Do not add username labels to Identities and Users

pkg/cmd/generate/assertion_test.go

@@ -291,7 +291,6 @@ type userAssertion struct {
 func (a *storageAssertionImpl) assertUser(name string) userAssertion {
 	expLabels := map[string]string{
 		"provider": "ksctl",
-		"username": name,
 	}
 
 	userObj := &userv1.User{}

pkg/cmd/generate/cluster.go

@@ -26,9 +26,10 @@ func ensureServiceAccounts(ctx *clusterContext, objsCache objectsCache) error {
 		}
 
 		pm := &permissionsManager{
-			objectsCache:    objsCache,
-			createSubject:   ensureServiceAccount(saNamespace),
-			subjectBaseName: sa.Name,
+			objectsCache:           objsCache,
+			createSubject:          ensureServiceAccount(saNamespace),
+			subjectBaseName:        sa.Name,
+			objectIsServiceAccount: true,
 		}
 
 		if err := pm.ensurePermissions(ctx, sa.PermissionsPerClusterType); err != nil {
@@ -56,7 +57,7 @@ func ensureUsers(ctx *clusterContext, objsCache objectsCache) error {
 		}
 		// create the subject if explicitly requested (even if there is no specific permissions)
 		if user.AllClusters {
-			if _, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), ksctlLabelsWithUsername(m.subjectBaseName)); err != nil {
+			if _, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), ksctlLabels()); err != nil {
 				return err
 			}
 		}

pkg/cmd/generate/permissions.go

@@ -16,8 +16,9 @@ import (
 
 type permissionsManager struct {
 	objectsCache
-	createSubject   newSubjectFunc
-	subjectBaseName string
+	createSubject          newSubjectFunc
+	subjectBaseName        string
+	objectIsServiceAccount bool
 }
 
 type newSubjectFunc func(ctx *clusterContext, objsCache objectsCache, subjectBaseName, targetNamespace string, labels map[string]string) (rbacv1.Subject, error)
@@ -81,7 +82,14 @@ func (m *permissionsManager) ensurePermission(ctx *clusterContext, roleName, tar
 	}
 
 	// ensure that the subject exists
-	subject, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), ksctlLabelsWithUsername(m.subjectBaseName))
+	labels := ksctlLabels()
+	if m.objectIsServiceAccount {
+		// It might be useful to have the corresponding username in labels in the SA
+		// However we don't want to add the username label to Identities and Users because usernames are not DNS compliant and not always can be used as labels
+		// TODO don't use the raw username as a label in SA too. We could use annotations instead.
+		labels = ksctlLabelsWithUsername(m.subjectBaseName)
+	}
+	subject, err := m.createSubject(ctx, m.objectsCache, m.subjectBaseName, defaultSAsNamespace(ctx.kubeSawAdmins, ctx.clusterType), labels)
 	if err != nil {
 		return err
 	}

pkg/cmd/generate/permissions_test.go

@@ -125,7 +125,6 @@ func TestEnsureServiceAccount(t *testing.T) {
 func TestEnsureUserAndIdentity(t *testing.T) {
 	labels := map[string]string{
 		"provider": "ksctl",
-		"username": "john-crtadmin",
 	}
 	require.NoError(t, client.AddToScheme())
 
@@ -222,8 +221,9 @@ func newPermissionsManager(t *testing.T, clusterType configuration.ClusterType,
 	cache := objectsCache{}
 
 	return permissionsManager{
-		objectsCache:    cache,
-		subjectBaseName: "john",
-		createSubject:   ensureServiceAccount(""),
+		objectsCache:           cache,
+		subjectBaseName:        "john",
+		createSubject:          ensureServiceAccount(""),
+		objectIsServiceAccount: true,
 	}, clusterCtx
 }