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Namespace: skipJob.Namespace, Name: skipJob.KindPostFixedName()}}
 
 	if util.IsCloudSqlProxyEnabled(skipJob.Spec.Container.GCP) {
-		setCloudSqlAnnotations(&serviceAccount, skipJob)
+		setGCPSAAnnotation(&serviceAccount, skipJob.Spec.Container.GCP.CloudSQLProxy.ServiceAccount)
+	} else if util.GCPServiceAccountInUse(skipJob.Spec.Container.GCP) {
+		setGCPSAAnnotation(&serviceAccount, skipJob.Spec.Container.GCP.Auth.ServiceAccount)
 	}
+
 	r.AddResource(&serviceAccount)
 	ctxLog.Debug("Finished generating service account for skipjob", "skipjob", skipJob.Name)
 	return nil
diff --git a/pkg/util/helperfunctions.go b/pkg/util/helperfunctions.go
@@ -3,23 +3,24 @@ package util
 import (
 	"context"
 	"fmt"
+	"hash/fnv"
+	"net/url"
+	"regexp"
+	"strings"
+	"unicode"
+
 	"github.com/kartverket/skiperator/api/v1alpha1/digdirator"
 	"github.com/kartverket/skiperator/api/v1alpha1/podtypes"
 	"github.com/mitchellh/hashstructure/v2"
 	nais_io_v1 "github.com/nais/liberator/pkg/apis/nais.io/v1"
 	"github.com/nais/liberator/pkg/namegen"
-	"hash/fnv"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/tools/record"
-	"net/url"
-	"regexp"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"strings"
-	"unicode"
 )
 
 //TODO Clean up this file, move functions to more appropriate files
@@ -177,6 +178,14 @@ func EnsurePrefix(s string, prefix string) string {
 	return s
 }
 
+func GCPServiceAccountInUse(gcp *podtypes.GCP) bool {
+	if gcp == nil || gcp.Auth == nil || gcp.Auth.ServiceAccount == "" {
+		return false
+	}
+
+	return true
+}
+
 func IsCloudSqlProxyEnabled(gcp *podtypes.GCP) bool {
 	return gcp != nil && gcp.CloudSQLProxy != nil
 }
diff --git a/tests/application/gcp/application-assert.yaml b/tests/application/gcp/application-assert.yaml
@@ -59,3 +59,10 @@ data:
 kind: ConfigMap
 metadata:
   name: gcp-gcp-auth
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gcp
+  annotations:
+    iam.gke.io/gcp-service-account: something@verdier.com
