Shopify · KnVerey · Oct 29, 2018 · Oct 18, 2018 · Oct 27, 2018 · dturn
diff --git a/lib/kubernetes-deploy/deploy_task.rb b/lib/kubernetes-deploy/deploy_task.rb
@@ -52,6 +52,7 @@ class DeployTask
       ConfigMap
       PersistentVolumeClaim
       ServiceAccount
+      RoleBinding
       Pod
     )
 

diff --git a/lib/kubernetes-deploy/kubeclient_builder.rb b/lib/kubernetes-deploy/kubeclient_builder.rb
@@ -76,6 +76,14 @@ def build_autoscaling_v1_kubeclient(context)
       )
     end
 
+    def build_rbac_v1beta1_kubeclient(context)
+      _build_kubeclient(
+        api_version: "v1",
+        context: context,
+        endpoint_path: "/apis/rbac.authorization.k8s.io"
+      )
+    end
+
     def _build_kubeclient(api_version:, context:, endpoint_path: nil)
       # Find a context defined in kube conf files that matches the input context by name
       friendly_configs = config_files.map { |f| GoogleFriendlyConfig.read(f) }

diff --git a/lib/kubernetes-deploy/kubernetes_resource/role_binding.rb b/lib/kubernetes-deploy/kubernetes_resource/role_binding.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module KubernetesDeploy
+  class RoleBinding < KubernetesResource
+    TIMEOUT = 30.seconds
+
+    def status
+      exists? ? "Created" : "Unknown"
+    end
+
+    def deploy_succeeded?
+      exists?
+    end
+
+    def deploy_failed?
+      false
+    end
+
+    def timeout_message
+      UNUSUAL_FAILURE_MESSAGE
+    end
+  end
+end
diff --git a/test/fixtures/hello-cloud/role-binding.yml b/test/fixtures/hello-cloud/role-binding.yml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: build-robot
diff --git a/test/helpers/fixture_set.rb b/test/helpers/fixture_set.rb
@@ -144,6 +144,12 @@ def assert_service_account_present(name)
       assert desired.present?, "Service account #{name} does not exist"
     end
 
+    def assert_role_binding_present(name)
+      role_bindings = rbac_v1beta1_kubeclient.get_role_bindings(namespace: namespace)
+      desired = role_bindings.find { |sa| sa.metadata.name == name }
+      assert desired.present?, "Role binding #{name} does not exist"
+    end
+
     def assert_annotated(obj, annotation)
       annotations = obj.metadata.annotations.to_h.stringify_keys
       assert annotations.key?(annotation), "Expected secret to have annotation #{annotation}, but it did not"

diff --git a/test/helpers/fixture_sets/hello_cloud.rb b/test/helpers/fixture_sets/hello_cloud.rb
@@ -15,6 +15,7 @@ def assert_all_up
       assert_poddisruptionbudget
       assert_bare_replicaset_up
       assert_all_service_accounts_up
+      assert_all_role_bindings_up
       assert_daemon_set_up
       assert_stateful_set_up
       assert_job_up
@@ -88,6 +89,10 @@ def assert_all_service_accounts_up
       assert_service_account_present("build-robot")
     end
 
+    def assert_all_role_bindings_up
+      assert_role_binding_present("role-binding")
+    end
+
     def assert_daemon_set_up
       assert_daemon_set_present("ds-app")
     end

diff --git a/test/helpers/kubeclient_helper.rb b/test/helpers/kubeclient_helper.rb
@@ -41,4 +41,8 @@ def apiextensions_v1beta1_kubeclient
   def autoscaling_v1_kubeclient
     @autoscaling_v1_kubeclient ||= build_autoscaling_v1_kubeclient(TEST_CONTEXT)
   end
+
+  def rbac_v1beta1_kubeclient
+    @rbac_v1beta1_kubeclient ||= build_rbac_v1beta1_kubeclient(TEST_CONTEXT)
+  end
 end
diff --git a/test/integration/kubernetes_deploy_test.rb b/test/integration/kubernetes_deploy_test.rb
@@ -12,7 +12,7 @@ def test_full_hello_cloud_set_deploy_succeeds
       %r{Deploying Pod/unmanaged-pod-[-\w]+ \(timeout: 60s\)}, # annotation timeout override
       "Hello from the command runner!", # unmanaged pod logs
       "Result: SUCCESS",
-      "Successfully deployed 19 resources"
+      "Successfully deployed 20 resources"
     ], in_order: true)
 
     num_ds = expected_daemonset_pod_count
@@ -53,6 +53,23 @@ def test_service_account_predeployed_before_unmanaged_pod
     ], in_order: true)
   end
 
+  def test_role_binding_predeployed_before_unmanaged_pod
+    result = deploy_fixtures("hello-cloud",
+      subset: ["configmap-data.yml", "unmanaged-pod.yml.erb", "role-binding.yml", "service-account.yml"])
+
+    # Expect that role binding account is deployed before the unmanaged pod
+    assert_deploy_success(result)
+    hello_cloud = FixtureSetAssertions::HelloCloud.new(@namespace)
+    hello_cloud.assert_configmap_data_present
+    hello_cloud.assert_all_service_accounts_up
+    hello_cloud.assert_all_role_bindings_up
+    hello_cloud.assert_unmanaged_pod_statuses("Succeeded")
+    assert_logs_match_all([
+      %r{Successfully deployed in \d.\ds: RoleBinding/role-binding},
+      %r{Successfully deployed in \d.\ds: Pod/unmanaged-pod-.*}
+    ], in_order: true)
+  end
+
   def test_pruning_works
     assert_deploy_success(deploy_fixtures("hello-cloud"))
     hello_cloud = FixtureSetAssertions::HelloCloud.new(@namespace)