Merge pull request #1161 from cappyzawa/feat/default-service-account-flag

[RFC-0010] Add default-service-account for lockdown

Author: matheuscscp

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/fluxcd/notification-controller/api v1.6.0
 	github.com/fluxcd/pkg/apis/event v0.18.0
 	github.com/fluxcd/pkg/apis/meta v1.18.0
-	github.com/fluxcd/pkg/auth v0.23.0
+	github.com/fluxcd/pkg/auth v0.27.0
 	github.com/fluxcd/pkg/cache v0.10.0
 	github.com/fluxcd/pkg/git v0.34.0
 	github.com/fluxcd/pkg/masktoken v0.7.0

go.sum

@@ -138,8 +138,8 @@ github.com/fluxcd/pkg/apis/kustomize v1.11.0 h1:0IzDgxZkc4v+5SDNCvgZhfwfkdkQLPXC
 github.com/fluxcd/pkg/apis/kustomize v1.11.0/go.mod h1:j302mJGDww8cn9qvMsRQ0LJ1HPAPs/IlX7CSsoJV7BI=
 github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
 github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
-github.com/fluxcd/pkg/auth v0.23.0 h1:Xt89QO1Hzh7X0JFwCeONyxMlgOX/zOPx0eyIyFoKyF0=
-github.com/fluxcd/pkg/auth v0.23.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
+github.com/fluxcd/pkg/auth v0.27.0 h1:DFsizUxt9ZDAc+z7+o7jcbtfaxRH55MRD/wdU4CXNCQ=
+github.com/fluxcd/pkg/auth v0.27.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
 github.com/fluxcd/pkg/git v0.34.0 h1:qTViWkfpEDnjzySyKRKliqUeGj/DznqlkmPhaDNIsFY=

internal/notifier/azure_helpers.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"net/url"
 
-	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/auth"
@@ -33,7 +32,12 @@ import (
 
 // newManagedIdentityToken is used to attempt credential-free authentication.
 func newManagedIdentityToken(ctx context.Context, proxy, serviceAccountName, providerName, providerNamespace, scope string, tokenClient client.Client, tokenCache *cache.TokenCache) (string, error) {
-	opts := []auth.Option{auth.WithScopes(scope)}
+	opts := []auth.Option{
+		auth.WithScopes(scope),
+		auth.WithClient(tokenClient),
+		auth.WithServiceAccountNamespace(providerNamespace),
+	}
+
 	if proxy != "" {
 		proxyURL, err := url.Parse(proxy)
 		if err != nil {
@@ -43,11 +47,7 @@ func newManagedIdentityToken(ctx context.Context, proxy, serviceAccountName, pro
 	}
 
 	if serviceAccountName != "" {
-		serviceAccount := types.NamespacedName{
-			Name:      serviceAccountName,
-			Namespace: providerNamespace,
-		}
-		opts = append(opts, auth.WithServiceAccount(serviceAccount, tokenClient))
+		opts = append(opts, auth.WithServiceAccountName(serviceAccountName))
 	}
 
 	if tokenCache != nil {

internal/notifier/google_helpers.go

@@ -22,7 +22,6 @@ import (
 	"net/url"
 
 	"google.golang.org/api/option"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/auth"
 	"github.com/fluxcd/pkg/auth/gcp"
@@ -39,8 +38,10 @@ func buildGCPClientOptions(ctx context.Context, opts notifierOptions) ([]option.
 	if opts.Token != "" {
 		clientOpts = append(clientOpts, option.WithCredentialsJSON([]byte(opts.Token)))
 	} else {
-		var authOpts []auth.Option
-		authOpts = append(authOpts, auth.WithClient(opts.TokenClient))
+		authOpts := []auth.Option{
+			auth.WithClient(opts.TokenClient),
+			auth.WithServiceAccountNamespace(opts.ProviderNamespace),
+		}
 
 		if opts.TokenCache != nil {
 			involvedObject := cache.InvolvedObject{
@@ -53,11 +54,7 @@ func buildGCPClientOptions(ctx context.Context, opts notifierOptions) ([]option.
 		}
 
 		if opts.ServiceAccountName != "" {
-			serviceAccountKey := client.ObjectKey{
-				Name:      opts.ServiceAccountName,
-				Namespace: opts.ProviderNamespace,
-			}
-			authOpts = append(authOpts, auth.WithServiceAccount(serviceAccountKey, opts.TokenClient))
+			authOpts = append(authOpts, auth.WithServiceAccountName(opts.ServiceAccountName))
 		}
 
 		if opts.ProxyURL != "" {

internal/server/event_handlers_test.go

@@ -525,7 +525,8 @@ func TestGetNotificationParams(t *testing.T) {
 			}
 
 			if tt.enableObjLevelWI {
-				t.Setenv(auth.EnvVarEnableObjectLevelWorkloadIdentity, "true")
+				auth.EnableObjectLevelWorkloadIdentity()
+				t.Cleanup(auth.DisableObjectLevelWorkloadIdentity)
 			}
 
 			// Create fake objects and event server.

main.go

@@ -96,6 +96,7 @@ func main() {
 		exportHTTPPathMetrics bool
 		tokenCacheOptions     pkgcache.TokenFlags
 		watchOptions          runtimeCtrl.WatchOptions
+		defaultServiceAccount string
 	)
 
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
@@ -118,6 +119,8 @@ func main() {
 	rateLimiterOptions.BindFlags(flag.CommandLine)
 	featureGates.BindFlags(flag.CommandLine)
 	tokenCacheOptions.BindFlags(flag.CommandLine, tokenCacheDefaultMaxSize)
+	flag.StringVar(&defaultServiceAccount, auth.ControllerFlagDefaultServiceAccount,
+		"", "Default service account to use for workload identity when not specified in resources.")
 
 	flag.Parse()
 
@@ -136,6 +139,15 @@ func main() {
 		auth.EnableObjectLevelWorkloadIdentity()
 	}
 
+	if defaultServiceAccount != "" {
+		auth.SetDefaultServiceAccount(defaultServiceAccount)
+	}
+
+	if auth.InconsistentObjectLevelConfiguration() {
+		setupLog.Error(auth.ErrInconsistentObjectLevelConfiguration, "invalid configuration")
+		os.Exit(1)
+	}
+
 	watchNamespace := ""
 	if !watchOptions.AllNamespaces {
 		watchNamespace = os.Getenv("RUNTIME_NAMESPACE")