diff --git a/pkg/cmd/generate/assertion_test.go b/pkg/cmd/generate/assertion_test.go
index 5d8093e..ec3ea7c 100644
--- a/pkg/cmd/generate/assertion_test.go
+++ b/pkg/cmd/generate/assertion_test.go
@@ -291,7 +291,6 @@ type userAssertion struct {
 func (a *storageAssertionImpl) assertUser(name string) userAssertion {
 expLabels := map[string]string{
 "provider": "ksctl",
- "username": name,
 }
 userObj := &userv1.User{}
diff --git a/pkg/cmd/generate/cluster.go b/pkg/cmd/generate/cluster.go
index b34b5f3..8daa107 100644
--- a/pkg/cmd/generate/cluster.go
+++ b/pkg/cmd/generate/cluster.go
@@ -26,9 +26,10 @@ func ensureServiceAccounts(ctx *clusterContext, objsCache objectsCache) error {
 }
 pm := &permissionsManager{
- objectsCache: objsCache,
- createSubject: ensureServiceAccount(saNamespace),
- subjectBaseName: sa.Name,
+ objectsCache: objsCache,
+ createSubject: ensureServiceAccount(saNamespace),
+ subjectBaseName: sa.Name,
+ objectIsServiceAccount: true,
 }
 if err := pm.ensurePermissions(ctx, sa.PermissionsPerClusterType); err != nil {
@@ -56,7 +57,7 @@ func ensureUsers(ctx *clusterContext, objsCache objectsCache) error {
 }
 // create the subject if explicitly requested (even if there is no specific permissions)
 if user.AllClusters {
- if _, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), ksctlLabelsWithUsername(m.subjectBaseName)); err != nil {
+ if _, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), ksctlLabels()); err != nil {
 return err
 }
 }
diff --git a/pkg/cmd/generate/permissions.go b/pkg/cmd/generate/permissions.go
index 1cad906..6096243 100644
--- a/pkg/cmd/generate/permissions.go
+++ b/pkg/cmd/generate/permissions.go
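Review bot: The choice between `ksctlLabels()` and `ksctlLabelsWithUsername(...)` is now made in two places — hard-coded to `ksctlLabels()` on the changed line of this `ensureUsers` hunk, and selected by the `objectIsServiceAccount` flag in the `ensurePermission` hunk of permissions.go — so a manager whose flag and `createSubject` disagree gets a differently labelled subject depending on which path creates it. Putting the decision on the manager keeps both call sites consistent: `if _, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), m.subjectLabels()); err != nil {`, with the same helper replacing the seven-line branch in `ensurePermission`. `ensureUsers` starts before this hunk and `m` is built outside it, so how the flag is set for users is not visible here.
```go
// subjectLabels returns the labels applied to the subject that createSubject
// creates. The username label is added only for ServiceAccounts, because
// User and Identity names are not guaranteed to be valid label values.
func (m *permissionsManager) subjectLabels() map[string]string {
	if m.objectIsServiceAccount {
		return ksctlLabelsWithUsername(m.subjectBaseName)
	}
	return ksctlLabels()
}
```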
@@ -16,8 +16,9 @@ import (
 type permissionsManager struct {
 objectsCache
- createSubject newSubjectFunc
- subjectBaseName string
+ createSubject newSubjectFunc
+ subjectBaseName string
+ objectIsServiceAccount bool
 }
 type newSubjectFunc func(ctx *clusterContext, objsCache objectsCache, subjectBaseName, targetNamespace string, labels map[string]string) (rbacv1.Subject, error)
@@ -81,7 +82,14 @@ func (m *permissionsManager) ensurePermission(ctx *clusterContext, roleName, tar
 }
 // ensure that the subject exists
- subject, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), ksctlLabelsWithUsername(m.subjectBaseName))
+ labels := ksctlLabels()
+ if m.objectIsServiceAccount {
+ // It might be useful to have the corresponding username in labels in the SA
+ // However we don't want to add the username label to Identities and Users because usernames are not DNS compliant and not always can be used as labels
+ // TODO don't use the raw username as a label in SA too. We could use annotations instead.
+ labels = ksctlLabelsWithUsername(m.subjectBaseName)
+ }
+ subject, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), labels)
 if err != nil {
 return err
 }
diff --git a/pkg/cmd/generate/permissions_test.go b/pkg/cmd/generate/permissions_test.go
index 917901f..0ac9494 100644
--- a/pkg/cmd/generate/permissions_test.go
+++ b/pkg/cmd/generate/permissions_test.go
@@ -125,7 +125,6 @@ func TestEnsureServiceAccount(t *testing.T) {
 func TestEnsureUserAndIdentity(t *testing.T) {
 labels := map[string]string{
 "provider": "ksctl",
- "username": "john-crtadmin",
 }
 require.NoError(t, client.AddToScheme())
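Review bot: The new `objectIsServiceAccount` field has no comment, and because it is a plain bool that must agree with whatever `createSubject` is set to, a reader of the struct cannot tell that a mismatched pair (for example `ensureServiceAccount(...)` with the flag left false) silently drops the username label instead of failing. A field comment such as `// objectIsServiceAccount must be true when createSubject produces a ServiceAccount; only then is the subject labelled with its username (see ensurePermission).` makes the coupling explicit. The embedded `objectsCache` field and the `type newSubjectFunc` line that follows are unchanged context.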
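Review bot: The ServiceAccount branch of `ensurePermission` still passes the raw `m.subjectBaseName` as a label value, which the TODO on the same lines acknowledges; since the function already returns errors, checking the value up front would turn an API-server rejection of the whole object into a clear local error, e.g. `if errs := validation.IsValidLabelValue(m.subjectBaseName); len(errs) > 0 { return fmt.Errorf("service account name %q is not a valid label value: %v", m.subjectBaseName, errs) }` from `k8s.io/apimachinery/pkg/util/validation`, which the module presumably already pulls in alongside `rbacv1`. The second added comment line also reads awkwardly — `not always can be used as labels` would be clearer as `cannot always be used as labels`. `ensurePermission` starts before this hunk and continues after it.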
@@ -222,8 +221,9 @@ func newPermissionsManager(t *testing.T, clusterType configuration.ClusterType,
 cache := objectsCache{}
 return permissionsManager{
- objectsCache: cache,
- subjectBaseName: "john",
- createSubject: ensureServiceAccount(""),
+ objectsCache: cache,
+ subjectBaseName: "john",
+ createSubject: ensureServiceAccount(""),
+ objectIsServiceAccount: true,
 }, clusterCtx
 }
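Review bot: `newPermissionsManager` now always sets `objectIsServiceAccount: true`, so every test built through this helper exercises only the ServiceAccount branch of `ensurePermission`; the new branch that returns `ksctlLabels()` for Users and Identities does not appear to be reachable from this helper, and whether `TestEnsureUserAndIdentity` covers it by another route is not visible in this diff. Either adding a bool parameter to the helper or providing a second constructor that leaves the flag false would let a test assert that a user subject is created without the `username` label. The helper's signature and the rest of its body lie outside this hunk.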