Commit a02e3530 authored by Thong Kuah's avatar Thong Kuah

Always create `gitlab` service account and service account token regardless of ABAC/RBAC

This also solves the async nature of the automatic creation of default
service tokens for service accounts. It also makes explicit which
service account token we always use.

create cluster role binding only if the provider has legacy_abac
disabled.
parent 8c8ccd31
...@@ -8,9 +8,8 @@ module Clusters ...@@ -8,9 +8,8 @@ module Clusters
def execute(provider) def execute(provider)
@provider = provider @provider = provider
create_gitlab_service_account!
configure_provider configure_provider
create_gitlab_service_account!
configure_kubernetes configure_kubernetes
cluster.save! cluster.save!
...@@ -25,9 +24,7 @@ module Clusters ...@@ -25,9 +24,7 @@ module Clusters
private private
def create_gitlab_service_account! def create_gitlab_service_account!
if create_rbac_cluster? Clusters::Gcp::Kubernetes::CreateServiceAccountService.new(kube_client, rbac: create_rbac_cluster?).execute
Clusters::Gcp::Kubernetes::CreateServiceAccountService.new(kube_client).execute
end
end end
def configure_provider def configure_provider
...@@ -47,9 +44,7 @@ module Clusters ...@@ -47,9 +44,7 @@ module Clusters
end end
def request_kubernetes_token def request_kubernetes_token
service_account_name = create_rbac_cluster? ? Clusters::Gcp::Kubernetes::SERVICE_ACCOUNT_NAME : 'default' Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client).execute
Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client, service_account_name).execute
end end
def authorization_type def authorization_type
......
...@@ -4,6 +4,7 @@ module Clusters ...@@ -4,6 +4,7 @@ module Clusters
module Gcp module Gcp
module Kubernetes module Kubernetes
SERVICE_ACCOUNT_NAME = 'gitlab' SERVICE_ACCOUNT_NAME = 'gitlab'
SERVICE_ACCOUNT_TOKEN_NAME = 'gitlab-token'
CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin' CLUSTER_ROLE_BINDING_NAME = 'gitlab-admin'
CLUSTER_ROLE_NAME = 'cluster-admin' CLUSTER_ROLE_NAME = 'cluster-admin'
end end
......
...@@ -4,25 +4,32 @@ module Clusters ...@@ -4,25 +4,32 @@ module Clusters
module Gcp module Gcp
module Kubernetes module Kubernetes
class CreateServiceAccountService class CreateServiceAccountService
attr_reader :kubeclient attr_reader :kubeclient, :rbac
def initialize(kubeclient) def initialize(kubeclient, rbac:)
@kubeclient = kubeclient @kubeclient = kubeclient
@rbac = rbac
end end
def execute def execute
kubeclient.create_service_account(service_account_resource) kubeclient.create_service_account(service_account_resource)
kubeclient.create_cluster_role_binding(cluster_role_binding_resource) kubeclient.create_secret(service_account_token_resource)
kubeclient.create_cluster_role_binding(cluster_role_binding_resource) if rbac
end end
private private
def service_account_resource def service_account_resource
Gitlab::Kubernetes::ServiceAccount.new(SERVICE_ACCOUNT_NAME, 'default').generate Gitlab::Kubernetes::ServiceAccount.new(service_account_name, namespace).generate
end
def service_account_token_resource
Gitlab::Kubernetes::ServiceAccountToken.new(
SERVICE_ACCOUNT_TOKEN_NAME, service_account_name, namespace).generate
end end
def cluster_role_binding_resource def cluster_role_binding_resource
subjects = [{ kind: 'ServiceAccount', name: SERVICE_ACCOUNT_NAME, namespace: 'default' }] subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: namespace }]
Gitlab::Kubernetes::ClusterRoleBinding.new( Gitlab::Kubernetes::ClusterRoleBinding.new(
CLUSTER_ROLE_BINDING_NAME, CLUSTER_ROLE_BINDING_NAME,
...@@ -30,6 +37,14 @@ module Clusters ...@@ -30,6 +37,14 @@ module Clusters
subjects subjects
).generate ).generate
end end
def service_account_name
SERVICE_ACCOUNT_NAME
end
def namespace
'default'
end
end end
end end
end end
......
