ServiceIdentity: support cloudservices.gserviceaccount.com

This is an unusual P4SA, that is the P4SA for Managed Instance Groups (MIGs)

Author: justinsb

pkg/controller/direct/registry/registry.go

@@ -36,7 +36,9 @@ type registration struct {
 	gvk     schema.GroupVersionKind
 	factory ModelFactoryFunc
 	model   directbase.Model
-	rg      predicate.ReconcileGate
+
+	// reconcileGate is a condition, we will reconcile only objects matching the specified condition
+	reconcileGate predicate.ReconcileGate
 }
 
 type ModelFactoryFunc func(ctx context.Context, config *config.ControllerConfig) (directbase.Model, error)
@@ -51,7 +53,7 @@ func GetModel(gk schema.GroupKind) (directbase.Model, error) {
 
 func GetReconcileGate(gk schema.GroupKind) predicate.ReconcileGate {
 	registration := singleton.registrations[gk]
-	return registration.rg
+	return registration.reconcileGate
 }
 
 func PreferredGVK(gk schema.GroupKind) (schema.GroupVersionKind, bool) {
@@ -97,14 +99,14 @@ func RegisterModel(gvk schema.GroupVersionKind, modelFn ModelFactoryFunc) {
 	RegisterModelWithReconcileGate(gvk, modelFn, rg)
 }
 
-func RegisterModelWithReconcileGate(gvk schema.GroupVersionKind, modelFn ModelFactoryFunc, rg predicate.ReconcileGate) {
+func RegisterModelWithReconcileGate(gvk schema.GroupVersionKind, modelFn ModelFactoryFunc, reconcileGate predicate.ReconcileGate) {
 	if singleton.registrations == nil {
 		singleton.registrations = make(map[schema.GroupKind]*registration)
 	}
 	singleton.registrations[gvk.GroupKind()] = &registration{
-		gvk:     gvk,
-		factory: modelFn,
-		rg:      rg,
+		gvk:           gvk,
+		factory:       modelFn,
+		reconcileGate: reconcileGate,
 	}
 }
 

pkg/controller/direct/secretmanager/secret_controller.go

@@ -44,8 +44,8 @@ const (
 )
 
 func init() {
-	rg := &SecretReconcileGate{}
-	registry.RegisterModelWithReconcileGate(krm.SecretManagerSecretGVK, NewModel, rg)
+	reconcileGate := &SecretReconcileGate{}
+	registry.RegisterModelWithReconcileGate(krm.SecretManagerSecretGVK, NewModel, reconcileGate)
 }
 
 type SecretReconcileGate struct {

pkg/controller/direct/serviceusage/serviceidentity_controller.go

@@ -26,11 +26,13 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/GoogleCloudPlatform/k8s-config-connector/apis/common/projects"
 	krm "github.com/GoogleCloudPlatform/k8s-config-connector/apis/serviceusage/v1beta1"
 	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/config"
 	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct"
 	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/directbase"
 	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/direct/registry"
+	kccpredicate "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/controller/predicate"
 
 	gcp "google.golang.org/api/serviceusage/v1beta1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -39,8 +41,38 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// GoogleApisServiceAgent was historically used by multiple services, but for more granular permission control we moved to P4SAs instead.
+// MIGs were tricky to move though, and so instead of switching to a P4SA, they adopted the GoogleApisServiceAgent as their P4SA
+// We still want to support this though, so we recognize this "magic value"
+const GoogleApisServiceAgent = "cloudservices.gserviceaccount.com"
+
 func init() {
-	registry.RegisterModel(krm.ServiceIdentityGVK, NewServiceIdentityModel)
+	reconcileGate := &serviceIdentityReconcileGate{}
+	registry.RegisterModelWithReconcileGate(krm.ServiceIdentityGVK, NewServiceIdentityModel, reconcileGate)
+}
+
+// serviceIdentityReconcileGate opts in some reconciliation to direct.
+// Specifically if the service is the "magic" cloudservices.gserviceaccount.com P4SA,
+// we use direct - it is not supported by legacy reconcilers.
+type serviceIdentityReconcileGate struct {
+	optIn kccpredicate.OptInToDirectReconciliation
+}
+
+var _ kccpredicate.ReconcileGate = &serviceIdentityReconcileGate{}
+
+func (r *serviceIdentityReconcileGate) ShouldReconcile(o *unstructured.Unstructured) bool {
+	if r.optIn.ShouldReconcile(o) {
+		return true
+	}
+	obj := &krm.ServiceIdentity{}
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(o.Object, &obj); err != nil {
+		return false
+	}
+	serviceName := direct.ValueOf(obj.Spec.ResourceID)
+	if serviceName == "" {
+		serviceName = obj.GetName()
+	}
+	return serviceName == GoogleApisServiceAgent
 }
 
 func NewServiceIdentityModel(ctx context.Context, config *config.ControllerConfig) (directbase.Model, error) {
@@ -74,9 +106,10 @@ func (m *serviceIdentityModel) AdapterForObject(ctx context.Context, reader clie
 		return nil, err
 	}
 	return &serviceIdentityAdapter{
-		gcpBeta: gcpBeta,
-		id:      id.(*krm.ServiceIdentityIdentity),
-		desired: obj,
+		gcpBeta:       gcpBeta,
+		id:            id.(*krm.ServiceIdentityIdentity),
+		desired:       obj,
+		projectMapper: m.config.ProjectMapper,
 	}, nil
 }
 
@@ -86,7 +119,9 @@ func (m *serviceIdentityModel) AdapterForURL(ctx context.Context, url string) (d
 }
 
 type serviceIdentityAdapter struct {
-	gcpBeta *gcp.APIService
+	projectMapper *projects.ProjectMapper
+	gcpBeta       *gcp.APIService
+
 	id      *krm.ServiceIdentityIdentity
 	desired *krm.ServiceIdentity
 	actual  *gcp.ServiceIdentity // This will be populated from status or after generation
@@ -122,55 +157,64 @@ func (a *serviceIdentityAdapter) Create(ctx context.Context, createOp *directbas
 	fqn := a.id.String()
 	log.V(2).Info("generating service identity", "fqn", fqn)
 
-	//   - parent: Name of the consumer and service to generate an identity for. The
-	//     `GenerateServiceIdentity` methods currently support projects, folders,
-	//     organizations. Example parents would be:
-	//     `projects/123/services/example.googleapis.com`
-	//     `folders/123/services/example.googleapis.com`
-	//     `organizations/123/services/example.googleapis.com`.
-
-	op, err := a.gcpBeta.Services.GenerateServiceIdentity(fqn).Context(ctx).Do()
-	if err != nil {
-		return fmt.Errorf("generating service identity for %q: %w", fqn, err)
-	}
+	status := &krm.ServiceIdentityStatus{}
+	if a.id.Service == GoogleApisServiceAgent {
+		// Special case: the MIG "P4SA" (which is also the "Google APIs Service Agent")
+		// Format is always <projectNumber>@cloudservices.gserviceaccount.com
 
-	var serviceIdentity *gcp.GoogleApiServiceusageV1beta1ServiceIdentity
-	for {
-		if op.Done {
-			klog.Warningf("RESPONSE IS %v", string(op.Response))
-			klog.Warningf("FULL OPERATION IS %v", op)
-			identity := &gcp.GoogleApiServiceusageV1beta1ServiceIdentity{}
-			if err := json.Unmarshal(op.Response, identity); err != nil {
-				return fmt.Errorf("error parsing response: %w", err)
-			}
-			serviceIdentity = identity
-			break
-		}
-		time.Sleep(2 * time.Second)
-		if err := ctx.Err(); err != nil {
-			return err
+		projectNumber, err := a.projectMapper.LookupProjectNumber(ctx, a.id.ParentID.ProjectID)
+		if err != nil {
+			return fmt.Errorf("looking up project number for %q: %w", a.id.ParentID.ProjectID, err)
 		}
-		op, err = a.gcpBeta.Operations.Get(op.Name).Context(ctx).Do()
+		email := fmt.Sprintf("%[email protected]", projectNumber)
+		status.Email = &email
+	} else {
+		//   - parent: Name of the consumer and service to generate an identity for. The
+		//     `GenerateServiceIdentity` methods currently support projects, folders,
+		//     organizations. Example parents would be:
+		//     `projects/123/services/example.googleapis.com`
+		//     `folders/123/services/example.googleapis.com`
+		//     `organizations/123/services/example.googleapis.com`.
+
+		op, err := a.gcpBeta.Services.GenerateServiceIdentity(fqn).Context(ctx).Do()
 		if err != nil {
-			return fmt.Errorf("waiting for service identity generation for %q: %w", fqn, err)
+			return fmt.Errorf("generating service identity for %q: %w", fqn, err)
 		}
-	}
 
