Feature/setup project existing sa #87
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
k8s-ci-robot
added
size/L
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
deploy/kubernetes/deploy-driver.sh
Outdated
| @@ -15,6 +15,30 @@ set -o errexit | |||
|
|
|||
| readonly PKGDIR="${GOPATH}/src/sigs.k8s.io/gcp-compute-persistent-disk-csi-driver" | |||
| readonly KUBEDEPLOY="${PKGDIR}/deploy/kubernetes" | |||
| #readonly BIND_ROLES="roles/compute.storageAdmin roles/iam.serviceAccountUser projects/${PROJECT}/roles/gcp_compute_persistent_disk_csi_driver_custom_role" | |||
|
|
|||
| function check_service_account() | |||
There was a problem hiding this comment.
can you move the function definition to the bottom of the file
deploy/kubernetes/deploy-driver.sh
Outdated
| @@ -15,6 +15,30 @@ set -o errexit | |||
|
|
|||
| readonly PKGDIR="${GOPATH}/src/sigs.k8s.io/gcp-compute-persistent-disk-csi-driver" | |||
| readonly KUBEDEPLOY="${PKGDIR}/deploy/kubernetes" | |||
| #readonly BIND_ROLES="roles/compute.storageAdmin roles/iam.serviceAccountUser projects/${PROJECT}/roles/gcp_compute_persistent_disk_csi_driver_custom_role" | |||
There was a problem hiding this comment.
why did this get moved? can it be moved back?
There was a problem hiding this comment.
We need to first extract the project sadly
deploy/kubernetes/deploy-driver.sh
Outdated
| function check_service_account() | ||
| { | ||
| # Using bash magic to parse JSON for IAM | ||
| IAM_NAME=$(grep -Po '"client_email": *\K"[^"]*"' ${GCE_PD_SA_DIR}/cloud-sa.json | tr -d '"') |
There was a problem hiding this comment.
alternatively:
jq '.client_email' ${GCE_PD_SA_DIR}/cloud-sa.json | tr -d '"'
I'm not sure if every system has jq installed but mine certainly does and I would prefer using a JSON parser for JSON over bash magic :)
There was a problem hiding this comment.
Two of my standard dev machines don't have jq by default, that's why I offered to convert to python (can also be useful for Windows K8S deployments).
I also don't have a problem converting to jq and adding a message if it is missing if you prefer
deploy/kubernetes/deploy-driver.sh
Outdated
| fi | ||
| done | ||
| if [ "$MISSING_ROLES" = true ]; then | ||
| echo Cannot deploy with missing roles in service account, stopping |
There was a problem hiding this comment.
print out suggestion to use setup-project.sh to remedy this issue
deploy/setup-project.sh
Outdated
| gcloud iam roles create gcp_compute_persistent_disk_csi_driver_custom_role --quiet \ | ||
| --project "${PROJECT}" \ | ||
| --file "${PKGDIR}/deploy/gcp-compute-persistent-disk-csi-driver-custom-role.yaml" | ||
| function create_new_sa() |
There was a problem hiding this comment.
move function definitions to bottom of file
There was a problem hiding this comment.
Undid the extraction to a function as bash needs functions before usage, but it's not so bad inline
deploy/setup-project.sh
Outdated
|
|
||
| # Check if SA exists | ||
| CREATE_SA=true | ||
| SA_JSON=$(gcloud iam service-accounts list --filter="name:$IAM_NAME" --format="json") |
There was a problem hiding this comment.
could we just do a get instead of a list and filter since we're only looking for one?
There was a problem hiding this comment.
