class KubesGoogle::ServiceAccount
# File lib/kubes_google/service_account.rb, line 9
# Builds the naming context for one app's Google service account.
#
# @param app [String] application name; base for all conventional names below
# @param namespace [String, nil] Kubernetes namespace; defaults to "app-env"
# @param roles [Array<String>] IAM roles to grant (see #roles for the "roles/" prefixing)
# @param gsa [String, nil] Google service account short name; defaults to "app-env"
# @param ksa [String, nil] Kubernetes service account name; defaults to the app name
# @raise [RuntimeError] when the GOOGLE_PROJECT env variable is not set
def initialize(app:, namespace: nil, roles: [], gsa: nil, ksa: nil)
  @app = app
  @roles = roles
  # The project is required: every gcloud call in this class is scoped to it.
  @google_project = ENV.fetch('GOOGLE_PROJECT') do
    raise "GOOGLE_PROJECT env variable is not set. It's required."
  end
  # Conventional names; Kubes.env is only consulted when a default is needed.
  @namespace = namespace || "#{@app}-#{Kubes.env}"
  @gsa = gsa || "#{@app}-#{Kubes.env}"
  @ksa = ksa || @app
  # Fully qualified service account email used by the gcloud commands.
  @service_account = "#{@gsa}@#{@google_project}.iam.gserviceaccount.com"
end
# File lib/kubes_google/service_account.rb, line 68
# Binds +role+ to the service account at project level, skipping the
# gcloud call when has_role? already reports the binding.
#
# NOTE(review): @google_project, @service_account and role are interpolated
# into a shell command without escaping; they are expected to come from the
# project's own config and environment, not from end-user input.
#
# @param role [String] a fully qualified role such as "roles/viewer"
def add_role(role)
  return if has_role?(role)

  command = [
    "gcloud projects add-iam-policy-binding #{@google_project}",
    "--member=serviceAccount:#{@service_account}",
    "--role=#{role} > /dev/null"
  ].join(" ")
  sh command.squish
end
# File lib/kubes_google/service_account.rb, line 46
# Grants every configured role (normalized by #roles) to the service account,
# one add_role call each.
def add_roles
  logger.debug "Adding Google Roles/Permissions"
  roles.each(&method(:add_role))
end
# File lib/kubes_google/service_account.rb, line 20
# Runs the full setup in dependency order: the Google service account is
# created first because the Workload Identity binding is attached to it, and
# the project roles are granted last. Each step checks before it creates, so
# re-running call on an already configured project is safe.
def call
  create_google_service_account
  create_gke_iam_binding
  add_roles
end
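# File lib/kubes_google/service_account.rb, line 33
# Allows the Kubernetes service account (namespace/ksa) to impersonate the
# Google service account via Workload Identity, unless that binding is
# already present in the account's IAM policy.
def create_gke_iam_binding
  logger.debug "Creating GKE IAM Binding"
  member = "serviceAccount:#{@google_project}.svc.id.goog[#{@namespace}/#{@ksa}]"
  # The member is single-quoted: it contains `[`/`]`, which an unquoted shell
  # word would treat as a glob pattern (an error under failglob/zsh, silently
  # dropped under nullglob). The existence check is a fixed-string grep on the
  # policy output; `found` is whatever sh returns for that pipeline — presumably
  # truthy when grep matched; confirm against the sh helper.
  found = sh "gcloud iam service-accounts get-iam-policy #{@service_account} | grep -F '#{member}' > /dev/null"
  return if found

  sh [
    "gcloud iam service-accounts add-iam-policy-binding",
    "--role roles/iam.workloadIdentityUser",
    "--member '#{member}'",
    @service_account
  ].join(" ").squish
end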
# File lib/kubes_google/service_account.rb, line 26
# Creates the Google service account (+@gsa+) unless its email already shows
# up in `gcloud iam service-accounts list`.
#
# NOTE(review): existence is decided by a substring grep on the list output
# (" email" with a leading space); `found` is whatever sh returns for that
# pipeline — confirm it is truthy on a grep match.
def create_google_service_account
  logger.debug "Creating google service account"
  list_command = %Q{gcloud iam service-accounts list | grep " #{@service_account}" > /dev/null}
  return if sh(list_command)

  sh "gcloud iam service-accounts create #{@gsa}"
end
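# File lib/kubes_google/service_account.rb, line 59
# Reports whether the service account already holds +role+ in the project's
# IAM policy (read via `gcloud projects get-iam-policy --format json`).
#
# @param role [String] fully qualified role, e.g. "roles/viewer"
# @return [Boolean]
# @raise [JSON::ParserError] when the gcloud output is not valid JSON
def has_role?(role)
  out = capture "gcloud projects get-iam-policy #{@google_project} --format json"
  # JSON.parse rather than JSON.load: the policy is plain data, and parse does
  # not honor json_class additions (object revival) on whatever gcloud printed.
  policy = JSON.parse(out)
  # A project with no bindings at all has no 'bindings' key; treat as "no role"
  # instead of calling find on nil.
  role_binding = Array(policy['bindings']).find { |b| b['role'] == role }
  return false unless role_binding

  members = Array(role_binding['members'])
  # IAM policy members carry a type prefix ("serviceAccount:EMAIL"), which is
  # also the form add_role binds; the bare email is still accepted so any
  # caller relying on the previous comparison keeps working.
  members.include?("serviceAccount:#{@service_account}") || members.include?(@service_account)
end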
# File lib/kubes_google/service_account.rb, line 53
# The configured roles with short names expanded: "viewer" becomes
# "roles/viewer", while any value already containing "roles/" (including a
# longer path such as a project-level custom role) is passed through as given.
#
# @return [Array<String>]
def roles
  @roles.map do |name|
    next name if name.include?("roles/")

    "roles/#{name}"
  end
end