actuator

Documentation

Overview

Copyright 2019 The OpenShift Authors.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

• func AreSlicesEqualWithoutOrder(a, b []string) bool
• func CreateRole(gcpClient ccgcp.Client, permissions []string, ...) (*iamadminpb.Role, error)
• func CreateServiceAccount(gcpClient ccgcp.Client, ...) (*iamadminpb.ServiceAccount, error)
• func DeleteRole(gcpClient ccgcp.Client, roleName string) (*iamadminpb.Role, error)
• func DeleteServiceAccount(gcpClient ccgcp.Client, svcAcct *iamadminpb.ServiceAccount) error
• func EnsurePolicyBindingsForProject(rootClient ccgcp.Client, roles []string, member string) error
• func EnsurePolicyBindingsForServiceAccount(rootClient ccgcp.Client, svcAcct *iamadminpb.ServiceAccount, roles []string, ...) error
• func GenerateRoleID(infraName string, crName string) (string, error)
• func GetRole(gcpClient ccgcp.Client, roleID, projectName string) (*iamadminpb.Role, error)
• func GetServiceAccount(gcpClient ccgcp.Client, svcAcctID string) (*iamadminpb.ServiceAccount, error)
• func RemovePolicyBindingsForProject(gcpClient ccgcp.Client, memberName string) error
• func ServiceAccountBindingName(svcAccount *iamadminpb.ServiceAccount) string
• func UpdateRole(gcpClient ccgcp.Client, role *iamadminpb.Role, roleName string) (*iamadminpb.Role, error)
• type Actuator
  • func NewActuator(c client.Client, projectName string) (*Actuator, error)
  • func (a *Actuator) Create(ctx context.Context, cr *minterv1.CredentialsRequest) error
  • func (a *Actuator) Delete(ctx context.Context, cr *minterv1.CredentialsRequest) error
  • func (a *Actuator) Exists(ctx context.Context, cr *minterv1.CredentialsRequest) (bool, error)
  • func (a *Actuator) GetCredentialsRootSecret(ctx context.Context, cr *minterv1.CredentialsRequest) (*corev1.Secret, error)
  • func (a *Actuator) GetCredentialsRootSecretLocation() types.NamespacedName
  • func (a *Actuator) Update(ctx context.Context, cr *minterv1.CredentialsRequest) error
  • func (a *Actuator) Upgradeable(mode operatorv1.CloudCredentialsMode) *configv1.ClusterOperatorStatusCondition

Functions

func AreSlicesEqualWithoutOrder

func AreSlicesEqualWithoutOrder(a, b []string) bool

AreSlicesEqualWithoutOrder check for equality on slices without order

func CreateRole

func CreateRole(gcpClient ccgcp.Client, permissions []string, roleName, roleID, roleDescription, projectName string) (*iamadminpb.Role, error)

CreateRole creates a new role given permissions

func CreateServiceAccount

func CreateServiceAccount(gcpClient ccgcp.Client, svcAcctID, svcAcctName, svcAcctDescription, projectName string) (*iamadminpb.ServiceAccount, error)

func DeleteRole

func DeleteRole(gcpClient ccgcp.Client, roleName string) (*iamadminpb.Role, error)

DeleteRole deletes the role created to satisfy a credentials request

func DeleteServiceAccount

func DeleteServiceAccount(gcpClient ccgcp.Client, svcAcct *iamadminpb.ServiceAccount) error

func EnsurePolicyBindingsForProject

func EnsurePolicyBindingsForProject(rootClient ccgcp.Client, roles []string, member string) error

EnsurePolicyBindingsForProject ensures that given roles and member, appropriate binding is added to project

func EnsurePolicyBindingsForServiceAccount

func EnsurePolicyBindingsForServiceAccount(rootClient ccgcp.Client, svcAcct *iamadminpb.ServiceAccount, roles []string, member string) error

EnsurePolicyBindingsForServiceAccount ensures that given roles and member, appropriate binding is added to IAM service account

func GenerateRoleID

func GenerateRoleID(infraName string, crName string) (string, error)

GenerateRoleID generates a unique ID for the role given infra name and credentials request name. The role ID has a max length of 64 chars and can include only letters, numbers, period and underscores we sanitize infraName and crName to make them alphanumeric and then split role ID into 29_28_5 where the resulting string becomes: <infraName chopped to 29 chars>_<crName chopped to 28 chars>_<random 5 chars>

func GetRole

func GetRole(gcpClient ccgcp.Client, roleID, projectName string) (*iamadminpb.Role, error)

GetRole fetches the role created to satisfy a credentials request

func GetServiceAccount

func GetServiceAccount(gcpClient ccgcp.Client, svcAcctID string) (*iamadminpb.ServiceAccount, error)

func RemovePolicyBindingsForProject

func RemovePolicyBindingsForProject(gcpClient ccgcp.Client, memberName string) error

RemovePolicyBindingsForProject ensures that given member, all the associated bindings for that member are removed from the project policy

func ServiceAccountBindingName

func ServiceAccountBindingName(svcAccount *iamadminpb.ServiceAccount) string

func UpdateRole

func UpdateRole(gcpClient ccgcp.Client, role *iamadminpb.Role, roleName string) (*iamadminpb.Role, error)

UpdateRole updates an existing role given permissions

Types

type Actuator

type Actuator struct {
	ProjectName      string
	Client           client.Client
	Codec            *minterv1.ProviderCodec
	GCPClientBuilder func(string, []byte) (ccgcp.Client, error)
}

Actuator implements the CredentialsRequest Actuator interface to create credentials for GCP.

func NewActuator

func NewActuator(c client.Client, projectName string) (*Actuator, error)

NewActuator initializes and returns a new Actuator for GCP.

func (*Actuator) Create

func (a *Actuator) Create(ctx context.Context, cr *minterv1.CredentialsRequest) error

Create the credentials.

func (*Actuator) Delete

func (a *Actuator) Delete(ctx context.Context, cr *minterv1.CredentialsRequest) error

Delete the credentials. If no error returned, it is assumed that all dependent resources have been cleaned up.

func (*Actuator) Exists

func (a *Actuator) Exists(ctx context.Context, cr *minterv1.CredentialsRequest) (bool, error)

Exists checks if the credentials currently exist.

To do this we will check if the target secret exists. This call is only used to determine if we're doing a Create or an Update, but in the context of this acutator it makes no difference. As such we will not check if the service account exists in GCP and is correctly configured as this will all be handled in both Create and Update.

func (*Actuator) GetCredentialsRootSecret

func (a *Actuator) GetCredentialsRootSecret(ctx context.Context, cr *minterv1.CredentialsRequest) (*corev1.Secret, error)

GetCredentialsRootSecret will return the cluster's root GCP cloud cred secret if it exists and is properly annotated

func (*Actuator) GetCredentialsRootSecretLocation

func (a *Actuator) GetCredentialsRootSecretLocation() types.NamespacedName

GetCredentialsRootSecretLocation returns the namespace and name where the parent credentials secret is stored.

func (*Actuator) Update

func (a *Actuator) Update(ctx context.Context, cr *minterv1.CredentialsRequest) error

Update the credentials to the provided definition.

func (*Actuator) Upgradeable

func (a *Actuator) Upgradeable(mode operatorv1.CloudCredentialsMode) *configv1.ClusterOperatorStatusCondition

Upgradeable returns a ClusterOperator status condition for the upgradeable type if the system is considered not upgradeable. Otherwise, return nil as the default value is for things to be upgradeable.