Commit a26d787b authored by Hordur Freyr Yngvason's avatar Hordur Freyr Yngvason Committed by Thong Kuah

Fix tillerless helm command permissions

Helm commands run in the context of a service account, currently tiller,
but when a cluster is tillerless from the start they do not have this
account present.

Previously, these resources were being created as part of the helm tiller
installation.
parent 24b51f5c
......@@ -25,11 +25,21 @@ module Gitlab
end
def service_account_resource
nil
return unless rbac?
Gitlab::Kubernetes::ServiceAccount.new(service_account_name, namespace).generate
end
def cluster_role_binding_resource
nil
return unless rbac?
subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: namespace }]
Gitlab::Kubernetes::ClusterRoleBinding.new(
cluster_role_binding_name,
cluster_role_name,
subjects
).generate
end
def file_names
......@@ -61,6 +71,14 @@ module Gitlab
def service_account_name
Gitlab::Kubernetes::Helm::SERVICE_ACCOUNT
end
def cluster_role_binding_name
Gitlab::Kubernetes::Helm::CLUSTER_ROLE_BINDING
end
def cluster_role_name
Gitlab::Kubernetes::Helm::CLUSTER_ROLE
end
end
end
end
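Review bot: `cluster_role_binding_resource` in the first hunk binds the helm service account to `cluster_role_name` cluster-wide, and the base_command_spec added in this commit expects that role to be `cluster-admin`, yet the new code carries no comment recording that every RBAC-enabled helm command now emits this grant rather than only the init command. I would add above the method: `# Binds the helm service account to CLUSTER_ROLE (cluster-admin per spec) cluster-wide; emitted by every command, not only init, so clusters that start tillerless still get the account and binding`. Whether re-applying the binding on each command is idempotent depends on how the caller applies these resources, which is outside this hunk. The enclosing class starts before the hunk and the `rbac?` predicate both methods rely on is defined outside the visible lines.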
......@@ -24,24 +24,6 @@ module Gitlab
@rbac
end
def service_account_resource
return unless rbac?
Gitlab::Kubernetes::ServiceAccount.new(service_account_name, namespace).generate
end
def cluster_role_binding_resource
return unless rbac?
subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: namespace }]
Gitlab::Kubernetes::ClusterRoleBinding.new(
cluster_role_binding_name,
cluster_role_name,
subjects
).generate
end
private
def init_helm_command
......@@ -69,14 +51,6 @@ module Gitlab
['--service-account', service_account_name]
end
def cluster_role_binding_name
Gitlab::Kubernetes::Helm::CLUSTER_ROLE_BINDING
end
def cluster_role_name
Gitlab::Kubernetes::Helm::CLUSTER_ROLE
end
end
end
end
......@@ -61,4 +61,56 @@ describe Gitlab::Kubernetes::Helm::BaseCommand do
it { is_expected.to eq('install-test-class-name') }
end
describe '#service_account_resource' do
let(:resource) do
Kubeclient::Resource.new(metadata: { name: 'tiller', namespace: 'gitlab-managed-apps' })
end
subject { base_command.service_account_resource }
context 'rbac is enabled' do
let(:rbac) { true }
it 'generates a Kubeclient resource for the tiller ServiceAccount' do
is_expected.to eq(resource)
end
end
context 'rbac is not enabled' do
let(:rbac) { false }
it 'generates nothing' do
is_expected.to be_nil
end
end
end
describe '#cluster_role_binding_resource' do
let(:resource) do
Kubeclient::Resource.new(
metadata: { name: 'tiller-admin' },
roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', name: 'cluster-admin' },
subjects: [{ kind: 'ServiceAccount', name: 'tiller', namespace: 'gitlab-managed-apps' }]
)
end
subject { base_command.cluster_role_binding_resource }
context 'rbac is enabled' do
let(:rbac) { true }
it 'generates a Kubeclient resource for the ClusterRoleBinding for tiller' do
is_expected.to eq(resource)
end
end
context 'rbac is not enabled' do
let(:rbac) { false }
it 'generates nothing' do
is_expected.to be_nil
end
end
end
end
......@@ -83,56 +83,4 @@ describe Gitlab::Kubernetes::Helm::InitCommand do
end
end
end
describe '#service_account_resource' do
let(:resource) do
Kubeclient::Resource.new(metadata: { name: 'tiller', namespace: 'gitlab-managed-apps' })
end
subject { init_command.service_account_resource }
context 'rbac is enabled' do
let(:rbac) { true }
it 'generates a Kubeclient resource for the tiller ServiceAccount' do
is_expected.to eq(resource)
end
end
context 'rbac is not enabled' do
let(:rbac) { false }
it 'generates nothing' do
is_expected.to be_nil
end
end
end
describe '#cluster_role_binding_resource' do
let(:resource) do
Kubeclient::Resource.new(
metadata: { name: 'tiller-admin' },
roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', name: 'cluster-admin' },
subjects: [{ kind: 'ServiceAccount', name: 'tiller', namespace: 'gitlab-managed-apps' }]
)
end
subject { init_command.cluster_role_binding_resource }
context 'rbac is enabled' do
let(:rbac) { true }
it 'generates a Kubeclient resource for the ClusterRoleBinding for tiller' do
is_expected.to eq(resource)
end
end
context 'rbac is not enabled' do
let(:rbac) { false }
it 'generates nothing' do
is_expected.to be_nil
end
end
end
end
......@@ -305,20 +305,4 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do
is_expected.to eq(resource)
end
end
describe '#service_account_resource' do
subject { install_command.service_account_resource }
it 'returns nothing' do
is_expected.to be_nil
end
end
describe '#cluster_role_binding_resource' do
subject { install_command.cluster_role_binding_resource }
it 'returns nothing' do
is_expected.to be_nil
end
end
end
......@@ -199,20 +199,4 @@ describe Gitlab::Kubernetes::Helm::PatchCommand do
is_expected.to eq(resource)
end
end
describe '#service_account_resource' do
subject { patch_command.service_account_resource }
it 'returns nothing' do
is_expected.to be_nil
end
end
describe '#cluster_role_binding_resource' do
subject { patch_command.cluster_role_binding_resource }
it 'returns nothing' do
is_expected.to be_nil
end
end
end