// kibosh
//
// Copyright (c) 2017-Present Pivotal Software, Inc. All Rights Reserved.
//
// This program and the accompanying materials are made available under the terms of the Apache License,
// Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may
// obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software distributed under the
// License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
// express or implied. See the License for the specific language governing permissions and
// limitations under the License.
package k8s
import (
	"fmt"

	"code.cloudfoundry.org/lager"
	api_v1 "k8s.io/api/core/v1"
	"k8s.io/api/rbac/v1beta1"
	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// serviceAccountName is the name of the service account that Install creates
// in the kube-system namespace and binds to the cluster-admin ClusterRole.
const serviceAccountName = "tiller"
// ServiceAccountInstaller provisions the Kubernetes identity that Tiller runs
// as on behalf of kibosh.
type ServiceAccountInstaller interface {
	// Install creates the service account and its cluster role binding when
	// they are not already present, returning the first error encountered.
	// Repeated calls on an already-provisioned cluster are no-ops.
	Install() error
}
// serviceAccountInstaller is the default ServiceAccountInstaller; it talks to
// the cluster through the Cluster abstraction so the API client can be faked.
type serviceAccountInstaller struct {
	// cluster performs the service-account and RBAC API calls.
	cluster Cluster
	// logger is carried for callers' convenience; the install path itself
	// currently reports problems only through returned errors.
	logger lager.Logger
}
// NewServiceAccountInstaller returns a ServiceAccountInstaller that uses
// cluster for all Kubernetes API access and logger for diagnostics.
func NewServiceAccountInstaller(cluster Cluster, logger lager.Logger) ServiceAccountInstaller {
	inst := &serviceAccountInstaller{}
	inst.cluster = cluster
	inst.logger = logger
	return inst
}
// Install makes sure the Tiller service account exists and is bound to the
// cluster-admin ClusterRole. The account is ensured first; a failure there
// returns before any RBAC binding is attempted.
func (i *serviceAccountInstaller) Install() error {
	if err := i.ensureAccount(); err != nil {
		return err
	}
	return i.ensureRole()
}
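// ensureAccount creates the Tiller service account in kube-system unless an
// account carrying the label kibosh=tiller-service-account already exists.
//
// Presence is decided by label selector only: an account that carries the
// label under a different name counts as present and nothing is created,
// while an unlabelled account named serviceAccountName is not detected and
// the create call is left to the API server to reject. API errors are
// wrapped with the operation that produced them so callers can tell a
// failed list from a failed create.
func (i *serviceAccountInstaller) ensureAccount() error {
	const (
		namespace  = "kube-system"
		labelKey   = "kibosh"
		labelValue = "tiller-service-account"
	)

	existing, err := i.cluster.ListServiceAccounts(namespace, meta_v1.ListOptions{
		LabelSelector: labelKey + "=" + labelValue,
	})
	if err != nil {
		return fmt.Errorf("listing service accounts in %s: %w", namespace, err)
	}
	if len(existing.Items) > 0 {
		return nil
	}

	_, err = i.cluster.CreateServiceAccount(namespace, &api_v1.ServiceAccount{
		ObjectMeta: meta_v1.ObjectMeta{
			Name:   serviceAccountName,
			Labels: map[string]string{labelKey: labelValue},
		},
	})
	if err != nil {
		return fmt.Errorf("creating service account %s/%s: %w", namespace, serviceAccountName, err)
	}
	return nil
}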
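// ensureRole binds the Tiller service account to the built-in cluster-admin
// ClusterRole unless a ClusterRoleBinding labelled
// kibosh=tiller-service-admin-binding already exists.
//
// cluster-admin is unrestricted, cluster-wide access: anything able to read
// the service account's token (workloads in kube-system, or a principal with
// secrets read there) inherits that level of access. Operators who do not
// need Tiller to manage every namespace should replace the RoleRef with a
// narrower role. As with ensureAccount, presence is judged by label alone,
// so an existing labelled binding with a different RoleRef or subject is
// left untouched. The rbac v1beta1 API used here is dictated by the Cluster
// interface; it has been deprecated upstream.
func (i *serviceAccountInstaller) ensureRole() error {
	const (
		namespace   = "kube-system"
		bindingName = "tiller-cluster-admin"
		labelKey    = "kibosh"
		labelValue  = "tiller-service-admin-binding"
	)

	existing, err := i.cluster.ListClusterRoleBindings(meta_v1.ListOptions{
		LabelSelector: labelKey + "=" + labelValue,
	})
	if err != nil {
		return fmt.Errorf("listing cluster role bindings: %w", err)
	}
	if len(existing.Items) > 0 {
		return nil
	}

	binding := &v1beta1.ClusterRoleBinding{
		ObjectMeta: meta_v1.ObjectMeta{
			Name:   bindingName,
			Labels: map[string]string{labelKey: labelValue},
		},
		RoleRef: v1beta1.RoleRef{
			APIGroup: "rbac.authorization.k8s.io",
			Kind:     "ClusterRole",
			Name:     "cluster-admin",
		},
		Subjects: []v1beta1.Subject{
			{
				Kind:      "ServiceAccount",
				Name:      serviceAccountName,
				Namespace: namespace,
			},
		},
	}
	if _, err := i.cluster.CreateClusterRoleBinding(binding); err != nil {
		return fmt.Errorf("creating cluster role binding %s: %w", bindingName, err)
	}
	return nil
}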