Merge pull request #62 from projectsyn/feat/sa-token-secret

Add support for generating ServiceAccount token secrets

Author: simu

lib/resource-locker.libjsonnet

@@ -162,6 +162,17 @@ local rbac_objs(objdata, verbs=[ 'create', 'get', 'update', 'patch' ]) =
     metadata+: rbac_meta {
       namespace: namespace,
     },
+    secrets: [ { name: saname } ],
+  };
+  // Create service account token secret
+  local tokensecret = kube.Secret(saname) {
+    metadata+: rbac_meta {
+      namespace: namespace,
+      annotations+: {
+        'kubernetes.io/service-account.name': saname,
+      },
+    },
+    type: 'kubernetes.io/service-account-token',
   };
   // Create cluster role to get/list/watch resource kind
   local rolename = clusterRoleName(name);
@@ -204,6 +215,7 @@ local rbac_objs(objdata, verbs=[ 'create', 'get', 'update', 'patch' ]) =
     serviceaccount: serviceaccount,
     objs: std.prune([
       serviceaccount,
+      tokensecret,
       clusterrole,
       clusterrolebinding,
       role,

tests/golden/lib/resource-locker/tests/test-lock.yaml

@@ -10,6 +10,23 @@ metadata:
     name: foo-test-6e4cb03e339fd56-manager
   name: foo-test-6e4cb03e339fd56-manager
   namespace: syn-resource-locker
+secrets:
+  - name: foo-test-6e4cb03e339fd56-manager
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: foo-test-6e4cb03e339fd56-manager
+    resourcelocker.syn.tools/target-namespace: foo
+    resourcelocker.syn.tools/target-object: apps.Deployment/test
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/part-of: resource-locker
+    name: foo-test-6e4cb03e339fd56-manager
+  name: foo-test-6e4cb03e339fd56-manager
+  namespace: syn-resource-locker
+type: kubernetes.io/service-account-token
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

tests/golden/lib/resource-locker/tests/test-patch-long-name.yaml

@@ -9,6 +9,22 @@ metadata:
     name: clusterrolebinding-system-build-775295b1777a143-manager
   name: clusterrolebinding-system-build-775295b1777a143-manager
   namespace: syn-resource-locker
+secrets:
+  - name: clusterrolebinding-system-build-775295b1777a143-manager
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: clusterrolebinding-system-build-775295b1777a143-manager
+    resourcelocker.syn.tools/target-object: rbac.authorization.k8s.io.ClusterRoleBinding/system:build-strategy-docker-binding
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/part-of: resource-locker
+    name: clusterrolebinding-system-build-775295b1777a143-manager
+  name: clusterrolebinding-system-build-775295b1777a143-manager
+  namespace: syn-resource-locker
+type: kubernetes.io/service-account-token
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

tests/golden/lib/resource-locker/tests/test-patch.yaml

@@ -10,6 +10,23 @@ metadata:
     name: foo-test-6e4cb03e339fd56-manager
   name: foo-test-6e4cb03e339fd56-manager
   namespace: syn-resource-locker
+secrets:
+  - name: foo-test-6e4cb03e339fd56-manager
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: foo-test-6e4cb03e339fd56-manager
+    resourcelocker.syn.tools/target-namespace: foo
+    resourcelocker.syn.tools/target-object: apps.Deployment/test
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/part-of: resource-locker
+    name: foo-test-6e4cb03e339fd56-manager
+  name: foo-test-6e4cb03e339fd56-manager
+  namespace: syn-resource-locker
+type: kubernetes.io/service-account-token
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole