@whyvez
Last active August 2, 2022 02:15
Kustomize GKE Workload Identity Plugin

  • Creates a `roles/iam.workloadIdentityUser` binding (a Config Connector `IAMPolicyMember`) for each `IAMServiceAccount` found in the input resources.
  • Creates the same binding for each external GSA listed under `spec.externals`.
  • Annotates every Kubernetes `ServiceAccount` (KSA) whose name matches one of those internal or external GSAs with `iam.gke.io/gcp-service-account`, so GKE maps the KSA to that GSA.
```yaml
apiVersion: my.org.com/v1beta1
kind: WorkloadIdentityUser
metadata:
  name: my-project
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: ./plugins/workload-identity-user.sh
spec:
  project: my-gcp-project
  namespace: my-namespace
  externals:
    - my-external-sa # GSA provisioned externally, e.g. by Terraform
```
```bash
#!/usr/bin/env bash
# Kustomize exec KRM function: reads a ResourceList on stdin and writes the modified list to stdout.
set -eo pipefail

resourceList=$(cat)
project=$(yq '.functionConfig.spec.project' <<< "$resourceList")
namespace=$(yq '.functionConfig.spec.namespace' <<< "$resourceList")
# -t strips the trailing newline from each element, so names can be interpolated directly.
readarray -t externals < <(yq '.functionConfig.spec.externals // [] | .[]' <<< "$resourceList")
readarray -t GSAs < <(yq '.items[] | select(.kind == "IAMServiceAccount") | .metadata.name' <<< "$resourceList")
GSAs+=( "${externals[@]}" )

# One workloadIdentityUser binding per GSA, scoped to the KSA of the same name in the target namespace.
for GSA in "${GSAs[@]}"; do
  iam_policy_member=$(cat << EOM
{
  "apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
  "kind": "IAMPolicyMember",
  "metadata": { "name": "${GSA}" },
  "spec": {
    "member": "serviceAccount:${project}.svc.id.goog[${namespace}/${GSA}]",
    "role": "roles/iam.workloadIdentityUser",
    "resourceRef": {
      "apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
      "kind": "IAMServiceAccount",
      "external": "projects/${project}/serviceAccounts/${GSA}@${project}.iam.gserviceaccount.com"
    }
  }
}
EOM
)
  # Collapse the JSON onto one line before splicing it into the yq expression.
  resourceList=$(yq ".items += [$(tr -d '\n' <<< "$iam_policy_member")]" <<< "$resourceList")
done

# Annotate the KSA with the same name so GKE maps it to the GSA.
for GSA in "${GSAs[@]}"; do
  gsa_email="${GSA}@${project}.iam.gserviceaccount.com"
  resourceList=$(yq "(.items[] | select(.kind == \"ServiceAccount\" and .metadata.name == \"${GSA}\") | .metadata.annotations) += {\"iam.gke.io/gcp-service-account\": \"${gsa_email}\"}" <<< "$resourceList")
done

echo "$resourceList"
```
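As an added example, not part of the gist, a Python check over the ResourceList the plugin emits: it pairs each `iam.gke.io/gcp-service-account` annotation with an `IAMPolicyMember` whose member is exactly `serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]`, and reports annotations with no binding and bindings that no annotated KSA uses. The sample ResourceList, the `binding` and `ksa` helpers and the `check_workload_identity` function are constructed here and assume KSAs without `metadata.namespace` land in the function config's namespace.

```python
import re

WI_ROLE = "roles/iam.workloadIdentityUser"
KSA_ANNOTATION = "iam.gke.io/gcp-service-account"
# Principal form the plugin emits: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
MEMBER_RE = re.compile(r"^serviceAccount:([^.]+)\.svc\.id\.goog\[([^/\]]+)/([^\]]+)\]$")

def check_workload_identity(resource_list):
    """Return findings; empty means every KSA annotation has a matching binding and vice versa."""
    spec = resource_list["functionConfig"]["spec"]
    project, default_ns = spec["project"], spec["namespace"]
    items = resource_list.get("items", [])
    findings, bindings, annotated = [], set(), set()
    for it in items:
        if it.get("kind") != "IAMPolicyMember" or it.get("spec", {}).get("role") != WI_ROLE:
            continue
        m = MEMBER_RE.match(it["spec"].get("member", ""))
        if not m or m.group(1) != project:
            findings.append(f"{it['metadata']['name']}: member is not a KSA principal of {project}")
            continue
        gsa_email = it["spec"].get("resourceRef", {}).get("external", "").rsplit("/", 1)[-1]
        bindings.add((m.group(2), m.group(3), gsa_email))  # (namespace, ksa name, gsa email)
    for it in items:
        gsa_email = (it.get("metadata", {}).get("annotations") or {}).get(KSA_ANNOTATION)
        if it.get("kind") != "ServiceAccount" or not gsa_email:
            continue
        key = (it["metadata"].get("namespace", default_ns), it["metadata"]["name"], gsa_email)
        annotated.add(key)
        if key not in bindings:
            findings.append(f"KSA {key[0]}/{key[1]} is annotated for {gsa_email} but has no workloadIdentityUser binding")
    for ns, name, gsa_email in sorted(bindings - annotated):
        findings.append(f"binding lets {ns}/{name} act as {gsa_email} but no KSA in the list is annotated for it")
    return findings

# Constructed sample data in the shapes the plugin's heredoc and annotation step produce.
def binding(gsa, project, ns):
    return {"kind": "IAMPolicyMember", "metadata": {"name": gsa}, "spec": {
        "member": f"serviceAccount:{project}.svc.id.goog[{ns}/{gsa}]", "role": WI_ROLE,
        "resourceRef": {"kind": "IAMServiceAccount",
                        "external": f"projects/{project}/serviceAccounts/{gsa}@{project}.iam.gserviceaccount.com"}}}

def ksa(name, gsa, project):
    return {"kind": "ServiceAccount", "metadata": {"name": name, "annotations": {
        KSA_ANNOTATION: f"{gsa}@{project}.iam.gserviceaccount.com"}}}

# "app" is consistent, "batch" is annotated without a binding, "stale" is a binding no annotated KSA uses.
SAMPLE = {"functionConfig": {"spec": {"project": "my-gcp-project", "namespace": "my-namespace"}},
          "items": [ksa("app", "app", "my-gcp-project"), ksa("batch", "batch", "my-gcp-project"),
                    binding("app", "my-gcp-project", "my-namespace"),
                    binding("stale", "my-gcp-project", "my-namespace")]}
```

Running it over the plugin's real output (after `yq -o=json`) turns the binding/annotation mismatch into a review-time finding instead of a runtime surprise in the cluster.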