...@@ -4,37 +4,25 @@ module Clusters ...@@ -4,37 +4,25 @@ module Clusters
module Gcp module Gcp
module Kubernetes module Kubernetes
class FetchKubernetesTokenService class FetchKubernetesTokenService
attr_reader :kubeclient, :service_account_name attr_reader :kubeclient
def initialize(kubeclient, service_account_name) def initialize(kubeclient)
@kubeclient = kubeclient @kubeclient = kubeclient
@service_account_name = service_account_name
end end
def execute def execute
read_secrets.each do |secret| token_base64 = get_secret&.dig('data', 'token')
name = secret.dig('metadata', 'name') Base64.decode64(token_base64) if token_base64
if token_regex =~ name
token_base64 = secret.dig('data', 'token')
return Base64.decode64(token_base64) if token_base64
end
end
nil
end end
private private
def token_regex def get_secret
/#{service_account_name}-token/ kubeclient.get_secret(SERVICE_ACCOUNT_TOKEN_NAME).as_json
end
def read_secrets
kubeclient.get_secrets.as_json
rescue Kubeclient::HttpError => err rescue Kubeclient::HttpError => err
raise err unless err.error_code == 404 raise err unless err.error_code == 404
[] nil
end end
end end
end end
......
...@@ -25,6 +25,7 @@ module Gitlab ...@@ -25,6 +25,7 @@ module Gitlab
:get_config_map, :get_config_map,
:get_namespace, :get_namespace,
:get_pod, :get_pod,
:get_secret,
:get_service, :get_service,
:get_service_account, :get_service_account,
:delete_pod, :delete_pod,
......
...@@ -116,6 +116,7 @@ describe Gitlab::Kubernetes::KubeClient do ...@@ -116,6 +116,7 @@ describe Gitlab::Kubernetes::KubeClient do
:get_config_map, :get_config_map,
:get_pod, :get_pod,
:get_namespace, :get_namespace,
:get_secret,
:get_service, :get_service,
:get_service_account, :get_service_account,
:delete_pod, :delete_pod,
......
...@@ -12,9 +12,11 @@ describe Clusters::Gcp::FinalizeCreationService do ...@@ -12,9 +12,11 @@ describe Clusters::Gcp::FinalizeCreationService do
let(:zone) { provider.zone } let(:zone) { provider.zone }
let(:cluster_name) { cluster.name } let(:cluster_name) { cluster.name }
subject { described_class.new.execute(provider) }
shared_examples 'success' do shared_examples 'success' do
it 'configures provider and kubernetes' do it 'configures provider and kubernetes' do
described_class.new.execute(provider) subject
expect(provider).to be_created expect(provider).to be_created
end end
...@@ -22,7 +24,7 @@ describe Clusters::Gcp::FinalizeCreationService do ...@@ -22,7 +24,7 @@ describe Clusters::Gcp::FinalizeCreationService do
shared_examples 'error' do shared_examples 'error' do
it 'sets an error to provider object' do it 'sets an error to provider object' do
described_class.new.execute(provider) subject
expect(provider.reload).to be_errored expect(provider.reload).to be_errored
end end
...@@ -33,6 +35,7 @@ describe Clusters::Gcp::FinalizeCreationService do ...@@ -33,6 +35,7 @@ describe Clusters::Gcp::FinalizeCreationService do
let(:api_url) { 'https://' + endpoint } let(:api_url) { 'https://' + endpoint }
let(:username) { 'sample-username' } let(:username) { 'sample-username' }
let(:password) { 'sample-password' } let(:password) { 'sample-password' }
let(:secret_name) { 'gitlab-token' }
before do before do
stub_cloud_platform_get_zone_cluster( stub_cloud_platform_get_zone_cluster(
...@@ -43,124 +46,98 @@ describe Clusters::Gcp::FinalizeCreationService do ...@@ -43,124 +46,98 @@ describe Clusters::Gcp::FinalizeCreationService do
password: password password: password
} }
) )
stub_kubeclient_discover(api_url)
end end
context 'when suceeded to fetch kuberenetes token' do context 'service account and token created' do
let(:secret_name) { 'default-token-Y1a' }
let(:token) { 'sample-token' }
before do before do
stub_kubeclient_get_secrets( stub_kubeclient_discover(api_url)
api_url, stub_kubeclient_create_service_account(api_url)
{ stub_kubeclient_create_secret(api_url)
metadata_name: secret_name,
token: Base64.encode64(token)
} )
end
it_behaves_like 'success'
it 'has corresponded data' do
described_class.new.execute(provider)
cluster.reload
provider.reload
platform.reload
