authorThong Kuah <tkuah@gitlab.com>2018-08-29 12:07:01 +0300
committerThong Kuah <tkuah@gitlab.com>2018-09-14 07:26:50 +0300
commit7ebc18d1b3d398e3635feec1939ee3dac6c4a2a0 (patch)
tree860e8425064c1b20e889555f1d4c05e117e93242 /app
parentfe450ebf51abd9fa96a0eff01ad074fc4cfbedab (diff)
When provisioning a new cluster, create gitlab service account so that GitLab can perform operations in a RBAC-enabled cluster.
Correspondingly, use the token of the gitlab service account instead of the default service account token, which has no privileges.
Diffstat (limited to 'app')
-rw-r--r--app/services/clusters/gcp/finalize_creation_service.rb18
-rw-r--r--app/services/clusters/gcp/kubernetes.rb11
-rw-r--r--app/services/clusters/gcp/kubernetes/create_service_account_service.rb65
-rw-r--r--app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb6
4 files changed, 99 insertions, 1 deletions
diff --git a/app/services/clusters/gcp/finalize_creation_service.rb b/app/services/clusters/gcp/finalize_creation_service.rb
index 76b1f439569..29948b32192 100644
--- a/app/services/clusters/gcp/finalize_creation_service.rb
+++ b/app/services/clusters/gcp/finalize_creation_service.rb
@@ -8,18 +8,30 @@ module Clusters
def execute(provider)
@provider = provider
+ create_gitlab_service_account!
+
configure_provider
configure_kubernetes
cluster.save!
rescue Google::Apis::ServerError, Google::Apis::ClientError, Google::Apis::AuthorizationError => e
provider.make_errored!("Failed to request to CloudPlatform; #{e.message}")
+ rescue Kubeclient::HttpError => e
+ provider.make_errored!("Failed to run Kubeclient: #{e.message}")
rescue ActiveRecord::RecordInvalid => e
provider.make_errored!("Failed to configure Google Kubernetes Engine Cluster: #{e.message}")
end
private
+ def create_gitlab_service_account!
+ Clusters::Gcp::Kubernetes::CreateServiceAccountService.new(
+ 'https://' + gke_cluster.endpoint,
+ Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
+ gke_cluster.master_auth.username,
+ gke_cluster.master_auth.password).execute
+ end
+
def configure_provider
provider.endpoint = gke_cluster.endpoint
provider.status_event = :make_created
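Review bot: `create_gitlab_service_account!` is not safe to run twice for the same cluster: `create_service_account` and `create_cluster_role_binding` fail on an object that already exists, and the new `rescue Kubeclient::HttpError` turns that into a generic "Failed to run Kubeclient" failure rather than treating the account as already provisioned. Whether `execute` can be re-invoked for a provider that already went through this path (for example after the Google error branch marked it errored) is not visible in this hunk, so confirm that before deciding; if it can, tolerate the conflict response in the service or check for the existing account first. A short comment on the call site would help either way, e.g. `# Must run before configure_kubernetes: request_kubernetes_token reads the token of this account` — that ordering dependency is otherwise only implied.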
@@ -32,6 +44,7 @@ module Clusters
ca_cert: Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
username: gke_cluster.master_auth.username,
password: gke_cluster.master_auth.password,
+ authorization_type: authorization_type,
token: request_kubernetes_token)
end
@@ -43,6 +56,11 @@ module Clusters
gke_cluster.master_auth.password).execute
end
+ # GKE Clusters have RBAC enabled on Kubernetes >= 1.6
+ def authorization_type
+ 'rbac'
+ end
+
def gke_cluster
@gke_cluster ||= provider.api_client.projects_zones_clusters_get(
provider.gcp_project_id,
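Review bot: `authorization_type` returns `'rbac'` unconditionally, while the comment above it only states that GKE enables RBAC on Kubernetes >= 1.6; nothing here checks the version of `gke_cluster` or whether the cluster was created with legacy ABAC enabled. A cluster stored as `rbac` that is not would mislead any later code keyed on `authorization_type`, so either derive the value from the cluster object or make the assumption explicit in the comment, e.g. `# Assumes every GKE cluster provisioned here has RBAC (Kubernetes >= 1.6); not verified against gke_cluster`. The `gke_cluster` method continues past the end of the hunk.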
diff --git a/app/services/clusters/gcp/kubernetes.rb b/app/services/clusters/gcp/kubernetes.rb
new file mode 100644
index 00000000000..74ef68eb58f
--- /dev/null
+++ b/app/services/clusters/gcp/kubernetes.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Clusters
+ module Gcp
+ module Kubernetes
+ SERVICE_ACCOUNT_NAME = 'gitlab'
+ CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin'
+ CLUSTER_ROLE_NAME = 'cluster-admin'
+ end
+ end
+end
diff --git a/app/services/clusters/gcp/kubernetes/create_service_account_service.rb b/app/services/clusters/gcp/kubernetes/create_service_account_service.rb
new file mode 100644
index 00000000000..a9088578c81
--- /dev/null
+++ b/app/services/clusters/gcp/kubernetes/create_service_account_service.rb
@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Clusters
+ module Gcp
+ module Kubernetes
+ class CreateServiceAccountService
+ attr_reader :api_url, :ca_pem, :username, :password
+
+ def initialize(api_url, ca_pem, username, password)
+ @api_url = api_url
+ @ca_pem = ca_pem
+ @username = username
+ @password = password
+ end
+
+ def execute
+ kubeclient = build_kube_client!(api_groups: ['api', 'apis/rbac.authorization.k8s.io'])
+
+ kubeclient.create_service_account(service_account_resource)
+ kubeclient.create_cluster_role_binding(cluster_role_binding_resource)
+ end
+
+ private
+
+ def service_account_resource
+ Gitlab::Kubernetes::ServiceAccount.new(SERVICE_ACCOUNT_NAME, 'default').generate
+ end
+
+ def cluster_role_binding_resource
+ subjects = [{ kind: 'ServiceAccount', name: SERVICE_ACCOUNT_NAME, namespace: 'default' }]
+
+ Gitlab::Kubernetes::ClusterRoleBinding.new(
+ CLUSTER_ROLE_BINDING_NAME,
+ CLUSTER_ROLE_NAME,
+ subjects
+ ).generate
+ end
+
+ def build_kube_client!(api_groups: ['api'], api_version: 'v1')
+ raise "Incomplete settings" unless api_url && username && password
+
+ Gitlab::Kubernetes::KubeClient.new(
+ api_url,
+ api_groups,
+ api_version,
+ auth_options: { username: username, password: password },
+ ssl_options: kubeclient_ssl_options,
+ http_proxy_uri: ENV['http_proxy']
+ )
+ end
+
+ def kubeclient_ssl_options
+ opts = { verify_ssl: OpenSSL::SSL::VERIFY_PEER }
+
+ if ca_pem.present?
+ opts[:cert_store] = OpenSSL::X509::Store.new
+ opts[:cert_store].add_cert(OpenSSL::X509::Certificate.new(ca_pem))
+ end
+
+ opts
+ end
+ end
+ end
+ end
+end
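Review bot: `cluster_role_binding_resource` binds the `gitlab` service account to `cluster-admin` cluster-wide (via `CLUSTER_ROLE_NAME` in the new kubernetes.rb), so the token GitLab later fetches carries full privileges on the whole cluster, and the class carries no comment explaining why that breadth is required. Add a note above `cluster_role_binding_resource` stating the justification and that the grant is cluster-scoped, so a later reader knows it was deliberate and can narrow it once the set of required operations is known. Separately, the namespace `'default'` is spelled out in both `service_account_resource` and `cluster_role_binding_resource`; one constant next to `SERVICE_ACCOUNT_NAME` would keep the account and the binding subject from drifting apart. `build_kube_client!` also raises `"Incomplete settings"` for a missing url/username/password but not for a blank `ca_pem`, although with `verify_ssl: OpenSSL::SSL::VERIFY_PEER` and no cert store the request would only fail later at TLS time with a less clear error; including `ca_pem` in that guard is cheap.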
diff --git a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
index 07c8eaae5d3..ba5e0ed9881 100644
--- a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
+++ b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
@@ -16,7 +16,7 @@ module Clusters
def execute
read_secrets.each do |secret|
name = secret.dig('metadata', 'name')
- if /default-token/ =~ name
+ if token_regex =~ name
token_base64 = secret.dig('data', 'token')
return Base64.decode64(token_base64) if token_base64
end
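Review bot: `token_regex` (defined in the following hunk as `/#{SERVICE_ACCOUNT_NAME}-token/`) is an unanchored substring match, so any secret whose name merely contains `gitlab-token` is accepted and its `data.token` handed back as the credential for the gitlab service account, with the first match in listing order winning. Kubernetes names auto-generated service-account token secrets `<account>-token-<suffix>`, so anchoring the start, `/\A#{SERVICE_ACCOUNT_NAME}-token-/`, narrows this; checking the secret's `type` (`kubernetes.io/service-account-token`) and its `kubernetes.io/service-account.name` annotation would tie the lookup to the intended account rather than to a name pattern. The same looseness was already present in the old `/default-token/`, so this is pre-existing behavior the rename carries forward. `execute` continues past the end of the hunk.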
@@ -27,6 +27,10 @@ module Clusters
private
+ def token_regex
+ /#{SERVICE_ACCOUNT_NAME}-token/
+ end
+
def read_secrets
kubeclient = build_kubeclient!