
Commit 0fe78e2

committed
[installer] Ensure objects in secrets namespace are only created with mk2 option
1 parent ef697aa commit 0fe78e2


2 files changed

+40
-19
lines changed


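--- a/install/installer/pkg/components/ws-daemon/role.go
+++ b/install/installer/pkg/components/ws-daemon/role.go
@@ -6,13 +6,25 @@ package wsdaemon
 
 import (
 "github.com/gitpod-io/gitpod/installer/pkg/common"
+"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
 
 rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 )
 
 func role(ctx *common.RenderContext) ([]runtime.Object, error) {
+var useMk2 bool
+_ = ctx.WithExperimental(func(ucfg *experimental.Config) error {
+if ucfg.Workspace != nil {
+useMk2 = ucfg.Workspace.UseWsmanagerMk2
+}
+return nil
+})
+if !useMk2 {
+return nil, nil
+}
+
 return []runtime.Object{
 &rbacv1.Role{
 TypeMeta: common.TypeMetaRole,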
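Review bot: The result of `ctx.WithExperimental` is assigned to `_` at new line 18 (and again at new line 60 of rolebinding.go), so an error from it looks the same as "mk2 disabled" and the RBAC object is silently left out of the render. Either propagate it, `if err := ctx.WithExperimental(...); err != nil { return nil, err }`, or, if WithExperimental is known to return an error only when the experimental section is absent, say so in a comment next to the `_ =`. The flag is also read in two different shapes across the two files; a single shared helper (for example a `useMk2(ctx)` function, the name being only a suggestion) would keep the Role and its RoleBinding gated by the same condition, so neither can be rendered without the other. The body of role() continues past the end of this hunk, so the Role's namespace and rules are not visible here.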

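--- a/install/installer/pkg/components/ws-daemon/rolebinding.go
+++ b/install/installer/pkg/components/ws-daemon/rolebinding.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 
 "github.com/gitpod-io/gitpod/installer/pkg/common"
+"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
 
 rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -17,7 +18,7 @@ import (
 func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 labels := common.DefaultLabels(Component)
 
-return []runtime.Object{
+bindings := []runtime.Object{
 &rbacv1.ClusterRoleBinding{
 TypeMeta: common.TypeMetaClusterRoleBinding,
 ObjectMeta: metav1.ObjectMeta{
@@ -54,25 +55,33 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 Namespace: ctx.Namespace,
 }},
 },
+}
 
-&rbacv1.RoleBinding{
-TypeMeta: common.TypeMetaRoleBinding,
-ObjectMeta: metav1.ObjectMeta{
-Name: Component,
-Namespace: common.WorkspaceSecretsNamespace,
-},
-RoleRef: rbacv1.RoleRef{
-APIGroup: "rbac.authorization.k8s.io",
-Kind: "Role",
-Name: Component,
-},
-Subjects: []rbacv1.Subject{
-{
-Kind: "ServiceAccount",
+_ = ctx.WithExperimental(func(ucfg *experimental.Config) error {
+if ucfg.Workspace != nil && ucfg.Workspace.UseWsmanagerMk2 {
+bindings = append(bindings, &rbacv1.RoleBinding{
+TypeMeta: common.TypeMetaRoleBinding,
+ObjectMeta: metav1.ObjectMeta{
 Name: Component,
-Namespace: ctx.Namespace,
+Namespace: common.WorkspaceSecretsNamespace,
 },
-},
-},
-}, nil
+RoleRef: rbacv1.RoleRef{
+APIGroup: "rbac.authorization.k8s.io",
+Kind: "Role",
+Name: Component,
+},
+Subjects: []rbacv1.Subject{
+{
+Kind: "ServiceAccount",
+Name: Component,
+Namespace: ctx.Namespace,
+},
+},
+})
+}
+
+return nil
+})
+
+return bindings, nil
 }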
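Review bot: The conditional RoleBinding in the last hunk (new lines 60–84) carries no comment explaining why the grant into `common.WorkspaceSecretsNamespace` is gated while the ClusterRoleBinding above it stays unconditional. A one-line comment above the callback, such as `// Bind ws-daemon into the workspace secrets namespace only when ws-manager-mk2 is enabled.`, would make the least-privilege intent explicit to the next reader. As a style point, the binding is built and appended inside the `WithExperimental` callback, so an RBAC object is produced as a side effect of a config accessor. Resolving the flag first and appending after the callback, as role.go does with `useMk2`, would read more directly and keep the two files visibly in step.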