expect(provider.endpoint).to eq(endpoint)
expect(platform.api_url).to eq(api_url)
expect(platform.ca_cert).to eq(Base64.decode64(load_sample_cert))
expect(platform.username).to eq(username)
expect(platform.password).to eq(password)
expect(platform.authorization_type).to eq('abac')
expect(platform.token).to eq(token)
end end
context 'rbac_clusters feature enabled' do shared_context 'kubernetes token successfully fetched' do
let(:secret_name) { 'gitlab-token-Y1a' } let(:token) { 'sample-token' }
before do before do
provider.legacy_abac = false stub_kubeclient_get_secret(
api_url,
stub_kubeclient_create_service_account(api_url) {
stub_kubeclient_create_cluster_role_binding(api_url) metadata_name: secret_name,
token: Base64.encode64(token)
} )
end end
end
context 'provider legacy_abac is enabled' do
include_context 'kubernetes token successfully fetched'
it_behaves_like 'success' it_behaves_like 'success'
it 'has corresponded data' do it 'properly configures database models' do
described_class.new.execute(provider) subject
cluster.reload cluster.reload
provider.reload
platform.reload
expect(provider.endpoint).to eq(endpoint) expect(provider.endpoint).to eq(endpoint)
expect(platform.api_url).to eq(api_url) expect(platform.api_url).to eq(api_url)
expect(platform.ca_cert).to eq(Base64.decode64(load_sample_cert)) expect(platform.ca_cert).to eq(Base64.decode64(load_sample_cert))
expect(platform.username).to eq(username) expect(platform.username).to eq(username)
expect(platform.password).to eq(password) expect(platform.password).to eq(password)
expect(platform.authorization_type).to eq('rbac') expect(platform).to be_abac
expect(platform.authorization_type).to eq('abac')
expect(platform.token).to eq(token) expect(platform.token).to eq(token)
end end
end end
end
context 'when no matching token is found' do
before do
stub_kubeclient_get_secrets(api_url, metadata_name: 'not-default-not-gitlab')
end
it_behaves_like 'error' context 'provider legacy_abac is disabled' do
context 'rbac_clusters feature enabled' do
before do before do
provider.legacy_abac = false provider.legacy_abac = false
stub_kubeclient_create_service_account(api_url)
stub_kubeclient_create_cluster_role_binding(api_url)
end end
it_behaves_like 'error' include_context 'kubernetes token successfully fetched'
end
end
context 'when token is empty' do context 'cluster role binding created' do
let(:secret_name) { 'default-token-123' } before do
stub_kubeclient_create_cluster_role_binding(api_url)
end
before do it_behaves_like 'success'
stub_kubeclient_get_secrets(api_url, token: '', metadata_name: secret_name)
end
it_behaves_like 'error' it 'properly configures database models' do
subject
context 'rbac_clusters feature enabled' do cluster.reload
let(:secret_name) { 'gitlab-token-321' }
before do expect(provider.endpoint).to eq(endpoint)
provider.legacy_abac = false expect(platform.api_url).to eq(api_url)
expect(platform.ca_cert).to eq(Base64.decode64(load_sample_cert))
expect(platform.username).to eq(username)
expect(platform.password).to eq(password)
expect(platform).to be_rbac
expect(platform.token).to eq(token)
end
end
end
stub_kubeclient_create_service_account(api_url) context 'when token is empty' do
stub_kubeclient_create_cluster_role_binding(api_url) before do
stub_kubeclient_get_secret(api_url, token: '', metadata_name: secret_name)
end end
it_behaves_like 'error' it_behaves_like 'error'
end end
end
context 'when failed to fetch kuberenetes token' do context 'when failed to fetch kubernetes token' do
before do before do
stub_kubeclient_get_secrets_error(api_url) stub_kubeclient_get_secret_error(api_url, secret_name)
end end
it_behaves_like 'error' it_behaves_like 'error'
end
context 'rbac_clusters feature enabled' do context 'when service account fails to create' do
before do before do
provider.legacy_abac = false stub_kubeclient_create_service_account_error(api_url)
stub_kubeclient_create_service_account(api_url)
stub_kubeclient_create_cluster_role_binding(api_url)
end end
it_behaves_like 'error' it_behaves_like 'error'
......
