author | Mayra Cabrera <mcabrera@gitlab.com> | 2018-09-21 17:23:33 -0500 |
---|---|---|
committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-09-26 21:47:29 -0300 |
commit | e5a512628b7889fad30242751f982251dffdc463 (patch) | |
tree | 7561cd92417c54e38628d67ca4ef7f0b2eefa0d5 /app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb | |
parent | e255b88e51b956d92afb5e9b90a2749a60e63459 (diff) | |
Limit GCP Kubernetes service to project namespace
51716-automatically-create-service-account-to-project-namespace
This is needed to support RBAC on AutoDevOps. Basically we:
- Create a service account under the project's namespace and assign it a
different token
- If RBAC is enabled we create a RoleBinding for this new service
account with edit access
- Service account name is exposed through environment variables on
Platform::Kubernetes
- KUBE_TOKEN and KUBECONFIG are replaced with new credentials
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51716
Diffstat (limited to 'app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb')
-rw-r--r-- | app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
index 9e09345c8dc..89209ed8bfa 100644
--- a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
+++ b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
@@ -4,10 +4,11 @@ module Clusters
   module Gcp
     module Kubernetes
       class FetchKubernetesTokenService
-        attr_reader :kubeclient
+        attr_reader :kubeclient, :namespace
 
-        def initialize(kubeclient)
+        def initialize(kubeclient, namespace)
           @kubeclient = kubeclient
+          @namespace = namespace
         end
 
         def execute
@@ -18,12 +19,16 @@ module Clusters
         private
 
         def get_secret
-          kubeclient.get_secret(SERVICE_ACCOUNT_TOKEN_NAME, SERVICE_ACCOUNT_NAMESPACE).as_json
+          kubeclient.get_secret(service_account_token_name, namespace).as_json
         rescue Kubeclient::HttpError => err
           raise err unless err.error_code == 404
 
           nil
         end
+
+        def service_account_token_name
+          SERVICE_ACCOUNT_TOKEN_NAME
+        end
       end
     end
   end
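Review bot: The new `namespace` argument in `initialize` is stored without any check, and nothing in the class documents that it must be the project's namespace rather than the former fixed SERVICE_ACCOUNT_NAMESPACE. Since `get_secret` now passes it straight to `kubeclient.get_secret`, and the existing rescue turns every 404 into `nil`, a missing or empty namespace would presumably be reported the same way as a missing secret, which hides the configuration error from the caller (hedged, as `execute` continues outside the hunk). I would fail early in `initialize` with `raise ArgumentError, 'namespace is required' if namespace.to_s.empty?` and add a comment on the attr_reader such as `# namespace: the Kubernetes namespace that owns the service account whose token is fetched; callers pass the project namespace`. The `service_account_token_name` helper only wraps the constant; if it exists to be overridden by a subclass, a one-line comment saying so would make the intent clear.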