Diffstat (limited to 'app/services/clusters/gcp')
4 files changed, 31 insertions, 32 deletions
diff --git a/app/services/clusters/gcp/finalize_creation_service.rb b/app/services/clusters/gcp/finalize_creation_service.rb index 8170e732d48..3ae0a4a19d0 100644 --- a/app/services/clusters/gcp/finalize_creation_service.rb +++ b/app/services/clusters/gcp/finalize_creation_service.rb @@ -8,9 +8,8 @@ module Clusters def execute(provider) @provider = provider - create_gitlab_service_account! - configure_provider + create_gitlab_service_account! configure_kubernetes cluster.save! @@ -25,9 +24,7 @@ module Clusters private def create_gitlab_service_account! - if create_rbac_cluster? - Clusters::Gcp::Kubernetes::CreateServiceAccountService.new(kube_client).execute - end + Clusters::Gcp::Kubernetes::CreateServiceAccountService.new(kube_client, rbac: create_rbac_cluster?).execute end def configure_provider @@ -47,9 +44,7 @@ module Clusters end def request_kubernetes_token - service_account_name = create_rbac_cluster? ? Clusters::Gcp::Kubernetes::SERVICE_ACCOUNT_NAME : 'default' - - Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client, service_account_name).execute + Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client).execute end def authorization_type diff --git a/app/services/clusters/gcp/kubernetes.rb b/app/services/clusters/gcp/kubernetes.rb index 74ef68eb58f..21a09891ac4 100644 --- a/app/services/clusters/gcp/kubernetes.rb +++ b/app/services/clusters/gcp/kubernetes.rb @@ -4,6 +4,7 @@ module Clusters module Gcp module Kubernetes SERVICE_ACCOUNT_NAME = 'gitlab' + SERVICE_ACCOUNT_TOKEN_NAME = 'gitlab-token' CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin' CLUSTER_ROLE_NAME = 'cluster-admin' end diff --git a/app/services/clusters/gcp/kubernetes/create_service_account_service.rb b/app/services/clusters/gcp/kubernetes/create_service_account_service.rb index 8d87bd7b5c8..4c43b94d911 100644 --- a/app/services/clusters/gcp/kubernetes/create_service_account_service.rb +++ b/app/services/clusters/gcp/kubernetes/create_service_account_service.rb 
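Review bot: The reason for moving `configure_provider` ahead of `create_gitlab_service_account!` in `execute` is not recorded anywhere in the hunk, and a later reader could reorder them back. Since `create_gitlab_service_account!` builds its service from `kube_client` (next hunk), the new order presumably exists because `configure_provider` sets up what `kube_client` reads from the provider; if that is the case, say so with `# configure_provider must run first: kube_client depends on the configured provider`. The body of `execute` continues past the end of this hunk, so any error handling around these calls is not visible here.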
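Review bot: `request_kubernetes_token` now fetches the `gitlab` service account's token on every cluster, dropping the previous `'default'` service-account fallback for non-RBAC clusters, and the `create_gitlab_service_account!` hunk above makes the same switch by always creating the account (only the ClusterRoleBinding is gated on `rbac:`). Whether a non-RBAC (ABAC) cluster's policy grants that new account the access GitLab needs cannot be verified from this diff, so the behaviour change deserves a comment at the call site: `# RBAC and non-RBAC clusters both use the gitlab service account token; only RBAC clusters get a ClusterRoleBinding`. The stored token is the credential GitLab later uses against the cluster, so a reviewer should confirm that the non-RBAC path was exercised.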
@@ -4,25 +4,32 @@ module Clusters module Gcp module Kubernetes class CreateServiceAccountService - attr_reader :kubeclient + attr_reader :kubeclient, :rbac - def initialize(kubeclient) + def initialize(kubeclient, rbac:) @kubeclient = kubeclient + @rbac = rbac end def execute kubeclient.create_service_account(service_account_resource) - kubeclient.create_cluster_role_binding(cluster_role_binding_resource) + kubeclient.create_secret(service_account_token_resource) + kubeclient.create_cluster_role_binding(cluster_role_binding_resource) if rbac end private def service_account_resource - Gitlab::Kubernetes::ServiceAccount.new(SERVICE_ACCOUNT_NAME, 'default').generate + Gitlab::Kubernetes::ServiceAccount.new(service_account_name, namespace).generate + end + + def service_account_token_resource + Gitlab::Kubernetes::ServiceAccountToken.new( + SERVICE_ACCOUNT_TOKEN_NAME, service_account_name, namespace).generate end def cluster_role_binding_resource - subjects = [{ kind: 'ServiceAccount', name: SERVICE_ACCOUNT_NAME, namespace: 'default' }] + subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: namespace }] Gitlab::Kubernetes::ClusterRoleBinding.new( CLUSTER_ROLE_BINDING_NAME, @@ -30,6 +37,14 @@ module Clusters subjects ).generate end + + def service_account_name + SERVICE_ACCOUNT_NAME + end + + def namespace + 'default' + end end end end diff --git a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb index c16ce451aaf..877dc1de89b 100644 --- a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb +++ b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb 
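Review bot: `execute` now creates a service account, a long-lived token secret and (when `rbac` is true) a ClusterRoleBinding whose role, per the `kubernetes.rb` hunk, is `CLUSTER_ROLE_NAME = 'cluster-admin'`, but nothing in the class says that the secret named `SERVICE_ACCOUNT_TOKEN_NAME` is therefore a cluster-admin credential that `FetchKubernetesTokenService` later reads back into GitLab. A header comment on `execute` should state this, e.g. `# Creates the gitlab ServiceAccount, a token Secret for it and, for RBAC clusters, a ClusterRoleBinding to cluster-admin; the Secret's token is the cluster credential GitLab stores.` The three `create_*` calls are not idempotent and have no cleanup: if `create_secret` or the binding call fails after the account exists, a re-run will presumably get a 409 from `create_service_account` and stop before the missing resources are created — unless the caller, outside this hunk, handles that. `cluster_role_binding_resource` continues past the hunk end.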
@@ -4,37 +4,25 @@ module Clusters module Gcp module Kubernetes class FetchKubernetesTokenService - attr_reader :kubeclient, :service_account_name + attr_reader :kubeclient - def initialize(kubeclient, service_account_name) + def initialize(kubeclient) @kubeclient = kubeclient - @service_account_name = service_account_name end def execute - read_secrets.each do |secret| - name = secret.dig('metadata', 'name') - if token_regex =~ name - token_base64 = secret.dig('data', 'token') - return Base64.decode64(token_base64) if token_base64 - end - end - - nil + token_base64 = get_secret&.dig('data', 'token') + Base64.decode64(token_base64) if token_base64 end private - def token_regex - /#{service_account_name}-token/ - end - - def read_secrets - kubeclient.get_secrets.as_json + def get_secret + kubeclient.get_secret(SERVICE_ACCOUNT_TOKEN_NAME).as_json rescue Kubeclient::HttpError => err raise err unless err.error_code == 404 - [] + nil end end end |
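Review bot: `get_secret` calls `kubeclient.get_secret(SERVICE_ACCOUNT_TOKEN_NAME)` with no namespace, while `CreateServiceAccountService` writes the secret into the hard-coded `'default'` namespace; if the client is ever built with another default namespace the lookup 404s and `execute` silently returns `nil`. Pass the namespace explicitly, `kubeclient.get_secret(SERVICE_ACCOUNT_TOKEN_NAME, 'default').as_json`, and consider hoisting `'default'` into a constant next to `SERVICE_ACCOUNT_TOKEN_NAME` so both services cannot drift apart. `execute` also returns `nil` both when the secret is absent and when `data.token` is not yet populated, so callers cannot tell a misconfiguration from a not-yet-ready token; a comment such as `# nil means the token secret is missing or its token field is not populated yet` would at least make that explicit. As a style point, RuboCop flags the `get_` prefix; `token_secret` reads better than `get_secret`.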