Fix RBAC configs (#295)

api/diff.go

@@ -162,6 +162,10 @@ func (r Ingress) IsStatsChanged(o Ingress) bool {
 		isMapKeyChanged(r.Annotations, o.Annotations, StatsSecret)
 }
 
+func (r Ingress) IsStatsSecretChanged(o Ingress) bool {
+	return isMapKeyChanged(r.Annotations, o.Annotations, StatsSecret)
+}
+
 func (r Ingress) IsKeepSourceChanged(o Ingress, cloudProvider string) bool {
 	return cloudProvider == "aws" &&
 		o.LBType() == LBTypeLoadBalancer &&

chart/voyager/templates/cluster-role.yaml

@@ -14,7 +14,7 @@ rules:
   - extensions
   resources:
   - thirdpartyresources
-  verbs: ["get", "create"]
+  verbs: ["get", "create", "list"]
 - apiGroups:
   - voyager.appscode.com
   resources: ["*"]
@@ -36,12 +36,13 @@ rules:
   - replicationcontrollers
   - services
   - endpoints
+  - configmaps
   verbs: ["*"]
 - apiGroups: [""]
   resources:
-  - configmaps
   - secrets
-  verbs: ["get", "create", "update"]
+  - namespaces
+  verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources:
   - events
@@ -54,4 +55,13 @@ rules:
   resources:
   - nodes
   verbs: ["list", "get"]
+- apiGroups: [""]
+  resources:
+  - serviceaccounts
+  verbs: ["get", "create", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources:
+  - roles
+  - rolebindings
+  verbs: ["get", "create", "delete"]
 {{ end }}

hack/deploy/voyager-with-rbac.yaml

@@ -2,12 +2,14 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
   name: voyager-operator
+  labels:
+    app: voyager
 rules:
 - apiGroups:
   - extensions
   resources:
   - thirdpartyresources
-  verbs: ["get", "create"]
+  verbs: ["get", "create", "list"]
 - apiGroups:
   - voyager.appscode.com
   resources: ["*"]
@@ -29,12 +31,13 @@ rules:
   - replicationcontrollers
   - services
   - endpoints
+  - configmaps
   verbs: ["*"]
 - apiGroups: [""]
   resources:
-  - configmaps
   - secrets
-  verbs: ["get", "create", "update"]
+  - namespaces
+  verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources:
   - events
@@ -47,11 +50,22 @@ rules:
   resources:
   - nodes
   verbs: ["list", "get"]
+- apiGroups: [""]
+  resources:
+  - serviceaccounts
+  verbs: ["get", "create", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources:
+  - roles
+  - rolebindings
+  verbs: ["get", "create", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
   name: voyager-operator
+  labels:
+    app: voyager
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -66,23 +80,22 @@ kind: ServiceAccount
 metadata:
   name: voyager-operator
   namespace: kube-system
+  labels:
+    app: voyager
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   labels:
-    app: voyager-operator
+    app: voyager
   name: voyager-operator
   namespace: kube-system
 spec:
   replicas: 1
-  selector:
-    matchLabels:
-      app: voyager-operator
   template:
     metadata:
       labels:
-        app: voyager-operator
+        app: voyager
     spec:
       serviceAccountName: voyager-operator
       containers:
@@ -92,6 +105,7 @@ spec:
         - --cloud-provider=$CLOUD_PROVIDER
         - --cloud-config=$CLOUD_CONFIG # ie. /etc/kubernetes/azure.json for azure
         - --v=3
+        - --rbac
         image: appscode/voyager:3.0.0
         env:
           - name: OPERATOR_SERVICE_ACCOUNT
@@ -115,7 +129,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app: voyager-operator
+    app: voyager
   name: voyager-operator
   namespace: kube-system  
 spec:
@@ -124,4 +138,4 @@ spec:
     port: 56790
     targetPort: http
   selector:
-    app: voyager-operator
+    app: voyager

pkg/cmds/run.go

@@ -33,6 +33,7 @@ var (
 		OperatorNamespace: namespace(),
 		OperatorService:   "voyager-operator",
 		HTTPChallengePort: 56791,
+		EnableRBAC:        false,
 	}
 	enableAnalytics bool = true
 

pkg/ingress/create.go

@@ -51,6 +51,14 @@ func (lbc *Controller) Create() error {
 	)
 
