linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Allow setting a list of service accounts in multicluster install (#5113) 

Fixes #5098 

When setting up multicluster, a target cluster may wish to create multiple service accounts to be used by source clusters' service mirrors.  This allows the target cluster to individually revoke access to each of the source clusters.  When using the Linkerd CLI, this can be accomplished by running the `linkerd multicluster allow` command multiple times to create multiple service accounts.  However, there is no analogous workflow when installing with Helm.

We update the Helm templates to support interpreting the `remoteMirrorServiceAccountName` value as either a single string or a list of strings.  In the case where it is a list, we create a service account and associated RBAC for each entry in the list.

Signed-off-by: Alex Leong <alex@buoyant.io>
This commit is contained in:
Alex Leong 2020-10-21 11:45:56 -07:00 committed by GitHub
parent 177669b377
commit 5b77ae5259
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/linkerd2-multicluster/README.md
View File

@ -32,7 +32,7 @@ linkerd2-multicluster chart and their default values.
|`linkerdVersion` | Control plane version | latest version | |`linkerdVersion` | Control plane version | latest version |
|`namespace` | Service Mirror component namespace |`linkerd-multicluster` | |`namespace` | Service Mirror component namespace |`linkerd-multicluster` |
|`proxyOutboundPort` | The port on which the proxy accepts outbound traffic |`4140` | |`proxyOutboundPort` | The port on which the proxy accepts outbound traffic |`4140` |
|`remoteMirrorServiceAccountName` | The name of the service account used to allow remote clusters to mirror local services |`linkerd-service-mirror-remote-access-default`| |`remoteMirrorServiceAccountName` | The name (or list of names) of the service account(s) used to allow remote clusters to mirror local services |`linkerd-service-mirror-remote-access-default`|
|`remoteMirrorServiceAccount` | If the remote mirror service account should be installed |`true` | |`remoteMirrorServiceAccount` | If the remote mirror service account should be installed |`true` |
|`serviceMirror` | If the service mirror component should be installed |`true` | |`serviceMirror` | If the service mirror component should be installed |`true` |
|`logLevel` | Log level for the Multicluster components |`info` | |`logLevel` | Log level for the Multicluster components |`info` |

31
charts/linkerd2-multicluster/templates/remote-access-service-mirror-rbac.yaml
View File

@ -1,12 +1,17 @@
{{if .Values.remoteMirrorServiceAccount -}} {{if .Values.remoteMirrorServiceAccount -}}
{{- $names := .Values.remoteMirrorServiceAccountName -}}
{{- if not (kindIs "slice" .Values.remoteMirrorServiceAccountName) -}}
{{- $names = splitList "," .Values.remoteMirrorServiceAccountName -}}
{{- end -}}
{{- range $names -}}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: {{.Values.remoteMirrorServiceAccountName}} name: {{.}}
namespace: {{.Values.namespace}} namespace: {{$.Values.namespace}}
annotations: annotations:
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} {{$.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" $.Values.linkerdVersion) $.Values.cliVersion}}
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["services"] resources: ["services"]
@ -19,25 +24,25 @@ rules:
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{.Values.remoteMirrorServiceAccountName}} name: {{.}}
namespace: {{.Values.namespace}} namespace: {{$.Values.namespace}}
annotations: annotations:
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} {{$.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" $.Values.linkerdVersion) $.Values.cliVersion}}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{.Values.remoteMirrorServiceAccountName}} name: {{.}}
namespace: {{.Values.namespace}} namespace: {{$.Values.namespace}}
annotations: annotations:
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} {{$.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" $.Values.linkerdVersion) $.Values.cliVersion}}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: {{.Values.remoteMirrorServiceAccountName}} name: {{.}}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{.Values.remoteMirrorServiceAccountName}} name: {{.}}
namespace: {{.Values.namespace}} namespace: {{$.Values.namespace}}
{{end -}}
{{end -}} {{end -}}