class KubesGoogle::ServiceAccount

Public Class Methods

new(app:, namespace:nil, roles: [], gsa: nil, ksa: nil) click to toggle source
# File lib/kubes_google/service_account.rb, line 9
def initialize(app:, namespace:nil, roles: [], gsa: nil, ksa: nil)
  @app, @roles = app, roles
  @google_project = ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")

  # conventional names
  @namespace = namespace || "#{@app}-#{Kubes.env}" # convention: app-env
  @gsa = gsa || "#{@app}-#{Kubes.env}"             # convention: app-env
  @ksa = ksa || @app                               # convention: app
  @service_account = "#{@gsa}@#{@google_project}.iam.gserviceaccount.com" # full service account name
end

Public Instance Methods

add_role(role) click to toggle source
# File lib/kubes_google/service_account.rb, line 68
def add_role(role)
  return if has_role?(role)

  sh "gcloud projects add-iam-policy-binding #{@google_project} \
      --member=serviceAccount:#{@service_account} \
      --role=#{role} > /dev/null".squish
end
add_roles() click to toggle source
# File lib/kubes_google/service_account.rb, line 46
def add_roles
  logger.debug "Adding Google Roles/Permissions"
  roles.each do |role|
    add_role(role)
  end
end
call() click to toggle source
# File lib/kubes_google/service_account.rb, line 20
def call
  create_google_service_account
  create_gke_iam_binding
  add_roles
end
create_gke_iam_binding() click to toggle source
# File lib/kubes_google/service_account.rb, line 33
def create_gke_iam_binding
  logger.debug "Creating GKE IAM Binding"
  member = "serviceAccount:#{@google_project}.svc.id.goog[#{@namespace}/#{@ksa}]"

  found = sh "gcloud iam service-accounts get-iam-policy #{@service_account} | grep -F #{member} > /dev/null"
  return if found

  sh "gcloud iam service-accounts add-iam-policy-binding \
            --role roles/iam.workloadIdentityUser \
            --member #{member} \
            #{@service_account}".squish
end
create_google_service_account() click to toggle source
# File lib/kubes_google/service_account.rb, line 26
def create_google_service_account
  logger.debug "Creating google service account"
  found = sh %Q{gcloud iam service-accounts list | grep " #{@service_account}" > /dev/null}
  return if found
  sh "gcloud iam service-accounts create #{@gsa}"
end
has_role?(role) click to toggle source
# File lib/kubes_google/service_account.rb, line 59
def has_role?(role)
  out = capture "gcloud projects get-iam-policy #{@google_project} --format json"
  data = JSON.load(out)
  bindings = data['bindings']
  binding = bindings.find { |b| b['role'] == role }
  return false unless binding
  binding['members'].include?(@service_account)
end
roles() click to toggle source
# File lib/kubes_google/service_account.rb, line 53
def roles
  @roles.map do |role|
    role.include?("roles/") ? role : "roles/#{role}"
  end
end