 	time.Sleep(time.Second * 5)
+
+	// If RBAC is enabled we need to ensure service account
+	if lbc.Opt.EnableRBAC {
+		if err := lbc.ensureRBAC(); err != nil {
+			return err
+		}
+	}
+
 	err = lbc.createLB()
 	if err != nil {
 		return errors.FromErr(err).Err()
@@ -63,7 +71,7 @@ func (lbc *Controller) Create() error {
 }
 
 func (lbc *Controller) ensureConfigMap() error {
-	log.Infoln("creating cmap for engress")
+	log.Infoln("Creating ConfigMap for engress")
 	cm, err := lbc.KubeClient.CoreV1().ConfigMaps(lbc.Ingress.Namespace).Get(lbc.Ingress.OffshootName(), metav1.GetOptions{})
 	if kerr.IsNotFound(err) {
 		cm = &apiv1.ConfigMap{
@@ -106,6 +114,25 @@ func (lbc *Controller) ensureConfigMap() error {
 	return nil
 }
 
+func (lbc *Controller) ensureRBAC() error {
+	log.Infoln("Creating ServiceAccount for ingress", lbc.Ingress.OffshootName())
+	if err := lbc.ensureServiceAccount(); err != nil {
+		return errors.FromErr(err).Err()
+	}
+
+	log.Infoln("Creating Roles for ingress", lbc.Ingress.OffshootName())
+	if err := lbc.ensureRoles(); err != nil {
+		return errors.FromErr(err).Err()
+	}
+
+	log.Infoln("Creating RoleBinding for ingress", lbc.Ingress.OffshootName())
+	if err := lbc.ensureRoleBinding(); err != nil {
+		return errors.FromErr(err).Err()
+	}
+
+	return nil
+}
+
 func (lbc *Controller) createLB() error {
 	if !lbc.SupportsLBType() {
 		err := errors.Newf("LBType %s is unsupported for cloud provider: %s", lbc.Ingress.LBType(), lbc.Opt.CloudProvider).Err()
@@ -119,6 +146,7 @@ func (lbc *Controller) createLB() error {
 	}
 
 	// Specifically Add Controller and Service Event Separately for all LBTypes.
+	log.Infof("Creating Resource for ingress %s, LBType detected %s", lbc.Ingress.OffshootName(), lbc.Ingress.LBType())
 	if lbc.Ingress.LBType() == api.LBTypeHostPort {
 		err := lbc.createHostPortPods()
 		if err != nil {
@@ -418,6 +446,10 @@ func (lbc *Controller) createHostPortPods() error {
 		},
 	}
 
+	if lbc.Opt.EnableRBAC {
+		daemon.Spec.Template.Spec.ServiceAccountName = lbc.Ingress.OffshootName()
+	}
+
 	exporter, err := lbc.getExporterSidecar()
 	if err != nil {
 		return errors.FromErr(err).Err()
@@ -628,6 +660,11 @@ func (lbc *Controller) createNodePortPods() error {
 			},
 		},
 	}
+
+	if lbc.Opt.EnableRBAC {
+		deployment.Spec.Template.Spec.ServiceAccountName = lbc.Ingress.OffshootName()
+	}
+
 	exporter, err := lbc.getExporterSidecar()
 	if err != nil {
 		return errors.FromErr(err).Err()

pkg/ingress/delete.go

@@ -24,6 +24,12 @@ func (lbc *Controller) Delete() error {
 		return errors.FromErr(err).Err()
 	}
 
+	if lbc.Opt.EnableRBAC {
+		if err := lbc.ensureRBACDeleted(); err != nil {
+			return err
+		}
+	}
+
 	if lbc.Parsed.Stats {
 		lbc.ensureStatsServiceDeleted()
 	}
@@ -199,3 +205,18 @@ func (lbc *Controller) ensureStatsServiceDeleted() error {
 	}
 	return nil
 }
+
+func (lbc *Controller) ensureRBACDeleted() error {
+	if err := lbc.ensureRoleBindingDeleted(); err != nil {
+		return errors.FromErr(err).Err()
+	}
+
+	if err := lbc.ensureRolesDeleted(); err != nil {
+		return errors.FromErr(err).Err()
+	}
+
+	if err := lbc.ensureServiceAccountDeleted(); err != nil {
+		return errors.FromErr(err).Err()
+	}
+	return nil
+}