Signed-off-by: Justin Kolberg <amd.prophet@gmail.com>
1 parent
0af4d20
commit 9b5e390
Showing
8 changed files
with
502 additions
and
299 deletions.
@@ -0,0 +1,48 @@ | ||
package seeds | ||
|
||
import ( | ||
"context" | ||
"errors" | ||
"fmt" | ||
"time" | ||
|
||
corev2 "github.com/sensu/sensu-go/api/core/v2" | ||
"github.com/sensu/sensu-go/backend/store" | ||
storev2 "github.com/sensu/sensu-go/backend/store/v2" | ||
) | ||
|
||
func setupAPIKeys(ctx context.Context, s storev2.Interface, config Config) error { | ||
apiKeys := []*corev2.APIKey{} | ||
|
||
if config.AdminAPIKey != "" { | ||
apiKey := adminAPIKey(config.AdminUsername, config.AdminAPIKey) | ||
apiKeys = append(apiKeys, apiKey) | ||
} | ||
|
||
for _, apiKey := range apiKeys { | ||
name := apiKey.ObjectMeta.Name | ||
|
||
if err := createResource(ctx, s, apiKey); err != nil { | ||
var alreadyExists *store.ErrAlreadyExists | ||
if !errors.As(err, &alreadyExists) { | ||
msg := fmt.Sprintf("could not initialize the %s api key", name) | ||
logger.WithError(err).Error(msg) | ||
return fmt.Errorf("%s: %w", msg, err) | ||
} | ||
logger.Warnf("%s api key already exists", name) | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func adminAPIKey(username, apiKey string) *corev2.APIKey { | ||
return &corev2.APIKey{ | ||
ObjectMeta: corev2.ObjectMeta{ | ||
Name: apiKey, | ||
CreatedBy: username, | ||
}, | ||
Username: username, | ||
CreatedAt: time.Now().Unix(), | ||
} | ||
} |
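Review bot: The raw admin API key is written to the backend log on both error paths, because `name` is taken from `apiKey.ObjectMeta.Name` and `adminAPIKey` sets that field to the key string itself (`Name: apiKey`, populated from `config.AdminAPIKey`). The "already exists" warning and the wrapped error message therefore carry the credential into logs and into whatever reports the returned error upstream. Label the messages by the owning user instead of the key, e.g. `msg := fmt.Sprintf("could not initialize the api key for user %s", apiKey.Username)` and `logger.Warnf("api key for user %s already exists", apiKey.Username)`. A short comment on `adminAPIKey` noting that the object's name is the secret value, and must not be logged or echoed, would keep future callers from repeating this.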
@@ -0,0 +1,89 @@ | ||
package seeds | ||
|
||
import ( | ||
"context" | ||
"errors" | ||
"fmt" | ||
|
||
corev2 "github.com/sensu/sensu-go/api/core/v2" | ||
"github.com/sensu/sensu-go/backend/store" | ||
storev2 "github.com/sensu/sensu-go/backend/store/v2" | ||
) | ||
|
||
func setupClusterRoleBindings(ctx context.Context, s storev2.Interface, config Config) error { | ||
clusterRoleBindings := []*corev2.ClusterRoleBinding{ | ||
clusterAdminClusterRoleBinding(), | ||
systemAgentClusterRoleBinding(), | ||
systemUserClusterRoleBinding(), | ||
} | ||
|
||
for _, clusterRoleBinding := range clusterRoleBindings { | ||
name := clusterRoleBinding.ObjectMeta.Name | ||
|
||
if err := createResource(ctx, s, clusterRoleBinding); err != nil { | ||
var alreadyExists *store.ErrAlreadyExists | ||
if !errors.As(err, &alreadyExists) { | ||
msg := fmt.Sprintf("could not initialize the %s cluster role binding", name) | ||
logger.WithError(err).Error(msg) | ||
return fmt.Errorf("%s: %w", msg, err) | ||
} | ||
logger.Warnf("%s cluster role binding already exists", name) | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func clusterAdminClusterRoleBinding() *corev2.ClusterRoleBinding { | ||
// The cluster-admin ClusterRoleBinding grants permission found in the | ||
// cluster-admin ClusterRole to any user belonging to the cluster-admins group | ||
return &corev2.ClusterRoleBinding{ | ||
ObjectMeta: corev2.NewObjectMeta("cluster-admin", ""), | ||
RoleRef: corev2.RoleRef{ | ||
Type: "ClusterRole", | ||
Name: "cluster-admin", | ||
}, | ||
Subjects: []corev2.Subject{ | ||
{ | ||
Type: "Group", | ||
Name: "cluster-admins", | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func systemAgentClusterRoleBinding() *corev2.ClusterRoleBinding { | ||
// The system:agent ClusterRoleBinding grants permission found in the | ||
// system-agent ClusterRole to any agents belonging to the system:agents group | ||
return &corev2.ClusterRoleBinding{ | ||
ObjectMeta: corev2.NewObjectMeta("system:agent", ""), | ||
RoleRef: corev2.RoleRef{ | ||
Type: "ClusterRole", | ||
Name: "system:agent", | ||
}, | ||
Subjects: []corev2.Subject{ | ||
{ | ||
Type: "Group", | ||
Name: "system:agents", | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func systemUserClusterRoleBinding() *corev2.ClusterRoleBinding { | ||
// The system:user ClusterRoleBinding grants permission found in the | ||
// system:user ClusterRole to any user belonging to the system:users group | ||
return &corev2.ClusterRoleBinding{ | ||
ObjectMeta: corev2.NewObjectMeta("system:user", ""), | ||
RoleRef: corev2.RoleRef{ | ||
Type: "ClusterRole", | ||
Name: "system:user", | ||
}, | ||
Subjects: []corev2.Subject{ | ||
{ | ||
Type: "Group", | ||
Name: "system:users", | ||
}, | ||
}, | ||
} | ||
} |
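Review bot: The comment on `systemAgentClusterRoleBinding` names a "system-agent ClusterRole", but the `RoleRef` it builds points at `system:agent`, so a reader auditing which role an agent token resolves to is sent looking for a role that does not exist in this seed set. Suggested wording: `// The system:agent ClusterRoleBinding grants the permissions of the system:agent ClusterRole to any agent belonging to the system:agents group`. The `config` parameter of `setupClusterRoleBindings` is accepted but never read; if it is kept for signature symmetry with the other seeders, a one-line comment saying so would stop the linter question from recurring.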
@@ -0,0 +1,149 @@ | ||
package seeds | ||
|
||
import ( | ||
"context" | ||
"errors" | ||
"fmt" | ||
|
||
corev2 "github.com/sensu/sensu-go/api/core/v2" | ||
"github.com/sensu/sensu-go/backend/store" | ||
storev2 "github.com/sensu/sensu-go/backend/store/v2" | ||
) | ||
|
||
func setupClusterRoles(ctx context.Context, s storev2.Interface, config Config) error { | ||
clusterRoles := []*corev2.ClusterRole{ | ||
clusterAdminClusterRole(), | ||
adminClusterRole(), | ||
editClusterRole(), | ||
viewClusterRole(), | ||
systemAgentClusterRole(), | ||
systemUserClusterRole(), | ||
} | ||
|
||
for _, clusterRole := range clusterRoles { | ||
name := clusterRole.ObjectMeta.Name | ||
|
||
if err := createResource(ctx, s, clusterRole); err != nil { | ||
var alreadyExists *store.ErrAlreadyExists | ||
if !errors.As(err, &alreadyExists) { | ||
msg := fmt.Sprintf("could not initialize the %s cluster role", name) | ||
logger.WithError(err).Error(msg) | ||
return fmt.Errorf("%s: %w", msg, err) | ||
} | ||
logger.Warnf("%s cluster role already exists", name) | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func clusterAdminClusterRole() *corev2.ClusterRole { | ||
// The cluster-admin ClusterRole gives access to perform any action on any | ||
// resource. When used in a ClusterRoleBinding, it gives full control over | ||
// every resource in the cluster and in all namespaces. When used in a | ||
// RoleBinding, it gives full control over every resource in the rolebinding's | ||
// namespace, including the namespace itself | ||
return &corev2.ClusterRole{ | ||
ObjectMeta: corev2.NewObjectMeta("cluster-admin", ""), | ||
Rules: []corev2.Rule{ | ||
{ | ||
Verbs: []string{corev2.VerbAll}, | ||
Resources: []string{corev2.ResourceAll}, | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func adminClusterRole() *corev2.ClusterRole { | ||
// The admin ClusterRole is intended to be used within a namespace using a | ||
// RoleBinding. It gives full access to most resources, including the ability | ||
// to create Roles and RoleBindings within the namespace but does not allow | ||
// write access to the namespace itself | ||
return &corev2.ClusterRole{ | ||
ObjectMeta: corev2.NewObjectMeta("admin", ""), | ||
Rules: []corev2.Rule{ | ||
{ | ||
Verbs: []string{corev2.VerbAll}, | ||
Resources: append(corev2.CommonCoreResources, []string{ | ||
"roles", | ||
"rolebindings", | ||
}...), | ||
}, | ||
{ | ||
Verbs: []string{"get", "list"}, | ||
Resources: []string{ | ||
"namespaces", | ||
}, | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func editClusterRole() *corev2.ClusterRole { | ||
// The edit ClusterRole is intended to be used within a namespace using a | ||
// RoleBinding. It allows read/write access to most objects in a namespace. It | ||
// does not allow viewing or modifying roles or rolebindings. | ||
return &corev2.ClusterRole{ | ||
ObjectMeta: corev2.NewObjectMeta("edit", ""), | ||
Rules: []corev2.Rule{ | ||
{ | ||
Verbs: []string{corev2.VerbAll}, | ||
Resources: corev2.CommonCoreResources, | ||
}, | ||
{ | ||
Verbs: []string{"get", "list"}, | ||
Resources: []string{ | ||
"namespaces", | ||
}, | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func viewClusterRole() *corev2.ClusterRole { | ||
// The view ClusterRole is intended to be used within a namespace using a | ||
// RoleBinding. It allows read-only access to see most objects in a namespace. | ||
// It does not allow viewing roles or rolebindings. | ||
return &corev2.ClusterRole{ | ||
ObjectMeta: corev2.NewObjectMeta("view", ""), | ||
Rules: []corev2.Rule{ | ||
{ | ||
Verbs: []string{"get", "list"}, | ||
Resources: append(corev2.CommonCoreResources, []string{ | ||
"namespaces", | ||
}...), | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func systemAgentClusterRole() *corev2.ClusterRole { | ||
// The systemAgent ClusterRole is used by Sensu agents and should not be | ||
// modified by the users. Modification to this ClusterRole can result in | ||
// non-functional Sensu agents. | ||
return &corev2.ClusterRole{ | ||
ObjectMeta: corev2.NewObjectMeta("system:agent", ""), | ||
Rules: []corev2.Rule{ | ||
{ | ||
Verbs: []string{corev2.VerbAll}, | ||
Resources: []string{"events"}, | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func systemUserClusterRole() *corev2.ClusterRole { | ||
// The systemUser ClusterRole is used by local users and should not be | ||
// modified by the users. Modification to his ClusterRole can result in | ||
// non-functional Sensu users. It allows users to view themselves and change | ||
// their own password | ||
return &corev2.ClusterRole{ | ||
ObjectMeta: corev2.NewObjectMeta("system:user", ""), | ||
Rules: []corev2.Rule{ | ||
{ | ||
Verbs: []string{"get", "update"}, | ||
Resources: []string{corev2.LocalSelfUserResource}, | ||
}, | ||
}, | ||
} | ||
} |
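Review bot: `adminClusterRole` and `viewClusterRole` both `append` onto the package-level `corev2.CommonCoreResources`, and `editClusterRole` hands that slice to the store as-is; if that variable ever has capacity beyond its length (its declaration is not visible here), the two appended tails would share one backing array and overwrite each other, and any later mutation of a stored rule would alias the shared default. Copying first removes the dependency on how the package declares it: `Resources: append(append([]string(nil), corev2.CommonCoreResources...), "roles", "rolebindings"),` in admin, the same shape with `"namespaces"` in view, and `append([]string(nil), corev2.CommonCoreResources...)` in edit. Separately, the `systemUserClusterRole` comment reads "Modification to his ClusterRole"; it should be `// Modification to this ClusterRole can result in non-functional Sensu users.`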
@@ -0,0 +1,46 @@ | ||
package seeds | ||
|
||
import ( | ||
"context" | ||
"errors" | ||
"fmt" | ||
|
||
corev2 "github.com/sensu/sensu-go/api/core/v2" | ||
corev3 "github.com/sensu/sensu-go/api/core/v3" | ||
"github.com/sensu/sensu-go/backend/store" | ||
storev2 "github.com/sensu/sensu-go/backend/store/v2" | ||
) | ||
|
||
func setupNamespaces(ctx context.Context, s storev2.Interface, config Config) error { | ||
namespaces := []*corev3.Namespace{ | ||
defaultNamespace(), | ||
} | ||
|
||
nsStore := s.NamespaceStore() | ||
|
||
for _, namespace := range namespaces { | ||
name := namespace.Metadata.Name | ||
|
||
if err := nsStore.CreateIfNotExists(ctx, namespace); err != nil { | ||
var alreadyExists *store.ErrAlreadyExists | ||
if !errors.As(err, &alreadyExists) { | ||
msg := fmt.Sprintf("could not initialize the %s namespace", name) | ||
logger.WithError(err).Error(msg) | ||
return fmt.Errorf("%s: %w", msg, err) | ||
} | ||
logger.Warnf("%s namespace already exists", name) | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func defaultNamespace() *corev3.Namespace { | ||
return &corev3.Namespace{ | ||
Metadata: &corev2.ObjectMeta{ | ||
Name: "default", | ||
Labels: make(map[string]string), | ||
Annotations: make(map[string]string), | ||
}, | ||
} | ||
} |
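Review bot: `setupNamespaces` seeds through `s.NamespaceStore().CreateIfNotExists` while the sibling seeders in this commit go through `createResource`, yet it still carries the same `store.ErrAlreadyExists` branch; a reader cannot tell from here whether `CreateIfNotExists` actually returns that error or silently succeeds, in which case the warning branch is dead. A comment above the `nsStore` line stating why namespaces bypass `createResource` — presumably because `corev3.Namespace` is not a corev2 resource, to be confirmed — and what `CreateIfNotExists` returns on an existing namespace would make the intent auditable. As in the other seeders, `config` is unused in this function.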