add the ability to turn off RBAC in helm and customize gcp test-cluster

googleforgames · May 23, 2018 · 117f9f7 · 117f9f7
1 parent 20a7af5
commit 117f9f7
Show file tree

Hide file tree

Showing 8 changed files with 55 additions and 61 deletions.
diff --git a/build/Makefile b/build/Makefile
@@ -38,7 +38,11 @@ REGISTRY ?= gcr.io/agones-images
 # Where the kubectl configuration files are being stored
 KUBEPATH ?= ~/.kube
 # The (gcloud) test cluster that is being worked against
-CLUSTER_NAME ?= test-cluster
+GCP_CLUSTER_NAME ?= test-cluster
+GCP_CLUSTER_ZONE ?= us-west1-c
+GCP_CLUSTER_LEGACYABAC ?= false
+GCP_CLUSTER_NODEPOOL_INITIALNODECOUNT ?= 3
+GCP_CLUSTER_NODEPOOL_MACHINETYPE ?= n1-standard-4
 # the profile to use when developing on minikube
 MINIKUBE_PROFILE ?= agones
 
@@ -268,22 +272,23 @@ gcloud-init: ensure-build-config
 # Creates and authenticates a small, 3 node GKE cluster to work against
 gcloud-test-cluster: ensure-build-image
 	docker run --rm -it $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) gcloud \
-		deployment-manager deployments create test-cluster --config=$(mount_path)/build/gke-test-cluster/deployment.yml
+		deployment-manager deployments create $(GCP_CLUSTER_NAME)  \
+		--properties cluster.zone:$(GCP_CLUSTER_ZONE),cluster.name:$(GCP_CLUSTER_NAME),cluster.nodePool.initialNodeCount:$(GCP_CLUSTER_NODEPOOL_INITIALNODECOUNT),cluster.nodePool.machineType:$(GCP_CLUSTER_NODEPOOL_MACHINETYPE),cluster.legacyAbac:$(GCP_CLUSTER_LEGACYABAC)\
+		--template=$(mount_path)/build/gke-test-cluster/cluster.yml.jinja
 	$(MAKE) gcloud-auth-cluster
 	docker run --rm -it $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) kubectl apply -f $(mount_path)/build/helm.yaml
 	docker run --rm $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) helm init --service-account helm
 
 clean-gcloud-test-cluster: ensure-build-image
 	docker run --rm -it $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) gcloud \
-		deployment-manager deployments delete test-cluster
+		deployment-manager deployments delete $(GCP_CLUSTER_NAME)
 
-# Pulls down authentication information for kubectl against a cluster, name can be specified through CLUSTER_NAME
+# Pulls down authentication information for kubectl against a cluster, name can be specified through GCP_CLUSTER_NAME
 # (defaults to 'test-cluster')
 gcloud-auth-cluster: ensure-build-image
-	docker run --rm $(common_mounts) $(build_tag) gcloud config set container/cluster $(CLUSTER_NAME)
-	docker run --rm $(common_mounts) $(build_tag) gcloud config set compute/zone \
-		`grep zone: $(build_path)/gke-test-cluster/deployment.yml | sed 's/zone: //'`
-	docker run --rm $(common_mounts) $(build_tag) gcloud container clusters get-credentials $(CLUSTER_NAME)
+	docker run --rm $(common_mounts) $(build_tag) gcloud config set container/cluster $(GCP_CLUSTER_NAME)
+	docker run --rm $(common_mounts) $(build_tag) gcloud config set compute/zone $(GCP_CLUSTER_ZONE)
+	docker run --rm $(common_mounts) $(build_tag) gcloud container clusters get-credentials $(GCP_CLUSTER_NAME)
 	-docker run --rm $(common_mounts) $(build_tag) bash -c 'kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $$(gcloud config get-value account)'
 
 # authenticate our docker configuration so that you can do a docker push directly

diff --git a/build/gke-test-cluster/cluster.yml.jinja b/build/gke-test-cluster/cluster.yml.jinja
@@ -17,16 +17,16 @@ resources:
 - name: test-cluster
   type: container.v1.cluster
   properties:
-    zone: {{ properties["zone"] }}
+    zone: {{ properties["cluster.zone"] }}
     cluster:
-      name: test-cluster
+      name: {{ properties["cluster.name"] }}
       description: Test cluster for Agones
       initialClusterVersion: 1.9.6-gke.1 # be specific until 1.9.x becomes default
       nodePools:
         - name: "default"
-          initialNodeCount: 3
+          initialNodeCount: {{ properties["cluster.nodePool.initialNodeCount"] }}
           config:
-            machineType: n1-standard-4
+            machineType: {{ properties["cluster.nodePool.machineType"] }}
             tags:
               - game-server
             oauthScopes:
@@ -37,7 +37,7 @@ resources:
         username: admin
         password: supersecretpassword
       legacyAbac:
-        enabled: false
+        enabled: {{ properties["cluster.legacyAbac"] }}
 - name: game-server-firewall
   type: compute.beta.firewall
   properties:

diff --git a/build/gke-test-cluster/deployment.yml b/build/gke-test-cluster/deployment.yml
diff --git a/install/helm/README.md b/install/helm/README.md
@@ -47,6 +47,11 @@ $ kubectl create namespace ps4
 $ helm upgrade --set "gameservers.namespaces={default,xbox,ps4}" my-release agones
 ```
 
+## RBAC
+
+If role-based access control (RBAC) is enabled in your cluster, you must set `agones.rbacEnabled` to true.
+The chart will take care of creating required service accounts and roles for Agones.
+
 ## Uninstalling the Chart
 
 To uninstall/delete the `my-release` deployment:
@@ -63,6 +68,7 @@ The following tables lists the configurable parameters of the Agones chart and t
 
 | Parameter                            | Description                                                     | Default                    |
 | ------------------------------------ | ----------------------------------------------------------------| ---------------------------|
+| `agones.rbacEnabled`                          | Creates RBAC resources. Must be set for any cluster configured with RBAC                                     | `true`            |
 | `agones.namespace`                          | Namespace to use to deploy Agones                                     | `agones-system`            |
 | `agones.serviceaccount.controller`          | Service account name for the controller                         | `agones-controller`        |
 | `agones.serviceaccount.sdk`                 | Service account name for the sdk                                | `agones-sdk`               |

diff --git a/install/helm/agones/templates/serviceaccounts/controller.yaml b/install/helm/agones/templates/serviceaccounts/controller.yaml
@@ -23,6 +23,7 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 ---
+{{- if .Values.agones.rbacEnabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -71,3 +72,4 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: {{ .Values.agones.serviceaccount.controller }}
+{{- end }}
diff --git a/install/helm/agones/templates/serviceaccounts/sdk.yaml b/install/helm/agones/templates/serviceaccounts/sdk.yaml
@@ -24,6 +24,7 @@ metadata:
     heritage: {{ $.Release.Service }}
 ---
 {{- end }}
+{{- if .Values.agones.rbacEnabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -39,7 +40,7 @@ rules:
   resources: ["gameservers"]
   verbs: ["get", "update"]
 ---
-{{- range .Values.gameservers.namespaces }}
+  {{- range .Values.gameservers.namespaces }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -59,4 +60,5 @@ roleRef:
   kind: ClusterRole
   name: {{ $.Values.agones.serviceaccount.sdk }}
 ---
+  {{- end }}
 {{- end }}
diff --git a/install/helm/agones/values.yaml b/install/helm/agones/values.yaml
@@ -16,6 +16,7 @@
 
 agones:
   namespace: agones-system
+  rbacEnabled: true
   serviceaccount:
     controller: agones-controller
     sdk: agones-sdk

diff --git a/install/yaml/install.yaml b/install/yaml/install.yaml
@@ -1,4 +1,29 @@
 ---
+# Source: agones/templates/namespace.yaml
+# Copyright 2018 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: agones-system
+  labels:
+    app: agones
+    chart: agones-0.2.0
+    release: agones-manual
+    heritage: Tiller
+---
 # Source: agones/templates/serviceaccounts/controller.yaml
 # Copyright 2018 Google Inc. All Rights Reserved.
 #
@@ -800,28 +825,3 @@ data:
   server.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLVENDQXhHZ0F3SUJBZ0lKQU9KUDY0MTB3dkdTTUEwR0NTcUdTSWIzRFFFQkN3VUFNSUdxTVFzd0NRWUQKVlFRR0V3SlZVekVUTUJFR0ExVUVDQXdLVTI5dFpTMVRkR0YwWlRFUE1BMEdBMVVFQ2d3R1FXZHZibVZ6TVE4dwpEUVlEVlFRTERBWkJaMjl1WlhNeE5EQXlCZ05WQkFNTUsyRm5iMjVsY3kxamIyNTBjbTlzYkdWeUxYTmxjblpwClkyVXVZV2R2Ym1WekxYTjVjM1JsYlM1emRtTXhMakFzQmdrcWhraUc5dzBCQ1FFV0gyRm5iMjVsY3kxa2FYTmoKZFhOelFHZHZiMmRzWldkeWIzVndjeTVqYjIwd0hoY05NVGd3TWpFME1EUTBORFEyV2hjTk1qZ3dNakV5TURRMApORFEyV2pDQnFqRUxNQWtHQTFVRUJoTUNWVk14RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeER6QU5CZ05WCkJBb01Ca0ZuYjI1bGN6RVBNQTBHQTFVRUN3d0dRV2R2Ym1Wek1UUXdNZ1lEVlFRRERDdGhaMjl1WlhNdFkyOXUKZEhKdmJHeGxjaTF6WlhKMmFXTmxMbUZuYjI1bGN5MXplWE4wWlcwdWMzWmpNUzR3TEFZSktvWklodmNOQVFrQgpGaDloWjI5dVpYTXRaR2x6WTNWemMwQm5iMjluYkdWbmNtOTFjSE11WTI5dE1JSUJJakFOQmdrcWhraUc5dzBCCkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXpnVlQ5MGVqeE5ud0NvL09qTUQyNmZVNGRya1NlZndkUWd3aWJpZmEKbDhyazZZMFZ2T0lWMUgrbFJvd2UwNm1XTnVSNUZPWEZBMGZYbHZ4Q0tLWVZRcFNQRUsyWVN5aC9hU25KUUw2cQpvOGVBWVRKQmtPWUxCNUNiekl6aVdlb1FmT1lOOE1sRW44YlhKZGllSmhISDhVbnlqdHlvVGx4emhabVgrcGZ0CmhVZGVhM1Zrek8yMW40K1FFM1JYNWYxMzJGVEZjdXFYT1VBL3BpOGNjQU5HYzN6akxlWkp2QTlvZFBFaEdmN2cKQzhleUE2OFNWY3NoK1BqejBsdzk1QVB2bE12MWptcVVSRldjRVNUTGFRMEZ4NUt3UnlWMHppWm1VdkFBRjJaeApEWmhIVWNvRlBIQXdUbDc1TkFobkhwTWxMTnA1TDd0Y1ZkeVQ4QjJHUnMrc2xRSURBUUFCbzFBd1RqQWRCZ05WCkhRNEVGZ1FVZ3YxblRQYVFKU04zTHFtNWpJalc0eEhtZEcwd0h3WURWUjBqQkJnd0ZvQVVndjFuVFBhUUpTTjMKTHFtNWpJalc0eEhtZEcwd0RBWURWUjBUQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBSEtFQwprdEVqWU5VQ0ErbXlzejRvclc3cFJVdmhCSERWU2dzWTZlRVZSTHpmLzF5SVpFMHU2NTZrcEs2T1Q3TWhKR2xVCkt3R1NTb1VCQnpWZ1VzWmpEbTdQZ2JrNGlZem40TTF4THpiTFFCcjNNYzV6WEhlZlB2YmltaEQ1NWNMenBWRnUKVlFtQm1aVjJOalU1RHVTZFJuZGxjUGFOY2cvdU9jdlpLNEtZMUtDQkEzRW9BUUlrcHpIWDJpVU1veGlSdlpWTgpORXdnRlR0SUdCWW4wSGZML3ZnT3NIOGZWck1Va3VHMnZoR2RlWEJwWmlxL0JaSmJaZU4yckNmMmdhWDFRSXYwCkVLYmN1RnFNOThXVDVaVlpSdFgxWTNSd2V2ZzRteFlKWEN1SDZGRjlXOS9TejI5NEZ5Mk9CS0I4SkFWYUV4OW4KMS9pNmZJZmZHbkhUWFdIc1ZRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
   server.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBemdWVDkwZWp4Tm53Q28vT2pNRDI2ZlU0ZHJrU2Vmd2RRZ3dpYmlmYWw4cms2WTBWCnZPSVYxSCtsUm93ZTA2bVdOdVI1Rk9YRkEwZlhsdnhDS0tZVlFwU1BFSzJZU3loL2FTbkpRTDZxbzhlQVlUSkIKa09ZTEI1Q2J6SXppV2VvUWZPWU44TWxFbjhiWEpkaWVKaEhIOFVueWp0eW9UbHh6aFptWCtwZnRoVWRlYTNWawp6TzIxbjQrUUUzUlg1ZjEzMkZURmN1cVhPVUEvcGk4Y2NBTkdjM3pqTGVaSnZBOW9kUEVoR2Y3Z0M4ZXlBNjhTClZjc2grUGp6MGx3OTVBUHZsTXYxam1xVVJGV2NFU1RMYVEwRng1S3dSeVYwemlabVV2QUFGMlp4RFpoSFVjb0YKUEhBd1RsNzVOQWhuSHBNbExOcDVMN3RjVmR5VDhCMkdScytzbFFJREFRQUJBb0lCQUVvVTVHS1E0alRRNFY0Swo1QXo4L2t5V254MGg0NkQxcFZld29WalcvK1dCVWRzaG5tVnpMc0pndS8rb054V0piN2lCWTRDK05wKzlYNnF0ClB1VDdBNzRUU1hhSDFiR0ErSC9LUk5JQlBiN3k2QmtMUjBSaFZDbitOK2ZQNlR6SHkvSDlqNW03NWU5R1F1c2EKLzVOVTVYN0FSblpVcGppM1Nkc0twZm00VS9LT1YrcDJqV1NQWDdIT0J1L0tZYTFqdmVDdDZKTVBRMzZLQlhrUgpNbFZDa0FEY3ZBQUd1T2JwYS9zbTBNQTYzK2loZGVTWWhrRVhLcXhINEF6M1BWREx3UDgwVDhmNVZxd1dZbW5xCkwvQmc2SG5WNUdIbmxUWEErV2VwTmJIa29rTjlHMEg2bTBJdGo0YWwzYkdUQjRqZUJDSlpwNUZIVzVvYko0cVAKV2tjZlhjRUNnWUVBOFVJWnZkTlNzU3BSWlZUZTRoaHRYbmNPcHRGVGRvVktJelR1VVZLZktlOU9CNWkzMkI5dQo0aEROcEJEcWtnRWt0ZzRSOC9jbjU3ejZaVWRVQ2NvYmpXUWJKTFhFNXdwN0h0ZjdqQ0duTDJRbUljcDIwcmJGCkhyRTJsSHIwb05yM01MVXJ1QnZBclZCM0xMR21PRWduM05RdzlhSndnLzU0MkVEUzd4NXYzWGtDZ1lFQTJwd0cKSGlHWVhUSmZZTmcvK1NtRHVTRFdGZTRpTVBUUncxVFQ4NXVHRTlVRXJZUFFkOE9xWVFRT2dJQVQ3eHAxejBvcQo2cG1zalBPNkhabmc5b0hLZUFPL0pQZVN1WEUrYko4SFlLcDdXOTI5RitMR0pvcWl0T0xQTW0vOU9vdllEQ3ZoCjYrcURZNUxOUkhkQWVUcXd3STJ5dWdmNFluQmpZNnpJZkJwNUxQMENnWUVBeXJydjVKcVNienVQUUdaTUVKUFUKTzhBeCtLNEh3NTJIeWdQdGl6cXhjc3lidGpoM3JFM2xvR1BjV2RTNU9FMXJxdXd4Mjk5QmtqTXoraTB4Q2pUaQphRExKdUZSaURIKzdMQlQwVlRIbVNpV1BBWEFmM3pza2M0RVl5elp6SUVRLzJaYzBFTGFKZDFvWmV0NGhQa1FyCjh4My9zamw0OFFIQ1RINVVnZ2tDbVlrQ2dZQWZLL3BQVjVrRFNRaUNwYk5Sa3hMZVZnbFE3VGpnNURmNDgyS1oKclFhTVUyYXNXMHhobDN2M0EzNFI0ckYwK2Ivc3cvV2txQzhMbGtGbXNTZDczdndBNnYvWmhKZmVhNEJzT3F6eApvcjJlVnRyOHlmQlpWSkZvMjZLUjNaZ3RQZjJibHJKTFVwQlRwWDR4a2hPV2RjRDRZL3dsUExlMVNiTlNaalBjClJtWWEvUUtCZ1FDNmE3ek5BU1AwQTBxTVBocXlKWmxiZzRGOFdNUnRnSEZmc3kvaUx3ZGlFVUd1Q2hRV1VMa2MKaHpQV3BqRDB6d3JTeFp0eWhTTDBiNlRIbnFUaWluMjNPdnRJTmxWaVptb3M1bVdXMFZlR3NiSG5KdVJhM1RIeQpFalNrU1A0bVI3dEpsSm9rYm9aK2xZTDdnQUJIbjJFUm5Ec3FYOG9FVTZRcERQMXJaaFlTemc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
 
----
-# Source: agones/templates/namespace.yaml
-# Copyright 2018 Google Inc. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: agones-system
-  labels:
-    app: agones
-    chart: agones-0.2.0
-    release: agones-manual
-    heritage: Tiller