fix(vault): ensure that the created vault has a service account and a proper role binding #2378

Merged
merged 12 commits into from Nov 30, 2018

3 participants
@ccojocar
Member

ccojocar commented Nov 29, 2018

Submitter checklist

  • Change is code complete and matches issue description.
  • Change is covered by existing or new tests.

Description

Ensure that the created vault has a service account and a proper role binding

Starting with kubernetes 1.10, a cluster role binding is required for service account token review. Vault
uses this feature to authenticate with a Kubernetes service account.

Special notes for the reviewer(s)

Which issue this PR fixes

fixes #
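The requirement described in the PR description (a ClusterRoleBinding so that Vault's service account can call the token review API) illustrated with an added Go example that is not part of this PR or of the jx code base. It decodes a ClusterRoleBindingList in the shape returned by `kubectl get clusterrolebindings -o json` (a constructed sample is embedded below, not output from a real cluster) and reports whether a given service account is bound to the built-in `system:auth-delegator` ClusterRole, which is what grants TokenReview access, and whether it is also bound to any broader ClusterRole at cluster scope. The namespace `jx` and the service account name `vault` used in the sample are assumptions, not values taken from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Minimal shapes of the fields needed from a ClusterRoleBindingList as printed
// by `kubectl get clusterrolebindings -o json`; every other field is ignored.
type subject struct {
	Kind      string `json:"kind"`
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

type clusterRoleBinding struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	RoleRef struct {
		Kind string `json:"kind"`
		Name string `json:"name"`
	} `json:"roleRef"`
	Subjects []subject `json:"subjects"`
}

type clusterRoleBindingList struct {
	Items []clusterRoleBinding `json:"items"`
}

// TokenReviewRole is the built-in ClusterRole that allows creating TokenReview
// objects; Vault's Kubernetes auth method needs its service account bound to it.
const TokenReviewRole = "system:auth-delegator"

// BoundClusterRoles returns, sorted, the names of every ClusterRole that the
// given service account is bound to through a ClusterRoleBinding.
func BoundClusterRoles(list clusterRoleBindingList, namespace, sa string) []string {
	var roles []string
	for _, b := range list.Items {
		if b.RoleRef.Kind != "ClusterRole" {
			continue
		}
		for _, s := range b.Subjects {
			if s.Kind == "ServiceAccount" && s.Namespace == namespace && s.Name == sa {
				roles = append(roles, b.RoleRef.Name)
				break
			}
		}
	}
	sort.Strings(roles)
	return roles
}

// AuditServiceAccount answers two questions about a service account: does it
// hold system:auth-delegator (token review will work), and does it hold any
// other cluster-scoped role (more than Vault needs).
func AuditServiceAccount(raw []byte, namespace, sa string) (hasTokenReview bool, extra []string, err error) {
	var list clusterRoleBindingList
	if err := json.Unmarshal(raw, &list); err != nil {
		return false, nil, fmt.Errorf("decoding ClusterRoleBindingList: %w", err)
	}
	for _, r := range BoundClusterRoles(list, namespace, sa) {
		if r == TokenReviewRole {
			hasTokenReview = true
		} else {
			extra = append(extra, r)
		}
	}
	return hasTokenReview, extra, nil
}

// SampleBindings is a constructed list (namespace "jx", service account "vault"
// are assumed names): one correct binding, one over-broad binding to the same
// service account, and one binding to a user that must be ignored.
const SampleBindings = `{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"metadata": {"name": "vault-auth-delegator"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "system:auth-delegator"},
     "subjects": [{"kind": "ServiceAccount", "name": "vault", "namespace": "jx"}]},
    {"metadata": {"name": "vault-too-broad"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "vault", "namespace": "jx"}]},
    {"metadata": {"name": "cluster-admins"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "admin@example.com"}]}
  ]
}`

func main() {
	ok, extra, err := AuditServiceAccount([]byte(SampleBindings), "jx", "vault")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("token review allowed: %v, extra cluster roles: %v\n", ok, extra)
}
```

On a real cluster the input would be the output of `kubectl get clusterrolebindings -o json`; the useful outcome for a vault service account is `hasTokenReview == true` with an empty `extra`, since anything beyond `system:auth-delegator` is more cluster-wide access than the token review path requires.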

@jenkins-x-bot jenkins-x-bot requested review from garethjevans and markawm Nov 29, 2018

@ccojocar ccojocar requested review from agentgonzo and jstrachan and removed request for garethjevans and markawm Nov 29, 2018

@agentgonzo
Member

agentgonzo left a comment

Mostly minor points. The creation of the ClusterRoleBinding needs to give more feedback to the caller if the ClusterRole and binding already exist

Review threads on: pkg/kube/roles.go (outdated), pkg/vault/vault.go (outdated), pkg/kube/roles.go, pkg/kube/roles.go

@ccojocar ccojocar force-pushed the ccojocar:fix-vault-rbac branch from 76a7201 to 7f56f64 Nov 29, 2018

@ccojocar

Member

ccojocar commented Nov 30, 2018

/test bdd

@ccojocar

Member

ccojocar commented Nov 30, 2018

/test bdd

@agentgonzo
Member

agentgonzo left a comment

There's still the same issue with Creating a ClusterRole

@@ -118,6 +119,11 @@ func (o *DeleteVaultOptions) Run() error {
return errors.Wrapf(err, "deleting secret '%s' where GCP service account is stored", gcpServiceAccountSecretName)
}

err = kube.DeleteClusterRoleBinding(client, vaultName)
if err != nil {
return errors.Wrapf(err, "deleteing the cluster role binding '%s' for vault", vaultName)
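Review bot: the error from `err = kube.DeleteClusterRoleBinding(client, vaultName)` is returned unconditionally, so deleting a vault whose binding does not exist (one created before this change, or one whose creation failed part way) aborts here instead of finishing the cleanup; consider treating a not-found result as success before wrapping the error. The wrapped message on the following line also misspells "deleting" as "deleteing".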

@agentgonzo

agentgonzo Nov 30, 2018

Member

typo:

Suggested change:
return errors.Wrapf(err, "deleteing the cluster role binding '%s' for vault", vaultName)
return errors.Wrapf(err, "deleting the cluster role binding '%s' for vault", vaultName)

@jenkins-x-bot jenkins-x-bot added the lgtm label Nov 30, 2018

@jenkins-x-bot

Contributor

jenkins-x-bot commented Nov 30, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: agentgonzo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jenkins-x-bot jenkins-x-bot merged commit 9d0089e into jenkins-x:master Nov 30, 2018

3 checks passed

Hound No violations found. Woof!
serverless-jenkins succeeded
tide In merge pool.