I personally prefer this as trying to describe (get) instead of list prints an error to stdout if it fails, but I can still change it if you prefer
deploy/setup-project.sh
Outdated
| # Delete Service Account | ||
| gcloud iam service-accounts delete "${IAM_NAME}" --project "${PROJECT}" --quiet || true | ||
|
|
||
| # Create new Service Account and Keys |
There was a problem hiding this comment.
nit: Create new Service Account
k8s-ci-robot
added
size/M
deploy/kubernetes/deploy-driver.sh
Outdated
| fi | ||
| done | ||
| if [ "$MISSING_ROLES" = true ]; then | ||
| echo Cannot deploy with missing roles in service account, please run setup-project.sh to setup Service Account |
There was a problem hiding this comment.
nit: quotes around strings printed by echo
deploy/kubernetes/deploy-driver.sh
Outdated
| # Using bash magic to parse JSON for IAM | ||
| IAM_NAME=$(grep -Po '"client_email": *\K"[^"]*"' ${GCE_PD_SA_DIR}/cloud-sa.json | tr -d '"') | ||
| PROJECT=$(grep -Po '.*@\K[^.]+'<<<$IAM_NAME) | ||
| GOTTEN_BIND_ROLES=$(gcloud projects get-iam-policy $PROJECT --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:$IAM_NAME") |
There was a problem hiding this comment.
nit: all of these variables are readonly. I don't really know bash style guidelines but I'd like it to be at least internally consistent.
deploy/kubernetes/deploy-driver.sh
Outdated
| function check_service_account() | ||
| { | ||
| # Using bash magic to parse JSON for IAM | ||
| IAM_NAME=$(grep -Po '"client_email": *\K"[^"]*"' ${GCE_PD_SA_DIR}/cloud-sa.json | tr -d '"') |
There was a problem hiding this comment.
could you document in a comment what this Regex is doing approximately
deploy/kubernetes/deploy-driver.sh
Outdated
| GOTTEN_BIND_ROLES=$(gcloud projects get-iam-policy $PROJECT --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:$IAM_NAME") | ||
| readonly BIND_ROLES="roles/compute.storageAdmin roles/iam.serviceAccountUser projects/${PROJECT}/roles/gcp_compute_persistent_disk_csi_driver_custom_role" | ||
| MISSING_ROLES=false | ||
| for role in $BIND_ROLES |
There was a problem hiding this comment.
nit: all variables in "${var}" form for consistency. I think the quotes prevent/fix some sort of multi-part variable issues
deploy/setup-project.sh
Outdated
| CREATE_SA=false | ||
| echo "Service account $IAM_NAME exists. Would you like to create a new one (y) or reuse the existing one (n)" | ||
| read -p "(y/n)" -n 1 -r REPLY | ||
| echo # (optional) move to a new line |
deploy/setup-project.sh
Outdated
| # Check if SA exists | ||
| CREATE_SA=true | ||
| SA_JSON=$(gcloud iam service-accounts list --filter="name:$IAM_NAME" --format="json") | ||
| if [ "[]" != "$SA_JSON" ]; then |
There was a problem hiding this comment.
nit: then on new-line for file consistency
or fix the other one to be on the same line
deploy/setup-project.sh
Outdated
| # Create new Service Account and Keys | ||
| gcloud iam service-accounts create "${GCE_PD_SA_NAME}" --project "${PROJECT}" | ||
| # Bind service account to roles | ||
|
|
k8s-ci-robot
added
size/L
|
/lgtm |
k8s-ci-robot
added
do-not-merge/hold
Check that service account has needed roles
ehmm
force-pushed
the
feature/setupProjectExistingSa
branch
from
ae4c3b0 to
33681f9
Compare
k8s-ci-robot
removed
the
lgtm
|
/hold cancel |
k8s-ci-robot
added
lgtm
|
/approve |
1 similar comment
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: davidz627, ehmm The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Thanks @ehmm for jumping on this and submitting this PR! Feel free to reach out or open issues if you run into any other bugs or opportunities for improvement with the driver 👍 |
|
Sure thing @davidz627, thank you and @msau42 for the support, I will be playing around with the driver and if I see anything will definitely reach out. Also I added a link for a quick patch I'm using to support specifying a specific partition (#83), it is probably a bit rough and I'm not sure it's the direction you want to go (re the specification format) -- but for my projects it's currently good enough. |
Allowing use of existing sa for deploy-project/driver and checking that sa has needed roles.