add the ability to turn off RBAC in helm and customize gcp test-cluster

also update build documentation and move variable next to target

build/Makefile

@@ -41,7 +41,8 @@ REGISTRY ?= $(release_registry)
 # Where the kubectl configuration files are being stored
 KUBEPATH ?= ~/.kube
 # The (gcloud) test cluster that is being worked against
-CLUSTER_NAME ?= test-cluster
+GCP_CLUSTER_NAME ?= test-cluster
+GCP_CLUSTER_ZONE ?= us-west1-c
 # the profile to use when developing on minikube
 MINIKUBE_PROFILE ?= agones
 
@@ -280,24 +281,28 @@ gcloud-init: ensure-build-config
 	docker run --rm -it $(common_mounts) $(build_tag) gcloud init
 
 # Creates and authenticates a small, 3 node GKE cluster to work against
+gcloud-test-cluster: GCP_CLUSTER_LEGACYABAC ?= false
+gcloud-test-cluster: GCP_CLUSTER_NODEPOOL_INITIALNODECOUNT ?= 4
+gcloud-test-cluster: GCP_CLUSTER_NODEPOOL_MACHINETYPE ?= n1-standard-4
 gcloud-test-cluster: ensure-build-image
 	docker run --rm -it $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) gcloud \
-		deployment-manager deployments create test-cluster --config=$(mount_path)/build/gke-test-cluster/deployment.yml
+		deployment-manager deployments create $(GCP_CLUSTER_NAME)  \
+		--properties cluster.zone:$(GCP_CLUSTER_ZONE),cluster.name:$(GCP_CLUSTER_NAME),cluster.nodePool.initialNodeCount:$(GCP_CLUSTER_NODEPOOL_INITIALNODECOUNT),cluster.nodePool.machineType:$(GCP_CLUSTER_NODEPOOL_MACHINETYPE),cluster.legacyAbac:$(GCP_CLUSTER_LEGACYABAC)\
+		--template=$(mount_path)/build/gke-test-cluster/cluster.yml.jinja
 	$(MAKE) gcloud-auth-cluster
 	docker run --rm -it $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) kubectl apply -f $(mount_path)/build/helm.yaml
 	docker run --rm $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) helm init --service-account helm
 
 clean-gcloud-test-cluster: ensure-build-image
 	docker run --rm -it $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) gcloud \
-		deployment-manager deployments delete test-cluster
+		deployment-manager deployments delete $(GCP_CLUSTER_NAME)
 
-# Pulls down authentication information for kubectl against a cluster, name can be specified through CLUSTER_NAME
+# Pulls down authentication information for kubectl against a cluster, name can be specified through GCP_CLUSTER_NAME
 # (defaults to 'test-cluster')
 gcloud-auth-cluster: ensure-build-image
-	docker run --rm $(common_mounts) $(build_tag) gcloud config set container/cluster $(CLUSTER_NAME)
-	docker run --rm $(common_mounts) $(build_tag) gcloud config set compute/zone \
-		`grep zone: $(build_path)/gke-test-cluster/deployment.yml | sed 's/zone: //'`
-	docker run --rm $(common_mounts) $(build_tag) gcloud container clusters get-credentials $(CLUSTER_NAME)
+	docker run --rm $(common_mounts) $(build_tag) gcloud config set container/cluster $(GCP_CLUSTER_NAME)
+	docker run --rm $(common_mounts) $(build_tag) gcloud config set compute/zone $(GCP_CLUSTER_ZONE)
+	docker run --rm $(common_mounts) $(build_tag) gcloud container clusters get-credentials $(GCP_CLUSTER_NAME)
 	-docker run --rm $(common_mounts) $(build_tag) bash -c 'kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $$(gcloud config get-value account)'
 
 # authenticate our docker configuration so that you can do a docker push directly

build/README.md

@@ -133,13 +133,26 @@ we will need to authenticate out gcloud tooling against it. To do that run `make
 prompts as directed.
 
 Once authenticated, to create the test cluster, run `make gcloud-test-cluster`, which will use the deployment template
-found in the `gke-test-cluster` directory. If you would like to change the region and zone the cluster is in, feel free
-to edit the `deployment.yaml` file before running this command.  This will take several minutes to complete, but once
-done you can go to the Google Cloud Platform console and see that a cluster is up and running! If you want to change the
-name of the test cluster you can set the `CLUSTER_NAME` environemnt varlable to value you would like.
+found in the `gke-test-cluster` directory.
+
+You can customize GKE cluster via environment variables or by using a [`local-includes`](./local-includes) file.
+See the table below for available customizations :
+
+| Parameter                             | Description                                                                   | Default       |
+|---------------------------------------|-------------------------------------------------------------------------------|---------------|
+| `GCP_CLUSTER_NAME`                    | The name of the cluster                                                       | `test-cluster`  |
+| `GCP_CLUSTER_ZONE`                    | The name of the Google Compute Engine zone in which the cluster will resides. |  `us-west1-c`   |
+| `GCP_CLUSTER_LEGACYABAC`              | Enables or disables the [ABAC](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters#LegacyAbac) authorization mechanism on a cluster.            | `false`         |
+| `GCP_CLUSTER_NODEPOOL_INITIALNODECOUNT`| The number of nodes to create in this cluster.                                |  `3`            |
+| `GCP_CLUSTER_NODEPOOL_MACHINETYPE`    | The name of a Google Compute Engine machine type.                             | `n1-standard-4` |
+
+If you would like to change more settings, feel free to edit the [`cluster.yml.jinja`](./gke-test-cluster/cluster.yml.jinja) file before running this command.  
+
+This will take several minutes to complete, but once done you can go to the Google Cloud Platform console and see that 
+a cluster is up and running!
 
