swapping cr and crbs to r and rbs

Signed-off-by: greg pereira <grpereir@redhat.com>
securesign · Apr 2, 2024 · 92554fe · 92554fe
1 parent 46d2791
commit 92554fe
Show file tree

Hide file tree

Showing 9 changed files with 82 additions and 40 deletions.
diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
@@ -8,7 +8,7 @@ type ExternalAccess struct {
 	// If set to true, the Operator will create an Ingress or a Route resource.
 	//For the plain Ingress there is no TLS configuration provided Route object uses "edge" termination by default.
 	//+kubebuilder:validation:XValidation:rule=(self || !oldSelf),message=Feature cannot be disabled
-	//+kubebuilder:default:=false
+	//+kubebuilder:default:=true
 	Enabled bool `json:"enabled"`
 	// Set hostname for your Ingress/Route.
 	Host string `json:"host,omitempty"`

diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml
@@ -347,7 +347,7 @@ spec:
                     description: Enable Service monitors for fulcio
                     properties:
                       enabled:
-                        default: false
+                        default: true
                         description: If true, the Operator will create monitoring
                           resources
                         type: boolean
@@ -419,7 +419,7 @@ spec:
                     description: Enable Service monitors for rekor
                     properties:
                       enabled:
-                        default: false
+                        default: true
                         description: If true, the Operator will create monitoring
                           resources
                         type: boolean

diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml
@@ -241,7 +241,7 @@ spec:
                 description: Enable Service monitors for fulcio
                 properties:
                   enabled:
-                    default: false
+                    default: true
                     description: If true, the Operator will create monitoring resources
                     type: boolean
                     x-kubernetes-validations:

diff --git a/config/crd/bases/rhtas.redhat.com_rekors.yaml b/config/crd/bases/rhtas.redhat.com_rekors.yaml
@@ -91,7 +91,7 @@ spec:
                 description: Enable Service monitors for rekor
                 properties:
                   enabled:
-                    default: false
+                    default: true
                     description: If true, the Operator will create monitoring resources
                     type: boolean
                     x-kubernetes-validations:

diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -347,7 +347,7 @@ spec:
                     description: Enable Service monitors for fulcio
                     properties:
                       enabled:
-                        default: false
+                        default: true
                         description: If true, the Operator will create monitoring
                           resources
                         type: boolean
@@ -419,7 +419,7 @@ spec:
                     description: Enable Service monitors for rekor
                     properties:
                       enabled:
-                        default: false
+                        default: true
                         description: If true, the Operator will create monitoring
                           resources
                         type: boolean

diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml
@@ -12,7 +12,7 @@ spec:
     externalAccess:
       enabled: true
     monitoring:
-      enabled: false
+      enabled: true
   trillian:
     database:
       create: true
@@ -30,7 +30,7 @@ spec:
       organizationEmail: jdoe@redhat.com
       commonName: fulcio.hostname
     monitoring:
-      enabled: false
+      enabled: true
   tuf:
     externalAccess:
       enabled: true

diff --git a/controllers/common/utils/kubernetes/role.go b/controllers/common/utils/kubernetes/role.go
@@ -15,13 +15,3 @@ func CreateRole(namespace, name string, labels map[string]string, rules []rbacv1
 		Rules: rules,
 	}
 }
-
-func CreateClusterRole(name string, labels map[string]string, rules []rbacv1.PolicyRule) *rbacv1.ClusterRole {
-	return &rbacv1.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:   name,
-			Labels: labels,
-		},
-		Rules: rules,
-	}
-}
diff --git a/controllers/common/utils/kubernetes/role_binding.go b/controllers/common/utils/kubernetes/role_binding.go
@@ -16,14 +16,3 @@ func CreateRoleBinding(namespace string, name string, labels map[string]string,
 		Subjects: subjects,
 	}
 }
-
-func CreateClusterRoleBinding(name string, labels map[string]string, roleRef rbacv1.RoleRef, subjects []rbacv1.Subject) *rbacv1.ClusterRoleBinding {
-	return &rbacv1.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:   name,
-			Labels: labels,
-		},
-		RoleRef:  roleRef,
-		Subjects: subjects,
-	}
-}
diff --git a/controllers/securesign/actions/rbac.go b/controllers/securesign/actions/rbac.go
@@ -59,12 +59,9 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesi
 	// don't re-enqueue for RBAC in any case (except failure)
 	_, err = i.Ensure(ctx, sa)
 
