Install serviceaccounts for tiller in e2e tests

Scripts license headers
8 years ago · f310cd3970
parent 7d694f16d1
commit f310cd3970
5 changed files with 100 additions and 19 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -20,6 +20,9 @@ jobs:
      - run:
          name: Install socat
          command: apt-get update && apt-get install -y socat
+      - run:
+          name: update PATH
+          command: echo 'export PATH=~/.kubeadm-dind-cluster:$PATH' >> $BASH_ENV
      - checkout
      - run:
          name: install dependencies
--- a/e2e/e2e_test.go
+++ b/e2e/e2e_test.go
@ -47,6 +47,7 @@ var _ = Describe("Basic Suite", func() {
 			HelmBin:           helmBinPath,
 			TillerHost:        tillerHost,
 			UseCanary:         true,
+			UseServiceAccount: true,
 		}
 		if !localTiller {
 			Expect(helm.InstallTiller()).NotTo(HaveOccurred())
--- a/e2e/helm_client.go
+++ b/e2e/helm_client.go
@ -16,29 +16,23 @@ limitations under the License.
 package e2e

 import (
+	"bytes"
 	"fmt"
+	"io/ioutil"
 	"os/exec"
 	"regexp"
 	"strconv"
-
+	"strings"
 	"time"

 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/pkg/api/v1"

-	"strings"
-
-	"bytes"
-
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )

-const (
-	tillerImage string = "tiller"
-)
-
 // HelmManager provides functionality to install client/server helm and use it
 type HelmManager interface {
 	// InstallTiller will bootstrap tiller pod in k8s
@ -64,6 +58,7 @@ type BinaryHelmManager struct {
 	HelmBin           string
 	TillerHost        string
 	UseCanary         bool
+	UseServiceAccount bool
 }

 func (m *BinaryHelmManager) InstallTiller() error {
@ -73,6 +68,12 @@ func (m *BinaryHelmManager) InstallTiller() error {
 	if m.UseCanary {
 		arg = append(arg, "--canary-image")
 	}
+	if m.UseServiceAccount {
+		arg = append(arg, "--service-account", "tiller")
+		if err = m.InstallServiceAccounts(); err != nil {
+			return err
+		}
+	}
 	_, err = m.executeUsingHelm(arg...)
 	if err != nil {
 		return err
@ -183,6 +184,22 @@ func (m *BinaryHelmManager) executeCommandWithValues(releaseName, command string
 	return m.executeUsingHelmInNamespace(arg...)
 }

+func (m *BinaryHelmManager) InstallServiceAccounts() error {
+	objects := strings.Replace(serviceAccountTemplate, "TILLER_NAMESPACE", m.Namespace, -1)
+
+	f, err := ioutil.TempFile("", m.Namespace)
+	if err != nil {
+		Logf("Failed creating tempfile: %s", err)
+		return err
+	}
+
+	f.WriteString(objects)
+	f.Sync()
+
+	_, err = m.executeUsingBinary("kubectl", "create", "-f", f.Name())
+	return err
+}
+
 func regexpKeyFromStructuredOutput(key, output string) string {
 	r := regexp.MustCompile(fmt.Sprintf("%v:[[:space:]]*(.*)", key))
 	// key will be captured in group with index 1
@ -236,3 +253,34 @@ func prepareArgsFromValues(values map[string]string) string {
 	}
 	return b.String()
 }
+
+var serviceAccountTemplate = `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tiller
+  namespace: TILLER_NAMESPACE
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: tiller-manager
+  namespace: TILLER_NAMESPACE
+rules:
+- apiGroups: ["", "extensions", "apps", "*"]
+  resources: ["*"]
+  verbs: ["*"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: tiller-binding
+  namespace: TILLER_NAMESPACE
+subjects:
+- kind: ServiceAccount
+  name: tiller
+  namespace: TILLER_NAMESPACE
+roleRef:
+  kind: Role
+  name: tiller-manager
+  apiGroup: rbac.authorization.k8s.io`
--- a/scripts/import-docker-image.sh
+++ b/scripts/import-docker-image.sh
@ -1,5 +1,19 @@
 #!/bin/bash

+# Copyright 2017 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 set -o errexit
 set -o nounset
 set -o pipefail
--- a/scripts/portforward.sh
+++ b/scripts/portforward.sh
@ -1,4 +1,19 @@
 #!/bin/bash
+
+# Copyright 2017 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Portforward hack for CircleCI remote docker
 set -o errexit
 set -o nounset