PR feedback

DataDog · Sep 20, 2024 · 4ee78fe · 4ee78fe
1 parent 9367dc5
commit 4ee78fe
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 32 deletions.
diff --git a/charts/private-action-runner/README.md b/charts/private-action-runner/README.md
@@ -54,7 +54,7 @@ helm repo update
 | runners[0].config.port | int | `9016` | Port for HTTP server liveness checks and App Builder mode |
 | runners[0].config.privateKey | string | `"CHANGE_ME_PRIVATE_KEY_FROM_CONFIG"` | The runner's privateKey from the enrollment page |
 | runners[0].config.urn | string | `"CHANGE_ME_URN_FROM_CONFIG"` | The runner's URN from the enrollment page |
-| runners[0].kubernetesActions | object | `{"configMaps":[],"controllerRevisions":[],"cronJobs":[],"customObjects":[],"customResourceDefinitions":[],"daemonSets":[],"deployments":[],"endpoints":[],"events":[],"jobs":[],"limitRanges":[],"namespaces":[],"nodes":[],"persistentVolumeClaims":[],"persistentVolumes":[],"podTemplates":[],"pods":["get","list"],"replicaSets":[],"replicationControllers":[],"resourceQuotas":[],"serviceAccounts":[],"services":[],"statefulSets":[]}` | List of kubernetes actions to enable and for which to provide permissions (use either this or kubernetesPermissions and config.actionsAllowlist) |
+| runners[0].kubernetesActions | object | `{"configMaps":[],"controllerRevisions":[],"cronJobs":[],"customObjects":[],"customResourceDefinitions":[],"daemonSets":[],"deployments":[],"endpoints":[],"events":[],"jobs":[],"limitRanges":[],"namespaces":[],"nodes":[],"persistentVolumeClaims":[],"persistentVolumes":[],"podTemplates":[],"pods":["get","list"],"replicaSets":[],"replicationControllers":[],"resourceQuotas":[],"serviceAccounts":[],"services":[],"statefulSets":[]}` | Add Kubernetes actions to the `config.actionsAllowlist` and corresponding permissions for the service account |
 | runners[0].kubernetesActions.configMaps | list | `[]` | Actions related to configMaps (options: "get", "list", "create", "update", "patch", "delete", "deleteMultiple") |
 | runners[0].kubernetesActions.controllerRevisions | list | `[]` | Actions related to controllerRevisions (options: "get", "list", "create", "update", "patch", "delete", "deleteMultiple") |
 | runners[0].kubernetesActions.cronJobs | list | `[]` | Actions related to cronJobs (options: "get", "list", "create", "update", "patch", "delete", "deleteMultiple") |
@@ -78,6 +78,6 @@ helm repo update
 | runners[0].kubernetesActions.serviceAccounts | list | `[]` | Actions related to serviceAccounts (options: "get", "list", "create", "update", "patch", "delete", "deleteMultiple") |
 | runners[0].kubernetesActions.services | list | `[]` | Actions related to services (options: "get", "list", "create", "update", "patch", "delete", "deleteMultiple") |
 | runners[0].kubernetesActions.statefulSets | list | `[]` | Actions related to statefulSets (options: "get", "list", "create", "update", "patch", "delete", "deleteMultiple") |
-| runners[0].kubernetesPermissions | list | `[]` | List of Kubernetes permissions for the Datadog Private Action Runner (use either this or kubernetesActions except for customObjects) |
+| runners[0].kubernetesPermissions | list | `[]` | Kubernetes permissions to provide in addition to the one that will be inferred from `kubernetesActions` (useful for customObjects) |
 | runners[0].name | string | `"default"` | Name of the Datadog Private Action Runner |
 | runners[0].replicas | int | `1` | Number of pod instances for the Datadog Private Action Runner |
diff --git a/charts/private-action-runner/examples/values.yaml b/charts/private-action-runner/examples/values.yaml
@@ -11,32 +11,32 @@ runners:
       port: 9016
       actionsAllowlist:
         - com.datadoghq.http.request
-    # -- List of kubernetes actions to enable and for which to provide permissions (use either this or kubernetesPermissions and config.actionsAllowlist except for customObjects)
+    # -- Add Kubernetes actions to the `config.actionsAllowlist` and corresponding permissions for the service account
     kubernetesActions:
-#      controllerRevisions: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      daemonSets: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      deployments: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple", "restart" ]
-#      replicaSets: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      statefulSets: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      cronJobs: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      configMaps: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      endpoints: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      events: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      limitRanges: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      namespaces: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      nodes: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      persistentVolumes: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      persistentVolumeClaims: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-      pods: [ "get", "list" ] # "create", "update", "patch", "delete", "deleteMultiple" ]
-#      podTemplates: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      replicationControllers: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      resourceQuotas: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      services: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      serviceAccounts: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      customResourceDefinitions: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      jobs: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-#      customObjects: [ "get", "list", "create", "update", "patch", "delete", "deleteMultiple" ]
-    # -- Use either this or kubernetesActions except for customObjects
+      controllerRevisions: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      daemonSets: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      deployments: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple", "restart"]
+      replicaSets: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      statefulSets: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      cronJobs: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      configMaps: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      endpoints: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      events: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      limitRanges: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      namespaces: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      nodes: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      persistentVolumes: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      persistentVolumeClaims: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      pods: ["get", "list" ] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      podTemplates: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      replicationControllers: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      resourceQuotas: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      services: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      serviceAccounts: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      customResourceDefinitions: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      jobs: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+      customObjects: [] # select your actions among ["get", "list", "create", "update", "patch", "delete", "deleteMultiple"]
+    # -- Kubernetes permissions to provide in addition to the one that will be inferred from `kubernetesActions` (useful for customObjects)
     kubernetesPermissions:
     # CRD example
 #      - apiGroups:

