salt, storage-operator: Limit allowed Salt states

Reduce to only state formulas in `metalk8s.volumes`.

Fixes: #1528

salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2

@@ -45,7 +45,9 @@ external_auth:
     storage-operator:
       - '*':
         - 'disk.dump'
-        - 'state.sls'
+        - 'state.sls':
+            kwargs:
+              mods: 'metalk8s\.volumes.*'
       - '@jobs'
 
 # `kubeconfig` file and `context` used by salt to interact with apiserver

tests/post/features/salt_api.feature

@@ -12,9 +12,10 @@ Feature: SaltAPI
     Scenario: Login to SaltAPI using a ServiceAccount
         Given the Kubernetes API is available
         When we login to SaltAPI with the ServiceAccount 'storage-operator'
-        Then we can invoke '["disk.dump", "state.sls"]' on '*'
+        Then we can invoke '["disk.dump", {"state.sls": {"kwargs": {"mods": r"metalk8s\.volumes.*"}}]' on '*'
         And we have '@jobs' perms
         And we can not ping all minions
+        And we can not run state 'test.nop' on '*'
 
     Scenario: Login to SaltAPI using an incorrect password
         Given the Kubernetes API is available

tests/post/steps/test_salt_api.py

@@ -97,6 +97,21 @@ def ping_all_minions(host, context, negated):
         assert result_data['return'][0] != []
 
 
+@then(parsers.parse(
+    "we can{negated:Negation} run state '{module}' on '{targets}'",
+    extra_types={'Negation': _negation}
+))
+def run_state_on_targets(host, context, negated, module, targets):
+    result = _salt_call(context, 'state.sls', tgt=targets,
+                        kwarg={'mods': module})
+
+    if negated:
+        assert result.status_code == 401
+        assert 'No permission' in result.text
+    else:
+        assert result.status_code == 200
+
+
 @then('authentication fails')
 def authentication_fails(host, context):
     assert context['salt-api']['login-status-code'] == 401