Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2019-11-16 09:06:19 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2019-11-16 09:06:19 +0000
commit: 409c3cb076e500968ec4c283cb388b56f3e7c9e6 (patch)
tree: 643e9b425314ab1f2d936ad194248255ba94d445
parent: 2860167b7774c526469be38aa2ccf58530d1bfa2 (diff)
download: gitlab-ce-409c3cb076e500968ec4c283cb388b56f3e7c9e6.tar.gz
4 files changed, 81 insertions, 0 deletions
diff --git a/app/services/clusters/kubernetes/create_or_update_service_account_service.rb b/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
index 8b8ad924b64..d798dcdcfd3 100644
--- a/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
+++ b/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
@@ -49,6 +49,8 @@ module Clusters
 
         create_or_update_knative_serving_role
         create_or_update_knative_serving_role_binding
+        create_or_update_crossplane_database_role
+        create_or_update_crossplane_database_role_binding
       end
 
       private
@@ -78,6 +80,14 @@ module Clusters
         kubeclient.update_role_binding(knative_serving_role_binding_resource)
       end
 
+      def create_or_update_crossplane_database_role
+        kubeclient.update_role(crossplane_database_role_resource)
+      end
+
+      def create_or_update_crossplane_database_role_binding
+        kubeclient.update_role_binding(crossplane_database_role_binding_resource)
+      end
+
       def service_account_resource
         Gitlab::Kubernetes::ServiceAccount.new(
           service_account_name,
@@ -134,6 +144,28 @@ module Clusters
           service_account_name: service_account_name
         ).generate
       end
+
+      def crossplane_database_role_resource
+        Gitlab::Kubernetes::Role.new(
+          name: Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME,
+          namespace: service_account_namespace,
+          rules: [{
+            apiGroups: %w(database.crossplane.io),
+            resources: %w(postgresqlinstances),
+            verbs: %w(get list create watch)
+          }]
+        ).generate
+      end
+
+      def crossplane_database_role_binding_resource
+        Gitlab::Kubernetes::RoleBinding.new(
+          name: Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME,
+          role_name: Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME,
+          role_kind: :Role,
+          namespace: service_account_namespace,
+          service_account_name: service_account_name
+        ).generate
+      end
     end
   end
 end
diff --git a/app/services/clusters/kubernetes/kubernetes.rb b/app/services/clusters/kubernetes/kubernetes.rb
index 7d5d0c2c1d6..d29519999b2 100644
--- a/app/services/clusters/kubernetes/kubernetes.rb
+++ b/app/services/clusters/kubernetes/kubernetes.rb
@@ -10,5 +10,7 @@ module Clusters
     PROJECT_CLUSTER_ROLE_NAME = 'edit'
     GITLAB_KNATIVE_SERVING_ROLE_NAME = 'gitlab-knative-serving-role'
     GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME = 'gitlab-knative-serving-rolebinding'
+    GITLAB_CROSSPLANE_DATABASE_ROLE_NAME = 'gitlab-crossplane-database-role'
+    GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME = 'gitlab-crossplane-database-rolebinding'
   end
 end
diff --git a/spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb b/spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb
index 5a3b1cd6cfb..291e63bbe4a 100644
--- a/spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb
+++ b/spec/services/clusters/kubernetes/create_or_update_namespace_service_spec.rb
@@ -37,6 +37,8 @@ describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' do
     stub_kubeclient_put_secret(api_url, "#{namespace}-token", namespace: namespace)
     stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)
     stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
+    stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME, namespace: namespace)
+    stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME, namespace: namespace)
 
     stub_kubeclient_get_secret(
       api_url,
diff --git a/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb b/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
index 10dbfc800ff..4df73fcc2ae 100644
--- a/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
+++ b/spec/services/clusters/kubernetes/create_or_update_service_account_service_spec.rb
@@ -145,6 +145,8 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
         stub_kubeclient_create_role_binding(api_url, namespace: namespace)
         stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)
         stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
+        stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME, namespace: namespace)
+        stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME, namespace: namespace)
       end
 
       it_behaves_like 'creates service account and token'
@@ -172,6 +174,31 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
         )
       end
 
+      it 'creates a role binding granting crossplane database permissions to the service account' do
+        subject
+
+        expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME}").with(
+          body: hash_including(
+            metadata: {
+              name: Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME,
+              namespace: namespace
+            },
+            roleRef: {
+              apiGroup: 'rbac.authorization.k8s.io',
+              kind: 'Role',
+              name: Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME
+            },
+            subjects: [
+              {
+                kind: 'ServiceAccount',
+                name: service_account_name,
+                namespace: namespace
+              }
+            ]
+          )
+        )
+      end
+
       it 'creates a role and role binding granting knative serving permissions to the service account' do
         subject
 
@@ -189,6 +216,24 @@ describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
           )
         )
       end
+
+      it 'creates a role and role binding granting crossplane database permissions to the service account' do
+        subject
+
+        expect(WebMock).to have_requested(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/roles/#{Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME}").with(
+          body: hash_including(
+            metadata: {
+              name: Clusters::Kubernetes::GITLAB_CROSSPLANE_DATABASE_ROLE_NAME,
+              namespace: namespace
+            },
+            rules: [{
+              apiGroups: %w(database.crossplane.io),
+              resources: %w(postgresqlinstances),
+              verbs: %w(get list create watch)
+            }]
+          )
+        )
+      end
     end
   end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2019-11-16 09:06:19 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2019-11-16 09:06:19 +0000
commit	409c3cb076e500968ec4c283cb388b56f3e7c9e6 (patch)
tree	643e9b425314ab1f2d936ad194248255ba94d445
parent	2860167b7774c526469be38aa2ccf58530d1bfa2 (diff)
download	gitlab-ce-409c3cb076e500968ec4c283cb388b56f3e7c9e6.tar.gz