From f22fbe15c543876bb9ec72ec3641f3ca5b02300e Mon Sep 17 00:00:00 2001 From: Sergii Leshchenko Date: Tue, 11 Sep 2018 17:27:32 +0300 Subject: [PATCH 1/3] CHE-10991 Add provisioning of service account into workspaces pods --- .../webapp/WEB-INF/classes/che/che.properties | 3 + .../KubernetesEnvironmentProvisioner.java | 7 ++- .../provision/ServiceAccountProvisioner.java | 55 +++++++++++++++++++ .../KubernetesEnvironmentProvisionerTest.java | 17 ++++-- .../OpenShiftEnvironmentProvisioner.java | 7 ++- .../OpenShiftEnvironmentProvisionerTest.java | 9 ++- 6 files changed, 88 insertions(+), 10 deletions(-) create mode 100644 infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/ServiceAccountProvisioner.java diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties index d9f1cc7be0..024a22902e 100644 --- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties +++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties @@ -353,6 +353,9 @@ che.infra.kubernetes.ingress.domain= # Ignored for OpenShift infra. Use `che.infra.openshift.project` instead che.infra.kubernetes.namespace= +# Defines Kubernetes Service Account name which should be specified to be bound to all workspaces pods. +# Note that Che Server won't create the service account and it should exist. +che.infra.kubernetes.service_account_name=NULL # Defines time frame that limits the Kubernetes workspace start time che.infra.kubernetes.workspace_start_timeout_min=8 diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisioner.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisioner.java index 5335298b1d..afcda69327 100644 
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisioner.java +++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisioner.java @@ -25,6 +25,7 @@ import org.eclipse.che.workspace.infrastructure.kubernetes.provision.LogsVolumeM import org.eclipse.che.workspace.infrastructure.kubernetes.provision.PodTerminationGracePeriodProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.ProxySettingsProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.SecurityContextProvisioner; +import org.eclipse.che.workspace.infrastructure.kubernetes.provision.ServiceAccountProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.UniqueNamesProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.env.EnvVarsConverter; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.limits.ram.RamLimitProvisioner; @@ -60,6 +61,7 @@ public interface KubernetesEnvironmentProvisionerService account won't be set to pods if property value is `NULL` and then Kubernetes + * infrastructure will set default one. + * + * @author Sergii Leshchenko + */ +@Singleton +public class ServiceAccountProvisioner implements ConfigurationProvisioner { + + private final String serviceAccount; + + @Inject + public ServiceAccountProvisioner( + @Nullable @Named("che.infra.kubernetes.service_account_name") String serviceAccount) { + this.serviceAccount = serviceAccount; + } + + @Override + public void provision(KubernetesEnvironment k8sEnv, RuntimeIdentity identity) + throws InfrastructureException { + + if (!isNullOrEmpty(serviceAccount)) { + for (Pod pod : k8sEnv.getPods().values()) { + pod.getSpec().setServiceAccountName(serviceAccount); + pod.getSpec().setAutomountServiceAccountToken(true); + } + } + } +} 
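Review bot: `provision` unconditionally calls `setAutomountServiceAccountToken(true)` on every pod, so whenever `che.infra.kubernetes.service_account_name` is set the account's token is mounted into every container of every workspace pod — pods that, as far as I can tell from the surrounding code, run user workloads — and the Javadoc only says the account is "bound", not that its credentials become readable from inside the workspace. If the account is needed only as an identity (admission policies, quotas) the token mount is unnecessary exposure, so either leave `automountServiceAccountToken` to whatever the environment already specifies or make the mount a separate, documented property. At minimum the class Javadoc should add: `Note: the token of the configured service account is mounted into every container of every workspace pod, so every permission bound to that account is available to code running in the workspace.` The `diff`/`@@` headers of this new-file hunk and the tail of the preceding `KubernetesEnvironmentProvisioner` hunk are garbled in this view, so their start could not be checked.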
diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisionerTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisionerTest.java
index 02247b8c92..fa7bf4b9e7 100644
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisionerTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/KubernetesEnvironmentProvisionerTest.java
@@ -25,6 +25,7 @@ import org.eclipse.che.workspace.infrastructure.kubernetes.provision.LogsVolumeM
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.PodTerminationGracePeriodProvisioner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.ProxySettingsProvisioner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.SecurityContextProvisioner;
+import org.eclipse.che.workspace.infrastructure.kubernetes.provision.ServiceAccountProvisioner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.UniqueNamesProvisioner;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.env.EnvVarsConverter;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.limits.ram.RamLimitProvisioner;
@@ -51,7 +52,7 @@ public class KubernetesEnvironmentProvisionerTest {
 @Mock private KubernetesEnvironment k8sEnv;
 @Mock private RuntimeIdentity runtimeIdentity;
 @Mock private EnvVarsConverter envVarsProvisioner;
- @Mock private ServersConverter serversProvisioner;
+ @Mock private ServersConverter serversProvisioner;
 @Mock private RestartPolicyRewriter restartPolicyRewriter;
 @Mock private RamLimitProvisioner ramLimitProvisioner;
 @Mock private LogsVolumeMachineProvisioner logsVolumeMachineProvisioner;
@@ -60,14 +61,15 @@ public class KubernetesEnvironmentProvisionerTest { @Mock private IngressTlsProvisioner externalServerIngressTlsProvisioner; @Mock private ImagePullSecretProvisioner imagePullSecretProvisioner; @Mock private ProxySettingsProvisioner proxySettingsProvisioner; + @Mock private ServiceAccountProvisioner serviceAccountProvisioner; - private KubernetesEnvironmentProvisioner osInfraProvisioner; + private KubernetesEnvironmentProvisioner k8sInfraProvisioner; private InOrder provisionOrder; @BeforeMethod public void setUp() { - osInfraProvisioner = + k8sInfraProvisioner = new KubernetesEnvironmentProvisionerImpl( true, uniqueNamesProvisioner, @@ -82,7 +84,8 @@ public class KubernetesEnvironmentProvisionerTest { podTerminationGracePeriodProvisioner, externalServerIngressTlsProvisioner, imagePullSecretProvisioner, - proxySettingsProvisioner); + proxySettingsProvisioner, + serviceAccountProvisioner); provisionOrder = inOrder( installerServersPortProvisioner, @@ -97,12 +100,13 @@ public class KubernetesEnvironmentProvisionerTest { podTerminationGracePeriodProvisioner, externalServerIngressTlsProvisioner, imagePullSecretProvisioner, - proxySettingsProvisioner); + proxySettingsProvisioner, + serviceAccountProvisioner); } @Test public void performsOrderedProvisioning() throws Exception { - osInfraProvisioner.provision(k8sEnv, runtimeIdentity); + k8sInfraProvisioner.provision(k8sEnv, runtimeIdentity); provisionOrder .verify(installerServersPortProvisioner) @@ -123,6 +127,7 @@ public class KubernetesEnvironmentProvisionerTest { .provision(eq(k8sEnv), eq(runtimeIdentity)); provisionOrder.verify(imagePullSecretProvisioner).provision(eq(k8sEnv), eq(runtimeIdentity)); provisionOrder.verify(proxySettingsProvisioner).provision(eq(k8sEnv), eq(runtimeIdentity)); + provisionOrder.verify(serviceAccountProvisioner).provision(eq(k8sEnv), eq(runtimeIdentity)); provisionOrder.verifyNoMoreInteractions(); } } 
diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisioner.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisioner.java index 4fcfaa7aeb..a422497a52 100644 --- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisioner.java +++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisioner.java @@ -23,6 +23,7 @@ import org.eclipse.che.workspace.infrastructure.kubernetes.provision.InstallerSe import org.eclipse.che.workspace.infrastructure.kubernetes.provision.LogsVolumeMachineProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.PodTerminationGracePeriodProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.ProxySettingsProvisioner; +import org.eclipse.che.workspace.infrastructure.kubernetes.provision.ServiceAccountProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.UniqueNamesProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.env.EnvVarsConverter; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.limits.ram.RamLimitProvisioner; @@ -56,6 +57,7 @@ public class OpenShiftEnvironmentProvisioner private final PodTerminationGracePeriodProvisioner podTerminationGracePeriodProvisioner; private final ImagePullSecretProvisioner imagePullSecretProvisioner; private final ProxySettingsProvisioner proxySettingsProvisioner; + private final ServiceAccountProvisioner serviceAccountProvisioner; @Inject public OpenShiftEnvironmentProvisioner( 
@@ -71,7 +73,8 @@ public class OpenShiftEnvironmentProvisioner LogsVolumeMachineProvisioner logsVolumeMachineProvisioner, PodTerminationGracePeriodProvisioner podTerminationGracePeriodProvisioner, ImagePullSecretProvisioner imagePullSecretProvisioner, - ProxySettingsProvisioner proxySettingsProvisioner) { + ProxySettingsProvisioner proxySettingsProvisioner, + ServiceAccountProvisioner serviceAccountProvisioner) { this.pvcEnabled = pvcEnabled; this.volumesStrategy = volumesStrategy; this.uniqueNamesProvisioner = uniqueNamesProvisioner; @@ -85,6 +88,7 @@ public class OpenShiftEnvironmentProvisioner this.podTerminationGracePeriodProvisioner = podTerminationGracePeriodProvisioner; this.imagePullSecretProvisioner = imagePullSecretProvisioner; this.proxySettingsProvisioner = proxySettingsProvisioner; + this.serviceAccountProvisioner = serviceAccountProvisioner; } @Override @@ -111,5 +115,6 @@ public class OpenShiftEnvironmentProvisioner podTerminationGracePeriodProvisioner.provision(osEnv, identity); imagePullSecretProvisioner.provision(osEnv, identity); proxySettingsProvisioner.provision(osEnv, identity); + serviceAccountProvisioner.provision(osEnv, identity); } } diff --git a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisionerTest.java b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisionerTest.java index 3b04a7e679..84f087b300 100644 --- a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisionerTest.java +++ b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftEnvironmentProvisionerTest.java 
@@ -21,6 +21,7 @@ import org.eclipse.che.workspace.infrastructure.kubernetes.provision.InstallerSe import org.eclipse.che.workspace.infrastructure.kubernetes.provision.LogsVolumeMachineProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.PodTerminationGracePeriodProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.ProxySettingsProvisioner; +import org.eclipse.che.workspace.infrastructure.kubernetes.provision.ServiceAccountProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.env.EnvVarsConverter; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.limits.ram.RamLimitProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.restartpolicy.RestartPolicyRewriter; @@ -57,6 +58,7 @@ public class OpenShiftEnvironmentProvisionerTest { @Mock private PodTerminationGracePeriodProvisioner podTerminationGracePeriodProvisioner; @Mock private ImagePullSecretProvisioner imagePullSecretProvisioner; @Mock private ProxySettingsProvisioner proxySettingsProvisioner; + @Mock private ServiceAccountProvisioner serviceAccountProvisioner; private OpenShiftEnvironmentProvisioner osInfraProvisioner; @@ -78,7 +80,8 @@ public class OpenShiftEnvironmentProvisionerTest { logsVolumeMachineProvisioner, podTerminationGracePeriodProvisioner, imagePullSecretProvisioner, - proxySettingsProvisioner); + proxySettingsProvisioner, + serviceAccountProvisioner); provisionOrder = inOrder( installerServersPortProvisioner, @@ -92,7 +95,8 @@ public class OpenShiftEnvironmentProvisionerTest { ramLimitProvisioner, podTerminationGracePeriodProvisioner, imagePullSecretProvisioner, - proxySettingsProvisioner); + proxySettingsProvisioner, + serviceAccountProvisioner); } @Test 
@@ -115,6 +119,7 @@ public class OpenShiftEnvironmentProvisionerTest { .provision(eq(osEnv), eq(runtimeIdentity)); provisionOrder.verify(imagePullSecretProvisioner).provision(eq(osEnv), eq(runtimeIdentity)); provisionOrder.verify(proxySettingsProvisioner).provision(eq(osEnv), eq(runtimeIdentity)); + provisionOrder.verify(serviceAccountProvisioner).provision(eq(osEnv), eq(runtimeIdentity)); provisionOrder.verifyNoMoreInteractions(); } } From b10c305d106b287bf86a7a08a6a42ae34ac1ce40 Mon Sep 17 00:00:00 2001 From: Sergii Leshchenko Date: Tue, 11 Sep 2018 17:28:34 +0300 Subject: [PATCH 2/3] CHE-10991 Add creating of workspace service account in deployment Che on OpenShift --- .../helm/che/templates/configmap.yaml | 1 + deploy/openshift/deploy_che.sh | 8 +++ .../templates/che-server-template.yaml | 6 ++ .../che-workspace-service-account.yaml | 63 +++++++++++++++++++ 4 files changed, 78 insertions(+) create mode 100644 deploy/openshift/templates/che-workspace-service-account.yaml diff --git a/deploy/kubernetes/helm/che/templates/configmap.yaml b/deploy/kubernetes/helm/che/templates/configmap.yaml index 6a581ca7d7..8758d98155 100644 --- a/deploy/kubernetes/helm/che/templates/configmap.yaml +++ b/deploy/kubernetes/helm/che/templates/configmap.yaml @@ -49,6 +49,7 @@ data: CHE_KEYCLOAK_USERNAME__CLAIM: {{ .Values.customOidcUsernameClaim }} {{- end }} CHE_INFRA_KUBERNETES_NAMESPACE: {{ .Values.global.cheWorkspacesNamespace }} + CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME: {{ .Values.global.cheWorkspacesServiceAccount }} CHE_INFRA_KUBERNETES_TRUST__CERTS: "false" CHE_INFRA_KUBERNETES_PVC_STRATEGY: "common" CHE_INFRA_KUBERNETES_PVC_QUANTITY: {{ .Values.global.pvcClaim }} diff --git a/deploy/openshift/deploy_che.sh b/deploy/openshift/deploy_che.sh index b5b5bc6d55..730e366e17 100755 --- a/deploy/openshift/deploy_che.sh +++ b/deploy/openshift/deploy_che.sh 
@@ -445,6 +445,13 @@ ${CHE_VAR_ARRAY}" PLUGIN__REGISTRY__URL="${HTTP_PROTOCOL}://${PLUGIN_REGISTRY_ROUTE}" fi + if [ ! -z ${CHE_INFRA_OPENSHIFT_PROJECT} ]; then + ${OC_BINARY} new-app -f ${BASE_DIR}/templates/che-workspace-service-account.yaml \ + -p SERVICE_ACCOUNT_NAME='che-workspace' \ + -p SERVICE_ACCOUNT_NAMESPACE=${CHE_INFRA_OPENSHIFT_PROJECT} + WORKSPACE_SERVICE_ACCOUNT_NAME="che-workspace" + fi + ${OC_BINARY} new-app -f ${BASE_DIR}/templates/che-server-template.yaml \ -p ROUTING_SUFFIX=${OPENSHIFT_ROUTING_SUFFIX} \ -p IMAGE_CHE=${CHE_IMAGE_REPO} \ @@ -458,6 +465,7 @@ ${CHE_VAR_ARRAY}" -p CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER=${CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER} \ -p TLS=${TLS} \ -p CHE_WORKSPACE_PLUGIN__REGISTRY__URL=${PLUGIN__REGISTRY__URL} \ + -p CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME=${WORKSPACE_SERVICE_ACCOUNT_NAME} \ ${ENV} if [ ${UPDATE_STRATEGY} == "Recreate" ]; then diff --git a/deploy/openshift/templates/che-server-template.yaml b/deploy/openshift/templates/che-server-template.yaml index 822d76c895..fc72c610d5 100644 --- a/deploy/openshift/templates/che-server-template.yaml +++ b/deploy/openshift/templates/che-server-template.yaml @@ -102,6 +102,8 @@ objects: value: "${CHE_INFRA_KUBERNETES_MASTER__URL}" - name: CHE_INFRA_OPENSHIFT_PROJECT value: "${CHE_INFRA_OPENSHIFT_PROJECT}" + - name: CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME + value: "${CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME}" - name: CHE_INFRA_KUBERNETES_PVC_STRATEGY value: "${CHE_INFRA_KUBERNETES_PVC_STRATEGY}" - name: CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS 
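Review bot: `if [ ! -z ${CHE_INFRA_OPENSHIFT_PROJECT} ]` leaves the variable unquoted, so an empty value degenerates to `[ ! -z ]`, which only evaluates false by accident of `test`'s one-argument rule; write `if [ -n "${CHE_INFRA_OPENSHIFT_PROJECT}" ]; then`. When that branch is not taken, `WORKSPACE_SERVICE_ACCOUNT_NAME` is never assigned, so the second hunk passes `-p CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME=` with an empty value instead of leaving the template's `'NULL'` default in effect; initialise it before the `if` with `WORKSPACE_SERVICE_ACCOUNT_NAME="NULL"`. Running `oc new-app` on `che-workspace-service-account.yaml` also presumes the `${CHE_INFRA_OPENSHIFT_PROJECT}` namespace already exists, which nothing in this hunk checks — the enclosing function starts before and ends after the hunk, so that may be handled elsewhere.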
@@ -241,6 +243,10 @@ parameters:
 displayName: PVC strategy
 description: PVC strategy. Unique implies creating PVC per workspace. Common uses one PVC with subpaths in PV. Defaults to unique
 value: 'unique'
+- name: CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME
+ displayName: Workspace service account name
+ description: Service accont name that should be specified to be bound to workspaces pods. Defauls to 'NULL' that means that Che Server won't specify any and default one will be bound.
+ value: 'NULL'
 - name: CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD
 displayName: Admin password update
 description: Force an admin to update password after 1st login. True by default
diff --git a/deploy/openshift/templates/che-workspace-service-account.yaml b/deploy/openshift/templates/che-workspace-service-account.yaml
new file mode 100644
index 0000000000..20f338f65b
--- /dev/null
+++ b/deploy/openshift/templates/che-workspace-service-account.yaml
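Review bot: The new parameter description contains two typos, `accont` and `Defauls`, and reads awkwardly; suggested text: `description: Service account name that should be bound to workspace pods. Defaults to 'NULL', which means Che Server will not set one and the namespace default service account will be bound.` Since this is the text operators see in the console, it is also worth saying that the account's token is mounted into the workspace pods (the provisioner in patch 1 sets `automountServiceAccountToken`), not merely that the account is "bound".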
@@ -0,0 +1,63 @@
+#
+# Copyright (c) 2012-2018 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+---
+apiVersion: v1
+kind: Template
+metadata:
+ name: che-workspace-service-account
+objects:
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: ${SERVICE_ACCOUNT_NAME}
+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}
+- apiVersion: v1
+ kind: Role
+ metadata:
+ name: exec
+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}
+ rules:
+ - apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - pods/exec
+ verbs:
+ - create
+- apiVersion: v1
+ kind: RoleBinding
+ metadata:
+ name: che-workspace-exec
+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}
+ roleRef:
+ name: exec
+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}
+ subjects:
+ - kind: ServiceAccount
+ name: ${SERVICE_ACCOUNT_NAME}
+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}
+- apiVersion: v1
+ kind: RoleBinding
+ metadata:
+ name: che-workspace-view
+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}
+ roleRef:
+ name: view
+ subjects:
+ - kind: ServiceAccount
+ name: ${SERVICE_ACCOUNT_NAME}
+parameters:
+- name: SERVICE_ACCOUNT_NAME
+ value: che-workspace
+ displayName: Eclipse Che plugin registry image
+ description: Service Account name that should be bound to workspaces. Defaults to 'che-workspace'
+- name: SERVICE_ACCOUNT_NAMESPACE
+ displayName: Service account namespace
+ description: Namespace where service account should be created
+ required: true
From 5b848a6b027365b39a8648e8e0c54883aefeb971 Mon Sep 17 00:00:00 2001
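Review bot: The `exec` Role grants `create` on `pods/exec` for every pod in `${SERVICE_ACCOUNT_NAMESPACE}`, and because patch 1 mounts this account's token into every workspace pod, code running in one workspace can exec into any other pod in the shared workspaces namespace, including other users' workspaces; the Helm `exec-role.yaml` in patch 3 carries the same rule. RBAC cannot practically narrow `pods/exec` to the caller's own pods (pod names are dynamic), so if this trade-off is accepted it should be stated in the template description and in the `che.infra.kubernetes.service_account_name` property comment, with one workspaces namespace per user as the isolation mitigation. Separately, `displayName: Eclipse Che plugin registry image` on `SERVICE_ACCOUNT_NAME` is a copy-paste leftover; `displayName: Workspace service account name`.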
From: Sergii Leshchenko Date: Tue, 11 Sep 2018 18:14:20 +0300 Subject: [PATCH 3/3] CHE-10991 Add creating of workspace service account in Che Kubernetes Helm chart --- .../che/everrest/CheMethodInvokerFilter.java | 1 + .../_workspaceServiceAccountNameHelper.tpl | 5 ++++ .../helm/che/templates/configmap.yaml | 2 +- .../helm/che/templates/deployment.yaml | 5 ++++ .../helm/che/templates/exec-role.yaml | 24 ++++++++++++++++++ .../workspace-exec-role-binding.yaml | 25 +++++++++++++++++++ .../templates/workspace-service-account.yaml | 16 ++++++++++++ .../workspace-view-role-binding.yaml | 23 +++++++++++++++++ 8 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 deploy/kubernetes/helm/che/templates/_workspaceServiceAccountNameHelper.tpl create mode 100644 deploy/kubernetes/helm/che/templates/exec-role.yaml create mode 100644 deploy/kubernetes/helm/che/templates/workspace-exec-role-binding.yaml create mode 100644 deploy/kubernetes/helm/che/templates/workspace-service-account.yaml create mode 100644 deploy/kubernetes/helm/che/templates/workspace-view-role-binding.yaml diff --git a/core/che-core-api-core/src/main/java/org/eclipse/che/everrest/CheMethodInvokerFilter.java b/core/che-core-api-core/src/main/java/org/eclipse/che/everrest/CheMethodInvokerFilter.java index 4f1d4c851d..e7f79b0b4a 100644 --- a/core/che-core-api-core/src/main/java/org/eclipse/che/everrest/CheMethodInvokerFilter.java +++ b/core/che-core-api-core/src/main/java/org/eclipse/che/everrest/CheMethodInvokerFilter.java @@ -36,6 +36,7 @@ public abstract class CheMethodInvokerFilter implements MethodInvokerFilter { public void accept(GenericResourceMethod genericMethodResource, Object[] arguments) throws WebApplicationException { try { + filter(genericMethodResource, arguments); } catch (ApiException exception) { Response response; 
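Review bot: Adding `filter(genericMethodResource, arguments);` to an otherwise empty `try` in `CheMethodInvokerFilter.accept` is a behavioural fix unrelated to the Helm-chart work named in this commit's subject: before it the `filter` hook — and, as far as I can tell, every subclass that implements access checks on it — was never invoked, so REST methods reached their implementation without passing through these filters. Split it into its own commit with a test that asserts `filter` is called and that an `ApiException` thrown from it is mapped to the error response, so the regression cannot return silently. The enclosing `accept` method continues past the hunk.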
diff --git a/deploy/kubernetes/helm/che/templates/_workspaceServiceAccountNameHelper.tpl b/deploy/kubernetes/helm/che/templates/_workspaceServiceAccountNameHelper.tpl
new file mode 100644
index 0000000000..75bf601247
--- /dev/null
+++ b/deploy/kubernetes/helm/che/templates/_workspaceServiceAccountNameHelper.tpl
@@ -0,0 +1,5 @@
+{{- define "workspaceServiceAccountName" }}
+{{- if (.Values.global.cheWorkspacesNamespace) }}
+{{- printf "che-workspace" }}
+{{- end }}
+{{- end }}
diff --git a/deploy/kubernetes/helm/che/templates/configmap.yaml b/deploy/kubernetes/helm/che/templates/configmap.yaml
index 8758d98155..4ba217ca70 100644
--- a/deploy/kubernetes/helm/che/templates/configmap.yaml
+++ b/deploy/kubernetes/helm/che/templates/configmap.yaml
@@ -49,7 +49,7 @@ data:
 CHE_KEYCLOAK_USERNAME__CLAIM: {{ .Values.customOidcUsernameClaim }}
 {{- end }}
 CHE_INFRA_KUBERNETES_NAMESPACE: {{ .Values.global.cheWorkspacesNamespace }}
- CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME: {{ .Values.global.cheWorkspacesServiceAccount }}
+ CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME: {{ template "workspaceServiceAccountName" . }}
 CHE_INFRA_KUBERNETES_TRUST__CERTS: "false"
 CHE_INFRA_KUBERNETES_PVC_STRATEGY: "common"
 CHE_INFRA_KUBERNETES_PVC_QUANTITY: {{ .Values.global.pvcClaim }}
diff --git a/deploy/kubernetes/helm/che/templates/deployment.yaml b/deploy/kubernetes/helm/che/templates/deployment.yaml
index 2537c22bc5..c845945115 100644
--- a/deploy/kubernetes/helm/che/templates/deployment.yaml
+++ b/deploy/kubernetes/helm/che/templates/deployment.yaml
@@ -186,6 +186,11 @@ spec:
 configMapKeyRef:
 key: CHE_INFRA_KUBERNETES_NAMESPACE
 name: che
+ - name: CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME
+ valueFrom:
+ configMapKeyRef:
+ key: CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME
+ name: che
 - name: CHE_LOCAL_CONF_DIR
 valueFrom:
 configMapKeyRef:
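Review bot: `workspaceServiceAccountName` renders nothing when `cheWorkspacesNamespace` is unset, so `CHE_INFRA_KUBERNETES_SERVICE__ACCOUNT__NAME` is present but empty in the configmap; the provisioner's empty check tolerates that, but the literal `che-workspace` is now hard-coded here and repeated in `workspace-service-account.yaml` and both role bindings, so renaming it in one template silently unbinds the others. Reference the helper from those templates too, `name: {{ template "workspaceServiceAccountName" . }}`, and consider `{{- printf "%s" (.Values.global.cheWorkspacesServiceAccount | default "che-workspace") }}` so the value the previous commit exposed stays configurable rather than being dropped again.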
diff --git a/deploy/kubernetes/helm/che/templates/exec-role.yaml b/deploy/kubernetes/helm/che/templates/exec-role.yaml
new file mode 100644
index 0000000000..e0de8d9ab5
--- /dev/null
+++ b/deploy/kubernetes/helm/che/templates/exec-role.yaml
@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2012-2017 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+{{- if (.Values.global.cheWorkspacesNamespace) }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: exec
+ namespace: {{ .Values.global.cheWorkspacesNamespace }}
+rules:
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - pods/exec
+ verbs:
+ - create
+{{- end }}
diff --git a/deploy/kubernetes/helm/che/templates/workspace-exec-role-binding.yaml b/deploy/kubernetes/helm/che/templates/workspace-exec-role-binding.yaml
new file mode 100644
index 0000000000..c3f5f408ce
--- /dev/null
+++ b/deploy/kubernetes/helm/che/templates/workspace-exec-role-binding.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2012-2017 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+{{- if (.Values.global.cheWorkspacesNamespace) }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: che-workspace-exec
+ namespace: {{ .Values.global.cheWorkspacesNamespace }}
+roleRef:
+ kind: Role
+ name: exec
+ namespace: {{ .Values.global.cheWorkspacesNamespace }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: che-workspace
+ namespace: {{ .Values.global.cheWorkspacesNamespace }}
+{{- end }}
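Review bot: `roleRef.namespace` in `workspace-exec-role-binding.yaml` is not a field of the `rbac.authorization.k8s.io/v1beta1` RoleRef (a `kind: Role` reference is always resolved in the binding's own namespace), and `attributeRestrictions: null` in `exec-role.yaml` is an OpenShift `v1` PolicyRule field rather than a Kubernetes RBAC one; depending on the API server these are silently dropped or rejected as unknown fields, so remove both lines. The `pods/exec` grant itself carries the namespace-wide exec exposure raised on the OpenShift template in patch 2.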
diff --git a/deploy/kubernetes/helm/che/templates/workspace-service-account.yaml b/deploy/kubernetes/helm/che/templates/workspace-service-account.yaml
new file mode 100644
index 0000000000..aa1a64f7b4
--- /dev/null
+++ b/deploy/kubernetes/helm/che/templates/workspace-service-account.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2012-2017 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+{{- if (.Values.global.cheWorkspacesNamespace) }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: "che-workspace"
+ namespace: {{ .Values.global.cheWorkspacesNamespace }}
+{{- end }}
diff --git a/deploy/kubernetes/helm/che/templates/workspace-view-role-binding.yaml b/deploy/kubernetes/helm/che/templates/workspace-view-role-binding.yaml
new file mode 100644
index 0000000000..8188af85fe
--- /dev/null
+++ b/deploy/kubernetes/helm/che/templates/workspace-view-role-binding.yaml
@@ -0,0 +1,23 @@
+#
+# Copyright (c) 2012-2017 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+{{- if (.Values.global.cheWorkspacesNamespace) }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: che-workspace-view
+ namespace: {{ .Values.global.cheWorkspacesNamespace }}
+roleRef:
+ kind: Role
+ name: view
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: che-workspace
+{{- end }}
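Review bot: `workspace-view-role-binding.yaml` references `view` with `kind: Role`, but `view` is one of the default ClusterRoles and no Role of that name exists in the workspaces namespace, so as far as I know the binding is accepted yet grants nothing; change it to `kind: ClusterRole`. The ServiceAccount subject also omits `namespace`, which Kubernetes RBAC validation requires for ServiceAccount subjects (I believe the object is rejected outright); add `namespace: {{ .Values.global.cheWorkspacesNamespace }}` as the exec binding already does.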