Extract serviceaccount name and namespace from account.spec.username (#…

…20) Signed-off-by: Rokibul Hasan <[email protected]>
kluster-manager · Aug 12, 2024 · 4884b62 · 4884b62
1 parent 6f45fbd
commit 4884b62
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 7 deletions.
diff --git a/pkg/manager/agent-manifests/cluster-auth/Chart.yaml b/pkg/manager/agent-manifests/cluster-auth/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 description: Cluster Auth Agent
 name: cluster-auth-agent
-version: v2024.7.10
-appVersion: v0.0.2
+version: v2024.8.9
+appVersion: v0.0.3
 home: https://github.com/kluster-manager/cluster-auth
 icon: https://cdn.appscode.com/images/products/searchlight/icons/android-icon-192x192.png
 sources:

diff --git a/pkg/manager/controller/authentication/account_controller.go b/pkg/manager/controller/authentication/account_controller.go
@@ -23,6 +23,7 @@ import (
 
 	authenticationv1alpha1 "github.com/kluster-manager/cluster-auth/apis/authentication/v1alpha1"
 	"github.com/kluster-manager/cluster-auth/pkg/common"
+	"github.com/kluster-manager/cluster-auth/pkg/utils"
 
 	core "k8s.io/api/core/v1"
 	rbac "k8s.io/api/rbac/v1"
@@ -138,12 +139,17 @@ func (r *AccountReconciler) createGatewayClusterRoleBindingForUser(ctx context.C
 	}
 
 	if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
+		name, namespace, err := utils.ExtractServiceAccountNameAndNamespace(acc.Spec.Username)
+		if err != nil {
+			return err
+		}
+
 		sub = []rbac.Subject{
 			{
 				APIGroup:  "",
 				Kind:      "ServiceAccount",
-				Name:      acc.Name,
-				Namespace: common.AddonAgentInstallNamespace,
+				Name:      name,
+				Namespace: namespace,
 			},
 		}
 	}
@@ -164,7 +170,7 @@ func (r *AccountReconciler) createGatewayClusterRoleBindingForUser(ctx context.C
 	}
 
 	if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
-		crb.Name = fmt.Sprintf("ace.%s.proxy", acc.Spec.Username)
+		crb.Name = fmt.Sprintf("ace.%s.proxy", acc.Name)
 	}
 
 	_, err := cu.CreateOrPatch(ctx, r.Client, &crb, func(obj client.Object, createOp bool) client.Object {
@@ -199,9 +205,14 @@ func (r *AccountReconciler) createClusterRoleAndClusterRoleBindingToImpersonate(
 	}
 
 	if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
+		name, _, err := utils.ExtractServiceAccountNameAndNamespace(acc.Spec.Username)
+		if err != nil {
+			return err
+		}
+
 		cr = rbac.ClusterRole{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: fmt.Sprintf("ace.%s.impersonate", acc.Spec.Username),
+				Name: fmt.Sprintf("ace.%s.impersonate", acc.Name),
 				OwnerReferences: []metav1.OwnerReference{
 					*metav1.NewControllerRef(acc, authenticationv1alpha1.GroupVersion.WithKind("Account")),
 				},
@@ -211,7 +222,7 @@ func (r *AccountReconciler) createClusterRoleAndClusterRoleBindingToImpersonate(
 					APIGroups:     []string{""},
 					Resources:     []string{"serviceaccounts"},
 					Verbs:         []string{"impersonate"},
-					ResourceNames: []string{acc.Name},
+					ResourceNames: []string{name},
 				},
 			},
 		}

diff --git a/pkg/utils/util.go b/pkg/utils/util.go
@@ -17,6 +17,7 @@ limitations under the License.
 package utils
 
 import (
+	"errors"
 	"strings"
 
 	authorizationv1alpha1 "github.com/kluster-manager/cluster-auth/apis/authorization/v1alpha1"
@@ -40,3 +41,11 @@ func ReplaceColonWithHyphen(input string) string {
 	parts := strings.Split(input, ":")
 	return strings.Join(parts, "-")
 }
+
+func ExtractServiceAccountNameAndNamespace(s string) (name, namespace string, err error) {
+	parts := strings.Split(s, ":")
+	if len(parts) == 4 {
+		return parts[3], parts[2], nil
+	}
+	return "", "", errors.New("account username is invalid")
+}