Extract serviceaccount name and namespace from account.spec.username

Signed-off-by: Rokibul Hasan <[email protected]>

pkg/manager/controller/authentication/account_controller.go

@@ -23,6 +23,7 @@ import (
 
 	authenticationv1alpha1 "github.com/kluster-manager/cluster-auth/apis/authentication/v1alpha1"
 	"github.com/kluster-manager/cluster-auth/pkg/common"
+	"github.com/kluster-manager/cluster-auth/pkg/utils"
 
 	core "k8s.io/api/core/v1"
 	rbac "k8s.io/api/rbac/v1"
@@ -138,12 +139,21 @@ func (r *AccountReconciler) createGatewayClusterRoleBindingForUser(ctx context.C
 	}
 
 	if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
+		name, err := utils.ExtractServiceAccountName(acc.Spec.Username)
+		if err != nil {
+			return err
+		}
+		namespace, err := utils.ExtractServiceAccountNamespace(acc.Spec.Username)
+		if err != nil {
+			return err
+		}
+
 		sub = []rbac.Subject{
 			{
 				APIGroup:  "",
 				Kind:      "ServiceAccount",
-				Name:      acc.Name,
-				Namespace: common.AddonAgentInstallNamespace,
+				Name:      name,
+				Namespace: namespace,
 			},
 		}
 	}
@@ -164,7 +174,7 @@ func (r *AccountReconciler) createGatewayClusterRoleBindingForUser(ctx context.C
 	}
 
 	if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
-		crb.Name = fmt.Sprintf("ace.%s.proxy", acc.Spec.Username)
+		crb.Name = fmt.Sprintf("ace.%s.proxy", acc.Name)
 	}
 
 	_, err := cu.CreateOrPatch(ctx, r.Client, &crb, func(obj client.Object, createOp bool) client.Object {
@@ -199,9 +209,14 @@ func (r *AccountReconciler) createClusterRoleAndClusterRoleBindingToImpersonate(
 	}
 
 	if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
+		name, err := utils.ExtractServiceAccountName(acc.Spec.Username)
+		if err != nil {
+			return err
+		}
+
 		cr = rbac.ClusterRole{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: fmt.Sprintf("ace.%s.impersonate", acc.Spec.Username),
+				Name: fmt.Sprintf("ace.%s.impersonate", acc.Name),
 				OwnerReferences: []metav1.OwnerReference{
 					*metav1.NewControllerRef(acc, authenticationv1alpha1.GroupVersion.WithKind("Account")),
 				},
@@ -211,7 +226,7 @@ func (r *AccountReconciler) createClusterRoleAndClusterRoleBindingToImpersonate(
 					APIGroups:     []string{""},
 					Resources:     []string{"serviceaccounts"},
 					Verbs:         []string{"impersonate"},
-					ResourceNames: []string{acc.Name},
+					ResourceNames: []string{name},
 				},
 			},
 		}

pkg/utils/util.go

@@ -17,6 +17,7 @@ limitations under the License.
 package utils
 
 import (
+	"errors"
 	"strings"
 
 	authorizationv1alpha1 "github.com/kluster-manager/cluster-auth/apis/authorization/v1alpha1"
@@ -40,3 +41,19 @@ func ReplaceColonWithHyphen(input string) string {
 	parts := strings.Split(input, ":")
 	return strings.Join(parts, "-")
 }
+
+func ExtractServiceAccountName(name string) (string, error) {
+	parts := strings.Split(name, ":")
+	if len(parts) == 4 {
+		return parts[3], nil
+	}
+	return "", errors.New("account username is invalid")
+}
+
+func ExtractServiceAccountNamespace(name string) (string, error) {
+	parts := strings.Split(name, ":")
+	if len(parts) == 4 {
+		return parts[2], nil
+	}
+	return "", errors.New("account username is invalid")
+}