Merge pull request #505 from fluxcd/tenant-sa

Add service accounts to tenant command
4 years ago · 0db06c8962
parent c2967240bb a8e5876b2e
commit 0db06c8962
4 changed files with 124 additions and 8 deletions
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@ -38,7 +38,7 @@ var createTenantCmd = &cobra.Command{
 	Use:   "tenant",
 	Short: "Create or update a tenant",
 	Long: `
-The create tenant command generates namespaces and role bindings to limit the
+The create tenant command generates namespaces, service accounts and role bindings to limit the
 reconcilers scope to the tenant namespaces.`,
 	Example: `  # Create a tenant with access to a namespace 
  flux create tenant dev-team \
@ -65,7 +65,6 @@ var (
 )

 func init() {
-	createTenantCmd.Hidden = true
 	createTenantCmd.Flags().StringSliceVar(&tenantNamespaces, "with-namespace", nil, "namespace belonging to this tenant")
 	createTenantCmd.Flags().StringVar(&tenantClusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
 	createCmd.AddCommand(createTenantCmd)
@ -89,6 +88,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	var namespaces []corev1.Namespace
+	var accounts []corev1.ServiceAccount
 	var roleBindings []rbacv1.RoleBinding

 	for _, ns := range tenantNamespaces {
@ -111,6 +111,16 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		namespaces = append(namespaces, namespace)

+		account := corev1.ServiceAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      tenant,
+				Namespace: ns,
+				Labels:    objLabels,
+			},
+		}
+
+		accounts = append(accounts, account)
+
 		roleBinding := rbacv1.RoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      tenantRoleBinding,
@ -119,10 +129,13 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 			},
 			Subjects: []rbacv1.Subject{
 				{
-					APIGroup: "rbac.authorization.k8s.io",
 					Kind: "User",
 					Name: fmt.Sprintf("gotk:%s:reconciler", ns),
 				},
+				{
+					Kind: "ServiceAccount",
+					Name: tenant,
+				},
 			},
 			RoleRef: rbacv1.RoleRef{
 				APIGroup: "rbac.authorization.k8s.io",
@ -135,7 +148,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {

 	if export {
 		for i, _ := range tenantNamespaces {
-			if err := exportTenant(namespaces[i], roleBindings[i]); err != nil {
+			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i]); err != nil {
 				return err
 			}
 		}
@ -156,6 +169,11 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 			return err
 		}

+		logger.Actionf("applying service account %s", accounts[i].Name)
+		if err := upsertServiceAccount(ctx, kubeClient, accounts[i]); err != nil {
+			return err
+		}
+
 		logger.Actionf("applying role binding %s", roleBindings[i].Name)
 		if err := upsertRoleBinding(ctx, kubeClient, roleBindings[i]); err != nil {
 			return err
@ -195,6 +213,35 @@ func upsertNamespace(ctx context.Context, kubeClient client.Client, namespace co
 	return nil
 }

+func upsertServiceAccount(ctx context.Context, kubeClient client.Client, account corev1.ServiceAccount) error {
+	namespacedName := types.NamespacedName{
+		Namespace: account.GetNamespace(),
+		Name:      account.GetName(),
+	}
+
+	var existing corev1.ServiceAccount
+	err := kubeClient.Get(ctx, namespacedName, &existing)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if err := kubeClient.Create(ctx, &account); err != nil {
+				return err
+			} else {
+				return nil
+			}
+		}
+		return err
+	}
+
+	if !equality.Semantic.DeepDerivative(account.Labels, existing.Labels) {
+		existing.Labels = account.Labels
+		if err := kubeClient.Update(ctx, &existing); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func upsertRoleBinding(ctx context.Context, kubeClient client.Client, roleBinding rbacv1.RoleBinding) error {
 	namespacedName := types.NamespacedName{
 		Namespace: roleBinding.GetNamespace(),
@ -228,7 +275,7 @@ func upsertRoleBinding(ctx context.Context, kubeClient client.Client, roleBindin
 	return nil
 }

-func exportTenant(namespace corev1.Namespace, roleBinding rbacv1.RoleBinding) error {
+func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, roleBinding rbacv1.RoleBinding) error {
 	namespace.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
 		Kind:       "Namespace",
@ -242,6 +289,19 @@ func exportTenant(namespace corev1.Namespace, roleBinding rbacv1.RoleBinding) er
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
 	fmt.Println(resourceToString(data))

+	account.TypeMeta = metav1.TypeMeta{
+		APIVersion: "",
+		Kind:       "ServiceAccount",
+	}
+	data, err = yaml.Marshal(account)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("---")
+	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
+	fmt.Println(resourceToString(data))
+
 	roleBinding.TypeMeta = metav1.TypeMeta{
 		APIVersion: "rbac.authorization.k8s.io/v1",
 		Kind:       "RoleBinding",
--- a/docs/cmd/flux_create.md
+++ b/docs/cmd/flux_create.md
@ -34,4 +34,5 @@ The create sub-commands generate sources and resources.
 * [flux create kustomization](flux_create_kustomization.md)	 - Create or update a Kustomization resource
 * [flux create receiver](flux_create_receiver.md)	 - Create or update a Receiver resource
 * [flux create source](flux_create_source.md)	 - Create or update sources
+* [flux create tenant](flux_create_tenant.md)	 - Create or update a tenant

--- a/docs/cmd/flux_create_tenant.md
+++ b/docs/cmd/flux_create_tenant.md
@ -0,0 +1,55 @@
+## flux create tenant
+
+Create or update a tenant
+
+### Synopsis
+
+
+The create tenant command generates namespaces, service accounts and role bindings to limit the
+reconcilers scope to the tenant namespaces.
+
+```
+flux create tenant [flags]
+```
+
+### Examples
+
+```
+  # Create a tenant with access to a namespace 
+  flux create tenant dev-team \
+    --with-namespace=frontend \
+    --label=environment=dev
+
+  # Generate tenant namespaces and role bindings in YAML format
+  flux create tenant dev-team \
+    --with-namespace=frontend \
+    --with-namespace=backend \
+	--export > dev-team.yaml
+
+```
+
+### Options
+
+```
+      --cluster-role string      cluster role of the tenant role binding (default "cluster-admin")
+  -h, --help                     help for tenant
+      --with-namespace strings   namespace belonging to this tenant
+```
+
+### Options inherited from parent commands
+
+```
+      --context string      kubernetes context to use
+      --export              export in YAML format to stdout
+      --interval duration   source sync interval (default 1m0s)
+      --kubeconfig string   path to the kubeconfig file (default "~/.kube/config")
+      --label strings       set labels on the resource (can specify multiple labels with commas: label1=value1,label2=value2)
+  -n, --namespace string    the namespace scope for this operation (default "flux-system")
+      --timeout duration    timeout for this operation (default 5m0s)
+      --verbose             print generated objects
+```
+
+### SEE ALSO
+
+* [flux create](flux_create.md)	 - Create or update sources and resources
+
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -95,7 +95,7 @@ nav:
    - Create alert provider: cmd/flux_create_alert-provider.md
    - Create alert: cmd/flux_create_alert.md
    - Create receiver: cmd/flux_create_receiver.md
-    #- Create tenant: cmd/flux_create_tenant.md
+    - Create tenant: cmd/flux_create_tenant.md
    - Delete: cmd/flux_delete.md
    - Delete kustomization: cmd/flux_delete_kustomization.md
    - Delete helmrelease: cmd/flux_delete_helmrelease.md