 To grab the kubectl authentication details for this cluster, run `make gcloud-auth-cluster`, which will generate the
-required Kubernetes security credintials for `kubectl`. This will be stored in `~/.kube` by default, but can also be
+required Kubernetes security credentials for `kubectl`. This will be stored in `~/.kube` by default, but can also be
 overwritten by setting the `KUBEPATH` environment variable before running the command.
 
 Great! Now we are setup, let's try out the development shell, and see if our `kubectl` is working!

build/gke-test-cluster/cluster.yml.jinja

@@ -17,16 +17,16 @@ resources:
 - name: test-cluster
   type: container.v1.cluster
   properties:
-    zone: {{ properties["zone"] }}
+    zone: {{ properties["cluster.zone"] }}
     cluster:
-      name: test-cluster
+      name: {{ properties["cluster.name"] }}
       description: Test cluster for Agones
       initialClusterVersion: 1.9.6-gke.1 # be specific until 1.9.x becomes default
       nodePools:
         - name: "default"
-          initialNodeCount: 3
+          initialNodeCount: {{ properties["cluster.nodePool.initialNodeCount"] }}
           config:
-            machineType: n1-standard-4
+            machineType: {{ properties["cluster.nodePool.machineType"] }}
             tags:
               - game-server
             oauthScopes:
@@ -37,7 +37,7 @@ resources:
         username: admin
         password: supersecretpassword
       legacyAbac:
-        enabled: false
+        enabled: {{ properties["cluster.legacyAbac"] }}
 - name: game-server-firewall
   type: compute.beta.firewall
   properties:

install/helm/README.md

@@ -47,6 +47,14 @@ $ kubectl create namespace ps4
 $ helm upgrade --set "gameservers.namespaces={default,xbox,ps4}" my-release agones
 ```
 
+## RBAC
+
+By default, `agones.rbacEnabled` is set to true. This enable RBAC support in Agones and must be true if RBAC is enabled in your cluster.
+
+The chart will take care of creating the required service accounts and roles for Agones.
+
+If you have RBAC disabled, or to put it another way, ABAC enabled, you should set this value to `false`.
+
 ## Uninstalling the Chart
 
 To uninstall/delete the `my-release` deployment:
@@ -63,6 +71,7 @@ The following tables lists the configurable parameters of the Agones chart and t
 
 | Parameter                            | Description                                                     | Default                    |
 | ------------------------------------ | ----------------------------------------------------------------| ---------------------------|
+| `agones.rbacEnabled`                          | Creates RBAC resources. Must be set for any cluster configured with RBAC                                     | `true`            |
 | `agones.namespace`                          | Namespace to use to deploy Agones                                     | `agones-system`            |
 | `agones.serviceaccount.controller`          | Service account name for the controller                         | `agones-controller`        |
 | `agones.serviceaccount.sdk`                 | Service account name for the sdk                                | `agones-sdk`               |

install/helm/agones/templates/serviceaccounts/controller.yaml

@@ -23,6 +23,7 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 ---
+{{- if .Values.agones.rbacEnabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -71,3 +72,4 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: {{ .Values.agones.serviceaccount.controller }}
+{{- end }}

install/helm/agones/templates/serviceaccounts/sdk.yaml

@@ -24,6 +24,7 @@ metadata:
     heritage: {{ $.Release.Service }}
 ---
 {{- end }}
+{{- if .Values.agones.rbacEnabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -39,7 +40,7 @@ rules:
   resources: ["gameservers"]
   verbs: ["get", "update"]
 ---
-{{- range .Values.gameservers.namespaces }}
+  {{- range .Values.gameservers.namespaces }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -59,4 +60,5 @@ roleRef:
   kind: ClusterRole
   name: {{ $.Values.agones.serviceaccount.sdk }}
 ---
+  {{- end }}
 {{- end }}

install/helm/agones/values.yaml

@@ -16,6 +16,7 @@
 
 agones:
   namespace: agones-system
+  rbacEnabled: true
   serviceaccount:
     controller: agones-controller
     sdk: agones-sdk