-	log.V(2).Info("successfully generated service identity", "fqn", fqn, "identity.email", serviceIdentity.Email, "identity.uniqueId", serviceIdentity.UniqueId)
+		var serviceIdentity *gcp.GoogleApiServiceusageV1beta1ServiceIdentity
+		for {
+			if op.Done {
+				identity := &gcp.GoogleApiServiceusageV1beta1ServiceIdentity{}
+				if err := json.Unmarshal(op.Response, identity); err != nil {
+					return fmt.Errorf("error parsing response: %w", err)
+				}
+				serviceIdentity = identity
+				break
+			}
+			time.Sleep(2 * time.Second)
+			if err := ctx.Err(); err != nil {
+				return err
+			}
+			op, err = a.gcpBeta.Operations.Get(op.Name).Context(ctx).Do()
+			if err != nil {
+				return fmt.Errorf("waiting for service identity generation for %q: %w", fqn, err)
+			}
+		}
 
-	// It really doesn't seem worthwhile to use the mapper here
+		log.V(2).Info("successfully generated service identity", "fqn", fqn, "identity.email", serviceIdentity.Email, "identity.uniqueId", serviceIdentity.UniqueId)
 
-	status := &krm.ServiceIdentityStatus{}
+		// It really doesn't seem worthwhile to use the mapper here
 
-	// observedState := krm.ServiceIdentityObservedState{
-	// 	Email:    direct.ValueOf(serviceIdentity.Email),
-	// 	UniqueID: direct.ValueOf(serviceIdentity.UniqueId),
-	// }
+		// observedState := krm.ServiceIdentityObservedState{
+		// 	Email:    direct.ValueOf(serviceIdentity.Email),
+		// 	UniqueID: direct.ValueOf(serviceIdentity.UniqueId),
+		// }
 
-	// status.ObservedState = &observedState
+		// status.ObservedState = &observedState
 
-	status.Email = direct.LazyPtr(serviceIdentity.Email)
-	// status.UniqueID = direct.LazyPtr(serviceIdentity.UniqueId)
+		status.Email = direct.LazyPtr(serviceIdentity.Email)
+		// status.UniqueID = direct.LazyPtr(serviceIdentity.UniqueId)
+	}
 
 	// status.ExternalRef = direct.LazyPtr(parent)
 	return createOp.UpdateStatus(ctx, status, nil)

pkg/test/resourcefixture/testdata/basic/serviceusage/v1beta1/serviceidentity/serviceidentity-gserviceaccount/_generated_object_serviceidentity-gserviceaccount.golden.yaml

@@ -0,0 +1,26 @@
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: ServiceIdentity
+metadata:
+  annotations:
+    cnrm.cloud.google.com/management-conflict-prevention-policy: none
+  finalizers:
+  - cnrm.cloud.google.com/finalizer
+  - cnrm.cloud.google.com/deletion-defender
+  generation: 1
+  labels:
+    cnrm-test: "true"
+  name: example
+  namespace: ${uniqueId}
+spec:
+  projectRef:
+    external: ${projectId}
+  resourceID: cloudservices.gserviceaccount.com
+status:
+  conditions:
+  - lastTransitionTime: "1970-01-01T00:00:00Z"
+    message: The resource is up to date
+    reason: UpToDate
+    status: "True"
+    type: Ready
+  email: ${projectNumber}@cloudservices.gserviceaccount.com
+  observedGeneration: 1

pkg/test/resourcefixture/testdata/basic/serviceusage/v1beta1/serviceidentity/serviceidentity-gserviceaccount/_http.log

@@ -0,0 +1,22 @@
+GET https://cloudresourcemanager.googleapis.com/v3/projects/${projectId}?%24alt=json%3Benum-encoding%3Dint
+Content-Type: application/json
+User-Agent: kcc/${kccVersion} (+https://github.com/GoogleCloudPlatform/k8s-config-connector) kcc/controller-manager/${kccVersion}
+X-Goog-Request-Params: name=projects%2F${projectId}
+
+200 OK
+Content-Type: application/json; charset=UTF-8
+Server: ESF
+Vary: Origin
+Vary: X-Origin
+Vary: Referer
+X-Content-Type-Options: nosniff
+X-Frame-Options: SAMEORIGIN
+X-Xss-Protection: 0
+
+{
+  "createTime": "2024-04-01T12:34:56.123456Z",
+  "etag": "abcdef0123A=",
+  "name": "projects/${projectNumber}",
+  "projectId": "${projectId}",
+  "state": 1
+}

pkg/test/resourcefixture/testdata/basic/serviceusage/v1beta1/serviceidentity/serviceidentity-gserviceaccount/create.yaml

@@ -0,0 +1,22 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: ServiceIdentity
+metadata:
+  name: example
+spec:
+  projectRef:
+    external: ${projectId}
+  resourceID: cloudservices.gserviceaccount.com