From 02254587d9cf01f138a4096673967402a9ab00fc Mon Sep 17 00:00:00 2001
From: Jacob Ferriero
Date: Fri, 11 Sep 2020 21:53:28 -0700
Subject: [PATCH] fix: Shorten GSA account_id if necessary (#666)
---
 modules/workload-identity/README.md | 2 +-
 modules/workload-identity/main.tf | 4 +-
 .../scripts/kubectl_wrapper.sh | 53 -------------------
 modules/workload-identity/variables.tf | 2 +-
 4 files changed, 5 insertions(+), 56 deletions(-)
 delete mode 100755 modules/workload-identity/scripts/kubectl_wrapper.sh
diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md
index 785ad7eb9..233d2112d 100644
--- a/modules/workload-identity/README.md
+++ b/modules/workload-identity/README.md
@@ -72,7 +72,7 @@ module "my-app-workload-identity" {
 | cluster\_name | Cluster name. Required if using existing KSA. | string | `""` | no |
 | k8s\_sa\_name | Name for the existing Kubernetes service account | string | `"null"` | no |
 | location | Cluster location (region if regional cluster, zone if zonal cluster). Required if using existing KSA. | string | `""` | no |
-| name | Name for both service accounts | string | n/a | yes |
+| name | Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary. | string | n/a | yes |
 | namespace | Namespace for k8s service account | string | `"default"` | no |
 | project\_id | GCP project ID | string | n/a | yes |
 | use\_existing\_k8s\_sa | Use an existing kubernetes service account instead of creating one | bool | `"false"` | no |
diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf
index e17851c30..288f3fdb2 100644
--- a/modules/workload-identity/main.tf
+++ b/modules/workload-identity/main.tf
@@ -25,7 +25,9 @@ locals { } resource "google_service_account" "cluster_service_account" { - account_id = var.name + # GCP service account ids must be < 30 chars matching regex ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$ # KSA do not have this naming restriction. account_id = substr(var.name, 0, 30) display_name = substr("GCP SA bound to K8S SA ${local.k8s_given_name}", 0, 100) project = var.project_id }
diff --git a/modules/workload-identity/scripts/kubectl_wrapper.sh b/modules/workload-identity/scripts/kubectl_wrapper.sh
deleted file mode 100755
index e92300bcb..000000000
--- a/modules/workload-identity/scripts/kubectl_wrapper.sh
+++ /dev/null
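Review bot: `account_id = substr(var.name, 0, 30)` can still yield an id the API rejects, and the new comment above it misstates the rule: if the quoted regex `^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$` is accurate it requires 6–30 characters ending in a letter or digit, so a name shorter than 6 characters, or one whose 30th character is `-`, fails even after truncation. Truncation also maps two distinct names with the same first 30 characters onto one account_id, and since that id is the GCP identity the KSA is bound to, such a collision is worth surfacing clearly rather than leaving to the API error at apply time. I would at least change the line to `account_id = trimsuffix(substr(var.name, 0, 30), "-")` and the comment to `# GCP SA ids must be 6-30 chars matching ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$; long names are truncated, so distinct names can collide.` The same caveat applies to the variables.tf description in the last hunk, which only mentions the 30-char truncation. The `}` that opens this hunk closes a `locals` block that begins outside it.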
@@ -1,53 +0,0 @@
-#!/bin/bash
-# Copyright 2018 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-set -e
-
-if [ "$#" -lt 3 ]; then
-  >&2 echo "Not all expected arguments set."
-  exit 1
-fi
-
-HOST=$1
-TOKEN=$2
-CA_CERTIFICATE=$3
-
-shift 3
-
-RANDOM_ID="${RANDOM}_${RANDOM}"
-export TMPDIR="/tmp/kubectl_wrapper_${RANDOM_ID}"
-
-function cleanup {
-  rm -rf "${TMPDIR}"
-}
-trap cleanup EXIT
-
-mkdir "${TMPDIR}"
-
-export KUBECONFIG="${TMPDIR}/config"
-
-# shellcheck disable=SC1117
-base64 --help | grep "\--decode" && B64_ARG="--decode" || B64_ARG="-d"
-echo "${CA_CERTIFICATE}" | base64 ${B64_ARG} > "${TMPDIR}/ca_certificate"
-
-kubectl config set-cluster kubectl-wrapper --server="${HOST}" --certificate-authority="${TMPDIR}/ca_certificate" --embed-certs=true 1>/dev/null
-rm -f "${TMPDIR}/ca_certificate"
-kubectl config set-context kubectl-wrapper --cluster=kubectl-wrapper --user=kubectl-wrapper --namespace=default 1>/dev/null
-kubectl config set-credentials kubectl-wrapper --token="${TOKEN}" 1>/dev/null
-kubectl config use-context kubectl-wrapper 1>/dev/null
-kubectl version 1>/dev/null
-
-"$@"
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index 0832eb5ef..8042f5432 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
@@ -15,7 +15,7 @@
  */
 
 variable "name" {
-  description = "Name for both service accounts"
+  description = "Name for both service accounts. The GCP SA will be truncated to the first 30 chars if necessary."
   type = string
 }
 