-	role := kubernetes.CreateClusterRole(SegmentRBACName, constants.LabelsRHTAS(), []rbacv1.PolicyRule{
-		{
-			APIGroups: []string{""},
-			Resources: []string{"secrets"},
-			Verbs:     []string{"get", "list"},
-		},
+	// `openshift-monitoring` RBAC
+
+	roleOpenshiftMontiroing := kubernetes.CreateRole("openshift-monitoring", SegmentRBACName, labels, []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{""},
 			Resources: []string{"configmaps"},
@@ -75,23 +72,89 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesi
 			Resources: []string{"routes"},
 			Verbs:     []string{"get", "list"},
 		},
+	})
+
+	if err = ctrl.SetControllerReference(instance, roleOpenshiftMontiroing, i.Client.Scheme()); err != nil {
+		return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err))
+	}
+	_, err = i.Ensure(ctx, roleOpenshiftMontiroing)
+
+	rolebindingOpenshiftMonitoring := kubernetes.CreateRoleBinding("openshift-monitoring", SegmentRBACName, labels, rbacv1.RoleRef{
+		APIGroup: v1.SchemeGroupVersion.Group,
+		Kind:     "Role",
+		Name:     SegmentRBACName,
+	},
+		[]rbacv1.Subject{
+			{Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace},
+		})
+
+	if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftMonitoring, i.Client.Scheme()); err != nil {
+		return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err))
+	}
+
+	_, err = i.Ensure(ctx, rolebindingOpenshiftMonitoring)
+
+	// `openshift-console` RBAC
+
+	roleOpenshiftConsole := kubernetes.CreateRole("openshift-console", SegmentRBACName, labels, []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{"operator.openshift.io"},
 			Resources: []string{"consoles"},
 			Verbs:     []string{"get", "list"},
 		},
 	})
-	_, err = i.Ensure(ctx, role)
 
-	rb := kubernetes.CreateClusterRoleBinding(fmt.Sprintf(namespacedNamePattern, instance.Namespace), labels, rbacv1.RoleRef{
+	if err = ctrl.SetControllerReference(instance, roleOpenshiftConsole, i.Client.Scheme()); err != nil {
+		return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err))
+	}
+
+	_, err = i.Ensure(ctx, roleOpenshiftConsole)
+
+	rolebindingOpenshiftConsole := kubernetes.CreateRoleBinding("openshift-console", SegmentRBACName, labels, rbacv1.RoleRef{
+		APIGroup: v1.SchemeGroupVersion.Group,
+		Kind:     "Role",
+		Name:     SegmentRBACName,
+	},
+		[]rbacv1.Subject{
+			{Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace},
+		})
+
+	if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftConsole, i.Client.Scheme()); err != nil {
+		return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err))
+	}
+
+	_, err = i.Ensure(ctx, rolebindingOpenshiftConsole)
+
+	// `openshift-user-workload-monitoring` RBAC
+
+	roleOpenshiftUserWorkloadMonitoring := kubernetes.CreateRole("openshift-user-workload-monitoring", SegmentRBACName, labels, []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{""},
+			Resources: []string{"secrets"},
+			Verbs:     []string{"get", "list"},
+		},
+	})
+
+	if err = ctrl.SetControllerReference(instance, roleOpenshiftUserWorkloadMonitoring, i.Client.Scheme()); err != nil {
+		return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err))
+	}
+
+	_, err = i.Ensure(ctx, roleOpenshiftUserWorkloadMonitoring)
+
+	rolebindingOpenshiftUserWorkloadMonitoring := kubernetes.CreateRoleBinding("openshift-user-workload-monitoring", SegmentRBACName, labels, rbacv1.RoleRef{
 		APIGroup: v1.SchemeGroupVersion.Group,
-		Kind:     "ClusterRole",
+		Kind:     "Role",
 		Name:     SegmentRBACName,
 	},
 		[]rbacv1.Subject{
 			{Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace},
 		})
-	_, err = i.Ensure(ctx, rb)
+
+	if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftUserWorkloadMonitoring, i.Client.Scheme()); err != nil {
+		return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err))
+	}
+
+	_, err = i.Ensure(ctx, rolebindingOpenshiftUserWorkloadMonitoring)
 
 	return i.Continue()
 }