CHE-10991 Add creating of workspace service account in Che Kubernetes…

… Helm chart
eclipse-che · Sep 13, 2018 · 5b848a6 · 5b848a6
1 parent b10c305
commit 5b848a6
Show file tree

Hide file tree

Showing 8 changed files with 100 additions and 1 deletion.
diff --git a/core/che-core-api-core/src/main/java/org/eclipse/che/everrest/CheMethodInvokerFilter.java b/core/che-core-api-core/src/main/java/org/eclipse/che/everrest/CheMethodInvokerFilter.java
@@ -36,6 +36,7 @@ public abstract class CheMethodInvokerFilter implements MethodInvokerFilter {
   public void accept(GenericResourceMethod genericMethodResource, Object[] arguments)
       throws WebApplicationException {
     try {
+
       filter(genericMethodResource, arguments);
     } catch (ApiException exception) {
       Response response;

diff --git a/deploy/kubernetes/helm/che/templates/_workspaceServiceAccountNameHelper.tpl b/deploy/kubernetes/helm/che/templates/_workspaceServiceAccountNameHelper.tpl
@@ -0,0 +1,5 @@
+{{- define "workspaceServiceAccountName" }}
+{{- if (.Values.global.cheWorkspacesNamespace) }}
+{{- printf "che-workspace" }}
+{{- end }}
+{{- end }}
diff --git a/deploy/kubernetes/helm/che/templates/configmap.yaml b/deploy/kubernetes/helm/che/templates/configmap.yaml
@@ -49,7 +49,7 @@ data:
   CHE_KEYCLOAK_USERNAME__CLAIM: {{ .Values.customOidcUsernameClaim }}
 {{- end }}
   CHE_INFRA_KUBERNETES_NAMESPACE: {{ .Values.global.cheWorkspacesNamespace }}
-  CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME: {{ .Values.global.cheWorkspacesServiceAccount }}
+  CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME: {{ template "workspaceServiceAccountName" . }}
   CHE_INFRA_KUBERNETES_TRUST__CERTS: "false"
   CHE_INFRA_KUBERNETES_PVC_STRATEGY: "common"
   CHE_INFRA_KUBERNETES_PVC_QUANTITY: {{ .Values.global.pvcClaim }}

diff --git a/deploy/kubernetes/helm/che/templates/deployment.yaml b/deploy/kubernetes/helm/che/templates/deployment.yaml
@@ -186,6 +186,11 @@ spec:
             configMapKeyRef:
               key: CHE_INFRA_KUBERNETES_NAMESPACE
               name: che
+        - name: CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME
+          valueFrom:
+            configMapKeyRef:
+              key: CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME
+              name: che
         - name: CHE_LOCAL_CONF_DIR
           valueFrom:
             configMapKeyRef:

diff --git a/deploy/kubernetes/helm/che/templates/exec-role.yaml b/deploy/kubernetes/helm/che/templates/exec-role.yaml
@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2012-2017 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+{{- if (.Values.global.cheWorkspacesNamespace) }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: exec
+  namespace: {{ .Values.global.cheWorkspacesNamespace }}
+rules:
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+    - pods/exec
+  verbs:
+    - create
+{{- end }}
diff --git a/deploy/kubernetes/helm/che/templates/workspace-exec-role-binding.yaml b/deploy/kubernetes/helm/che/templates/workspace-exec-role-binding.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2012-2017 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+{{- if (.Values.global.cheWorkspacesNamespace) }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: che-workspace-exec
+  namespace: {{ .Values.global.cheWorkspacesNamespace }}
+roleRef:
+  kind: Role
+  name: exec
+  namespace: {{ .Values.global.cheWorkspacesNamespace }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: che-workspace
+  namespace: {{ .Values.global.cheWorkspacesNamespace }}
+{{- end }}
diff --git a/deploy/kubernetes/helm/che/templates/workspace-service-account.yaml b/deploy/kubernetes/helm/che/templates/workspace-service-account.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2012-2017 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+{{- if (.Values.global.cheWorkspacesNamespace) }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: "che-workspace"
+  namespace: {{ .Values.global.cheWorkspacesNamespace }}
+{{- end }}
diff --git a/deploy/kubernetes/helm/che/templates/workspace-view-role-binding.yaml b/deploy/kubernetes/helm/che/templates/workspace-view-role-binding.yaml
@@ -0,0 +1,23 @@
+#
+# Copyright (c) 2012-2017 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+{{- if (.Values.global.cheWorkspacesNamespace) }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: che-workspace-view
+  namespace: {{ .Values.global.cheWorkspacesNamespace }}
+roleRef:
+  kind: Role
+  name: view
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: che-workspace
+{{- end }}