Adding rbac definition for v1 api endpoint.

[n3wscott]

For rbac v1 issue, I duplicated the v1beta1 definition of rbac endpoints.

I am not sure this is how the bug wanted this solved. Please let me know if this is off base. The other option is to wrap each definition with something like:

{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
- apiVersion: rbac.authorization.k8s.io/v1beta1
{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
- apiVersion: rbac.authorization.k8s.io/v1
{{- end }}

But usage of this does tends to wrap the file with {{- if .Values.rbac.enabled }} see traekif for an example.

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[MHBauer]

Seems cool to me. I'll try and remember to test it in the morning.

[MHBauer]

variable for this one?

[n3wscott]

Thanks!

[MHBauer]

Not sure if rbac isn't on on jenkins or the variable assignment trick isn't working.

Error: parse error in "catalog/templates/rbac.yaml": template: catalog/templates/rbac.yaml:1: undefined variable "$apiVersion"

[kibbles-n-bytes]

@MHBauer It looks unrelated to RBAC on Jenkins. Jenkins is able to successfully create RBAC roles, it just won't enforce them 100% at the moment. This error is from Helm, so something must be off with the variable assignment.

[MHBauer]

I did not get any rbac objects created on a 1.8 cluster.

# helm install ../../charts/catalog     --name ${HELM_RELEASE_NAME} --namespace ${SVCCAT_NAMESPACE}     --set apiserver.auth.enabled=true         --set useAggregator=true         --set apiserver.tls.ca=$(base64 --wrap 0 ${SC_SERVING_CA})         --set apiserver.tls.cert=$(base64 --wrap 0 ${SC_SERVING_CERT})         --set apiserver.tls.key=$(base64 --wrap 0 ${SC_SERVING_KEY})
NAME:   catalog
LAST DEPLOYED: Mon Oct  2 12:57:32 2017
NAMESPACE: catalog
STATUS: DEPLOYED

RESOURCES:
==> v1beta1/APIService
NAME                            KIND
v1alpha1.servicecatalog.k8s.io  APIService.v1beta1.apiregistration.k8s.io

==> v1/ServiceAccount
NAME                                SECRETS  AGE
service-catalog-apiserver           1        0s
service-catalog-controller-manager  1        0s

==> v1/Secret
NAME                            TYPE    DATA  AGE
catalog-catalog-apiserver-cert  Opaque  2     0s

==> v1/Service
NAME                       CLUSTER-IP     EXTERNAL-IP  PORT(S)        AGE
catalog-catalog-apiserver  10.98.188.189  <nodes>      443:30443/TCP  0s

==> v1beta1/Deployment
NAME                                DESIRED  CURRENT  UP-TO-DATE  AVAILABLE  AGE
catalog-catalog-apiserver           1        1        1           0          0s
catalog-catalog-controller-manager  1        1        1           0          0s

# k api-versions
...
rbac.authorization.k8s.io/v1
rbac.authorization.k8s.io/v1beta1
...

Do not know how to debug this.

[MHBauer]

I do not see the output I expect in Jenkins either.

Example with the chart as it currently exists:

# helm install ../../charts/catalog     --name ${HELM_RELEASE_NAME} --namespace ${SVCCAT_NAMESPACE}     --set apiserver.auth.enabled=true         --set useAggregator=true         --set apiserver.tls.ca=$(base64 --wrap 0 ${SC_SERVING_CA})         --set apiserver.tls.cert=$(base64 --wrap 0 ${SC_SERVING_CERT})         --set apiserver.tls.key=$(base64 --wrap 0 ${SC_SERVING_KEY})
NAME:   catalog
LAST DEPLOYED: Mon Oct  2 13:04:29 2017
NAMESPACE: catalog
STATUS: DEPLOYED

RESOURCES:
==> v1beta1/RoleBinding
NAME                                                   AGE
servicecatalog.k8s.io:apiserver-authentication-reader  0s
service-catalog-controller-manager                     0s

==> v1beta1/Deployment
NAME                                DESIRED  CURRENT  UP-TO-DATE  AVAILABLE  AGE
catalog-catalog-apiserver           1        0        0           0          0s
catalog-catalog-controller-manager  1        0        0           0          0s

==> v1beta1/ClusterRole
NAME                                      AGE
servicecatalog.k8s.io:apiserver           0s
servicecatalog.k8s.io:controller-manager  0s

==> v1beta1/APIService
NAME                            KIND
v1alpha1.servicecatalog.k8s.io  APIService.v1beta1.apiregistration.k8s.io

==> v1beta1/ClusterRoleBinding
NAME                                            AGE
servicecatalog.k8s.io:apiserver                 0s
servicecatalog.k8s.io:apiserver-auth-delegator  0s
servicecatalog.k8s.io:controller-manager        0s

==> v1beta1/Role
NAME                                                     AGE
servicecatalog.k8s.io:leader-locking-controller-manager  0s

==> v1/ServiceAccount
NAME                                SECRETS  AGE
service-catalog-apiserver           1        0s
service-catalog-controller-manager  1        0s

==> v1/Secret
NAME                            TYPE    DATA  AGE
catalog-catalog-apiserver-cert  Opaque  2     0s

==> v1/Service
NAME                       CLUSTER-IP      EXTERNAL-IP  PORT(S)        AGE
catalog-catalog-apiserver  10.110.113.151  <nodes>      443:30443/TCP  0s

[MHBauer]

I do not know what needs to change, but this does not work as it is.

[n3wscott]

I wonder if .Has is matching "rbac.authorization.k8s.io/v1" when APIVersions is "rbac.authorization.k8s.io/v1beta1" from .Capabilities.APIVersions.Has

This is why semver is awesome... Let me look into that direction.

[pmorie]

I wonder if .Has is matching "rbac.authorization.k8s.io/v1" when APIVersions is "rbac.authorization.k8s.io/v1beta1" from .Capabilities.APIVersions.Has

This is why semver is awesome... Let me look into that direction.

If that's the case, it's definitely a helm bug.

[n3wscott]

I am following the steps here: https://github.com/kubernetes-incubator/service-catalog/blob/master/docs/install-1.7.md

But get stuck at this step:

⦿ source ../../contrib/svc-cat-apiserver-aggregation-tls-setup.sh
Killed: 9
Killed: 9

[n3wscott]

This should work now. The do not merge tag can be removed. Thanks!