feat/fix(rbac): use generated RBAC in kustomize and helm, grant acces…

…s to leases (#1540)
grafana · May 20, 2024 · 3c6066b · 3c6066b
1 parent 5f32bb6
commit 3c6066b
Show file tree

Hide file tree

Showing 14 changed files with 121 additions and 604 deletions.
diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml
@@ -179,6 +179,12 @@ jobs:
             exit 1
           fi
 
+      - name: Check if overlays can be successfully built
+        run: |
+          for d in deploy/kustomize/overlays/*/ ; do
+            kustomize build "$d" --load-restrictor LoadRestrictionsNone > /dev/null
+          done
+
   trivy:
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -70,7 +70,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           for d in deploy/kustomize/overlays/*/ ; do
-               kustomize build "$d" > kustomize-$(basename "$d").yaml
+            kustomize build "$d" --load-restrictor LoadRestrictionsNone > kustomize-$(basename "$d").yaml
           done
           gh release upload "${{ github.ref_name }}" kustomize-*.yaml deploy/kustomize/base/crds.yaml
 

diff --git a/Makefile b/Makefile
@@ -99,6 +99,10 @@ manifests: yq controller-gen ## Generate WebhookConfiguration, ClusterRole and C
 	$(CONTROLLER_GEN) rbac:roleName=manager-role webhook paths="./..." crd:maxDescLen=0,generateEmbeddedObjectMeta=false output:crd:artifacts:config=deploy/helm/grafana-operator/crds
 	$(CONTROLLER_GEN) rbac:roleName=manager-role webhook paths="./..." crd output:crd:artifacts:config=config/
 	yq -i '(select(.kind == "Deployment") | .spec.template.spec.containers[0].env[] | select (.name == "RELATED_IMAGE_GRAFANA")).value="$(GRAFANA_IMAGE):$(GRAFANA_VERSION)"' config/manager/manager.yaml
+	# Sync role definitions to helm chart
+	mkdir -p deploy/helm/grafana-operator/files
+	cat config/rbac/role.yaml | yq -r 'del(.rules[] | select (.apiGroups | contains(["route.openshift.io"])))' > deploy/helm/grafana-operator/files/rbac.yaml
+	cat config/rbac/role.yaml | yq -r 'del(.rules[] | select (.apiGroups | contains(["route.openshift.io"]) | not))'  > deploy/helm/grafana-operator/files/rbac-openshift.yaml
 
 .PHONY: kustomize-crd
 kustomize-crd: kustomize manifests

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -42,6 +42,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - grafana.integreatly.org
   resources:

diff --git a/controllers/controller_shared.go b/controllers/controller_shared.go
@@ -25,6 +25,8 @@ const (
 	conditionNoMatchingFolder   = "NoMatchingFolder"
 )
 
+//+kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete
+
 func GetMatchingInstances(ctx context.Context, k8sClient client.Client, labelSelector *v1.LabelSelector) (v1beta1.GrafanaList, error) {
 	if labelSelector == nil {
 		return v1beta1.GrafanaList{}, nil

diff --git a/deploy/helm/grafana-operator/files/rbac-openshift.yaml b/deploy/helm/grafana-operator/files/rbac-openshift.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-role
+rules:
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+      - routes/custom-host
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - update
+      - watch
diff --git a/...stomize/overlays/cluster_scoped/rbac.yaml → deploy/helm/grafana-operator/files/rbac.yaml b/...stomize/overlays/cluster_scoped/rbac.yaml → deploy/helm/grafana-operator/files/rbac.yaml
@@ -2,47 +2,38 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: grafana-operator-permissions
+  name: manager-role
 rules:
   - apiGroups:
       - ""
     resources:
       - configmaps
+      - persistentvolumeclaims
+      - secrets
+      - serviceaccounts
+      - services
     verbs:
-      - get
-      - list
-      - watch
       - create
-      - update
-      - patch
       - delete
-  - apiGroups:
-      - coordination.k8s.io
-    resources:
-      - leases
-    verbs:
       - get
       - list
-      - watch
-      - create
-      - update
       - patch
-      - delete
+      - update
+      - watch
   - apiGroups:
       - ""
     resources:
       - events
     verbs:
       - create
+      - get
+      - list
       - patch
+      - watch
   - apiGroups:
-      - ""
+      - apps
     resources:
-      - configmaps
-      - persistentvolumeclaims
-      - secrets
-      - serviceaccounts
-      - services
+      - deployments
     verbs:
       - create
       - delete
@@ -52,19 +43,21 @@ rules:
       - update
       - watch
   - apiGroups:
-      - ""
+      - coordination.k8s.io
     resources:
-      - events
+      - leases
     verbs:
       - create
+      - delete
       - get
       - list
       - patch
+      - update
       - watch
   - apiGroups:
-      - apps
+      - grafana.integreatly.org
     resources:
-      - deployments
+      - grafanaalertrulegroups
     verbs:
       - create
       - delete
@@ -76,7 +69,21 @@ rules:
   - apiGroups:
       - grafana.integreatly.org
     resources:
-      - grafanaalertrulegroups
+      - grafanaalertrulegroups/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - grafana.integreatly.org
+    resources:
+      - grafanaalertrulegroups/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - grafana.integreatly.org
+    resources:
+      - grafanacontactpoints
     verbs:
       - create
       - delete
@@ -88,13 +95,13 @@ rules:
   - apiGroups:
       - grafana.integreatly.org
     resources:
-      - grafanaalertrulegroups/finalizers
+      - grafanacontactpoints/finalizers
     verbs:
       - update
   - apiGroups:
       - grafana.integreatly.org
     resources:
-      - grafanaalertrulegroups/status
+      - grafanacontactpoints/status
     verbs:
       - get
       - patch
@@ -215,54 +222,3 @@ rules:
       - patch
       - update
       - watch
-  - apiGroups:
-      - route.openshift.io
-    resources:
-      - routes
-      - routes/custom-host
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - update
-      - watch
-  - apiGroups:
-      - grafana.integreatly.org
-    resources:
-      - grafanacontactpoints
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - grafana.integreatly.org
-    resources:
-      - grafanacontactpoints/finalizers
-    verbs:
-      - update
-  - apiGroups:
-      - grafana.integreatly.org
-    resources:
-      - grafanacontactpoints/status
-    verbs:
-      - get
-      - patch
-      - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: grafana-operator-permissions
-subjects:
-  - kind: ServiceAccount
-    name: grafana-operator-controller-manager
-    namespace: default
-roleRef:
-  kind: ClusterRole
-  name: grafana-operator-permissions
-  apiGroup: rbac.authorization.k8s.io