cosmo-workspace · oruharo · Aug 2, 2023 · Jul 31, 2023 · Aug 1, 2023 · Aug 2, 2023
diff --git a/api/v1alpha1/template_types.go b/api/v1alpha1/template_types.go
@@ -18,8 +18,8 @@ const (
 
 	// TemplateAnnKeyUserRoles is an annotation key on Template for specific UserRoles
 	TemplateAnnKeyUserRoles = "cosmo-workspace.github.io/userroles"
-	// TemplateAnnKeyForbiddenUserRoles is an annotation key on Template which is not for specific UserRoles
-	TemplateAnnKeyForbiddenUserRoles = "cosmo-workspace.github.io/forbidden-userroles"
+	// TemplateAnnKeyRequiredAddons is a annotation key for Template which requires useraddons
+	TemplateAnnKeyRequiredAddons = "cosmo-workspace.github.io/required-useraddons"
 )
 
 func init() {

diff --git a/api/v1alpha1/user_types.go b/api/v1alpha1/user_types.go
@@ -29,7 +29,10 @@ const NamespaceLabelKeyUserName = "cosmo-workspace.github.io/user"
 const UserAddonTemplateAnnKeyDefaultUserAddon = "useraddon.cosmo-workspace.github.io/default"
 
 // Var for user addon
-const TemplateVarUserName = "{{USER_NAME}}"
+const (
+	TemplateVarUser     = "{{USER}}"
+	TemplateVarUserName = "{{USER_NAME}}"
+)
 
 const UserNamespacePrefix = "cosmo-user-"
 

diff --git a/hack/local-run-test/Makefile b/hack/local-run-test/Makefile
@@ -309,6 +309,7 @@ apply-template: kubectl cosmoctl ## Apply template.
 	for i in `ls ../../example/useraddons/*/*.yaml`; do until (kubectl apply -f $$i) do sleep 1; done; done
 	for i in `ls ../../example/workspaces/*.yaml`; do until (kubectl apply -f $$i) do sleep 1; done; done
 	$(MAKE) -C templates/dev-code-server apply
+	kubectl apply -f templates/iamserviceaccount/addon.yaml
 
 
 add-user: kubectl cosmoctl ## add user

diff --git a/hack/local-run-test/templates/dev-code-server/Makefile b/hack/local-run-test/templates/dev-code-server/Makefile
@@ -8,19 +8,14 @@ template: ## Create template
 	cd kubernetes/ && kustomize edit set image $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)
 	kustomize build kubernetes/ | cosmoctl tmpl generate -o cosmo-template.yaml --workspace \
 		--required-vars CODE-SERVER_STORAGE_GB:20,DOCKER_STORAGE:20
-	kustomize build kubernetes/ | cosmoctl tmpl generate -o team-a-template.yaml --workspace \
+	kustomize build team-a | cosmoctl tmpl generate -o team-a-template.yaml --workspace \
 		--name team-a-codeserver \
 		--desc 'only for team A' \
 		--userroles 'team-a-*' \
-		--required-vars CODE-SERVER_STORAGE_GB:20,DOCKER_STORAGE:20
-	kustomize build kubernetes/ | cosmoctl tmpl generate -o team-shared-template.yaml --workspace \
-		--name team-shared-codeserver \
-		--desc 'shared template excluding team-a-dev' \
-		--forbidden-userroles team-a-dev \
+		--required-useraddons team-a-serviceaccount \
 		--required-vars CODE-SERVER_STORAGE_GB:20,DOCKER_STORAGE:20
 
 .PHONY: apply
 apply: template ## Apply template
 	kubectl apply -f cosmo-template.yaml
-	kubectl apply -f team-a-template.yaml
-	kubectl apply -f team-shared-template.yaml
+	kubectl apply -f team-a-template.yaml
diff --git a/hack/local-run-test/templates/dev-code-server/cosmo-template.yaml b/hack/local-run-test/templates/dev-code-server/cosmo-template.yaml
@@ -1,4 +1,4 @@
-# Generated by cosmoctl - cosmo v0.10.0 cosmo-workspace 2023
+# Generated by cosmoctl - cosmo v1.0.0-rc2 cosmo-workspace 2023
 apiVersion: cosmo-workspace.github.io/v1alpha1
 kind: Template
 metadata:

diff --git a/hack/local-run-test/templates/dev-code-server/team-a-template.yaml b/hack/local-run-test/templates/dev-code-server/team-a-template.yaml
@@ -1,8 +1,9 @@
-# Generated by cosmoctl - cosmo v0.10.0 cosmo-workspace 2023
+# Generated by cosmoctl - cosmo v1.0.0-rc2 cosmo-workspace 2023
 apiVersion: cosmo-workspace.github.io/v1alpha1
 kind: Template
 metadata:
   annotations:
+    cosmo-workspace.github.io/required-useraddons: team-a-serviceaccount
     cosmo-workspace.github.io/userroles: team-a-*
     workspace.cosmo-workspace.github.io/deployment: workspace
     workspace.cosmo-workspace.github.io/service: workspace
@@ -84,7 +85,7 @@ spec:
               runAsUser: 1000
           securityContext:
             fsGroup: 1000
-          serviceAccountName: default
+          serviceAccountName: iamserviceaccount
   requiredVars:
   - default: "20"
     var: CODE-SERVER_STORAGE_GB

diff --git a/hack/local-run-test/templates/dev-code-server/team-a/kustomization.yaml b/hack/local-run-test/templates/dev-code-server/team-a/kustomization.yaml
@@ -0,0 +1,10 @@
+resources:
+- ../kubernetes
+
+patches:
+- target:
+    kind: Deployment
+  patch: |
+    - op: replace
+      path: /spec/template/spec/serviceAccountName
+      value: iamserviceaccount
diff --git a/hack/local-run-test/templates/dev-code-server/team-shared-template.yaml b/hack/local-run-test/templates/dev-code-server/team-shared-template.yaml
diff --git a/hack/local-run-test/templates/iamserviceaccount/Makefile b/hack/local-run-test/templates/iamserviceaccount/Makefile
@@ -0,0 +1,11 @@
+all: template
+
+.PHONY: template
+template:
+	kustomize build kubernetes | cosmoctl tmpl gen --useraddon \
+		--name team-a-serviceaccount \
+	    --userroles=team-a-* \
+		--disable-nameprefix \
+		--cluster-scope \
+		--required-useraddons resource-limitter \
+		-o addon.yaml
diff --git a/hack/local-run-test/templates/iamserviceaccount/addon.yaml b/hack/local-run-test/templates/iamserviceaccount/addon.yaml
@@ -0,0 +1,38 @@
+# Generated by cosmoctl - cosmo v1.0.0-rc2 cosmo-workspace 2023
+apiVersion: cosmo-workspace.github.io/v1alpha1
+kind: ClusterTemplate
+metadata:
+  annotations:
+    cosmo-workspace.github.io/disable-nameprefix: "true"
+    cosmo-workspace.github.io/required-useraddons: resource-limitter
+    cosmo-workspace.github.io/userroles: team-a-*
+  creationTimestamp: null
+  labels:
+    cosmo-workspace.github.io/type: useraddon
+  name: team-a-serviceaccount
+spec:
+  rawYaml: |
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      labels:
+        cosmo-workspace.github.io/instance: '{{INSTANCE}}'
+        cosmo-workspace.github.io/template: '{{TEMPLATE}}'
+      name: iamserviceaccount
+      namespace: '{{NAMESPACE}}'
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      labels:
+        cosmo-workspace.github.io/instance: '{{INSTANCE}}'
+        cosmo-workspace.github.io/template: '{{TEMPLATE}}'
+      name: '{{USER_NAME}}-view'
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: view
+    subjects:
+    - kind: ServiceAccount
+      name: iamserviceaccount
+      namespace: '{{NAMESPACE}}'
diff --git a/hack/local-run-test/templates/iamserviceaccount/kubernetes/clusterrolebinding.yaml b/hack/local-run-test/templates/iamserviceaccount/kubernetes/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: "{{USER_NAME}}-view"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
+- kind: ServiceAccount
+  name: iamserviceaccount
+  namespace: "{{NAMESPACE}}"
diff --git a/hack/local-run-test/templates/iamserviceaccount/kubernetes/kustomization.yaml b/hack/local-run-test/templates/iamserviceaccount/kubernetes/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+- clusterrolebinding.yaml
+- serviceaccount.yaml
diff --git a/hack/local-run-test/templates/iamserviceaccount/kubernetes/serviceaccount.yaml b/hack/local-run-test/templates/iamserviceaccount/kubernetes/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: iamserviceaccount
+  namespace: "{{NAMESPACE}}"