diff --git a/charts/private-action-runner/templates/_helpers.tpl b/charts/private-action-runner/templates/_helpers.tpl
@@ -122,7 +122,7 @@ Defines an RBAC rule for provided apiGroup, resource type and allowed verbs
 {{- end }}
 
 {{/*
-Helpers for kubernetes
+Map from plural(resourceName) to actionBundle
 */}}
 {{- define "chart.k8sResourceMap" -}}
 {{- $resourceMap := dict
@@ -152,6 +152,9 @@ Helpers for kubernetes
 {{- toYaml $resourceMap -}}
 {{- end -}}
 
+{{/*
+Turns a plural(resourceName) into a singular(resourceName)
+*/}}
 {{- define "chart.k8sResourceSingular" -}}
 {{- $resource := . -}}
 {{- if eq $resource "endpoints" -}}
@@ -161,6 +164,9 @@ Helpers for kubernetes
 {{- end -}}
 {{- end -}}
 
+{{/*
+Returns the kubernetes apiGroup for the plural(resourceName)
+*/}}
 {{- define "chart.k8sApiGroup" -}}
 {{- $bundle := . -}}
 {{- if eq $bundle "apiextensions" -}}
@@ -172,6 +178,9 @@ apiextensions.k8s.io
 {{- end -}}
 {{- end -}}
 
+{{/*
+Transform a list of actions into the list of k8s verbs that are required to perform those actions
+*/}}
 {{- define "chart.k8sVerbs" -}}
 {{- $actions := . -}}
 {{- $allVerbs := list -}}
@@ -185,4 +194,4 @@ apiextensions.k8s.io
   {{- end -}}
 {{- end -}}
 {{- $allVerbs | toJson -}}
-{{- end -}}
+{{- end -}}
diff --git a/charts/private-action-runner/values.yaml b/charts/private-action-runner/values.yaml
@@ -29,7 +29,7 @@ runners:
       port: 9016
       # -- List of actions that the Datadog Private Action Runner is allowed to execute
       actionsAllowlist: []
-    # -- List of kubernetes actions to enable and for which to provide permissions (use either this or kubernetesPermissions and config.actionsAllowlist)
+    # -- Add Kubernetes actions to the `config.actionsAllowlist` and corresponding permissions for the service account
     kubernetesActions:
       # -- Actions related to controllerRevisions (options: "get", "list", "create", "update", "patch", "delete", "deleteMultiple")
       controllerRevisions: []
@@ -77,7 +77,7 @@ runners:
       jobs: []
       # -- Actions related to customObjects (options: "get", "list", "create", "update", "patch", "delete", "deleteMultiple"). You also need to add appropriate `kubernetesPermissions`.
       customObjects: []
-    # -- List of Kubernetes permissions for the Datadog Private Action Runner (use either this or kubernetesActions except for customObjects)
+    # -- Kubernetes permissions to provide in addition to the one that will be inferred from `kubernetesActions` (useful for customObjects)
     kubernetesPermissions: []
 
 # see examples/values.yaml for credential keys

diff --git a/test/private-action-runner/baseline_test.go b/test/private-action-runner/baseline_test.go
@@ -35,8 +35,9 @@ func Test_baseline_manifests(t *testing.T) {
 				Values:      []string{"../../charts/private-action-runner/values.yaml"},
 				Overrides: map[string]string{
 					"runners[0].kubernetesActions.controllerRevisions": "{get,list,create,update,patch,delete,deleteMultiple}",
-					"runners[0].kubernetesActions.deployments":         "{restart}",
 					"runners[0].kubernetesActions.customObjects":       "{deleteMultiple}",
+					"runners[0].kubernetesActions.deployments":         "{restart}",
+					"runners[0].kubernetesActions.endpoints":           "{patch}",
 					"runners[0].kubernetesPermissions[0].apiGroups":    "{example.com}",
 					"runners[0].kubernetesPermissions[0].resources":    "{tests}",
 					"runners[0].kubernetesPermissions[0].verbs":        "{list,get,create,patch,update,delete}",