package applicationconfig
import (
"fmt"
"github.com/equinor/radix-operator/pkg/apis/defaults"
"github.com/equinor/radix-operator/pkg/apis/kube"
radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
auth "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/errors"
)
// grantAccessToBuildSecrets creates the Role/RoleBinding pairs that let the
// pipeline and the application admin manage the build secrets in namespace.
// The pipeline grant is applied first; the first failing step aborts and its
// error is returned unchanged, so a partial grant is possible on error.
func (app *ApplicationConfig) grantAccessToBuildSecrets(namespace string) error {
	if err := app.grantPipelineAccessToBuildSecrets(namespace); err != nil {
		return err
	}
	return app.grantAppAdminAccessToBuildSecrets(namespace)
}
// grantAppAdminAccessToBuildSecrets applies the app-admin build-secrets Role and
// then the RoleBinding that attaches the app admin subjects to it. The binding
// is only applied once the Role itself has been applied successfully; any
// kubeutil error is returned as-is.
func (app *ApplicationConfig) grantAppAdminAccessToBuildSecrets(namespace string) error {
	adminRole := roleAppAdminBuildSecrets(app.GetRadixRegistration(), defaults.BuildSecretsName)
	if err := app.kubeutil.ApplyRole(namespace, adminRole); err != nil {
		return err
	}
	adminBinding := rolebindingAppAdminToBuildSecrets(app.GetRadixRegistration(), adminRole)
	return app.kubeutil.ApplyRoleBinding(namespace, adminBinding)
}
// grantPipelineAccessToBuildSecrets applies the pipeline build-secrets Role and
// then the RoleBinding that attaches the pipeline subject to it. The binding is
// only applied once the Role has been applied successfully; any kubeutil error
// is returned as-is.
func (app *ApplicationConfig) grantPipelineAccessToBuildSecrets(namespace string) error {
	pipelineRole := rolePipelineBuildSecrets(app.GetRadixRegistration(), defaults.BuildSecretsName)
	if err := app.kubeutil.ApplyRole(namespace, pipelineRole); err != nil {
		return err
	}
	pipelineBinding := rolebindingPipelineToBuildSecrets(app.GetRadixRegistration(), pipelineRole)
	return app.kubeutil.ApplyRoleBinding(namespace, pipelineBinding)
}
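// garbageCollectAccessToBuildSecrets removes the build-secrets access that
// grantAccessToBuildSecrets created: the pipeline Role and RoleBinding, then
// the app-admin Role and RoleBinding (each RoleBinding shares its Role's name).
// Objects that are already gone are skipped; the first other error aborts the
// clean-up and is returned unchanged.
//
// The same "look up, then delete" sequence was previously spelled out four
// times; it now lives in deleteRoleIfPresent / deleteRoleBindingIfPresent.
// Because the lookup and the delete are two separate API calls, a concurrent
// deleter can remove the object in between, so a NotFound from the delete is
// treated as success rather than as a failure of the clean-up.
func (app *ApplicationConfig) garbageCollectAccessToBuildSecrets(namespace string) error {
	pipelineRoleName := getPipelineRoleNameToBuildSecrets(defaults.BuildSecretsName)
	appAdminRoleName := getAppAdminRoleNameToBuildSecrets(defaults.BuildSecretsName)

	// Order matters for parity with the original: pipeline objects first,
	// then app-admin objects, role before rolebinding in each pair.
	for _, roleName := range []string{pipelineRoleName, appAdminRoleName} {
		if err := app.deleteRoleIfPresent(namespace, roleName); err != nil {
			return err
		}
		if err := app.deleteRoleBindingIfPresent(namespace, roleName); err != nil {
			return err
		}
	}
	return nil
}

// deleteRoleIfPresent deletes the named Role in namespace if it exists.
// A missing Role is not an error; any other lookup or delete error is returned.
func (app *ApplicationConfig) deleteRoleIfPresent(namespace, name string) error {
	if _, err := app.kubeutil.GetRole(namespace, name); err != nil {
		if errors.IsNotFound(err) {
			return nil
		}
		return err
	}
	// NotFound here means the Role vanished between lookup and delete.
	if err := app.kubeutil.DeleteRole(namespace, name); err != nil && !errors.IsNotFound(err) {
		return err
	}
	return nil
}

// deleteRoleBindingIfPresent deletes the named RoleBinding in namespace if it
// exists. A missing RoleBinding is not an error; any other lookup or delete
// error is returned.
func (app *ApplicationConfig) deleteRoleBindingIfPresent(namespace, name string) error {
	if _, err := app.kubeutil.GetRoleBinding(namespace, name); err != nil {
		if errors.IsNotFound(err) {
			return nil
		}
		return err
	}
	// NotFound here means the RoleBinding vanished between lookup and delete.
	if err := app.kubeutil.DeleteRoleBinding(namespace, name); err != nil && !errors.IsNotFound(err) {
		return err
	}
	return nil
}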
// roleAppAdminBuildSecrets builds the Role that lets the application admin
// manage the build secret named buildSecretName. The Role is created by
// kube.CreateManageSecretRole for the application registration.Name with the
// app-admin role name; the third argument lists only buildSecretName, which
// presumably restricts the Role to that single secret (resourceNames) — confirm
// against kube.CreateManageSecretRole before relying on it.
func roleAppAdminBuildSecrets(registration *radixv1.RadixRegistration, buildSecretName string) *auth.Role {
	roleName := getAppAdminRoleNameToBuildSecrets(buildSecretName)
	secretNames := []string{buildSecretName}
	return kube.CreateManageSecretRole(registration.Name, roleName, secretNames, nil)
}
// rolePipelineBuildSecrets builds the Role that lets the pipeline manage the
// build secret named buildSecretName. The Role is created by
// kube.CreateManageSecretRole for the application registration.Name with the
// pipeline role name; the third argument lists only buildSecretName, which
// presumably restricts the Role to that single secret (resourceNames) — confirm
// against kube.CreateManageSecretRole before relying on it.
func rolePipelineBuildSecrets(registration *radixv1.RadixRegistration, buildSecretName string) *auth.Role {
	roleName := getPipelineRoleNameToBuildSecrets(buildSecretName)
	secretNames := []string{buildSecretName}
	return kube.CreateManageSecretRole(registration.Name, roleName, secretNames, nil)
}
// getAppAdminRoleNameToBuildSecrets returns the name of the app-admin Role (and
// its RoleBinding) for the given build secret: defaults.AppAdminRoleName, a
// hyphen, then buildSecretName.
func getAppAdminRoleNameToBuildSecrets(buildSecretName string) string {
	return defaults.AppAdminRoleName + "-" + buildSecretName
}
// getPipelineRoleNameToBuildSecrets returns the name of the pipeline Role (and
// its RoleBinding) for the given build secret: the literal prefix "pipeline-"
// followed by buildSecretName.
func getPipelineRoleNameToBuildSecrets(buildSecretName string) string {
	return fmt.Sprintf("pipeline-%s", buildSecretName)
}