...@@ -5,11 +5,12 @@ require 'spec_helper' ...@@ -5,11 +5,12 @@ require 'spec_helper'
describe Clusters::Gcp::Kubernetes::CreateServiceAccountService do describe Clusters::Gcp::Kubernetes::CreateServiceAccountService do
include KubernetesHelpers include KubernetesHelpers
let(:service) { described_class.new(kubeclient) } let(:service) { described_class.new(kubeclient, rbac: rbac) }
describe '#execute' do describe '#execute' do
subject { service.execute } subject { service.execute }
let(:rbac) { false }
let(:api_url) { 'http://111.111.111.111' } let(:api_url) { 'http://111.111.111.111' }
let(:username) { 'admin' } let(:username) { 'admin' }
let(:password) { 'xxx' } let(:password) { 'xxx' }
...@@ -25,29 +26,69 @@ describe Clusters::Gcp::Kubernetes::CreateServiceAccountService do ...@@ -25,29 +26,69 @@ describe Clusters::Gcp::Kubernetes::CreateServiceAccountService do
before do before do
stub_kubeclient_discover(api_url) stub_kubeclient_discover(api_url)
stub_kubeclient_create_service_account(api_url) stub_kubeclient_create_service_account(api_url)
stub_kubeclient_create_cluster_role_binding(api_url) stub_kubeclient_create_secret(api_url)
end end
it 'creates a kubernetes service account' do shared_examples 'creates service account and token' do
subject it 'creates a kubernetes service account' do
subject
expect(WebMock).to have_requested(:post, api_url + '/api/v1/namespaces/default/serviceaccounts').with( expect(WebMock).to have_requested(:post, api_url + '/api/v1/namespaces/default/serviceaccounts').with(
body: hash_including( body: hash_including(
metadata: { name: 'gitlab', namespace: 'default' } kind: 'ServiceAccount',
metadata: { name: 'gitlab', namespace: 'default' }
)
) )
) end
it 'creates a kubernetes secret of type ServiceAccountToken' do
subject
expect(WebMock).to have_requested(:post, api_url + '/api/v1/namespaces/default/secrets').with(
body: hash_including(
kind: 'Secret',
metadata: {
name: 'gitlab-token',
namespace: 'default',
annotations: {
'kubernetes.io/service-account.name': 'gitlab'
}
},
type: 'kubernetes.io/service-account-token'
)
)
end
end
context 'abac enabled cluster' do
it_behaves_like 'creates service account and token'
end end
it 'creates a kubernetes cluster role binding' do context 'rbac enabled cluster' do
subject let(:rbac) { true }
before do
stub_kubeclient_create_cluster_role_binding(api_url)
end
it_behaves_like 'creates service account and token'
it 'creates a kubernetes cluster role binding' do
subject
expect(WebMock).to have_requested(:post, api_url + '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings').with( expect(WebMock).to have_requested(:post, api_url + '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings').with(
body: hash_including( body: hash_including(
metadata: { name: 'gitlab-admin' }, kind: 'ClusterRoleBinding',
roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', name: 'cluster-admin' }, metadata: { name: 'gitlab-admin' },
subjects: [{ kind: 'ServiceAccount', namespace: 'default', name: 'gitlab' }] roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: 'cluster-admin'
},
subjects: [{ kind: 'ServiceAccount', namespace: 'default', name: 'gitlab' }]
)
) )
) end
end end
end end
end end
......
