emojivoto is working.

But... need to do major rework only a single networkauthentication may be set the required authenticationRefs in the authorization policy are anded together so we should use a separate authorization policy for each communication link
2025-01-25 12:44:01 +01:00 · 2025-01-25 12:44:01 +01:00 · cd4023f5ce
commit cd4023f5ce
parent 56398027b7
3 changed files with 24 additions and 9 deletions
--- a/cmd/policygen/linkerd_generator.go
+++ b/cmd/policygen/linkerd_generator.go
@ -3,9 +3,12 @@ package main
 import (
 	"fmt"
 	"io"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"
 	"slices"
 	"strconv"
+	"strings"
 )

 type LinkerdPolicyGenerator struct {
@ -104,7 +107,7 @@ func (g *LinkerdPolicyGenerator) GenerateCommunicationRule(
 			// linkerd rules
 			// 1. an authpolicy may contain only one meshtlsauthentication rule
 			// 2. an authpolicy may contain only one service account .
-			// 3. an authpolicy may contain more than one networkauthentication
+			// 3. an authpolicy may contain only one networkauthentication
 			//
 			// Should generate here a methtlsautheorization for every port
 			// and pass in a list of service accounts instead of a list of apps.
@ -136,13 +139,24 @@ func (g *LinkerdPolicyGenerator) GenerateCommunicationRule(
 	return nil
 }

-func (g *LinkerdPolicyGenerator) serviceAccounts(peers []*ApplicationPeer) []string {
-	serviceAccounts := []string{}
+func (g *LinkerdPolicyGenerator) serviceAccounts(peers []*ApplicationPeer) []v1.ServiceAccount {
+	serviceAccounts := []v1.ServiceAccount{}
 	for _, peer := range peers {
-		serviceAccounts = append(serviceAccounts, peer.Application.ServiceAccounts...)
+		for _, sa := range peer.Application.ServiceAccounts {
+			serviceAccounts = append(serviceAccounts, v1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      sa,
+					Namespace: peer.Application.Namespace.Name,
+				},
+			})
+		}
 	}
-	slices.Sort(serviceAccounts)
-	return slices.Compact(serviceAccounts)
+	slices.SortFunc(serviceAccounts, func(s1 v1.ServiceAccount, s2 v1.ServiceAccount) int {
+		return strings.Compare(s1.Namespace+"/"+s1.Name, s2.Namespace+"/"+s2.Name)
+	})
+	return slices.CompactFunc(serviceAccounts, func(s1, s2 v1.ServiceAccount) bool {
+		return s1.Namespace == s2.Namespace && s1.Name == s2.Name
+	})
 }

 func (g *LinkerdPolicyGenerator) Finalize(writer io.Writer) error {
--- a/cmd/policygen/templates/linkerd/application/meshtlsauthentication.yaml
+++ b/cmd/policygen/templates/linkerd/application/meshtlsauthentication.yaml
@ -2,12 +2,13 @@
 apiVersion: policy.linkerd.io/v1alpha1
 kind: MeshTLSAuthentication
 metadata:
-  name: {{ .app.Name }}-{{.port}}
+  name: {{ .app.Name }}-p{{.port}}
  namespace: {{ .app.Namespace.Name }}
 spec:
  identityRefs:
  {{- range $sa := .serviceAccounts }}
    - kind: ServiceAccount
-      name: {{ $sa }}
+      name: {{ $sa.Name }}
+      namespace: {{ $sa.Namespace }}
  {{- end }}

--- a/cmd/policygen/templates/linkerd/application/server.yaml
+++ b/cmd/policygen/templates/linkerd/application/server.yaml
@ -1,7 +1,7 @@
 {{- range $port := .Ports }}
 {{- if or (eq $port.Protocol "TCP") (not $port.Protocol) }}
 ---
-apiVersion: policy.linkerd.io/v1beta1
+apiVersion: policy.linkerd.io/v1beta3
 kind: Server
 metadata:
  name: {{ $.Name }}-p{{ $port.Port }}