Predeploy RoleBinding before unmanaged pods

RoleBindings should be deployed before unmanaged pods. This matters when
RoleBindings define Pod Security Policies. This might prevent unmanaged
pods from starting unless RoleBinding has been set up. Regular pods
retry so the race condition would not break anything.

lib/kubernetes-deploy/deploy_task.rb

@@ -52,6 +52,7 @@ class DeployTask
       ConfigMap
       PersistentVolumeClaim
       ServiceAccount
+      RoleBinding
       Pod
     )
 

lib/kubernetes-deploy/kubernetes_resource/role_binding.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module KubernetesDeploy
+  class RoleBinding < KubernetesResource
+    TIMEOUT = 30.seconds
+
+    def status
+      exists? ? "Created" : "Unknown"
+    end
+
+    def deploy_succeeded?
+      exists?
+    end
+
+    def deploy_failed?
+      false
+    end
+
+    def timeout_message
+      UNUSUAL_FAILURE_MESSAGE
+    end
+  end
+end

test/fixtures/hello-cloud/role-binding.yml

@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: build-robot

test/integration/kubernetes_deploy_test.rb

@@ -12,7 +12,7 @@ def test_full_hello_cloud_set_deploy_succeeds
       %r{Deploying Pod/unmanaged-pod-[-\w]+ \(timeout: 60s\)}, # annotation timeout override
       "Hello from the command runner!", # unmanaged pod logs
       "Result: SUCCESS",
-      "Successfully deployed 19 resources"
+      "Successfully deployed 20 resources"
     ], in_order: true)
 
     assert_logs_match_all([
@@ -52,6 +52,22 @@ def test_service_account_predeployed_before_unmanaged_pod
     ], in_order: true)
   end
 
+  def test_role_binding_predeployed_before_unmanaged_pod
+    result = deploy_fixtures("hello-cloud",
+      subset: ["configmap-data.yml", "unmanaged-pod.yml.erb", "role-binding.yml", "service-account.yml"])
+
+    # Expect that role binding account is deployed before the unmanaged pod
+    assert_deploy_success(result)
+    hello_cloud = FixtureSetAssertions::HelloCloud.new(@namespace)
+    hello_cloud.assert_configmap_data_present
+    hello_cloud.assert_all_service_accounts_up
+    hello_cloud.assert_unmanaged_pod_statuses("Succeeded")
+    assert_logs_match_all([
+      %r{Successfully deployed in \d.\ds: RoleBinding/role-binding},
+      %r{Successfully deployed in \d.\ds: Pod/unmanaged-pod-.*}
+    ], in_order: true)
+  end
+
   def test_pruning_works
     assert_deploy_success(deploy_fixtures("hello-cloud"))
     hello_cloud = FixtureSetAssertions::HelloCloud.new(@namespace)