actions/fluxcd-flux2
3
0
Fork 0
mirror of https://github.com/fluxcd/flux2.git synced 2026-02-23 08:01:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge pull request #5402 from reiSh6phoo9o/feat/configurable_serviceaccountname

Browse source 
Make service-account name configurable in `flux create tenant`
This commit is contained in:
Stefan Prodan 2025-06-13 15:30:11 +03:00 committed by GitHub
commit 40a9b495b2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 188 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
cmd/flux/create_tenant.go
View file

@ -59,6 +59,7 @@ const (
type tenantFlags struct { type tenantFlags struct {
namespaces []string namespaces []string
clusterRole string clusterRole string
account string
} }
var tenantArgs tenantFlags var tenantArgs tenantFlags
@ -66,6 +67,7 @@ var tenantArgs tenantFlags
func init() { func init() {
createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant") createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding") createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant")
createCmd.AddCommand(createTenantCmd) createCmd.AddCommand(createTenantCmd)
} }
@ -107,9 +109,17 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
} }
namespaces = append(namespaces, namespace) namespaces = append(namespaces, namespace)
accountName := tenant
if tenantArgs.account != "" {
accountName = tenantArgs.account
}
if err := validation.IsQualifiedName(accountName); len(err) > 0 {
return fmt.Errorf("invalid service-account name '%s': %v", accountName, err)
}
account := corev1.ServiceAccount{ account := corev1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: tenant, Name: accountName,
Namespace: ns, Namespace: ns,
Labels: objLabels, Labels: objLabels,
}, },
@ -131,7 +141,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
}, },
{ {
Kind: "ServiceAccount", Kind: "ServiceAccount",
Name: tenant, Name: accountName,
Namespace: ns, Namespace: ns,
}, },
}, },
@ -283,9 +293,9 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
return err return err
} }
fmt.Println("---") rootCmd.Println("---")
data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1) data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
fmt.Println(resourceToString(data)) rootCmd.Println(resourceToString(data))
account.TypeMeta = metav1.TypeMeta{ account.TypeMeta = metav1.TypeMeta{
APIVersion: "v1", APIVersion: "v1",
@ -296,9 +306,9 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
return err return err
} }
fmt.Println("---") rootCmd.Println("---")
data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1) data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
fmt.Println(resourceToString(data)) rootCmd.Println(resourceToString(data))
roleBinding.TypeMeta = metav1.TypeMeta{ roleBinding.TypeMeta = metav1.TypeMeta{
APIVersion: "rbac.authorization.k8s.io/v1", APIVersion: "rbac.authorization.k8s.io/v1",
@ -309,8 +319,8 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
return err return err
} }
fmt.Println("---") rootCmd.Println("---")
fmt.Println(resourceToString(data)) rootCmd.Println(resourceToString(data))
return nil return nil
} }

68
cmd/flux/create_tenant_test.go Normal file
View file

@ -0,0 +1,68 @@
//go:build e2e
// +build e2e
/*
Copyright 2025 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"testing"
)
func TestCreateTenant(t *testing.T) {
tests := []struct {
name string
args string
assert assertFunc
}{
{
name: "no args",
args: "create tenant",
assert: assertError("name is required"),
},
{
name: "no namespace",
args: "create tenant dev-team --cluster-role=cluster-admin",
assert: assertError("with-namespace is required"),
},
{
name: "basic tenant",
args: "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --export",
assert: assertGoldenFile("./testdata/create_tenant/tenant-basic.yaml"),
},
{
name: "tenant with custom serviceaccount",
args: "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --with-service-account=flux-tenant --export",
assert: assertGoldenFile("./testdata/create_tenant/tenant-with-service-account.yaml"),
},
{
name: "tenant with custom cluster role",
args: "create tenant dev-team --with-namespace=apps --cluster-role=custom-role --export",
assert: assertGoldenFile("./testdata/create_tenant/tenant-with-cluster-role.yaml"),
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cmd := cmdTestCase{
args: tt.args,
assert: tt.assert,
}
cmd.runTestCmd(t)
})
}
}

34
cmd/flux/testdata/create_tenant/tenant-basic.yaml vendored Normal file
View file

@ -0,0 +1,34 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
toolkit.fluxcd.io/tenant: dev-team
name: apps
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
toolkit.fluxcd.io/tenant: dev-team
name: dev-team
namespace: apps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
toolkit.fluxcd.io/tenant: dev-team
name: dev-team-reconciler
namespace: apps
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: gotk:apps:reconciler
- kind: ServiceAccount
name: dev-team
namespace: apps

34
cmd/flux/testdata/create_tenant/tenant-with-cluster-role.yaml vendored Normal file
View file

@ -0,0 +1,34 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
toolkit.fluxcd.io/tenant: dev-team
name: apps
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
toolkit.fluxcd.io/tenant: dev-team
name: dev-team
namespace: apps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
toolkit.fluxcd.io/tenant: dev-team
name: dev-team-reconciler
namespace: apps
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: custom-role
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: gotk:apps:reconciler
- kind: ServiceAccount
name: dev-team
namespace: apps

34
cmd/flux/testdata/create_tenant/tenant-with-service-account.yaml vendored Normal file
View file

@ -0,0 +1,34 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
toolkit.fluxcd.io/tenant: dev-team
name: apps
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
toolkit.fluxcd.io/tenant: dev-team
name: flux-tenant
namespace: apps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
toolkit.fluxcd.io/tenant: dev-team
name: dev-team-reconciler
namespace: apps
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: gotk:apps:reconciler
- kind: ServiceAccount
name: flux-tenant
namespace: apps