WIP: Automatically create service account/role restricted to only the project's namespace
What does this MR do?
Automatically create service account/role restricted to only the project's namespace and expose it as environment variable
What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab-ce/issues/51716
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated -
Tests added for this feature/bug -
Conforms to the code review guidelines -
Conforms to the merge request performance guidelines -
Conforms to the style guides -
Conforms to the database guides
Backend - To do
-
Modify ServiceAccount to use project namespace -
Create a token for the new ServiceAccount -
If RBAC enabled create RoleBinding with edit access for the ServiceAccount -
If RBAC disabled, don’t create RoleBinding -
-Expose ServiceAccount as environment variable KUBE_SERVICE_ACCOUNT -
Replace KUBE_TOKEN with KUBECONFIG with new credentials
Refactor/Clean up
-
Clarify CreateServiceAccountService specs -
Clean up constants on Clusters::GCP::Kubernetes -
Test for kubernetes variables -
Delete ClusterRoleBinding
class?
Manual QA
-
Create ABAC Cluster -
Install all applications on ABAC -
Create RBAC Cluster -
Install all applications on RBAC
Edited by 🤖 GitLab Bot 🤖