From f310cd39705f4ae3dcfbae9725266eac555401cc Mon Sep 17 00:00:00 2001 From: Maciej Kwiek Date: Wed, 23 Aug 2017 12:27:52 +0200 Subject: [PATCH] Install serviceaccounts for tiller in e2e tests Scripts license headers --- .circleci/config.yml | 3 ++ e2e/e2e_test.go | 11 ++--- e2e/helm_client.go | 76 +++++++++++++++++++++++++++------- scripts/import-docker-image.sh | 14 +++++++ scripts/portforward.sh | 15 +++++++ 5 files changed, 100 insertions(+), 19 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 49968308e..9f8ea0c26 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -20,6 +20,9 @@ jobs: - run: name: Install socat command: apt-get update && apt-get install -y socat + - run: + name: update PATH + command: echo 'export PATH=~/.kubeadm-dind-cluster:$PATH' >> $BASH_ENV - checkout - run: name: install dependencies diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go index 8bbd0b219..38f3a97f5 100644 --- a/e2e/e2e_test.go +++ b/e2e/e2e_test.go @@ -42,11 +42,12 @@ var _ = Describe("Basic Suite", func() { namespace, err = clientset.Core().Namespaces().Create(namespaceObj) Expect(err).NotTo(HaveOccurred()) helm = &BinaryHelmManager{ - Namespace: namespace.Name, - Clientset: clientset, - HelmBin: helmBinPath, - TillerHost: tillerHost, - UseCanary: true, + Namespace: namespace.Name, + Clientset: clientset, + HelmBin: helmBinPath, + TillerHost: tillerHost, + UseCanary: true, + UseServiceAccount: true, } if !localTiller { Expect(helm.InstallTiller()).NotTo(HaveOccurred()) diff --git a/e2e/helm_client.go b/e2e/helm_client.go index d86087cc0..8728515fc 100644 --- a/e2e/helm_client.go +++ b/e2e/helm_client.go 
@@ -16,29 +16,23 @@ limitations under the License. package e2e import ( + "bytes" "fmt" + "io/ioutil" "os/exec" "regexp" "strconv" - + "strings" "time" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/pkg/api/v1" - "strings" - - "bytes" - . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) -const ( - tillerImage string = "tiller" -) - // HelmManager provides functionality to install client/server helm and use it type HelmManager interface { // InstallTiller will bootstrap tiller pod in k8s @@ -59,11 +53,12 @@ type HelmManager interface { // BinaryHelmManager uses helm binary to work with helm server type BinaryHelmManager struct { - Clientset kubernetes.Interface - Namespace string - HelmBin string - TillerHost string - UseCanary bool + Clientset kubernetes.Interface + Namespace string + HelmBin string + TillerHost string + UseCanary bool + UseServiceAccount bool } func (m *BinaryHelmManager) InstallTiller() error { @@ -73,6 +68,12 @@ func (m *BinaryHelmManager) InstallTiller() error { if m.UseCanary { arg = append(arg, "--canary-image") } + if m.UseServiceAccount { + arg = append(arg, "--service-account", "tiller") + if err = m.InstallServiceAccounts(); err != nil { + return err + } + } _, err = m.executeUsingHelm(arg...) if err != nil { return err 
@@ -183,6 +184,22 @@ func (m *BinaryHelmManager) executeCommandWithValues(releaseName, command string return m.executeUsingHelmInNamespace(arg...) } +func (m *BinaryHelmManager) InstallServiceAccounts() error { + objects := strings.Replace(serviceAccountTemplate, "TILLER_NAMESPACE", m.Namespace, -1) + + f, err := ioutil.TempFile("", m.Namespace) + if err != nil { + Logf("Failed creating tempfile: %s", err) + return err + } + + f.WriteString(objects) + f.Sync() + + _, err = m.executeUsingBinary("kubectl", "create", "-f", f.Name()) + return err +} + func regexpKeyFromStructuredOutput(key, output string) string { r := regexp.MustCompile(fmt.Sprintf("%v:[[:space:]]*(.*)", key)) // key will be captured in group with index 1 @@ -236,3 +253,34 @@ func prepareArgsFromValues(values map[string]string) string { } return b.String() } + +var serviceAccountTemplate = ` +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tiller + namespace: TILLER_NAMESPACE +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: tiller-manager + namespace: TILLER_NAMESPACE +rules: +- apiGroups: ["", "extensions", "apps", "*"] + resources: ["*"] + verbs: ["*"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: tiller-binding + namespace: TILLER_NAMESPACE +subjects: +- kind: ServiceAccount + name: tiller + namespace: TILLER_NAMESPACE +roleRef: + kind: Role + name: tiller-manager + apiGroup: rbac.authorization.k8s.io` diff --git a/scripts/import-docker-image.sh b/scripts/import-docker-image.sh index 701da6d1e..cbc3ddd2f 100755 --- a/scripts/import-docker-image.sh +++ b/scripts/import-docker-image.sh 
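Review bot: InstallServiceAccounts discards the results of `f.WriteString(objects)` and `f.Sync()` and never closes or removes the temp file, so a failed or short write would hand kubectl a truncated RBAC manifest, and every run leaves the manifest and an open descriptor behind. Check the write, close the file before invoking kubectl, and remove it on return with `defer os.Remove(f.Name())`. The import block shown in this file's first hunk lists `os/exec` but not `os`, so that import would need adding. Since `m.Clientset` is already on the struct, creating the three objects through the API may be worth considering, as it avoids both the temp file and a `kubectl` resolved from PATH.

```go
func (m *BinaryHelmManager) InstallServiceAccounts() error {
	// … unchanged: template substitution, ioutil.TempFile call and its error check …
	// Remove the rendered manifest once kubectl has consumed it.
	defer os.Remove(f.Name())

	if _, err = f.WriteString(objects); err != nil {
		f.Close()
		return err
	}
	// Close flushes the descriptor; kubectl reopens the file by name.
	if err = f.Close(); err != nil {
		return err
	}

	_, err = m.executeUsingBinary("kubectl", "create", "-f", f.Name())
	return err
}
```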
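Review bot: The `tiller-manager` Role in serviceAccountTemplate grants `verbs: ["*"]` on `resources: ["*"]` across all API groups, which inside TILLER_NAMESPACE covers secrets and the Role/RoleBinding objects themselves; that is reasonable for a disposable e2e namespace, but nothing in the file says so. I would add a comment above the variable such as `// serviceAccountTemplate gives tiller full control of TILLER_NAMESPACE only; meant for throwaway e2e namespaces, not as a production RBAC example.` The apiGroups list is also redundant, because `"*"` already covers `""`, `"extensions"` and `"apps"`, so `apiGroups: ["*"]` states the same grant more plainly. The value is not reassigned in the visible hunks, so `const` would fit better than `var`.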
@@ -1,5 +1,19 @@ #!/bin/bash +# Copyright 2017 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + set -o errexit set -o nounset set -o pipefail diff --git a/scripts/portforward.sh b/scripts/portforward.sh index 3b8d97f4f..283602065 100755 --- a/scripts/portforward.sh +++ b/scripts/portforward.sh @@ -1,4 +1,19 @@ #!/bin/bash + +# Copyright 2017 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + # Portforward hack for CircleCI remote docker set -o errexit set -o nounset