author | Thong Kuah <tkuah@gitlab.com> | 2018-08-29 12:07:01 +0300 |
committer | Thong Kuah <tkuah@gitlab.com> | 2018-09-14 07:26:50 +0300 |
commit | 7ebc18d1b3d398e3635feec1939ee3dac6c4a2a0 (patch) | |
tree | 860e8425064c1b20e889555f1d4c05e117e93242 /app/services/clusters/gcp/finalize_creation_service.rb | |
parent | fe450ebf51abd9fa96a0eff01ad074fc4cfbedab (diff) |
When provisioning a new cluster, create gitlab service account so that GitLab can perform operations in a RBAC-enabled cluster.
Correspondingly, use the token of the gitlab service account instead of the
default service account token, which will have no privileges.
Diffstat (limited to 'app/services/clusters/gcp/finalize_creation_service.rb')
-rw-r--r-- | app/services/clusters/gcp/finalize_creation_service.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/app/services/clusters/gcp/finalize_creation_service.rb b/app/services/clusters/gcp/finalize_creation_service.rb
index 76b1f439569..29948b32192 100644
--- a/app/services/clusters/gcp/finalize_creation_service.rb
+++ b/app/services/clusters/gcp/finalize_creation_service.rb
@@ -8,18 +8,30 @@ module Clusters
       def execute(provider)
         @provider = provider
 
+        create_gitlab_service_account!
+
         configure_provider
         configure_kubernetes
 
         cluster.save!
       rescue Google::Apis::ServerError, Google::Apis::ClientError, Google::Apis::AuthorizationError => e
         provider.make_errored!("Failed to request to CloudPlatform; #{e.message}")
+      rescue Kubeclient::HttpError => e
+        provider.make_errored!("Failed to run Kubeclient: #{e.message}")
       rescue ActiveRecord::RecordInvalid => e
         provider.make_errored!("Failed to configure Google Kubernetes Engine Cluster: #{e.message}")
       end
 
       private
 
+      def create_gitlab_service_account!
+        Clusters::Gcp::Kubernetes::CreateServiceAccountService.new(
+          'https://' + gke_cluster.endpoint,
+          Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
+          gke_cluster.master_auth.username,
+          gke_cluster.master_auth.password).execute
+      end
+
       def configure_provider
         provider.endpoint = gke_cluster.endpoint
         provider.status_event = :make_created
@@ -32,6 +44,7 @@ module Clusters
           ca_cert: Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
           username: gke_cluster.master_auth.username,
           password: gke_cluster.master_auth.password,
+          authorization_type: authorization_type,
           token: request_kubernetes_token)
       end
 
@@ -43,6 +56,11 @@ module Clusters
           gke_cluster.master_auth.password).execute
       end
 
+      # GKE Clusters have RBAC enabled on Kubernetes >= 1.6
+      def authorization_type
+        'rbac'
+      end
+
       def gke_cluster
         @gke_cluster ||= provider.api_client.projects_zones_clusters_get(
           provider.gcp_project_id,
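Review bot: The new `rescue Kubeclient::HttpError` in `execute` stores `e.message` on the provider via `make_errored!`, and Kubeclient builds that message from the API server's response body, so whatever the server returns for the failed service-account call ends up in the persisted error text; if that text is shown to users, consider storing only the status and keeping the full response in the log, e.g. `provider.make_errored!("Failed to run Kubeclient: #{e.error_code}")` (assuming the gem's `error_code` accessor is available in the pinned version). Note also that `create_gitlab_service_account!` now runs before `configure_provider`, so a failure there leaves the provider without endpoint data while still marked errored — probably intended, but worth a comment on the call. A point of style: `'https://' + gke_cluster.endpoint` in `create_gitlab_service_account!` reads better as `"https://#{gke_cluster.endpoint}"`, matching how the file interpolates elsewhere. The enclosing class and `execute`'s callers are outside the hunk.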
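Review bot: `authorization_type` in the last hunk hard-codes `'rbac'` on the strength of the comment alone, but GKE lets a cluster be created with legacy ABAC still enabled, in which case the provider record persisted in the second hunk (`authorization_type: authorization_type`) would describe the cluster incorrectly and the service account created in the first hunk would not be governed by RBAC as assumed. Since `gke_cluster` already holds the response from `projects_zones_clusters_get`, it is likely the cluster's legacy-ABAC setting can be read from it and the value derived rather than asserted — please confirm against the API client version in use. At minimum the comment should state the assumption: `# Assumes the cluster was created without legacy ABAC; GKE enables RBAC by default on Kubernetes >= 1.6`.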