From 92554fe818076f50bc096556d882963c7a7ab672 Mon Sep 17 00:00:00 2001
From: greg pereira
Date: Tue, 2 Apr 2024 13:06:17 -0700
Subject: [PATCH] swapping cr and crbs to r and rbs

Signed-off-by: greg pereira
---
 api/v1alpha1/common.go | 2 +-
 .../rhtas.redhat.com_securesigns.yaml | 4 +-
 .../crd/bases/rhtas.redhat.com_fulcios.yaml | 2 +-
 config/crd/bases/rhtas.redhat.com_rekors.yaml | 2 +-
 .../bases/rhtas.redhat.com_securesigns.yaml | 4 +-
 config/samples/rhtas_v1alpha1_securesign.yaml | 4 +-
 controllers/common/utils/kubernetes/role.go | 10 ---
 .../common/utils/kubernetes/role_binding.go | 11 ---
 controllers/securesign/actions/rbac.go | 83 ++++++++++++++++---
 9 files changed, 82 insertions(+), 40 deletions(-)

diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
index 4eeec693..966271ec 100644
--- a/api/v1alpha1/common.go
+++ b/api/v1alpha1/common.go
@@ -8,7 +8,7 @@ type ExternalAccess struct {
 // If set to true, the Operator will create an Ingress or a Route resource.
 //For the plain Ingress there is no TLS configuration provided Route object uses "edge" termination by default.
 //+kubebuilder:validation:XValidation:rule=(self || !oldSelf),message=Feature cannot be disabled
- //+kubebuilder:default:=false
+ //+kubebuilder:default:=true
 Enabled bool `json:"enabled"`
 // Set hostname for your Ingress/Route.
 Host string `json:"host,omitempty"`
diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml
index f1371ede..a3c44aa6 100644
--- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml
+++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml
@@ -347,7 +347,7 @@ spec:
 description: Enable Service monitors for fulcio
 properties:
 enabled:
- default: false
+ default: true
 description: If true, the Operator will create monitoring resources
 type: boolean
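Review bot: The `//+kubebuilder:default:=true` flip on `ExternalAccess.Enabled` is unrelated to the subject of this patch (moving from ClusterRole/ClusterRoleBinding to namespaced Role/RoleBinding) and changes the exposure of every new instance: together with the `XValidation:rule=(self || !oldSelf)` marker just above it, a CR that omits `externalAccess.enabled` now gets an Ingress or Route created and can never be switched back to internal-only. None of the regenerated CRDs in this patch carry that change — they only flip `monitoring.enabled` defaults, for which no Go type change is included — so either the manifests were not regenerated for this marker or the wrong field was edited. I would keep `//+kubebuilder:default:=false` here, or move the default change into its own commit with CRD manifests regenerated from the markers.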
@@ -419,7 +419,7 @@ spec:
 description: Enable Service monitors for rekor
 properties:
 enabled:
- default: false
+ default: true
 description: If true, the Operator will create monitoring resources
 type: boolean
diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml
index d0da89e8..9a198ab4 100644
--- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml
+++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml
@@ -241,7 +241,7 @@ spec:
 description: Enable Service monitors for fulcio
 properties:
 enabled:
- default: false
+ default: true
 description: If true, the Operator will create monitoring resources
 type: boolean
 x-kubernetes-validations:
diff --git a/config/crd/bases/rhtas.redhat.com_rekors.yaml b/config/crd/bases/rhtas.redhat.com_rekors.yaml
index 36b81800..3a3dd461 100644
--- a/config/crd/bases/rhtas.redhat.com_rekors.yaml
+++ b/config/crd/bases/rhtas.redhat.com_rekors.yaml
@@ -91,7 +91,7 @@ spec:
 description: Enable Service monitors for rekor
 properties:
 enabled:
- default: false
+ default: true
 description: If true, the Operator will create monitoring resources
 type: boolean
 x-kubernetes-validations:
diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
index fd51332d..29347d5a 100644
--- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml
+++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -347,7 +347,7 @@ spec:
 description: Enable Service monitors for fulcio
 properties:
 enabled:
- default: false
+ default: true
 description: If true, the Operator will create monitoring resources
 type: boolean
@@ -419,7 +419,7 @@ spec:
 description: Enable Service monitors for rekor
 properties:
 enabled:
- default: false
+ default: true
 description: If true, the Operator will create monitoring resources
 type: boolean
diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml
index 64ca2f22..0a72542b 100644
--- a/config/samples/rhtas_v1alpha1_securesign.yaml
+++ b/config/samples/rhtas_v1alpha1_securesign.yaml
@@ -12,7 +12,7 @@ spec:
 externalAccess:
 enabled: true
 monitoring:
- enabled: false
+ enabled: true
 trillian:
 database:
 create: true
@@ -30,7 +30,7 @@ spec:
 organizationEmail: jdoe@redhat.com
 commonName: fulcio.hostname
 monitoring:
- enabled: false
+ enabled: true
 tuf:
 externalAccess:
 enabled: true
diff --git a/controllers/common/utils/kubernetes/role.go b/controllers/common/utils/kubernetes/role.go
index d8644fcc..f88b879b 100644
--- a/controllers/common/utils/kubernetes/role.go
+++ b/controllers/common/utils/kubernetes/role.go
@@ -15,13 +15,3 @@ func CreateRole(namespace, name string, labels map[string]string, rules []rbacv1
 Rules: rules,
 }
 }
-
-func CreateClusterRole(name string, labels map[string]string, rules []rbacv1.PolicyRule) *rbacv1.ClusterRole {
- return &rbacv1.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: name,
- Labels: labels,
- },
- Rules: rules,
- }
-}
diff --git a/controllers/common/utils/kubernetes/role_binding.go b/controllers/common/utils/kubernetes/role_binding.go
index 860a5b4c..674efd97 100644
--- a/controllers/common/utils/kubernetes/role_binding.go
+++ b/controllers/common/utils/kubernetes/role_binding.go
@@ -16,14 +16,3 @@ func CreateRoleBinding(namespace string, name string, labels map[string]string,
 Subjects: subjects,
 }
 }
-
-func CreateClusterRoleBinding(name string, labels map[string]string, roleRef rbacv1.RoleRef, subjects []rbacv1.Subject) *rbacv1.ClusterRoleBinding {
- return &rbacv1.ClusterRoleBinding{
- ObjectMeta: metav1.ObjectMeta{
- Name: name,
- Labels: labels,
- },
- RoleRef: roleRef,
- Subjects: subjects,
- }
-}
diff --git a/controllers/securesign/actions/rbac.go b/controllers/securesign/actions/rbac.go
index 5a6b2b5f..9cc5efa8 100644
--- a/controllers/securesign/actions/rbac.go
+++ b/controllers/securesign/actions/rbac.go
@@ -59,12 +59,9 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesi
 // don't re-enqueue for RBAC in any case (except failure)
 _, err = i.Ensure(ctx, sa)
- role := kubernetes.CreateClusterRole(SegmentRBACName, constants.LabelsRHTAS(), []rbacv1.PolicyRule{
- {
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- Verbs: []string{"get", "list"},
- },
+ // `openshift-monitoring` RBAC
+
+ roleOpenshiftMontiroing := kubernetes.CreateRole("openshift-monitoring", SegmentRBACName, labels, []rbacv1.PolicyRule{
 {
 APIGroups: []string{""},
 Resources: []string{"configmaps"},
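Review bot: The Role created here in the shared `openshift-monitoring` namespace is named with the constant `SegmentRBACName` rather than a name derived from `instance.Namespace`, so two Securesign instances in different namespaces would Ensure the same Role (and, in the next hunk, the same RoleBinding whose only subject points at one instance's namespace) and keep overwriting each other; the removed ClusterRoleBinding avoided that with `fmt.Sprintf(namespacedNamePattern, instance.Namespace)`, which presumably embeds the namespace. Reusing that pattern for the Role and RoleBinding names in the three openshift-* namespaces would keep each instance's grant separate and make it obvious in an audit which instance a binding belongs to. The local is also misspelled: `roleOpenshiftMontiroing` → `roleOpenshiftMonitoring`. Handle's body begins before this hunk, so where `labels` comes from is not visible here.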
@@ -75,23 +72,89 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesi
 Resources: []string{"routes"},
 Verbs: []string{"get", "list"},
 },
+ })
+
+ if err = ctrl.SetControllerReference(instance, roleOpenshiftMontiroing, i.Client.Scheme()); err != nil {
+ return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err))
+ }
+ _, err = i.Ensure(ctx, roleOpenshiftMontiroing)
+
+ rolebindingOpenshiftMonitoring := kubernetes.CreateRoleBinding("openshift-monitoring", SegmentRBACName, labels, rbacv1.RoleRef{
+ APIGroup: v1.SchemeGroupVersion.Group,
+ Kind: "Role",
+ Name: SegmentRBACName,
+ },
+ []rbacv1.Subject{
+ {Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace},
+ })
+
+ if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftMonitoring, i.Client.Scheme()); err != nil {
+ return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err))
+ }
+
+ _, err = i.Ensure(ctx, rolebindingOpenshiftMonitoring)
+
+ // `openshift-console` RBAC
+
+ roleOpenshiftConsole := kubernetes.CreateRole("openshift-console", SegmentRBACName, labels, []rbacv1.PolicyRule{
 {
 APIGroups: []string{"operator.openshift.io"},
 Resources: []string{"consoles"},
 Verbs: []string{"get", "list"},
 },
 })
- _, err = i.Ensure(ctx, role)
- rb := kubernetes.CreateClusterRoleBinding(fmt.Sprintf(namespacedNamePattern, instance.Namespace), labels, rbacv1.RoleRef{
+ if err = ctrl.SetControllerReference(instance, roleOpenshiftConsole, i.Client.Scheme()); err != nil {
+ return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err))
+ }
+
+ _, err = i.Ensure(ctx, roleOpenshiftConsole)
+
+ rolebindingOpenshiftConsole := kubernetes.CreateRoleBinding("openshift-console", SegmentRBACName, labels, rbacv1.RoleRef{
+ APIGroup: v1.SchemeGroupVersion.Group,
+ Kind: "Role",
+ Name: SegmentRBACName,
+ },
+ []rbacv1.Subject{
+ {Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace},
+ })
+
+ if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftConsole, i.Client.Scheme()); err != nil {
+ return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err))
+ }
+
+ _, err = i.Ensure(ctx, rolebindingOpenshiftConsole)
+
+ // `openshift-user-workload-monitoring` RBAC
+
+ roleOpenshiftUserWorkloadMonitoring := kubernetes.CreateRole("openshift-user-workload-monitoring", SegmentRBACName, labels, []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{"get", "list"},
+ },
+ })
+
+ if err = ctrl.SetControllerReference(instance, roleOpenshiftUserWorkloadMonitoring, i.Client.Scheme()); err != nil {
+ return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err))
+ }
+
+ _, err = i.Ensure(ctx, roleOpenshiftUserWorkloadMonitoring)
+
+ rolebindingOpenshiftUserWorkloadMonitoring := kubernetes.CreateRoleBinding("openshift-user-workload-monitoring", SegmentRBACName, labels, rbacv1.RoleRef{
 APIGroup: v1.SchemeGroupVersion.Group,
- Kind: "ClusterRole",
+ Kind: "Role",
 Name: SegmentRBACName,
 },
 []rbacv1.Subject{
 {Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace},
 })
- _, err = i.Ensure(ctx, rb)
+
+ if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftUserWorkloadMonitoring, i.Client.Scheme()); err != nil {
+ return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err))
+ }
+
+ _, err = i.Ensure(ctx, rolebindingOpenshiftUserWorkloadMonitoring)
 return i.Continue()
 }
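Review bot: `ctrl.SetControllerReference(instance, roleOpenshiftMontiroing, i.Client.Scheme())` and the five sibling calls in this hunk put a namespaced owner (`instance`, living in `instance.Namespace`) on objects created in `openshift-monitoring`, `openshift-console` and `openshift-user-workload-monitoring`; Kubernetes does not permit cross-namespace owner references, and as far as I recall controller-runtime's owner-reference helper rejects the mismatch up front, so unless the Securesign instance is itself in that namespace each call returns an error and Handle exits through `i.Failed` before any of the new RBAC is applied. These objects need a lifecycle other than owner-reference garbage collection — the existing labels plus explicit deletion when the instance goes away, for example — and that should be stated in a comment above the first `CreateRole` so the next reader does not re-add the owner reference. Separately, every `_, err = i.Ensure(ctx, ...)` result is assigned and then overwritten by the next `SetControllerReference` without being checked, so a rejected Role or RoleBinding (the operator lacking permission in one of those namespaces, say) is silently dropped even though the comment at the top of the function promises failures are surfaced; `if _, err = i.Ensure(ctx, roleOpenshiftMontiroing); err != nil { return i.Failed(fmt.Errorf("could not create role: %w", err)) }` at each of the six sites would surface it. The error strings also read `controll reference` — `controller reference`.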