Local client configure on deploy #14
Conversation
| assert.NoError(t, Deploy(kubectlOptions, namespaceName, serviceAccountName, tlsOptions)) | ||
|
|
||
| // Grant and configure client as a new service account, testing the flow | ||
| serviceAccountKubectlOptions := grantAndConfigureClientAsServiceAccount(t, terratestKubectlOptions, kubectlOptions, tlsOptions) |
There was a problem hiding this comment.
Note: we still test the same underlying functions, since that is what is used by Deploy.
| @@ -0,0 +1,222 @@ | |||
| # What is Helm? | |||
| @@ -168,16 +170,16 @@ basic helm server, this subcommand contains features such as: | |||
| - Tying certificate access to RBAC roles to harden access to the Tiller server. | |||
|
|
|||
| **Note**: This command does not create `Namespaces` or `ServiceAccounts`, delegating that responsibility to other | |||
| systems. Checkout our [terraform-kubernetes-helm module](https://github.com/gruntwork-io/terraform-kubernetes-helm) for | |||
| an end to end implementation. | |||
| systems. | |||
There was a problem hiding this comment.
Should we give an example of the systems, such as our modules or the operator using kubectl?
There was a problem hiding this comment.
Ah yes good point. I guess I had this thought that things are changing quickly and fast so I wasn't sure what examples to give here. I'll add a TODO for now, and a github issue so it isn't lost.
README.md
Outdated
| @@ -194,6 +196,8 @@ This will: | |||
| - Store the Certificate Authority private key in a new `Secret` in the `kube-system` namespace. | |||
| - Launch Tiller using the generated TLS certificate in the specified `Namespace` with the specified `ServiceAccount`. | |||
|
|
|||
| You can also optionally grant access to an RBAC entity and configure the local helm client to use that using one of `--rbac-user`, `--rbac-group`, `--rbac-service-account` options., | |||
There was a problem hiding this comment.
As a reader, it's not immediately clear why I wouldn't want to always include one of these?
There was a problem hiding this comment.
Hmm, you know what? You bring up a good point. I originally had the thought that you wouldn't want to setup the local helm client in a CI job during development, but I realized that you most likely wouldn't do development like that.
| return rbacEntity, setEntities, err | ||
| } | ||
| } | ||
| if setEntities != 1 { |
There was a problem hiding this comment.
Why do we pass out setEntities and check for 0 there instead of making this check > 1?
There was a problem hiding this comment.
Simplified this by requiring that you pass in an rbac entity to deploy.
|
UPDATE: I made one more change 900a0e7 Instead of using a
|
|
Merging and releasing. |
This adds additional optional flags to
helm deployso that you can grant and configure the local client in one step as part of the deploy.This also additionally copies in the helm docs from
terraform-kubernetes-helmso that that is available here as well as a reference.