GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
https://cloud.google.com/config-connector/docs/overview
Apache License 2.0

IAMResourceRef type does not fit ServiceAccountRef #543

Open b4nst opened 3 years ago

b4nst commented 3 years ago

Checklist

Bug Description

ServiceAccountRef is a *v1alpha1.IAMResourceRef

https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/6676269f7a16786489acf4c574b5fd42507b45bf/pkg/apis/iam/v1beta1/iampolicymember_types.go#L57

IAMResourceRef.Kind is a mandatory property (no omitempty)

https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/6676269f7a16786489acf4c574b5fd42507b45bf/pkg/apis/k8s/v1alpha1/types.go#L68-L70

But if you use the kind property in a ServiceAccountRef, you'll face

error: error validating "test.yaml": error validating data: ValidationError(IAMPolicyMember.spec.memberFrom.serviceAccountRef): unknown field "kind" in com.google.cloud.cnrm.iam.v1beta1.IAMPolicyMember.spec.memberFrom.serviceAccountRef

which is expected with regard to the documentation.

This breaks the ability to import those types in CUE, for example. I think we should either add omitempty to IAMResourceRef.Kind or use another dedicated type for ServiceAccountRef.

Kubernetes Cluster Version

Client Version: v1.21.2
Server Version: v1.18.20-gke.901

Config Connector Version

1.52.0

Config Connector Mode

cluster

Steps to Reproduce

Steps to reproduce the issue

YAML snippets

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.

  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-memberref
  spec:
    memberFrom:
      serviceAccountRef:
        name: iampolicymember-dep-memberref
        kind: ""
    role: roles/editor
    resourceRef:
      apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
      kind: PubSubTopic
      name: iampolicymember-dep-memberref
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-memberref
  ---
  apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
  kind: PubSubTopic
  metadata:
    name: iampolicymember-dep-memberref

maqiuyujoyce commented 3 years ago

Hi @b4nst, thanks for reporting the bug. We will look into fixing it!
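The mismatch reported in this issue can be reproduced with the standard library alone. The following is an added example, not code from the issue or from the Config Connector code base: the three struct types are simplified, hypothetical stand-ins (two fields only) for the shared reference type, the `omitempty` variant proposed in the report, and the `serviceAccountRef` schema that has no `kind` field.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// refRequiredKind: stand-in for the shared reference type described in the
// issue. Kind has no omitempty, so it is serialized even when empty.
type refRequiredKind struct {
	Kind string `json:"kind"`
	Name string `json:"name,omitempty"`
}

// refOptionalKind: the same type with the first fix proposed in the issue.
type refOptionalKind struct {
	Kind string `json:"kind,omitempty"`
	Name string `json:"name,omitempty"`
}

// serviceAccountRefSchema: stand-in for the schema of
// spec.memberFrom.serviceAccountRef, which does not define "kind".
type serviceAccountRefSchema struct {
	Name string `json:"name,omitempty"`
}

// validateAgainstSchema marshals ref, then decodes the result strictly so
// that unknown fields are rejected, as schema validation does on apply.
func validateAgainstSchema(ref interface{}) (string, error) {
	raw, err := json.Marshal(ref)
	if err != nil {
		return "", err
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var out serviceAccountRefSchema
	return string(raw), dec.Decode(&out)
}

func main() {
	const name = "iampolicymember-dep-memberref" // name from the YAML above
	refs := []interface{}{refRequiredKind{Name: name}, refOptionalKind{Name: name}}
	for _, ref := range refs {
		raw, err := validateAgainstSchema(ref)
		fmt.Printf("%T -> %s err=%v\n", ref, raw, err)
	}
}
```

Any tool that generates manifests from the Go type without `omitempty` emits `"kind":""`, which the stricter schema then rejects.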