Merge pull request #113 from vshn/add/services_read_permission

Add instance namespace permissions

component/main.jsonnet

@@ -50,7 +50,23 @@ local finalizerRole = kube.ClusterRole('crossplane:appcat:finalizer') {
 
 };
 
+local readServices = kube.ClusterRole('appcat:services:read') + {
+  rules+: [
+    {
+      apiGroups: [ '' ],
+      resources: [ 'pods', 'pods/log', 'pods/status', 'events', 'services' ],
+      verbs: [ 'get', 'list', 'watch' ],
+    },
+    {
+      apiGroups: [ '' ],
+      resources: [ 'pods/portforward' ],
+      verbs: [ 'get', 'list', 'create' ],
+    },
+  ],
+};
+
 {
   '10_clusterrole_view': xrdBrowseRole,
   [if isOpenshift then '10_clusterrole_finalizer']: finalizerRole,
+  '10_clusterrole_services_read': readServices,
 }

component/provider.jsonnet

@@ -130,7 +130,7 @@ local controllerConfigRef(config) =
         },
         {
           apiGroups: [ '' ],
-          resources: [ 'namespaces', 'serviceaccounts', 'secrets' ],
+          resources: [ 'namespaces', 'serviceaccounts', 'secrets', 'pods', 'pods/log', 'pods/portforward', 'pods/status' ],
           verbs: [ 'get', 'list', 'watch', 'create', 'watch', 'patch', 'update', 'delete' ],
         },
         {

component/vshn_postgres.jsonnet

@@ -857,6 +857,7 @@ local composition(restore=false) =
       resources: [
                    namespaceObserve,
                    namespaceConditions,
+                   comp.NamespacePermissions('vshn-postgresql'),
                    localca,
                    certificate,
                  ] +

component/vshn_redis.jsonnet

@@ -372,6 +372,7 @@ local composition =
             comp.FromCompositeFieldPath('metadata.labels[appuio.io/organization]', 'spec.forProvider.manifest.metadata.labels[appuio.io/organization]'),
           ],
         },
+        comp.NamespacePermissions('vshn-redis'),
         {
           base: selfSignedIssuer,
           patches: [

lib/appcat-compositions.libsonnet

@@ -168,6 +168,46 @@ local kubeObject(apiVersion, kind) = {
   },
 };
 
+local namespacePermissions(namespacePrefix) = {
+  base: {
+    apiVersion: 'kubernetes.crossplane.io/v1alpha1',
+    kind: 'Object',
+    spec: {
+      providerConfigRef: {
+        name: 'kubernetes',
+      },
+      forProvider: {
+        manifest: {
+          apiVersion: 'rbac.authorization.k8s.io/v1',
+          kind: 'RoleBinding',
+          metadata: {
+            name: 'appcat:services:read',
+          },
+          roleRef: {
+            apiGroup: 'rbac.authorization.k8s.io',
+            kind: 'ClusterRole',
+            name: 'appcat:services:read',
+          },
+          subjects: [
+            {
+              apiGroup: 'rbac.authorization.k8s.io',
+              kind: 'Group',
+              // This name will be patched on APPUiO, on kind the labels don't exist
+              // so we use some dummy value.
+              name: 'organization',
+            },
+          ],
+        },
+      },
+    },
+  },
+  patches: [
+    fromCompositeFieldPathWithTransformSuffix('metadata.labels[crossplane.io/composite]', 'metadata.name', 'service-rolebinding'),
+    fromCompositeFieldPath(from='metadata.labels[appuio.io/organization]', to='spec.forProvider.manifest.subjects[0].name'),
+    fromCompositeFieldPathWithTransformPrefix('metadata.labels[crossplane.io/composite]', 'spec.forProvider.manifest.metadata.namespace', namespacePrefix),
+  ],
+};
+
 {
   CommonResource(name):
     assert std.objectHas(commonResources, name) : "common resources set '%s' doesn't exist" % name;
@@ -190,6 +230,8 @@ local kubeObject(apiVersion, kind) = {
     compositeRef(xrd, version=version),
   KubeObject(apiVersion, kind):
     kubeObject(apiVersion, kind),
+  NamespacePermissions(namespacePrefix):
+    namespacePermissions(namespacePrefix),
   conn: {
     FromSecretKey(name, from=name):
       connFromSecretKey(name, from=name),

tests/golden/apiserver/appcat/appcat/10_clusterrole_services_read.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: appcat-services-read
+  name: appcat:services:read
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - pods/log
+      - pods/status
+      - events
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - pods/portforward
+    verbs:
+      - get
+      - list
+      - create

tests/golden/cloudscale/appcat/appcat/10_clusterrole_services_read.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: appcat-services-read
+  name: appcat:services:read
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - pods/log
+      - pods/status
+      - events
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - pods/portforward
+    verbs:
+      - get
+      - list
+      - create

tests/golden/cloudscale/appcat/appcat/10_provider_kubernetes.yaml

@@ -82,6 +82,10 @@ rules:
       - namespaces
       - serviceaccounts
       - secrets
+      - pods
+      - pods/log
+      - pods/portforward
+      - pods/status
     verbs:
       - get
       - list

tests/golden/defaults/appcat/appcat/10_clusterrole_services_read.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: appcat-services-read
+  name: appcat:services:read
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - pods/log
+      - pods/status
+      - events
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - pods/portforward
+    verbs:
+      - get
+      - list
+      - create

tests/golden/exoscale/appcat/appcat/10_clusterrole_services_read.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: appcat-services-read
+  name: appcat:services:read
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - pods/log
+      - pods/status
+      - events
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - pods/portforward
+    verbs:
+      - get
+      - list
+      - create

tests/golden/exoscale/appcat/appcat/10_provider_kubernetes.yaml

@@ -82,6 +82,10 @@ rules:
       - namespaces
       - serviceaccounts
       - secrets
+      - pods
+      - pods/log
+      - pods/portforward
+      - pods/status
     verbs:
       - get
       - list

tests/golden/openshift/appcat/appcat/10_clusterrole_services_read.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: appcat-services-read
+  name: appcat:services:read
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - pods/log
+      - pods/status
+      - events
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - pods/portforward
+    verbs:
+      - get
+      - list
+      - create

tests/golden/openshift/appcat/appcat/10_provider_kubernetes.yaml

@@ -84,6 +84,10 @@ rules:
       - namespaces
       - serviceaccounts
       - secrets
+      - pods
+      - pods/log
+      - pods/portforward
+      - pods/status
     verbs:
       - get
       - list

tests/golden/vshn/appcat/appcat/10_clusterrole_services_read.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: appcat-services-read
+  name: appcat:services:read
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - pods/log
+      - pods/status
+      - events
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - pods/portforward
+    verbs:
+      - get
+      - list
+      - create

tests/golden/vshn/appcat/appcat/10_provider_kubernetes.yaml

@@ -82,6 +82,10 @@ rules:
       - namespaces
       - serviceaccounts
       - secrets
+      - pods
+      - pods/log
+      - pods/portforward
+      - pods/status
     verbs:
       - get
       - list

tests/golden/vshn/appcat/appcat/21_composition_vshn_postgres.yaml

@@ -89,6 +89,46 @@ spec:
         - fromFieldPath: metadata.labels[appuio.io/organization]
           toFieldPath: spec.forProvider.manifest.metadata.labels[appuio.io/organization]
           type: FromCompositeFieldPath
+    - base:
+        apiVersion: kubernetes.crossplane.io/v1alpha1
+        kind: Object
+        spec:
+          forProvider:
+            manifest:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: RoleBinding
+              metadata:
+                name: appcat:services:read
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: ClusterRole
+                name: appcat:services:read
+              subjects:
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: Group
+                  name: organization
+          providerConfigRef:
+            name: kubernetes
+      patches:
+        - fromFieldPath: metadata.labels[crossplane.io/composite]
+          toFieldPath: metadata.name
+          transforms:
+            - string:
+                fmt: '%s-service-rolebinding'
+                type: Format
+              type: string
+          type: FromCompositeFieldPath
+        - fromFieldPath: metadata.labels[appuio.io/organization]
+          toFieldPath: spec.forProvider.manifest.subjects[0].name
+          type: FromCompositeFieldPath
+        - fromFieldPath: metadata.labels[crossplane.io/composite]
+          toFieldPath: spec.forProvider.manifest.metadata.namespace
+          transforms:
+            - string:
+                fmt: vshn-postgresql-%s
+                type: Format
+              type: string
+          type: FromCompositeFieldPath
     - base:
         apiVersion: kubernetes.crossplane.io/v1alpha1
         kind: Object