authorHordur Freyr Yngvason <hfyngvason@gitlab.com>2019-06-28 15:46:42 +0200
committerHordur Freyr Yngvason <hfyngvason@gitlab.com>2019-07-01 15:49:10 +0200
commit02e64d0eed9606ee6aae177d2c75294f98be699f (patch)
tree3f9596962084994706e7aac244d326f6745b2f07
parent6f91c4763b9dced844b4d482781c8ea95a4a8434 (diff)
downloadgitlab-ce-hfy/apply-cluster-role-for-knative-serving-to-added-clusters.tar.gz
Provision knative-serving-only cluster role for managed rbac user clustershfy/apply-cluster-role-for-knative-serving-to-added-clusters
Allows the gitlab service account deploy to Knative (via the default edit role)
-rw-r--r--app/workers/cluster_provision_worker.rb27
-rw-r--r--spec/workers/cluster_provision_worker_spec.rb31
2 files changed, 55 insertions, 3 deletions
diff --git a/app/workers/cluster_provision_worker.rb b/app/workers/cluster_provision_worker.rb
index 59de7903c1c..7f2c4785eb5 100644
--- a/app/workers/cluster_provision_worker.rb
+++ b/app/workers/cluster_provision_worker.rb
@@ -6,9 +6,32 @@ class ClusterProvisionWorker
def perform(cluster_id)
Clusters::Cluster.find_by_id(cluster_id).try do |cluster|
- cluster.provider.try do |provider|
- Clusters::Gcp::ProvisionService.new.execute(provider) if cluster.gcp?
+ if cluster.gcp?
+ cluster.provider.try do |provider|
+ Clusters::Gcp::ProvisionService.new.execute(provider)
+ end
+ elsif cluster.user?
+ if cluster.platform_kubernetes_rbac? && cluster.managed?
+ create_or_update_aggregate_to_edit_role(cluster)
+ end
end
end
end
+
+ private
+
+ def create_or_update_aggregate_to_edit_role(cluster)
+ name = 'gitlab-knative-serving-only-role'
+ labels = { 'rbac.authorization.k8s.io/aggregate-to-edit' => 'true' }
+ rules = [{
+ apiGroups: %w(serving.knative.dev),
+ resources: %w(configurations configurationgenerations routes revisions revisionuids autoscalers services),
+ verbs: %w(get list create update delete patch watch)
+ }]
+
+ cluster_role = Gitlab::Kubernetes::ClusterRole.new(name, labels, rules)
+
+ # update_cluster_role actually behaves like a "create or update" method
+ cluster.kubeclient.update_cluster_role(cluster_role.generate)
+ end
end
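Review bot: The `rbac.authorization.k8s.io/aggregate-to-edit` label on the new ClusterRole in `create_or_update_aggregate_to_edit_role` widens the built-in `edit` role for every subject bound to it anywhere in the cluster, not only for the GitLab service account the commit message mentions, and nothing in the hunk records that scope; I would add above the `labels` line `# NOTE: aggregating into the built-in "edit" ClusterRole grants these serving.knative.dev verbs (including delete/patch) to every subject bound to "edit" in any namespace, not just GitLab's service account.` The `name`, `labels` and `rules` values are fixed per call and would read more conventionally as frozen class-level constants (`KNATIVE_SERVING_ROLE_NAME = 'gitlab-knative-serving-only-role'.freeze` and similar), though that is style only. The `cluster.kubeclient.update_cluster_role` call has no rescue, so an API or auth failure presumably surfaces as a worker exception and is left to the worker's retry policy, which is worth a one-line comment if intended. The enclosing `class ClusterProvisionWorker` starts outside the hunk.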
diff --git a/spec/workers/cluster_provision_worker_spec.rb b/spec/workers/cluster_provision_worker_spec.rb
index 3f69962f25d..aacdb8f67ba 100644
--- a/spec/workers/cluster_provision_worker_spec.rb
+++ b/spec/workers/cluster_provision_worker_spec.rb
@@ -16,13 +16,36 @@ describe ClusterProvisionWorker do
end
context 'when provider type is user' do
- let(:cluster) { create(:cluster, :provided_by_user) }
+ let(:cluster) { create(:cluster, :provided_by_user, managed: false) }
it 'does not provision a cluster' do
expect_any_instance_of(Clusters::Gcp::ProvisionService).not_to receive(:execute)
described_class.new.perform(cluster.id)
end
+
+ it 'does not create a cluster role if the cluster is not managed rbac' do
+ expect_any_instance_of(::Gitlab::Kubernetes::KubeClient).not_to receive(:update_cluster_role)
+
+ described_class.new.perform(cluster.id)
+ end
+
+ context 'when the cluster is a managed rbac cluster' do
+ before do
+ cluster.update(managed: true)
+ end
+
+ it 'creates an aggregated to edit cluster role for the serving.knative.dev API group' do
+ expect_any_instance_of(::Gitlab::Kubernetes::KubeClient).to receive(:update_cluster_role).with(
+ having_attributes(
+ metadata: having_attributes(labels: having_attributes('rbac.authorization.k8s.io/aggregate-to-edit' => 'true')),
+ rules: array_including(having_attributes(apiGroups: %w(serving.knative.dev)))
+ )
+ ).and_return(true)
+
+ described_class.new.perform(cluster.id)
+ end
+ end
end
context 'when cluster does not exist' do
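Review bot: The worker's new guard requires both `platform_kubernetes_rbac?` and `managed?`, but the specs in this hunk only toggle `managed`; there is no example where the cluster is managed yet not RBAC, so a regression that drops the `platform_kubernetes_rbac?` check would pass. I would add, inside the `'when provider type is user'` context, an example along the lines of `it 'does not create a cluster role for a managed non-rbac cluster'` that stubs or sets `platform_kubernetes_rbac?` to false with `managed: true` and asserts `not_to receive(:update_cluster_role)`, assuming the factory exposes a way to build a non-RBAC platform. The positive example at `'creates an aggregated to edit cluster role ...'` also checks only the label and `apiGroups`, not the `verbs` or `resources` lists, so a later widening of the granted verbs would go unnoticed.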
@@ -31,6 +54,12 @@ describe ClusterProvisionWorker do
described_class.new.perform(123)
end
+
+ it 'does not attempt to create a cluster role' do
+ expect_any_instance_of(::Gitlab::Kubernetes::KubeClient).not_to receive(:update_cluster_role)
+
+ described_class.new.perform(123)
+ end
end
end
end