diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
index 1a350823..7bbdebe8 100644
--- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
@@ -110,7 +110,7 @@ metadata:
 "enabled": true
 },
 "monitoring": {
- "enabled": false
+ "enabled": true
 }
 },
 "rekor": {
@@ -118,7 +118,7 @@ metadata:
 "enabled": true
 },
 "monitoring": {
- "enabled": false
+ "enabled": true
 }
 },
 "trillian": {
@@ -189,7 +189,7 @@ metadata:
 }
 ]
 capabilities: Basic Install
- createdAt: "2024-04-02T16:39:44Z"
+ createdAt: "2024-04-02T21:10:39Z"
 operators.operatorframework.io/builder: operator-sdk-v1.32.0
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
 name: rhtas-operator.v1.0.0
diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml
index ac60e7c3..c96f1169 100644
--- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml
+++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml
@@ -241,7 +241,7 @@ spec:
 description: Enable Service monitors for fulcio
 properties:
 enabled:
- default: false
+ default: true
 description: If true, the Operator will create monitoring resources
 type: boolean
 x-kubernetes-validations:
diff --git a/bundle/manifests/rhtas.redhat.com_rekors.yaml b/bundle/manifests/rhtas.redhat.com_rekors.yaml
index 5c2781fb..c17d9f87 100644
--- a/bundle/manifests/rhtas.redhat.com_rekors.yaml
+++ b/bundle/manifests/rhtas.redhat.com_rekors.yaml
@@ -91,7 +91,7 @@ spec:
 description: Enable Service monitors for rekor
 properties:
 enabled:
- default: false
+ default: true
 description: If true, the Operator will create monitoring resources
 type: boolean
 x-kubernetes-validations:
diff --git a/controllers/common/utils/kubernetes/role.go b/controllers/common/utils/kubernetes/role.go
index f88b879b..d8644fcc 100644
--- a/controllers/common/utils/kubernetes/role.go
+++ b/controllers/common/utils/kubernetes/role.go @@ -15,3 +15,13 @@ func CreateRole(namespace, name string, labels map[string]string, rules []rbacv1 Rules: rules, } } + +func CreateClusterRole(name string, labels map[string]string, rules []rbacv1.PolicyRule) *rbacv1.ClusterRole { + return &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Labels: labels, + }, + Rules: rules, + } +} diff --git a/controllers/ctlog/actions/handle_fulcio_root_test.go b/controllers/ctlog/actions/handle_fulcio_root_test.go index 67a22100..da40027f 100644 --- a/controllers/ctlog/actions/handle_fulcio_root_test.go +++ b/controllers/ctlog/actions/handle_fulcio_root_test.go @@ -21,7 +21,7 @@ func Test_HandleFulcioCert_Autodiscover(t *testing.T) { instance := &v1alpha1.CTlog{ ObjectMeta: metav1.ObjectMeta{ - Name: "auto", + Name: "auto", Namespace: "default", }, Spec: v1alpha1.CTlogSpec{}, @@ -59,13 +59,12 @@ func Test_HandleFulcioCert_Autodiscover(t *testing.T) { g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, CertCondition)).To(BeTrue()) } - func Test_HandleFulcioCert_Empty(t *testing.T) { g := NewWithT(t) instance := &v1alpha1.CTlog{ ObjectMeta: metav1.ObjectMeta{ - Name: "empty", + Name: "empty", Namespace: "default", }, Spec: v1alpha1.CTlogSpec{}, @@ -102,17 +101,17 @@ func Test_HandleFulcioCert_Configured(t *testing.T) { instance := &v1alpha1.CTlog{ ObjectMeta: metav1.ObjectMeta{ - Name: "configured", + Name: "configured", Namespace: "default", }, Spec: v1alpha1.CTlogSpec{ RootCertificates: []v1alpha1.SecretKeySelector{ { - Key: "key", + Key: "key", LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret"}, }, { - Key: "key", + Key: "key", LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-2"}, }, }, 
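Review bot: CreateClusterRole is an exported function added in the role.go hunk without a doc comment, which the package's exported-name convention (and staticcheck) expects. Suggest placing `// CreateClusterRole builds a cluster-scoped ClusterRole with the given name, labels and rules; unlike CreateRole it takes no namespace, so callers are responsible for its lifecycle.` above the func line. The labels map is stored on the object as-is rather than cloned, so a caller that keeps mutating the map after the call changes the ClusterRole's labels too; if that mirrors CreateRole it is fine, but worth one sentence in the doc comment.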
@@ -157,13 +156,13 @@ func Test_HandleFulcioCert_Configured_Priority(t *testing.T) { instance := &v1alpha1.CTlog{ ObjectMeta: metav1.ObjectMeta{ - Name: "configured-priority", + Name: "configured-priority", Namespace: "default", }, Spec: v1alpha1.CTlogSpec{ RootCertificates: []v1alpha1.SecretKeySelector{ { - Key: "key", + Key: "key", LocalObjectReference: v1alpha1.LocalObjectReference{Name: "my-secret"}, }, }, @@ -208,13 +207,13 @@ func Test_HandleFulcioCert_Delete_ServerConfig(t *testing.T) { instance := &v1alpha1.CTlog{ ObjectMeta: metav1.ObjectMeta{ - Name: "delete-config", + Name: "delete-config", Namespace: "default", }, Spec: v1alpha1.CTlogSpec{ RootCertificates: []v1alpha1.SecretKeySelector{ { - Key: "key", + Key: "key", LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret"}, }, }, @@ -232,7 +231,7 @@ func Test_HandleFulcioCert_Delete_ServerConfig(t *testing.T) { } c := testAction.FakeClientBuilder().WithObjects( - kubernetes.CreateImmutableSecret("ctlog-config", instance.Namespace, map[string][]byte{}, map[string]string{}), + kubernetes.CreateImmutableSecret("ctlog-config", instance.Namespace, map[string][]byte{}, map[string]string{}), instance, ).Build() @@ -250,4 +249,3 @@ func Test_HandleFulcioCert_Delete_ServerConfig(t *testing.T) { g.Expect(i.Status.ServerConfigRef).To(BeNil()) g.Expect(c.Get(context.TODO(), types.NamespacedName{Name: "ctlog-config", Namespace: instance.GetNamespace()}, &v1.Secret{})).To(HaveOccurred()) } - diff --git a/controllers/securesign/actions/rbac.go b/controllers/securesign/actions/rbac.go index 9cc5efa8..f40aabaf 100644 --- a/controllers/securesign/actions/rbac.go +++ b/controllers/securesign/actions/rbac.go @@ -16,6 +16,7 @@ import ( ) const namespacedNamePattern = SegmentRBACName + "-%s" +const namespacedResourcedNamePattern = SegmentRBACName + "-%s" + "-%s" func NewRBACAction() action.Action[rhtasv1alpha1.Securesign] { return &rbacAction{} 
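Review bot: The new constant in the rbac.go hunk is written as `SegmentRBACName + "-%s" + "-%s"`, two literals that are concatenated at compile time anyway; `const namespacedResourcedNamePattern = SegmentRBACName + "-%s-%s"` is the same string and reads as one format. Since the later hunks fill the two verbs with the target namespace and a resource kind, and never with the Securesign instance's own namespace, a short comment stating that would help readers judge name uniqueness: `// namespacedResourcedNamePattern names one RBAC object per target namespace and resource kind: SegmentRBACName-<namespace>-<resource>.`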
@@ -57,16 +58,34 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesi return i.Failed(fmt.Errorf("could not set controll reference for SA: %w", err)) } // don't re-enqueue for RBAC in any case (except failure) - _, err = i.Ensure(ctx, sa) + i.Ensure(ctx, sa) // `openshift-monitoring` RBAC - roleOpenshiftMontiroing := kubernetes.CreateRole("openshift-monitoring", SegmentRBACName, labels, []rbacv1.PolicyRule{ + tmpNamespace := "openshift-monitoring" + + roleOpenshiftMontiroingConfigmaps := kubernetes.CreateRole("openshift-monitoring", fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "configmaps"), labels, []rbacv1.PolicyRule{ { APIGroups: []string{""}, Resources: []string{"configmaps"}, - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "list", "patch"}, }, + }) + + i.Ensure(ctx, roleOpenshiftMontiroingConfigmaps) + + rolebindingOpenshiftMontiroingConfigmaps := kubernetes.CreateRoleBinding("openshift-monitoring", fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "configmaps"), labels, rbacv1.RoleRef{ + APIGroup: v1.SchemeGroupVersion.Group, + Kind: "Role", + Name: fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "configmaps"), + }, + []rbacv1.Subject{ + {Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace}, + }) + + i.Ensure(ctx, rolebindingOpenshiftMontiroingConfigmaps) + + roleOpenshiftMontiroingRoutes := kubernetes.CreateRole("openshift-monitoring", fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "routes"), labels, []rbacv1.PolicyRule{ { APIGroups: []string{"route.openshift.io"}, Resources: []string{"routes"}, 
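Review bot: The rewritten calls `i.Ensure(ctx, sa)`, `i.Ensure(ctx, roleOpenshiftMontiroingConfigmaps)` and `i.Ensure(ctx, rolebindingOpenshiftMontiroingConfigmaps)` discard both return values, so a failure to create or update the Role or RoleBinding leaves the service account without the permission while the reconcile still reaches `return i.Continue()` with no log or status condition; the same pattern repeats in the hunks at -74, -104 and -135. The comment above says RBAC should not be re-enqueued "except failure", which suggests the error is meant to be surfaced, e.g. `if _, err := i.Ensure(ctx, roleOpenshiftMontiroingConfigmaps); err != nil { return i.Failed(fmt.Errorf("could not ensure role: %w", err)) }` (or at least a logged warning if a missing optional namespace is expected). The verb list on configmaps grows from `get, list` to `get, list, patch`, a write permission in `openshift-monitoring`; a one-line comment on the rule naming which configmap the operator patches and why would document the widened grant, since the hunk does not show it. Handle begins before this hunk.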
@@ -74,29 +93,24 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesi }, }) - if err = ctrl.SetControllerReference(instance, roleOpenshiftMontiroing, i.Client.Scheme()); err != nil { - return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err)) - } - _, err = i.Ensure(ctx, roleOpenshiftMontiroing) + i.Ensure(ctx, roleOpenshiftMontiroingRoutes) - rolebindingOpenshiftMonitoring := kubernetes.CreateRoleBinding("openshift-monitoring", SegmentRBACName, labels, rbacv1.RoleRef{ + rolebindingOpenshiftMontiroingRoutes := kubernetes.CreateRoleBinding("openshift-monitoring", fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "routes"), labels, rbacv1.RoleRef{ APIGroup: v1.SchemeGroupVersion.Group, Kind: "Role", - Name: SegmentRBACName, + Name: fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "routes"), }, []rbacv1.Subject{ {Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace}, }) - if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftMonitoring, i.Client.Scheme()); err != nil { - return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err)) - } - - _, err = i.Ensure(ctx, rolebindingOpenshiftMonitoring) + i.Ensure(ctx, rolebindingOpenshiftMontiroingRoutes) // `openshift-console` RBAC - roleOpenshiftConsole := kubernetes.CreateRole("openshift-console", SegmentRBACName, labels, []rbacv1.PolicyRule{ + tmpNamespace = "openshift-console" + + clusterRoleOpenshiftConsole := kubernetes.CreateClusterRole(fmt.Sprintf(namespacedNamePattern, tmpNamespace), labels, []rbacv1.PolicyRule{ { APIGroups: []string{"operator.openshift.io"}, Resources: []string{"consoles"}, 
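Review bot: With the `ctrl.SetControllerReference` calls removed for the openshift-monitoring Role and RoleBinding, and with `clusterRoleOpenshiftConsole` being cluster-scoped, nothing in the new code owns these objects any more, so they outlive the Securesign instance and keep granting the bound service account access after the instance is deleted; the removal is presumably because owner references cannot point across namespaces or from cluster scope to a namespaced owner, but that means an explicit deletion path (a finalizer on Securesign, or a cleanup action) is needed and is not part of this change. The object names are derived only from the target namespace (`fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "routes")`, `fmt.Sprintf(namespacedNamePattern, tmpNamespace)`), so two Securesign instances in different namespaces would, as far as the hunk shows, reconcile the same RoleBinding whose single subject carries `Namespace: instance.Namespace`, and the last one reconciled wins; either qualify the name with the instance namespace or append subjects instead of replacing them. A comment above the first Ensure, e.g. `// These objects live outside the instance namespace and cannot carry an owner reference; they are removed by <cleanup path>.`, should name the intended cleanup.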
@@ -104,30 +118,24 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesi }, }) - if err = ctrl.SetControllerReference(instance, roleOpenshiftConsole, i.Client.Scheme()); err != nil { - return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err)) - } + i.Ensure(ctx, clusterRoleOpenshiftConsole) - _, err = i.Ensure(ctx, roleOpenshiftConsole) - - rolebindingOpenshiftConsole := kubernetes.CreateRoleBinding("openshift-console", SegmentRBACName, labels, rbacv1.RoleRef{ + rolebindingOpenshiftConsole := kubernetes.CreateRoleBinding("openshift-console", fmt.Sprintf(namespacedNamePattern, tmpNamespace), labels, rbacv1.RoleRef{ APIGroup: v1.SchemeGroupVersion.Group, - Kind: "Role", - Name: SegmentRBACName, + Kind: "ClusterRole", + Name: fmt.Sprintf(namespacedNamePattern, tmpNamespace), }, []rbacv1.Subject{ {Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace}, }) - if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftConsole, i.Client.Scheme()); err != nil { - return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err)) - } - - _, err = i.Ensure(ctx, rolebindingOpenshiftConsole) + i.Ensure(ctx, rolebindingOpenshiftConsole) // `openshift-user-workload-monitoring` RBAC - roleOpenshiftUserWorkloadMonitoring := kubernetes.CreateRole("openshift-user-workload-monitoring", SegmentRBACName, labels, []rbacv1.PolicyRule{ + tmpNamespace = "openshift-user-workload-monitoring" + + roleOpenshiftUserWorkloadMonitoring := kubernetes.CreateRole("openshift-user-workload-monitoring", fmt.Sprintf(namespacedNamePattern, tmpNamespace), labels, []rbacv1.PolicyRule{ { APIGroups: []string{""}, Resources: []string{"secrets"}, 
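Review bot: The namespace is now held in `tmpNamespace` yet the string literal is still repeated as the first argument, e.g. `kubernetes.CreateRole("openshift-user-workload-monitoring", fmt.Sprintf(namespacedNamePattern, tmpNamespace), ...)`, so the two can drift apart when one is edited; passing the variable keeps them in sync: `kubernetes.CreateRole(tmpNamespace, fmt.Sprintf(namespacedNamePattern, tmpNamespace), labels, []rbacv1.PolicyRule{`. The same applies to the `CreateRoleBinding` calls and to the openshift-monitoring and openshift-console blocks in the earlier hunks. Reassigning one `tmpNamespace` variable for three different targets also reads awkwardly; `targetNamespace` would describe its role better, or a small loop over a table of namespace/name/rules would remove the repetition. Switching the RoleRef to `Kind: "ClusterRole"` here is consistent with the ClusterRole created in the previous hunk.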
@@ -135,26 +143,18 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesi }, }) - if err = ctrl.SetControllerReference(instance, roleOpenshiftUserWorkloadMonitoring, i.Client.Scheme()); err != nil { - return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err)) - } - - _, err = i.Ensure(ctx, roleOpenshiftUserWorkloadMonitoring) + i.Ensure(ctx, roleOpenshiftUserWorkloadMonitoring) - rolebindingOpenshiftUserWorkloadMonitoring := kubernetes.CreateRoleBinding("openshift-user-workload-monitoring", SegmentRBACName, labels, rbacv1.RoleRef{ + rolebindingOpenshiftUserWorkloadMonitoring := kubernetes.CreateRoleBinding("openshift-user-workload-monitoring", fmt.Sprintf(namespacedNamePattern, tmpNamespace), labels, rbacv1.RoleRef{ APIGroup: v1.SchemeGroupVersion.Group, Kind: "Role", - Name: SegmentRBACName, + Name: fmt.Sprintf(namespacedNamePattern, tmpNamespace), }, []rbacv1.Subject{ {Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace}, }) - if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftUserWorkloadMonitoring, i.Client.Scheme()); err != nil { - return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err)) - } - - _, err = i.Ensure(ctx, rolebindingOpenshiftUserWorkloadMonitoring) + i.Ensure(ctx, rolebindingOpenshiftUserWorkloadMonitoring) return i.Continue() }