Skip to content
This repository has been archived by the owner on Aug 25, 2021. It is now read-only.

feat: add rbac support #29

Merged
merged 4 commits into from
Oct 18, 2018
Merged

feat: add rbac support #29

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6330895
feat: add rbac support
tomwganem Oct 9, 2018
32ed79e
fix: move .Values.rbac.enabled to .Values.syncCatalog.rbac.enabled
tomwganem Oct 15, 2018
6d9c884
feat: create serviceAccount for sync catalog cluster role bind
tomwganem Oct 15, 2018
973cc2e
fix: use a "-" instead of a ":" for names
tomwganem Oct 17, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions templates/sync-cluster-role-binding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
{{- $rbacEnabled := (or (and (ne (.Values.rbac.enabled | toString) "-") .Values.rbac.enabled) (and (eq (.Values.rbac.enabled | toString) "-") .Values.rbac.enabled)) }}
{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (and $rbacEnabled $syncEnabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: consul:sync
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: consul:sync
subjects:
- kind: Group
name: system:serviceaccounts:{{ .Release.Namespace }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
25 changes: 25 additions & 0 deletions templates/sync-cluster-role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
{{- $rbacEnabled := (or (and (ne (.Values.rbac.enabled | toString) "-") .Values.rbac.enabled) (and (eq (.Values.rbac.enabled | toString) "-") .Values.rbac.enabled)) }}
{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (and $rbacEnabled $syncEnabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: consul:sync
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- services
- endpoints
verbs:
- get
- list
- watch
- update
- patch
- delete
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- delete
- delete
- create

I was getting error="services is forbidden: User "system:serviceaccount:platform:consul-sync-catalog" cannot create services in the namespace "platform"" without this. Once added, the consul service was synced to k8s.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice. Yep.

It seems possible that we should create two roles here. One for k8s => Consul and one for Consul => k8s, since either one-way can be disabled/enabled and k8s => Consul only requires read-only privileges which is a nice to have.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually decided to just add -create for now and keep the simple thing, we can split it out later if its useful.

{{- end }}
56 changes: 56 additions & 0 deletions test/unit/sync-cluster-role-binding.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
#!/usr/bin/env bats

load _helpers

@test "sync/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-cluster-role-binding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "sync/ClusterRoleBinding: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-cluster-role-binding.yaml \
--set 'global.enabled=false' \
--set 'syncCatalog.enabled=true' \
--set 'rbac.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

@test "sync/ClusterRoleBinding: disable with syncCatalog.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-cluster-role-binding.yaml \
--set 'syncCatalog.enabled=false' \
--set 'rbac.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "sync/ClusterRoleBinding: disable with rbac.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-cluster-role-binding.yaml \
--set 'syncCatalog.enabled=true' \
--set 'rbac.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "sync/ClusterRoleBinding: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-cluster-role-binding.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
56 changes: 56 additions & 0 deletions test/unit/sync-cluster-role.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
#!/usr/bin/env bats

load _helpers

@test "sync/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-cluster-role.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "sync/ClusterRole: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-cluster-role.yaml \
--set 'global.enabled=false' \
--set 'syncCatalog.enabled=true' \
--set 'rbac.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

@test "sync/ClusterRole: disable with syncCatalog.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-cluster-role.yaml \
--set 'syncCatalog.enabled=false' \
--set 'rbac.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "sync/ClusterRole: disable with rbac.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-cluster-role.yaml \
--set 'syncCatalog.enabled=true' \
--set 'rbac.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "sync/ClusterRole: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-cluster-role.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
5 changes: 5 additions & 0 deletions values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,3 +186,8 @@ connectInject:
# defaults but can be customized if necessary.
certName: tls.crt
keyName: tls.key

# Enabling rbac will create cluster roles and cluster role bindings to allow the
# syncCatalog service to communicate with the kubernetes api to get/create services
rbac:
enabled: false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should probably go under the syncCatalog section. I can see the easiest way would be:

syncCatalog:
  rbac:
    enabled: false/true