require 'spec_helper' require 'fast_spec_helper'
describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
describe '#execute' do describe '#execute' do
subject { described_class.new(kubeclient, service_account_name).execute } subject { described_class.new(kubeclient).execute }
let(:service_account_name) { 'gitlab-sa' }
let(:api_url) { 'http://111.111.111.111' } let(:api_url) { 'http://111.111.111.111' }
let(:username) { 'admin' } let(:username) { 'admin' }
let(:password) { 'xxx' } let(:password) { 'xxx' }
...@@ -18,42 +17,39 @@ describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do ...@@ -18,42 +17,39 @@ describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
end end
context 'when params correct' do context 'when params correct' do
let(:token) { 'xxx.token.xxx' } let(:decoded_token) { 'xxx.token.xxx' }
let(:token) { Base64.encode64(decoded_token) }
let(:secrets_json) do
[ let(:secret_json) do
{ {
'metadata': { 'metadata': {
name: 'default-token-123' name: 'gitlab-token'
},
'data': {
'token': Base64.encode64('yyy.token.yyy')
}
}, },
{ 'data': {
'metadata': { 'token': token
name: metadata_name
},
'data': {
'token': Base64.encode64(token)
}
} }
] }
end end
before do before do
allow_any_instance_of(Kubeclient::Client) allow_any_instance_of(Kubeclient::Client)
.to receive(:get_secrets).and_return(secrets_json) .to receive(:get_secret).and_return(secret_json)
end end
context 'when token for service account exists' do context 'when gitlab-token exists' do
let(:metadata_name) { 'gitlab-sa-token-123' } let(:metadata_name) { 'gitlab-token' }
it { is_expected.to eq(token) } it { is_expected.to eq(decoded_token) }
end end
context 'when gitlab-token does not exist' do context 'when gitlab-token does not exist' do
let(:metadata_name) { 'another-token-123' } let(:secret_json) { {} }
it { is_expected.to be_nil }
end
context 'when token is nil' do
let(:token) { nil }
it { is_expected.to be_nil } it { is_expected.to be_nil }
end end
......
...@@ -33,13 +33,15 @@ module KubernetesHelpers ...@@ -33,13 +33,15 @@ module KubernetesHelpers
WebMock.stub_request(:get, deployments_url).to_return(response || kube_deployments_response) WebMock.stub_request(:get, deployments_url).to_return(response || kube_deployments_response)
end end
def stub_kubeclient_get_secrets(api_url, **options) def stub_kubeclient_get_secret(api_url, **options)
WebMock.stub_request(:get, api_url + '/api/v1/secrets') options[:metadata_name] ||= "default-token-1"
.to_return(kube_response(kube_v1_secrets_body(options)))
WebMock.stub_request(:get, api_url + "/api/v1/secrets/#{options[:metadata_name]}")
.to_return(kube_response(kube_v1_secret_body(options)))
end end
def stub_kubeclient_get_secrets_error(api_url) def stub_kubeclient_get_secret_error(api_url, name)
WebMock.stub_request(:get, api_url + '/api/v1/secrets') WebMock.stub_request(:get, api_url + "/api/v1/secrets/#{name}")
.to_return(status: [404, "Internal Server Error"]) .to_return(status: [404, "Internal Server Error"])
end end
...@@ -48,26 +50,32 @@ module KubernetesHelpers ...@@ -48,26 +50,32 @@ module KubernetesHelpers
.to_return(kube_response({})) .to_return(kube_response({}))
end end
def stub_kubeclient_create_service_account_error(api_url, namespace: 'default')
WebMock.stub_request(:post, api_url + "/api/v1/namespaces/#{namespace}/serviceaccounts")
.to_return(status: [500, "Internal Server Error"])
end
def stub_kubeclient_create_secret(api_url, namespace: 'default')
WebMock.stub_request(:post, api_url + "/api/v1/namespaces/#{namespace}/secrets")
.to_return(kube_response({}))
end
def stub_kubeclient_create_cluster_role_binding(api_url) def stub_kubeclient_create_cluster_role_binding(api_url)
WebMock.stub_request(:post, api_url + '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings') WebMock.stub_request(:post, api_url + '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings')
.to_return(kube_response({})) .to_return(kube_response({}))
end end
def kube_v1_secrets_body(**options) def kube_v1_secret_body(**options)
{ {
"kind" => "SecretList", "kind" => "SecretList",
"apiVersion": "v1", "apiVersion": "v1",
"items" => [ "metadata": {
{ "name": options[:metadata_name] || "default-token-1",
"metadata": { "namespace": "kube-system"
"name": options[:metadata_name] || "default-token-1", },
"namespace": "kube-system" "data": {
}, "token": options[:token] || Base64.encode64('token-sample-123')
"data": { }
"token": options[:token] || Base64.encode64('token-sample-123')
}
}
]
} }
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment