Merge pull request #5367 from iocanel/feat-5345

Create and use a view role binding when the kubernetes-client extension is used.

docs/src/main/asciidoc/kubernetes.adoc

@@ -142,6 +142,22 @@ By default the Kubernetes resources do not contain readiness and liveness probes
 The values of the generated probes will be determined by the configured health properties: `quarkus.smallrye-health.root-path`, `quarkus.smallrye-health.liveness-path` and `quarkus.smallrye-health.readiness-path`.
 More information about the health extension can be found in the relevant link:microprofile-health[guide].
 
+=== Using the kubernetes client
+
+Applications, that are deployed to kubernetes and need to access the API server, will usually make use of the `kubernetes-client` exetension:
+
+[source,xml]
+----
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-kubernetes</artifactId>
+    </dependency>
+----
+
+To access the API server from within a kubernetes cluster, some RBAC related resources are required (e.g. a ServiceAccount, a RoleBinding etc).
+So, when the `kubernetes-client` extension is present, those resources are going to be automatically created, so that application will be greanted the `view` role.
+If more roles, are required they will have to be added manually. 
+
 == Tuning the generated resources using application.properties
 
 The Kubernetes extension allows tuning the generated manifest, using the `application.properties` file.

extensions/kubernetes-client/deployment/pom.xml

@@ -25,6 +25,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-kubernetes-client</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-kubernetes-spi</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

extensions/kubernetes-client/deployment/src/main/java/io/quarkus/kubernetes/client/deployment/KubernetesClientProcessor.java

@@ -27,6 +27,7 @@
 import io.quarkus.kubernetes.client.runtime.KubernetesClientBuildConfig;
 import io.quarkus.kubernetes.client.runtime.KubernetesClientProducer;
 import io.quarkus.kubernetes.client.runtime.KubernetesClientRecorder;
+import io.quarkus.kubernetes.spi.KubernetesRoleBuildItem;
 
 public class KubernetesClientProcessor {
 
@@ -45,6 +46,9 @@ public class KubernetesClientProcessor {
     @Inject
     BuildProducer<IgnoreJsonDeserializeClassBuildItem> ignoredJsonDeserializationClasses;
 
+    @Inject
+    BuildProducer<KubernetesRoleBuildItem> roleProducer;
+
     KubernetesClientBuildConfig buildConfig;
 
     @Record(STATIC_INIT)
@@ -55,6 +59,7 @@ public void process(ApplicationIndexBuildItem applicationIndex, CombinedIndexBui
             BuildProducer<AdditionalBeanBuildItem> additionalBeanBuildItemBuildItem,
             KubernetesClientRecorder recorder) {
         featureProducer.produce(new FeatureBuildItem(FeatureBuildItem.KUBERNETES_CLIENT));
+        roleProducer.produce(new KubernetesRoleBuildItem("view"));
 
         Set<String> watchedClasses = new HashSet<>();
         // make sure the watchers fully (and not weakly) register Kubernetes classes for reflection

extensions/kubernetes/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesProcessor.java

@@ -27,6 +27,9 @@
 import io.dekorate.kubernetes.configurator.AddPort;
 import io.dekorate.kubernetes.decorator.AddLivenessProbeDecorator;
 import io.dekorate.kubernetes.decorator.AddReadinessProbeDecorator;
+import io.dekorate.kubernetes.decorator.AddRoleBindingDecorator;
+import io.dekorate.kubernetes.decorator.AddServiceAccountDecorator;
+import io.dekorate.kubernetes.decorator.ApplyServiceAccountDecorator;
 import io.dekorate.processor.SimpleFileWriter;
 import io.dekorate.project.BuildInfo;
 import io.dekorate.project.FileProjectFactory;
@@ -43,6 +46,7 @@
 import io.quarkus.kubernetes.spi.KubernetesHealthLivenessPathBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesHealthReadinessPathBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesPortBuildItem;
+import io.quarkus.kubernetes.spi.KubernetesRoleBuildItem;
 
 class KubernetesProcessor {
 
@@ -63,6 +67,7 @@ class KubernetesProcessor {
     @BuildStep(onlyIf = IsNormal.class)
     public void build(ApplicationInfoBuildItem applicationInfo,
             ArchiveRootBuildItem archiveRootBuildItem,
+            List<KubernetesRoleBuildItem> kubernetesRoleBuildItems,
             List<KubernetesPortBuildItem> kubernetesPortBuildItems,
             Optional<KubernetesHealthLivenessPathBuildItem> kubernetesHealthLivenessPathBuildItem,
             Optional<KubernetesHealthReadinessPathBuildItem> kubernetesHealthReadinessPathBuildItem)
@@ -115,7 +120,8 @@ public void build(ApplicationInfoBuildItem applicationInfo,
 
             session.feed(Maps.fromProperties(configAsMap));
             //apply build item configurations to the dekorate session.
-            applyBuildItems(session, applicationInfo, kubernetesPortBuildItems, kubernetesHealthLivenessPathBuildItem,
+            applyBuildItems(session, applicationInfo, kubernetesRoleBuildItems, kubernetesPortBuildItems,
+                    kubernetesHealthLivenessPathBuildItem,
                     kubernetesHealthReadinessPathBuildItem);
 
             // write the generated resources to the filesystem
@@ -156,6 +162,7 @@ public void build(ApplicationInfoBuildItem applicationInfo,
     }
 
     private void applyBuildItems(Session session, ApplicationInfoBuildItem applicationInfo,
+            List<KubernetesRoleBuildItem> kubernetesRoleBuildItems,
             List<KubernetesPortBuildItem> kubernetesPortBuildItems,
             Optional<KubernetesHealthLivenessPathBuildItem> kubernetesHealthLivenessPathBuildItem,
             Optional<KubernetesHealthReadinessPathBuildItem> kubernetesHealthReadinessPathBuildItem) {
@@ -166,6 +173,15 @@ private void applyBuildItems(Session session, ApplicationInfoBuildItem applicati
                 .map(e -> new PortBuilder().withName(e.getKey()).withContainerPort(e.getValue()).build())
                 .forEach(p -> session.configurators().add(new AddPort(p)));
 
+        //Handle RBAC
+        if (!kubernetesPortBuildItems.isEmpty()) {
+            session.resources().decorate(new ApplyServiceAccountDecorator(applicationInfo.getName(),
+                    applicationInfo.getName()));
+            session.resources().decorate(new AddServiceAccountDecorator(session.resources()));
+            kubernetesRoleBuildItems.forEach(r -> session.resources()
+                    .decorate(new AddRoleBindingDecorator(session.resources(), r.getRole())));
+        }
+
         //Handle probes
         kubernetesHealthLivenessPathBuildItem
                 .ifPresent(l -> session.resources()

extensions/kubernetes/spi/src/main/java/io/quarkus/kubernetes/spi/KubernetesRoleBuildItem.java

@@ -0,0 +1,16 @@
+package io.quarkus.kubernetes.spi;
+
+import io.quarkus.builder.item.MultiBuildItem;
+
+public final class KubernetesRoleBuildItem extends MultiBuildItem {
+
+    private final String role;
+
+    public KubernetesRoleBuildItem(String role) {
+        this.role = role;
+    }
+
+    public String getRole() {
+        return this.role;
+    }
+}

integration-tests/kubernetes/src/it/kubernetes-with-client/pom.xml

@@ -0,0 +1,121 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.acme</groupId>
+  <artifactId>kubernetes-with-client</artifactId>
+  <version>0.1-SNAPSHOT</version>
+  <properties>
+    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+    <surefire-plugin.version>2.22.0</surefire-plugin.version>
+    <maven.compiler.source>1.8</maven.compiler.source>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.target>1.8</maven.compiler.target>
+  </properties>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.quarkus</groupId>
+        <artifactId>quarkus-bom</artifactId>
+        <version>@project.version@</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+  <dependencies>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-resteasy</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-kubernetes</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-kubernetes-client</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-junit5</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.rest-assured</groupId>
+      <artifactId>rest-assured</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>io.quarkus</groupId>
+        <artifactId>quarkus-maven-plugin</artifactId>
+        <version>@project.version@</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>build</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>${surefire-plugin.version}</version>
+        <configuration>
+          <systemProperties>
+            <java.util.logging.manager>org.jboss.logmanager.LogManager</java.util.logging.manager>
+          </systemProperties>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+  <profiles>
+    <profile>
+      <id>native</id>
+      <activation>
+        <property>
+          <name>native</name>
+        </property>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-maven-plugin</artifactId>
+            <version>@project.version@</version>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>native-image</goal>
+                </goals>
+                <configuration>
+                  <enableHttpUrlHandler>true</enableHttpUrlHandler>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+          <plugin>
+            <artifactId>maven-failsafe-plugin</artifactId>
+            <version>${surefire-plugin.version}</version>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>integration-test</goal>
+                  <goal>verify</goal>
+                </goals>
+                <configuration>
+                  <systemProperties>
+                    <native.image.path>${project.build.directory}/${project.build.finalName}-runner</native.image.path>
+                  </systemProperties>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
+</project>

integration-tests/kubernetes/src/it/kubernetes-with-client/src/main/docker/Dockerfile.jvm

@@ -0,0 +1,22 @@
+####
+# This Dockerfile is used in order to build a container that runs the Quarkus application in JVM mode
+#
+# Before building the docker image run:
+#
+# mvn package
+#
+# Then, build the image with:
+#
+# docker build -f src/main/docker/Dockerfile.jvm -t quarkus/kubernetes-jvm .
+#
+# Then run the container using:
+#
+# docker run -i --rm -p 8080:8080 quarkus/kubernetes-jvm
+#
+###
+FROM fabric8/java-alpine-openjdk8-jre
+ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
+ENV AB_ENABLED=jmx_exporter
+COPY target/lib/* /deployments/lib/
+COPY target/*-runner.jar /deployments/app.jar
+ENTRYPOINT [ "/deployments/run-java.sh" ]

integration-tests/kubernetes/src/it/kubernetes-with-client/src/main/docker/Dockerfile.native

@@ -0,0 +1,22 @@
+####
+# This Dockerfile is used in order to build a container that runs the Quarkus application in native (no JVM) mode
+#
+# Before building the docker image run:
+#
+# mvn package -Pnative -Dquarkus.native.container-build=true
+#
+# Then, build the image with:
+#
+# docker build -f src/main/docker/Dockerfile.native -t quarkus/kubernetes .
+#
+# Then run the container using:
+#
+# docker run -i --rm -p 8080:8080 quarkus/kubernetes
+#
+###
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+WORKDIR /work/
+COPY target/*-runner /work/application
+RUN chmod 775 /work
+EXPOSE 8080
+CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]

integration-tests/kubernetes/src/it/kubernetes-with-client/src/main/java/org/acme/Hello.java

@@ -0,0 +1,16 @@
+package org.acme;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+@Path("/hello")
+public class Hello {
+
+    @GET
+    @Produces(MediaType.TEXT_PLAIN)
+    public String hello() {
+        return "hello";
+    }
+}