author | Hordur Freyr Yngvason <hfyngvason@gitlab.com> | 2019-07-11 11:26:15 +0000 |
---|---|---|
committer | Achilleas Pipinellis <axil@gitlab.com> | 2019-07-11 11:26:15 +0000 |
commit | 6971fd261dd63ac7698da9d4e5337af6f053dddd (patch) | |
tree | 44654d2b0d971fb8cab894c8e271fd346fb96e12 /lib | |
parent | cc3ef63572361398d6f93d29a31c16e23cbc6de6 (diff) | |
download | gitlab-ce-6971fd261dd63ac7698da9d4e5337af6f053dddd.tar.gz |
Give Knative serving permissions to service account
GitLab uses a kubernetes service account to perform deployments. For
serverless deployments to work as expected with externally created
clusters with their own knative installations (e.g. via Cloud Run), this
account requires additional permissions in the serving.knative.dev API
group.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/kubernetes/kube_client.rb | 7 | ||||
-rw-r--r-- | lib/gitlab/kubernetes/role.rb | 24 | ||||
-rw-r--r-- | lib/gitlab/kubernetes/role_binding.rb | 7 |
3 files changed, 35 insertions, 3 deletions
diff --git a/lib/gitlab/kubernetes/kube_client.rb b/lib/gitlab/kubernetes/kube_client.rb
index de14df56555..1350924cd76 100644
--- a/lib/gitlab/kubernetes/kube_client.rb
+++ b/lib/gitlab/kubernetes/kube_client.rb
@@ -59,6 +59,13 @@ module Gitlab
 # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
 # group client
+ delegate :create_role,
+ :get_role,
+ :update_role,
+ to: :rbac_client
+
+ # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
+ # group client
 delegate :create_role_binding,
 :get_role_binding,
 :update_role_binding,
diff --git a/lib/gitlab/kubernetes/role.rb b/lib/gitlab/kubernetes/role.rb
new file mode 100644
index 00000000000..096f60f0372
--- /dev/null
+++ b/lib/gitlab/kubernetes/role.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Kubernetes
+ class Role
+ def initialize(name:, namespace:, rules:)
+ @name = name
+ @namespace = namespace
+ @rules = rules
+ end
+
+ def generate
+ ::Kubeclient::Resource.new(
+ metadata: { name: name, namespace: namespace },
+ rules: rules
+ )
+ end
+
+ private
+
+ attr_reader :name, :namespace, :rules
+ end
+ end
+end
diff --git a/lib/gitlab/kubernetes/role_binding.rb b/lib/gitlab/kubernetes/role_binding.rb
index cb0cb42d007..0404fb4453c 100644
--- a/lib/gitlab/kubernetes/role_binding.rb
+++ b/lib/gitlab/kubernetes/role_binding.rb
@@ -3,9 +3,10 @@
 module Gitlab
 module Kubernetes
 class RoleBinding
- def initialize(name:, role_name:, namespace:, service_account_name:)
+ def initialize(name:, role_name:, role_kind:, namespace:, service_account_name:)
 @name = name
 @role_name = role_name
+ @role_kind = role_kind
 @namespace = namespace
 @service_account_name = service_account_name
 end
@@ -20,7 +21,7 @@ module Gitlab
 private
- attr_reader :name, :role_name, :namespace, :service_account_name
+ attr_reader :name, :role_name, :role_kind, :namespace, :service_account_name
 def metadata
 { name: name, namespace: namespace }
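Review bot: The new `Role` class in lib/gitlab/kubernetes/role.rb has no class comment, and `generate` hands `rules` to the resource unchanged, so nothing in the file records who is responsible for scoping what the deployment service account is granted. I would add above `class Role` a comment such as `# Builds a namespaced RBAC Role resource. +rules+ is passed through as-is; callers must keep apiGroups, resources and verbs as narrow as the deployment needs.` The rules for the serving.knative.dev group are built by a caller outside this diff (the diffstat is limited to 'lib'), so the granted verbs should be reviewed there.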
@@ -29,7 +30,7 @@ module Gitlab
 def role_ref
 {
 apiGroup: 'rbac.authorization.k8s.io',
- kind: 'ClusterRole',
+ kind: role_kind,
 name: role_name
 }
 end
|
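Review bot: `role_kind` reaches `kind:` in `role_ref` unchecked, and the initializer in the first role_binding.rb hunk stores it exactly as given. A misspelled or unexpected kind would therefore surface only when the binding is sent to the cluster, and a wrong-but-valid kind would bind the service account to a same-named role with a different permission set. An RBAC roleRef accepts only Role and ClusterRole, so a guard in `initialize` such as `raise ArgumentError, "unsupported role kind: #{role_kind}" unless %w[Role ClusterRole].include?(role_kind.to_s)` would fail early. The callers are outside this diff, so whether they pass strings or symbols is not visible here; the `to_s` covers both.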