helm configure #7
@@ -1,14 +1,10 @@ | ||
package main | ||
|
||
import ( | ||
"fmt" | ||
) | ||
|
||
// InvalidServiceAccountInfo error is returned when the encoded service account is not encoded correctly. | ||
type InvalidServiceAccountInfo struct { | ||
EncodedServiceAccount string | ||
// MutualExclusiveFlagError is returned when there is a violation of a mutually exclusive flag set. | ||
type MutuallyExclusiveFlagError struct { | ||
Message string | ||
} | ||
|
||
func (err InvalidServiceAccountInfo) Error() string { | ||
return fmt.Sprintf("Invalid encoding for ServiceAccount string %s. Expected NAMESPACE/NAME.", err.EncodedServiceAccount) | ||
func (err MutuallyExclusiveFlagError) Error() string { | ||
return err.Message | ||
} |
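Review bot: The doc comment on the new type names it `MutualExclusiveFlagError` while the type is `MutuallyExclusiveFlagError`, so godoc will not attach the comment to the type; it should read `// MutuallyExclusiveFlagError is returned when there is a violation of a mutually exclusive flag set.` The receiver is named `err`, which collides with the conventional error variable name and reads oddly inside the method; a one-letter receiver such as `e` is the usual Go style. Deleting `InvalidServiceAccountInfo` here removes the only error that reported a malformed NAMESPACE/NAME service account string, so whichever layer now receives those raw strings should surface an equivalent error — that layer is not visible in this diff.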
@@ -106,6 +106,10 @@ var ( | |
Name: "rbac-group", | ||
Usage: "The name of the RBAC group that should be granted access to tiller. Pass in multiple times for multiple groups.", | ||
} | ||
grantedRbacUsersFlag = cli.StringSliceFlag{ | ||
Name: "rbac-user", | ||
Usage: "The name of the RBAC user that should be granted access to Tiller. Pass in multiple times for multiple users.", | ||
} | ||
grantedServiceAccountsFlag = cli.StringSliceFlag{ | ||
Name: "service-account", | ||
Usage: "The name and namespace of the ServiceAccount (encoded as NAMESPACE/NAME) that should be granted access to tiller. Pass in multiple times for multiple accounts.", | ||
|
@@ -131,6 +135,18 @@ var ( | |
Name: "set-kubectl-namespace", | ||
Usage: "Set the kubectl context default namespace to match the namespace that Tiller deploys resources into.", | ||
} | ||
configuringRBACUserFlag = cli.StringFlag{ | ||
Name: "rbac-user", | ||
Usage: "Name of RBAC user that configuration is for. Only one of --rbac-user, --rbac-group, or --service-account can be specified.", | ||
} | ||
configuringRBACGroupFlag = cli.StringFlag{ | ||
Name: "rbac-group", | ||
Usage: "Name of RBAC group that configuration is for. Only one of --rbac-user, --rbac-group, or --service-account can be specified.", | ||
} | ||
configuringServiceAccountFlag = cli.StringFlag{ | ||
Name: "service-account", | ||
Usage: "Name of the Service Account that configuration is for. Only one of --rbac-user, --rbac-group, or --service-account can be specified.", | ||
} | ||
) | ||
|
||
// SetupHelmCommand creates the cli.Command entry for the helm subcommand of kubergrunt | ||
|
@@ -191,10 +207,15 @@ Note: By default, this will not undeploy the Helm server if there are any deploy | |
- Download the client TLS certificate key pair that you have access to. | ||
- Install the TLS certificate key pair in the helm home directory. The helm home directory can be modified with the --helm-home option. | ||
- Install an environment file compatible with your platform that can be sourced to setup variables to configure default parameters for the helm client to access the Tiller install. | ||
- Optionally set the kubectl context default namespace to be the one that Tiller manages.`, | ||
- Optionally set the kubectl context default namespace to be the one that Tiller manages. | ||
|
||
You must pass in an identifier for your account. This is either the name of the RBAC user (--rbac-user), RBAC group (--rbac-group), or ServiceAccount (--service-account) that you are authenticating as.`, | ||
Action: configureHelmClient, | ||
Flags: []cli.Flag{ | ||
helmHomeFlag, | ||
configuringRBACUserFlag, | ||
configuringRBACGroupFlag, | ||
configuringServiceAccountFlag, | ||
tillerNamespaceFlag, | ||
resourceNamespaceFlag, | ||
setKubectlNamespaceFlag, | ||
|
@@ -210,6 +231,7 @@ Note: By default, this will not undeploy the Helm server if there are any deploy | |
Flags: []cli.Flag{ | ||
tillerNamespaceFlag, | ||
grantedRbacGroupsFlag, | ||
grantedRbacUsersFlag, | ||
grantedServiceAccountsFlag, | ||
tlsCommonNameFlag, | ||
tlsOrgFlag, | ||
|
@@ -330,18 +352,37 @@ func configureHelmClient(cliContext *cli.Context) error { | |
if err != nil { | ||
return err | ||
} | ||
resourceNamespace, err := entrypoint.StringFlagRequiredE(cliContext, resourceNamespaceFlag.Name) | ||
kubectlOptions, err := parseKubectlOptions(cliContext) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
// Get mutexed info (entity name) | ||
configuringRBACUser := cliContext.String(configuringRBACUserFlag) | ||
configuringRBACGroup := cliContext.String(configuringRBACGroupFlag) | ||
configuringServiceAccount := cliContext.String(configuringServiceAccountFlag) | ||
setEntities := 0 | ||
var entityName string | ||
if configuringRBACUser != "" { | ||
setEntities += 1 | ||
entityName = configuringRBACUser | ||
} | ||
if configuringRBACGroup != "" { | ||
setEntities += 1 | ||
entityName = configuringRBACGroup | ||
} | ||
if configuringServiceAccount != "" { | ||
setEntities += 1 | ||
entityName = configuringServiceAccount | ||
} | ||
if setEntities != 1 { | ||
return MutuallyExclusiveFlagError("Exactly one of --rbac-user, --rbac-group, or --service-account must be set") | ||
} | ||
|
||
// Get optional info | ||
setKubectlNamespace := cliContext.Bool(setKubectlNamespaceFlag.Name) | ||
resourceNamespace := cliContext.String(resourceNamespaceFlag.Name) | ||
if resourceNamespace == "" { | ||
logger.Warnf("Did not get a specific resource namespace. Defaulting to the provided Tiller namespace.") | ||
resourceNamespace = tillerNamespace | ||
} | ||
|
||
return helm.ConfigureClient(kubectlOptions, helmHome, tillerNamespace, resourceNamespace, setKubectlNamespace) | ||
} | ||
|
@@ -361,15 +402,12 @@ func grantHelmAccess(cliContext *cli.Context) error { | |
return err | ||
} | ||
rbacGroups := cliContext.StringSlice(grantedRbacGroupsFlag.Name) | ||
rbacUsers := cliContext.StringSlice(grantedRbacUsersFlag.Name) | ||
serviceAccounts := cliContext.StringSlice(grantedServiceAccountsFlag.Name) | ||
if len(rbacGroups) == 0 && len(serviceAccounts) == 0 { | ||
if len(rbacGroups) == 0 && len(rbacUsers) && len(serviceAccounts) == 0 { | ||
return entrypoint.NewRequiredArgsError("At least one --rbac-group or --service-account is required") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. But not There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks forgot that when I added in rbac user support There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. fixed |
||
} | ||
serviceAccountInfo, err := serviceAccountsToServiceAccountInfo(serviceAccounts) | ||
if err != nil { | ||
return err | ||
} | ||
return helm.GrantAccess(kubectlOptions, tlsOptions, tillerNamespace, rbacGroups, serviceAccountInfo) | ||
return helm.GrantAccess(kubectlOptions, tlsOptions, tillerNamespace, rbacGroups, rbacUsers, serviceAccounts) | ||
} | ||
|
||
// revokeHelmAccess is the action function for the helm revoke command. | ||
|
@@ -442,20 +480,3 @@ func tlsDistinguishedNameFlagsAsPkixName(cliContext *cli.Context) (pkix.Name, er | |
} | ||
return distinguishedName, nil | ||
} | ||
|
||
// serviceAccountsToServiceAccountInfo takes string encoded service account information and converts them to the | ||
// ServiceAccountInfo struct. | ||
func serviceAccountsToServiceAccountInfo(serviceAccounts []string) ([]helm.ServiceAccountInfo, error) { | ||
serviceAccountInfo := []helm.ServiceAccountInfo{} | ||
for _, serviceAccount := range serviceAccounts { | ||
splitServiceAccount := strings.Split(serviceAccount, "/") | ||
if len(splitServiceAccount) != 2 { | ||
return nil, InvalidServiceAccountInfo{serviceAccount} | ||
} | ||
serviceAccountInfo = append(serviceAccountInfo, helm.ServiceAccountInfo{ | ||
Namespace: splitServiceAccount[0], | ||
Name: splitServiceAccount[1], | ||
}) | ||
} | ||
return serviceAccountInfo, nil | ||
} |
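Review bot: In configureHelmClient the three new lookups pass the flag struct rather than its name — `cliContext.String(configuringRBACUserFlag)` where the rest of the function uses `setKubectlNamespaceFlag.Name` — and `MutuallyExclusiveFlagError("Exactly one ...")` converts a string to a struct type; neither compiles as written, so the lines should be `configuringRBACUser := cliContext.String(configuringRBACUserFlag.Name)` (likewise for the group and service-account flags) and `return MutuallyExclusiveFlagError{Message: "Exactly one of --rbac-user, --rbac-group, or --service-account must be set"}`. The selected `entityName` is then never used: the `helm.ConfigureClient` call at the end of that hunk still takes only `kubectlOptions, helmHome, tillerNamespace, resourceNamespace, setKubectlNamespace`, so the identity the user says they authenticate as has no effect on what is configured, which presumably is the purpose of the exclusivity check — either pass it through or add a comment stating why it is only validated here. In grantHelmAccess, `serviceAccounts` are now forwarded to `helm.GrantAccess` as raw strings after the NAMESPACE/NAME parsing in serviceAccountsToServiceAccountInfo is deleted, while the `--service-account` usage text still promises that encoding; I cannot see whether GrantAccess validates the format, so a comment at the call site naming where malformed values are rejected would help the next reader.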
Why not `rbac-service-account` for consistency? It's a little awkward to type, but namespacing all 3 under `rbac` makes the grouping more clear.
Well, `ServiceAccounts` are technically not a part of the RBAC system. They are grouped under the core API. But I think that is a minor detail and I agree with you about the namespace grouping, so will do that.
adjusted to
--rbac-service-account