Merge branch 'fix-tillerless-helm-commands' into 'master'

Fix tillerless helm command permissions See merge request gitlab-org/gitlab!29268

Merge branch 'fix-tillerless-helm-commands' into 'master'
Fix tillerless helm command permissions See merge request gitlab-org/gitlab!29268
74df7c80 · Thong Kuah · 8e070e94 · a26d787b · 74df7c80 · 74df7c80
Commit 74df7c80 authored Apr 16, 2020 by Thong Kuah
6 changed files
--- a/lib/gitlab/kubernetes/helm/base_command.rb
+++ b/lib/gitlab/kubernetes/helm/base_command.rb
@@ -25,11 +25,21 @@ module Gitlab
        end
        def service_account_resource
-          nil
+          return unless rbac?
+          Gitlab::Kubernetes::ServiceAccount.new(service_account_name, namespace).generate
        end
        def cluster_role_binding_resource
-          nil
+          return unless rbac?
+          subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: namespace }]
+          Gitlab::Kubernetes::ClusterRoleBinding.new(
+            cluster_role_binding_name,
+            cluster_role_name,
+            subjects
+          ).generate
        end
        def file_names
@@ -61,6 +71,14 @@ module Gitlab
        def service_account_name
          Gitlab::Kubernetes::Helm::SERVICE_ACCOUNT
        end
+        def cluster_role_binding_name
+          Gitlab::Kubernetes::Helm::CLUSTER_ROLE_BINDING
+        end
+        def cluster_role_name
+          Gitlab::Kubernetes::Helm::CLUSTER_ROLE
+        end
      end
    end
  end

--- a/lib/gitlab/kubernetes/helm/init_command.rb
+++ b/lib/gitlab/kubernetes/helm/init_command.rb
@@ -24,24 +24,6 @@ module Gitlab
          @rbac
        end
-        def service_account_resource
-          return unless rbac?
-          Gitlab::Kubernetes::ServiceAccount.new(service_account_name, namespace).generate
-        end
-        def cluster_role_binding_resource
-          return unless rbac?
-          subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: namespace }]
-          Gitlab::Kubernetes::ClusterRoleBinding.new(
-            cluster_role_binding_name,
-            cluster_role_name,
-            subjects
-          ).generate
-        end
        private
        def init_helm_command
@@ -69,14 +51,6 @@ module Gitlab
          ['--service-account', service_account_name]
        end
-        def cluster_role_binding_name
-          Gitlab::Kubernetes::Helm::CLUSTER_ROLE_BINDING
-        end
-        def cluster_role_name
-          Gitlab::Kubernetes::Helm::CLUSTER_ROLE
-        end
      end
    end
  end

--- a/spec/lib/gitlab/kubernetes/helm/base_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/base_command_spec.rb
@@ -61,4 +61,56 @@ describe Gitlab::Kubernetes::Helm::BaseCommand do
    it { is_expected.to eq('install-test-class-name') }
  end
+  describe '#service_account_resource' do
+    let(:resource) do
+      Kubeclient::Resource.new(metadata: { name: 'tiller', namespace: 'gitlab-managed-apps' })
+    end
+    subject { base_command.service_account_resource }
+    context 'rbac is enabled' do
+      let(:rbac) { true }
+      it 'generates a Kubeclient resource for the tiller ServiceAccount' do
+        is_expected.to eq(resource)
+      end
+    end
+    context 'rbac is not enabled' do
+      let(:rbac) { false }
+      it 'generates nothing' do
+        is_expected.to be_nil
+      end
+    end
+  end
+  describe '#cluster_role_binding_resource' do
+    let(:resource) do
+      Kubeclient::Resource.new(
+        metadata: { name: 'tiller-admin' },
+        roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', name: 'cluster-admin' },
+        subjects: [{ kind: 'ServiceAccount', name: 'tiller', namespace: 'gitlab-managed-apps' }]
+      )
+    end
+    subject { base_command.cluster_role_binding_resource }
+    context 'rbac is enabled' do
+      let(:rbac) { true }
+      it 'generates a Kubeclient resource for the ClusterRoleBinding for tiller' do
+        is_expected.to eq(resource)
+      end
+    end
+    context 'rbac is not enabled' do
+      let(:rbac) { false }
+      it 'generates nothing' do
+        is_expected.to be_nil
+      end
+    end
+  end
 end
--- a/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
@@ -83,56 +83,4 @@ describe Gitlab::Kubernetes::Helm::InitCommand do
      end
    end
  end
-  describe '#service_account_resource' do
-    let(:resource) do
-      Kubeclient::Resource.new(metadata: { name: 'tiller', namespace: 'gitlab-managed-apps' })
-    end
-    subject { init_command.service_account_resource }
-    context 'rbac is enabled' do
-      let(:rbac) { true }
-      it 'generates a Kubeclient resource for the tiller ServiceAccount' do
-        is_expected.to eq(resource)
-      end
-    end
-    context 'rbac is not enabled' do
-      let(:rbac) { false }
-      it 'generates nothing' do
-        is_expected.to be_nil
-      end
-    end
-  end
-  describe '#cluster_role_binding_resource' do
-    let(:resource) do
-      Kubeclient::Resource.new(
-        metadata: { name: 'tiller-admin' },
-        roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', name: 'cluster-admin' },
-        subjects: [{ kind: 'ServiceAccount', name: 'tiller', namespace: 'gitlab-managed-apps' }]
-      )
-    end
-    subject { init_command.cluster_role_binding_resource }
-    context 'rbac is enabled' do
-      let(:rbac) { true }
-      it 'generates a Kubeclient resource for the ClusterRoleBinding for tiller' do
-        is_expected.to eq(resource)
-      end
-    end
-    context 'rbac is not enabled' do
-      let(:rbac) { false }
-      it 'generates nothing' do
-        is_expected.to be_nil
-      end
-    end
-  end
 end
--- a/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
@@ -305,20 +305,4 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do
      is_expected.to eq(resource)
    end
  end
-  describe '#service_account_resource' do
-    subject { install_command.service_account_resource }
-    it 'returns nothing' do
-      is_expected.to be_nil
-    end
-  end
-  describe '#cluster_role_binding_resource' do
-    subject { install_command.cluster_role_binding_resource }
-    it 'returns nothing' do
-      is_expected.to be_nil
-    end
-  end
 end
--- a/spec/lib/gitlab/kubernetes/helm/patch_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/patch_command_spec.rb
@@ -199,20 +199,4 @@ describe Gitlab::Kubernetes::Helm::PatchCommand do
      is_expected.to eq(resource)
    end
  end
-  describe '#service_account_resource' do
-    subject { patch_command.service_account_resource }
-    it 'returns nothing' do
-      is_expected.to be_nil
-    end
-  end
-  describe '#cluster_role_binding_resource' do
-    subject { patch_command.cluster_role_binding_resource }
-    it 'returns nothing' do
-      is_expected.to be_nil
-    end
-  end
 end