From 706e472f661dcd6066b92c146a61463098c41e8a Mon Sep 17 00:00:00 2001 From: Floppy Disk Date: Fri, 6 Dec 2024 13:43:19 +0300 Subject: [PATCH 1/4] add cozystack-cluster-admin --- .../templates/configure-kk.yaml | 13 +++++++++++++ .../templates/rolebinding.yaml | 16 ++++++++++++++++ .../keycloak-configure/templates/roles.yaml | 15 +++++++++++++++ 3 files changed, 44 insertions(+) create mode 100644 packages/system/keycloak-configure/templates/roles.yaml diff --git a/packages/system/keycloak-configure/templates/configure-kk.yaml b/packages/system/keycloak-configure/templates/configure-kk.yaml index f9c19b27..5ec8e0ae 100644 --- a/packages/system/keycloak-configure/templates/configure-kk.yaml +++ b/packages/system/keycloak-configure/templates/configure-kk.yaml @@ -225,3 +225,16 @@ spec: realmRef: name: keycloakrealm-cozy kind: ClusterKeycloakRealm + +--- + +apiVersion: v1.edp.epam.com/v1 +kind: KeycloakRealmGroup +metadata: + name: cozystack-cluster-admin + namespace: cozy-dashboard +spec: + name: cozystack-cluster-admin + realmRef: + name: keycloakrealm-cozy + kind: ClusterKeycloakRealm diff --git a/packages/system/keycloak-configure/templates/rolebinding.yaml b/packages/system/keycloak-configure/templates/rolebinding.yaml index 83272889..53d606a7 100644 --- a/packages/system/keycloak-configure/templates/rolebinding.yaml +++ b/packages/system/keycloak-configure/templates/rolebinding.yaml @@ -11,3 +11,19 @@ subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: kubeapps-admin + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cozystack-cluster-admin-group + namespace: cozy-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cozystack-cluster-admin +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: cozystack-cluster-admin 
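Review bot: Membership of a single Keycloak group becomes full control of the cluster here. The ClusterRoleBinding `cozystack-cluster-admin-group` in rolebinding.yaml binds the group `cozystack-cluster-admin` to a ClusterRole that roles.yaml in this same patch defines as `*` on all apiGroups, resources and nonResourceURLs, which is the rule set of the built-in `cluster-admin`. The group presumably reaches the API server through the token's groups claim from the realm `keycloakrealm-cozy`, so anyone who can edit groups or memberships in that realm can grant cluster-wide admin. That trust relationship deserves a comment above the binding, for example `# Members of this Keycloak group get unrestricted cluster access; restrict who can manage groups in the realm.` Unless a separate role object is needed for a reason not visible here, `roleRef.name: cluster-admin` would avoid a second wildcard role to audit.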
diff --git a/packages/system/keycloak-configure/templates/roles.yaml b/packages/system/keycloak-configure/templates/roles.yaml new file mode 100644 index 00000000..8b35215e --- /dev/null +++ b/packages/system/keycloak-configure/templates/roles.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cozystack-cluster-admin +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +- nonResourceURLs: + - '*' + verbs: + - '*' From cfdff1b5d27be53d6b83809624919f6a90f6736f Mon Sep 17 00:00:00 2001 From: Floppy Disk Date: Fri, 6 Dec 2024 15:31:14 +0300 Subject: [PATCH 2/4] kubeapps-admin role --- .../templates/rolebinding.yaml | 18 +++++++- .../keycloak-configure/templates/roles.yaml | 42 +++++++++++++++++++ 2 files changed, 59 insertions(+), 1 deletion(-) diff --git a/packages/system/keycloak-configure/templates/rolebinding.yaml b/packages/system/keycloak-configure/templates/rolebinding.yaml index 53d606a7..a5ea3d46 100644 --- a/packages/system/keycloak-configure/templates/rolebinding.yaml +++ b/packages/system/keycloak-configure/templates/rolebinding.yaml @@ -6,7 +6,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: admin + name: kubeapps-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group @@ -14,6 +14,22 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubeapps-admin + namespace: cozy-public +subjects: +- kind: Group + name: kubeapps-admin + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: kubeapps-admin + apiGroup: rbac.authorization.k8s.io + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/packages/system/keycloak-configure/templates/roles.yaml b/packages/system/keycloak-configure/templates/roles.yaml index 8b35215e..ef6ae19c 100644 --- a/packages/system/keycloak-configure/templates/roles.yaml 
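Review bot: The first rolebinding.yaml hunk of PATCH 2/4 changes `roleRef.name` from `admin` to `kubeapps-admin`, but Kubernetes treats `roleRef` as immutable on an existing RoleBinding or ClusterRoleBinding. On a cluster that already has this binding, the API server rejects the update rather than applying it. The old binding to `admin` would then stay in effect, so the apparently narrower `kubeapps-admin` grant would not replace it. Giving the binding a new `metadata.name` so the old object is removed, or documenting a delete-and-recreate step for upgrades, avoids that. The binding's kind and name sit above the hunk, so whether released versions already ship it should be confirmed.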
+++ b/packages/system/keycloak-configure/templates/roles.yaml @@ -1,3 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeapps-admin +rules: +- apiGroups: [""] + resources: + - "*" + verbs: + - get + - list + - watch +- apiGroups: ["apps.cozystack.io"] + resources: + - '*' + verbs: + - '*' +- apiGroups: ["helm.toolkit.fluxcd.io"] + resources: + - helmreleases + verbs: + - '*' +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kubeapps-admin + namespace: cozy-public +rules: + - apiGroups: ["source.toolkit.fluxcd.io"] + resources: ["helmrepositories"] + verbs: + - get + - list + - apiGroups: ["source.toolkit.fluxcd.io"] + resources: + - helmcharts + verbs: ["*"] + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: From 20d9999bf008ed7af0932abbf1656c642727f594 Mon Sep 17 00:00:00 2001 From: klinch0 <68821526+klinch0@users.noreply.github.com> Date: Mon, 9 Dec 2024 16:49:15 +0300 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: Andrei Kvapil --- packages/system/keycloak-configure/templates/configure-kk.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/system/keycloak-configure/templates/configure-kk.yaml b/packages/system/keycloak-configure/templates/configure-kk.yaml index 5ec8e0ae..9be7c588 100644 --- a/packages/system/keycloak-configure/templates/configure-kk.yaml +++ b/packages/system/keycloak-configure/templates/configure-kk.yaml @@ -232,7 +232,7 @@ apiVersion: v1.edp.epam.com/v1 kind: KeycloakRealmGroup metadata: name: cozystack-cluster-admin - namespace: cozy-dashboard + namespace: cozy-system spec: name: cozystack-cluster-admin realmRef: From 731fb0d886fc5db281b103000af684c49228232b Mon Sep 17 00:00:00 2001 
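Review bot: The first rule of the `kubeapps-admin` ClusterRole, `apiGroups: [""]` with `resources: "*"` and get/list/watch, covers `secrets`, so every subject bound to it can read all Secrets in the binding's scope, service-account tokens and stored credentials included. The kind of the binding that references this role is not visible in these hunks; if it is cluster-wide, the rule should enumerate the resources the dashboard actually needs instead of `"*"`, or carry a comment such as `# includes secrets: read access to every Secret in scope of the binding`. The `'*'` verbs on `helmreleases` merit the same look, since a HelmRelease is typically reconciled with the Flux controller's own permissions unless a service account is enforced. As a style point, quoting and list layout are mixed within the new file (`"*"` next to `'*'`, flow next to block sequences, flush next to indented list items).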
From: klinch0 <68821526+klinch0@users.noreply.github.com> Date: Mon, 9 Dec 2024 16:50:22 +0300 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Andrei Kvapil --- packages/system/keycloak-configure/templates/rolebinding.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/system/keycloak-configure/templates/rolebinding.yaml b/packages/system/keycloak-configure/templates/rolebinding.yaml index a5ea3d46..a201cf1b 100644 --- a/packages/system/keycloak-configure/templates/rolebinding.yaml +++ b/packages/system/keycloak-configure/templates/rolebinding.yaml @@ -34,7 +34,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cozystack-cluster-admin-group - namespace: cozy-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole