Commit dd93b878 authored by Thong Kuah's avatar Thong Kuah

Recreate rolebinding because roleRef attr is immutable

As we now use admin roleRef (previously edit) there will be existing SA
rolebindings that need to be updated.
parent 89e74fbc
...@@ -69,7 +69,13 @@ module Clusters ...@@ -69,7 +69,13 @@ module Clusters
def create_role_or_cluster_role_binding def create_role_or_cluster_role_binding
if namespace_creator if namespace_creator
kubeclient.create_or_update_role_binding(role_binding_resource) begin
kubeclient.delete_role_binding(role_binding_name, service_account_namespace)
rescue Kubeclient::ResourceNotFoundError
# Do nothing as we will create new role binding below
end
kubeclient.update_role_binding(role_binding_resource)
else else
kubeclient.create_or_update_cluster_role_binding(cluster_role_binding_resource) kubeclient.create_or_update_cluster_role_binding(cluster_role_binding_resource)
end end
......
...@@ -61,18 +61,11 @@ module Gitlab ...@@ -61,18 +61,11 @@ module Gitlab
# RBAC methods delegates to the apis/rbac.authorization.k8s.io api # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
# group client # group client
delegate :update_cluster_role_binding, delegate :update_cluster_role_binding,
to: :rbac_client :create_role,
# RBAC methods delegates to the apis/rbac.authorization.k8s.io api
# group client
delegate :create_role,
:get_role, :get_role,
:update_role, :update_role,
to: :rbac_client :delete_role_binding,
:update_role_binding,
# RBAC methods delegates to the apis/rbac.authorization.k8s.io api
# group client
delegate :update_role_binding,
to: :rbac_client to: :rbac_client
# non-entity methods that can only work with the core client # non-entity methods that can only work with the core client
...@@ -186,6 +179,7 @@ module Gitlab ...@@ -186,6 +179,7 @@ module Gitlab
update_cluster_role_binding(resource) update_cluster_role_binding(resource)
end end
# Note that we cannot update roleRef as that is immutable
def create_or_update_role_binding(resource) def create_or_update_role_binding(resource)
update_role_binding(resource) update_role_binding(resource)
end end
......
...@@ -302,6 +302,8 @@ RSpec.describe Gitlab::Kubernetes::KubeClient do ...@@ -302,6 +302,8 @@ RSpec.describe Gitlab::Kubernetes::KubeClient do
:create_role, :create_role,
:get_role, :get_role,
:update_role, :update_role,
:delete_role_binding,
:update_role_binding,
:update_cluster_role_binding :update_cluster_role_binding
].each do |method| ].each do |method|
describe "##{method}" do describe "##{method}" do
......
...@@ -28,6 +28,7 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute' ...@@ -28,6 +28,7 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateNamespaceService, '#execute'
stub_kubeclient_get_secret_error(api_url, 'gitlab-token') stub_kubeclient_get_secret_error(api_url, 'gitlab-token')
stub_kubeclient_create_secret(api_url) stub_kubeclient_create_secret(api_url)
stub_kubeclient_delete_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace) stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
stub_kubeclient_get_namespace(api_url, namespace: namespace) stub_kubeclient_get_namespace(api_url, namespace: namespace)
stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace) stub_kubeclient_get_service_account_error(api_url, "#{namespace}-service-account", namespace: namespace)
......
...@@ -141,6 +141,7 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do ...@@ -141,6 +141,7 @@ RSpec.describe Clusters::Kubernetes::CreateOrUpdateServiceAccountService do
before do before do
cluster.platform_kubernetes.rbac! cluster.platform_kubernetes.rbac!
stub_kubeclient_delete_role_binding(api_url, role_binding_name, namespace: namespace)
stub_kubeclient_put_role_binding(api_url, role_binding_name, namespace: namespace) stub_kubeclient_put_role_binding(api_url, role_binding_name, namespace: namespace)
stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace) stub_kubeclient_put_role(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_NAME, namespace: namespace)
stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace) stub_kubeclient_put_role_binding(api_url, Clusters::Kubernetes::GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME, namespace: namespace)
......
...@@ -250,6 +250,11 @@ module KubernetesHelpers ...@@ -250,6 +250,11 @@ module KubernetesHelpers
.to_return(kube_response({})) .to_return(kube_response({}))
end end
def stub_kubeclient_delete_role_binding(api_url, name, namespace: 'default')
WebMock.stub_request(:delete, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{name}")
.to_return(kube_response({}))
end
def stub_kubeclient_put_role_binding(api_url, name, namespace: 'default') def stub_kubeclient_put_role_binding(api_url, name, namespace: 'default')
WebMock.stub_request(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{name}") WebMock.stub_request(:put, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings/#{name}")
.to_return(kube_response({})) .to_return(kube_response({}))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment