From 44ec5c7f70a4ca37d2427c5f88aeebf457cd7c56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iago=20L=C3=B3pez=20Galeiras?=
Date: Tue, 20 Oct 2020 19:12:40 +0200
Subject: [PATCH 1/2] gangway: add a serviceaccount
Gangway relies on a service account (any service account) to be mounted on the pod file system to figure out the cluster CA. We've disabled automounting of the default service account with the our admission wehbook and this was breaking Gangway. This creates a dummy service account so the Gangway pod has access to the cluster CA file.
---
 .../components/gangway/templates/deployment.yaml | 1 +
 .../components/gangway/templates/serviceaccount.yaml | 6 ++++++
 pkg/assets/generated_assets.go | 10 ++++++++--
 3 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 assets/charts/components/gangway/templates/serviceaccount.yaml
diff --git a/assets/charts/components/gangway/templates/deployment.yaml b/assets/charts/components/gangway/templates/deployment.yaml
index 410503a3f..79bec035d 100644
--- a/assets/charts/components/gangway/templates/deployment.yaml
+++ b/assets/charts/components/gangway/templates/deployment.yaml
@@ -20,6 +20,7 @@ spec:
 runAsNonRoot: true
 runAsUser: 65534
 runAsGroup: 65534
+ serviceAccountName: gangway
 initContainers:
 - name: download-theme
 image: alpine/git:1.0.7
diff --git a/assets/charts/components/gangway/templates/serviceaccount.yaml b/assets/charts/components/gangway/templates/serviceaccount.yaml
new file mode 100644
index 000000000..c5cd969e7
--- /dev/null
+++ b/assets/charts/components/gangway/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: gangway
+ name: gangway
diff --git a/pkg/assets/generated_assets.go b/pkg/assets/generated_assets.go
index 1567757b0..44e9ab5f0 100644
--- a/pkg/assets/generated_assets.go
+++ b/pkg/assets/generated_assets.go
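Review bot: The added `serviceAccountName: gangway` line in deployment.yaml gives the pod the account's API token as well as the CA file, although the commit description says only the cluster CA is wanted. That is harmless only while the `gangway` account has no Role or ClusterRole bound to it, and nothing in the template records that constraint. I would state the intent next to the field, for example `# Mounted only for the cluster CA (ca.crt); this account must never receive RBAC bindings.` The pod spec starts and continues outside this hunk, so what else is mounted into the pod cannot be checked from here.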
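Review bot: The new ServiceAccount in serviceaccount.yaml leaves `automountServiceAccountToken` unset, so the fix depends on the implicit default, while the description says an admission webhook already turns automounting off for the default account. Setting `automountServiceAccountToken: true` explicitly in this manifest would make that dependency visible to anyone who later changes the webhook or the chart. A leading comment such as `# Dummy account: exists only so the cluster CA gets mounted into the Gangway pod.` would also explain why an account with no permissions is shipped.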
@@ -1056,9 +1056,9 @@ var vfsgenAssets = func() http.FileSystem { "/charts/components/gangway/templates/deployment.yaml": &vfsgen۰CompressedFileInfo{ name: "deployment.yaml", modTime: time.Date(1970, 1, 1, 0, 0, 1, 0, time.UTC), - uncompressedSize: 2010, + uncompressedSize: 2044, - compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xb4\x54\xc1\x6e\xe3\x36\x10\xbd\xfb\x2b\x06\x3a\xd7\x96\x9d\x6d\xb6\x01\x6f\x46\x92\x06\x8b\x6d\x52\x23\xce\xb6\x08\x8a\x22\x60\xa4\x89\x44\x98\xe4\xb0\xe4\xc8\xa9\x10\xe4\xdf\x0b\x45\x96\x2d\x72\xbd\x8b\xf4\xb0\xba\x58\x9e\x37\xf3\xf8\x66\xe6\x51\xd2\xa9\x3f\xd0\x07\x45\x56\x80\x74\x2e\xe4\xdb\xc5\x64\xa3\x6c\x29\xe0\x02\x9d\xa6\xd6\xa0\xe5\x89\x41\x96\xa5\x64\x29\x26\x00\x56\x1a\x14\x50\x49\x5b\x3d\xcb\x76\x02\xa0\xe5\x23\xea\xd0\x21\xd0\x11\x1c\xa0\xe0\xb0\xe8\xc2\x1e\x9d\x56\x85\x0c\x02\x16\x13\x80\x80\x1a\x0b\x26\xdf\x17\x18\xc9\x45\xfd\xdb\x88\x21\xe1\x00\x08\xec\x25\x63\xd5\x76\x30\xa3\x71\x5a\x32\xee\x6a\x47\xa2\xba\x47\x47\x34\x5f\x11\xf5\x8f\xc7\xad\xea\x9b\xcd\x16\xd9\x5b\x74\x90\xf9\xf6\x8e\x45\xe3\x15\xb7\xe7\x64\x19\xff\xe5\x03\x97\x6f\xec\x32\xdc\x90\xbd\x25\x62\x01\xec\x1b\x8c\xa1\x2f\x01\xbd\x80\x8f\xa7\xa7\x1f\x7e\x8e\x81\x2b\x4f\x8d\x8b\x11\x65\x15\x77\x07\x48\x65\xd1\xef\xf5\x4e\x77\x83\x2d\xe9\xd9\x6a\x92\xe5\x94\x6b\x34\x87\x53\x94\x91\x15\x0a\x90\xda\x29\x8b\x79\xa5\x58\x2c\x66\xf3\xd9\x2f\x7b\xbc\x20\x63\xa4\x2d\x0f\x8a\x61\x0a\x95\xe2\xf1\xdf\x42\x93\xc5\x71\x20\xab\x99\x5d\x10\x79\x47\x57\x37\x8f\xb3\x82\x4c\xbe\x51\x76\x4b\x7a\x93\xef\xe6\xd6\xab\x98\x55\x8a\xb3\x71\x65\x1e\x8b\xdb\x92\x6e\x0c\x5e\x53\x63\x79\x34\xff\xa1\xa3\x38\x17\xc0\x74\x79\x2b\xc9\xb5\xd8\xf1\xe4\x93\xa1\x87\x74\x28\x07\x92\x74\x8f\xfb\x89\x54\x85\x9f\x29\xca\x6b\x74\xac\x68\xfa\x16\x0c\x83\x7a\xf1\xf2\x02\xb3\xf3\x5a\x7a\x9e\x2d\x9d\xdb\xd9\x1c\x5e\x5f\x53\x96\x55\xa3\xf5\x8a\xb4\x2a\x5a\x01\x4b\xfd\x2c\xdb\x30\xca\x18\x26\x0b\x7f\x65\x3b\xda\xec\x27\xc8\xa6\x05\xd9\x27\x55\x75\xaf\xc3\x69\xc3\xef\xac\x95\x46\x67\x7f\x8f\x
28\xd0\x6e\x47\x8b\x19\x75\x75\xb5\xbc\xb9\xfa\x73\x79\xff\xb0\xbe\x5c\xaf\x3f\xfd\x7e\xf3\xb0\xbe\x3c\xff\x72\xfb\xe9\xee\xfe\xe1\xf3\xe5\x7d\x54\x00\xb0\x95\xba\xc1\x5f\x3d\x19\x91\x00\x6f\xae\xf5\xc8\x9f\xb1\xbd\xc5\xa7\xaf\xd1\xe4\xc6\x4e\x37\xd8\x1e\xc9\xd9\x60\x2b\x20\x60\xe8\x26\x14\x67\x38\xf2\xe3\xad\x8e\xe5\x77\xfe\x49\xb8\xf6\x3b\x5c\x91\x67\x01\x67\xf3\xb3\x79\x92\xe1\x3c\x31\x15\xa4\x05\xdc\x9d\xaf\x46\x98\xc7\x40\x8d\x2f\x30\x39\xcb\xe3\x3f\x0d\x86\x54\x01\x40\xe1\x9a\xee\x0e\xcf\xe7\x26\x4b\x10\x83\x86\x7c\xdb\x81\x27\x67\xd7\x2a\x46\xb5\x32\xea\x5b\x5c\x27\xdf\xe3\x3a\x5d\x9c\xc4\x5c\xc7\x3d\x0f\xdf\xb5\x2c\x24\xee\x1f\x8c\x73\xb4\x3c\xbd\x36\x69\x71\x74\x75\xfa\xde\xb6\x68\x31\x84\x95\xa7\x47\x8c\x25\x75\x8b\xba\x42\x4e\xfb\x76\x3d\x53\x1a\x3d\xbe\xb9\xee\xb3\xa5\xa4\xbe\x40\x2d\xdb\x35\x16\x64\xcb\x20\xe0\x24\xce\x61\x65\x90\x1a\xde\xc3\x8b\x08\x75\xe8\x15\x95\x7b\xf0\x63\x5c\xfb\x24\x95\x6e\x3c\xde\xd5\x1e\x43\x4d\xba\x14\xf0\x21\x72\x87\x2c\xd5\x0f\xec\xee\x7f\x29\x5f\xbc\x57\x79\x6f\x92\x77\x7d\xce\xfa\xef\xc9\xb5\x74\x71\x1b\xc7\xd3\xbf\xe5\x11\x34\x8e\xdb\x0b\xe5\x05\xbc\xbc\x4e\xfe\x0b\x00\x00\xff\xff\x6c\x88\xb7\x02\xda\x07\x00\x00"), + compressedContent: 
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xb4\x54\x4d\x6f\xe3\x36\x10\xbd\xfb\x57\x0c\x74\xae\xbf\xb2\xcd\x36\xe0\xcd\x48\xd2\x60\xb1\x4d\x6a\xc4\xd9\x16\x41\x51\x04\x0c\x35\x91\x08\x93\x1c\x96\xa4\x94\x0a\x41\xfe\x7b\xc1\xc8\xb2\x45\xae\x77\x91\x1e\x56\x17\xcb\x7c\x33\x4f\xef\xcd\x07\xb9\x95\x7f\xa0\xf3\x92\x0c\x03\x6e\xad\x9f\xb7\xcb\xc9\x56\x9a\x92\xc1\x05\x5a\x45\x9d\x46\x13\x26\x1a\x03\x2f\x79\xe0\x6c\x02\x60\xb8\x46\x06\x15\x37\xd5\x33\xef\x26\x00\x8a\x3f\xa2\xf2\x11\x81\x48\x70\x80\xbc\x45\x11\x8f\x1d\x5a\x25\x05\xf7\x0c\x96\x13\x00\x8f\x0a\x45\x20\xd7\x27\x68\x1e\x44\xfd\xdb\x88\x21\xe3\x00\xf0\xc1\xf1\x80\x55\x17\xe1\x80\xda\x2a\x1e\x70\x97\x3b\x12\x15\x1f\x95\xd0\x7c\x45\xd4\x3f\x0e\x5b\xd9\x9b\x2d\x96\xc5\xdb\xe9\x20\xf3\xed\x1d\x45\xe3\x64\xe8\xce\xc9\x04\xfc\x37\x1c\xb8\x5c\x63\x56\xfe\x86\xcc\x2d\x51\x60\x10\x5c\x83\x29\xf4\xc5\xa3\x63\xf0\xf1\xf4\xf4\xc3\xcf\x29\x70\xe5\xa8\xb1\x29\xe2\xd1\xb5\x52\xe0\x4a\x08\x6a\x4c\xb8\xc9\xca\x19\x1f\x69\x64\x88\x12\xb8\x34\xe8\xf6\x8e\xa6\xbb\xd2\x97\xf4\x6c\x14\xf1\x72\x1a\x6a\xd4\x07\x1d\x52\xf3\x0a\x19\x70\x65\xa5\xc1\x79\x25\x03\x5b\xce\x16\xb3\x5f\xf6\xb8\x20\xad\xb9\x29\x0f\x9e\x60\x0a\x95\x0c\xe3\xbf\x42\x91\xc1\xf1\x41\x51\x87\x60\x3d\x9b\x47\xba\xba\x79\x9c\x09\xd2\xf3\xad\x34\x2d\xa9\xed\x7c\x27\xb9\x57\x31\xab\x64\x28\xc6\x99\xf3\x54\x5c\x4b\xaa\xd1\x78\x1d\x0d\x8f\x3a\x34\x38\x4a\x63\x01\x74\x8c\x5b\xf3\x50\xb3\x1d\xcf\x7c\x32\x78\xc8\x8b\x72\x20\xc9\x3b\xbd\xaf\x48\x25\xdc\x4c\xd2\xbc\x46\x1b\x24\x4d\xdf\x0e\xfd\xa0\x9e\xbd\xbc\xc0\xec\xbc\xe6\x2e\xcc\x56\xd6\xee\x16\x01\x5e\x5f\x73\x96\x75\xa3\xd4\x9a\x94\x14\x1d\x83\x95\x7a\xe6\x9d\x1f\x45\x0c\x95\x85\xbf\x8a\x1d\x6d\xf1\x13\x14\x53\x41\xe6\x49\x56\xf1\x75\xf8\xda\xf0\x3b\xeb\xb8\x56\xc5\xdf\x23\x0a\x34\xed\xa8\x31\x23\x57\x57\xab\x9b\xab\x3f\x57\xf7\x0f\x9b\xcb\xcd\xe6\xd3\xef\x37\x0f\x9b\xcb\xf3\x2f\xb7\x9f\xee\xee\x1f\x3e\x5f\xde\x27\x09\x00\x2d\x57\x0d\xfe\xea\x48\xb3\x0c\x78\x9b\x6b\x87\xe1\x33\x76\xb7\xf8\xf4\x35\x9a\xed\xf4\x74\x8b\xdd
\x91\x98\x2d\x76\x0c\x3c\xfa\x58\xa1\x34\xc2\x92\x1b\x77\x75\x2c\x3f\xce\x4f\xc6\xb5\xef\xe1\x9a\x5c\x60\x70\xb6\x38\x5b\x64\x11\xd6\x51\x20\x41\x8a\xc1\xdd\xf9\x7a\x84\x39\xf4\xd4\x38\x81\xd9\xb7\x1c\xfe\xd3\xa0\xcf\x15\x00\x08\xdb\xc4\x2d\x5f\x2c\x74\x91\x21\x1a\x35\xb9\x2e\x82\x27\x67\xd7\x32\x45\x95\xd4\xf2\x5b\x5c\x27\xdf\xe3\x3a\x5d\x9e\xa4\x5c\xc7\x67\x1e\xbe\x3b\xb2\x90\x4d\xff\x30\x38\x47\xd3\xf3\xb5\xc9\x93\x93\xd5\xe9\xbd\xb5\x68\xd0\xfb\xb5\xa3\x47\x4c\x25\xc5\x46\x5d\x61\xc8\x7d\xdb\x9e\x29\x3f\x3d\xde\xb9\x78\x6d\x49\xae\x2e\x50\xf1\x6e\x83\x82\x4c\xe9\x19\x9c\xa4\x31\x41\x6a\xa4\x26\xec\xe1\x65\x82\x5a\x74\x92\xca\x3d\xf8\x31\xcd\x7d\xe2\x52\x35\x0e\xef\x6a\x87\xbe\x26\x55\x32\xf8\x90\x4c\x07\x2f\xe5\x0f\x74\xf7\xbf\x94\x2f\xdf\xab\xbc\x1f\x92\x77\x5d\x67\xfd\x7d\x72\xcd\x6d\x6a\xe3\x78\xf8\xb7\x66\x04\xb5\x0d\xdd\x85\x74\x0c\x5e\x5e\x27\xff\x05\x00\x00\xff\xff\x97\xfa\xf0\xae\xfc\x07\x00\x00"), }, "/charts/components/gangway/templates/ingress.yaml": &vfsgen۰CompressedFileInfo{ name: "ingress.yaml", 
@@ -1079,6 +1079,11 @@ var vfsgenAssets = func() http.FileSystem { compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x6c\xce\x31\x0b\xc2\x30\x10\x05\xe0\x3d\xbf\xe2\xd1\x5d\xd0\x4d\xb2\x76\x72\x2b\x28\xee\x67\x7a\xd4\x60\x9a\x1c\x97\xb3\xd2\x7f\x2f\x2d\xb5\x93\xe3\x7d\x8f\x77\xbc\x57\xcc\xbd\xc7\x95\x75\x8a\x81\x1d\x49\xbc\xb3\xd6\x58\xb2\xc7\x74\x72\x23\x1b\xf5\x64\xe4\x1d\x90\x69\x64\x8f\x81\xf2\xf0\xa1\xb9\x4e\xc1\x01\x89\x1e\x9c\xea\x12\x02\x24\xb2\xa7\xae\x0a\x87\x85\x6d\x16\xf6\x68\xd3\xbb\x1a\xeb\xa5\x73\x80\x14\xb5\xad\x71\xd8\x5e\x36\x4f\x33\x69\x56\x02\x44\x8b\x95\x50\x92\xc7\xad\xed\x7e\x56\xd4\x3c\xce\xc7\xed\x34\xd2\x81\xad\x5b\x71\xef\x56\x4e\x1c\xac\xe8\x9f\x31\xdf\x00\x00\x00\xff\xff\x31\xaa\xa8\x94\xe2\x00\x00\x00"), }, + "/charts/components/gangway/templates/serviceaccount.yaml": &vfsgen۰FileInfo{ + name: "serviceaccount.yaml", + modTime: time.Date(1970, 1, 1, 0, 0, 1, 0, time.UTC), + content: []byte("\x61\x70\x69\x56\x65\x72\x73\x69\x6f\x6e\x3a\x20\x76\x31\x0a\x6b\x69\x6e\x64\x3a\x20\x53\x65\x72\x76\x69\x63\x65\x41\x63\x63\x6f\x75\x6e\x74\x0a\x6d\x65\x74\x61\x64\x61\x74\x61\x3a\x0a\x20\x20\x6c\x61\x62\x65\x6c\x73\x3a\x0a\x20\x20\x20\x20\x61\x70\x70\x3a\x20\x67\x61\x6e\x67\x77\x61\x79\x0a\x20\x20\x6e\x61\x6d\x65\x3a\x20\x67\x61\x6e\x67\x77\x61\x79\x0a"), + }, "/charts/components/gangway/values.yaml": &vfsgen۰CompressedFileInfo{ name: "values.yaml", modTime: time.Date(1970, 1, 1, 0, 0, 1, 0, time.UTC), @@ -6484,6 +6489,7 @@ var vfsgenAssets = func() http.FileSystem { fs["/charts/components/gangway/templates/ingress.yaml"].(os.FileInfo), fs["/charts/components/gangway/templates/secret.yaml"].(os.FileInfo), fs["/charts/components/gangway/templates/service.yaml"].(os.FileInfo), + fs["/charts/components/gangway/templates/serviceaccount.yaml"].(os.FileInfo), } fs["/charts/components/headlamp"].(*vfsgen۰DirInfo).entries = []os.FileInfo{ fs["/charts/components/headlamp/.helmignore"].(os.FileInfo), 
From a4f08887df282547fe0c945490e6c33265f65a07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iago=20L=C3=B3pez=20Galeiras?=
Date: Tue, 20 Oct 2020 19:40:36 +0200
Subject: [PATCH 2/2] test/gangway: add test for service account
---
 test/components/gangway/gangway_test.go | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/test/components/gangway/gangway_test.go b/test/components/gangway/gangway_test.go
index 61d7b10c5..2c20c13dd 100644
--- a/test/components/gangway/gangway_test.go
+++ b/test/components/gangway/gangway_test.go
@@ -18,8 +18,11 @@
 package gangway
 import (
+ "context"
 "testing"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 testutil "github.com/kinvolk/lokomotive/test/components/util"
 )
@@ -35,3 +38,24 @@ func TestGangwayDeployment(t *testing.T) {
 testutil.WaitForDeployment(t, client, namespace, deployment, testutil.RetryInterval, testutil.Timeout)
 })
 }
+
+func TestGangwayServiceAccount(t *testing.T) {
+ namespace := "gangway"
+ deployment := "gangway"
+ expectedServiceAccountName := "gangway"
+
+ client := testutil.CreateKubeClient(t)
+
+ testutil.WaitForDeployment(t, client, namespace, deployment, testutil.RetryInterval, testutil.Timeout)
+
+ deploy, err := client.AppsV1().Deployments(namespace).Get(context.TODO(), deployment, metav1.GetOptions{})
+ if err != nil {
+ t.Fatalf("Couldn't find gangway deployment")
+ }
+
+ if deploy.Spec.Template.Spec.ServiceAccountName != expectedServiceAccountName {
+ t.Fatalf("Expected serviceAccountName %q, got: %q",
+ deploy.Spec.Template.Spec.ServiceAccountName,
+ deploy.Spec.Template.Spec.ServiceAccountName)
+ }
+}
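Review bot: The last `t.Fatalf` in TestGangwayServiceAccount passes `deploy.Spec.Template.Spec.ServiceAccountName` for both the expected and the actual value, so a failing run would print the wrong name twice; the first argument should be `expectedServiceAccountName`. The earlier `t.Fatalf("Couldn't find gangway deployment")` also drops `err`, which hides whether the Get failed on permissions, a timeout or a missing object; `t.Fatalf("getting gangway deployment: %v", err)` keeps it. The test checks only the field on the Deployment, not that the CA file is present in the running pod, which is the behaviour the first patch is meant to restore.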