feat(vault config): set up access for users to access KVs through OIDC.

.gitignore

@@ -1,3 +1,4 @@
 vendor
 kubeflow-controller
 .DS_Store
+/.idea/

README.md

@@ -66,7 +66,9 @@ populate the `vendor` directory.
 
 ## Purpose
 
-This is an example of how to build a kube-like controller with a single type controlling kubeflow.
+This controller updates the state of Vault to allow access to secrets from OIDC users and from inside a profile's namespace.
+
+![Example object diagram](docs/images/kubeflow-controller.svg)
 
 ## Running
 

controller.go

@@ -22,7 +22,6 @@ import (
 	"reflect"
 	"time"
 
-	vault "github.com/hashicorp/vault/api"
 	v1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -89,9 +88,7 @@ type Controller struct {
 
 	dockerConfigJSON []byte
 
-	vaultClient        *vault.Client
-	minioInstances     []string
-	kubernetesAuthPath string
+	vaultConfigurer VaultConfigurer
 
 	// workqueue is a rate limited work queue. This is used to queue work to be
 	// processed instead of performing it as soon as a change happens. This
@@ -114,7 +111,7 @@ func NewController(
 	roleBindingInformer rbacv1informers.RoleBindingInformer,
 	profileInformer informers.ProfileInformer,
 	dockerConfigJSON []byte,
-	vaultClient *vault.Client, minioInstances []string, kubernetesAuthPath string) *Controller {
+	vaultConfigurer VaultConfigurer) *Controller {
 
 	// Create event broadcaster
 	// Add kubeflow-controller types to the default Kubernetes Scheme so Events can be
@@ -140,9 +137,7 @@ func NewController(
 		profilesLister:       profileInformer.Lister(),
 		profilesSynced:       profileInformer.Informer().HasSynced,
 		dockerConfigJSON:     dockerConfigJSON,
-		vaultClient:          vaultClient,
-		minioInstances:       minioInstances,
-		kubernetesAuthPath:   kubernetesAuthPath,
+		vaultConfigurer:      vaultConfigurer,
 		workqueue:            workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "Profiles"),
 		recorder:             recorder,
 	}
@@ -517,7 +512,26 @@ func (c *Controller) syncHandler(key string) error {
 	}
 
 	// Configure vault
-	err = doVaultConfiguration(c.vaultClient, profile.Name, c.minioInstances, c.kubernetesAuthPath)
+	//Get users that have access to the namespace
+	roleBindingsList, err := c.kubeclientset.RbacV1beta1().ClusterRoleBindings().List(context.TODO(), metav1.ListOptions{
+		FieldSelector: "metadata.namespace=" + profile.Name,
+	})
+	if err != nil {
+		return err
+	}
+
+	users := make([]string, 0)
+	for _, currentRoleBinding := range roleBindingsList.Items {
+		if currentRoleBinding.RoleRef.Name == "kubeflow-edit" {
+			for _, subject := range currentRoleBinding.Subjects {
+				if subject.Kind == "User" {
+					users = append(users, subject.Name)
+				}
+			}
+		}
+	}
+
+	err = c.vaultConfigurer.ConfigVaultForProfile(profile.Name, profile.Spec.Owner.Name, users)
 
 	// If an error occurs during Update, we'll requeue the item so we can
 	// attempt processing again later. This could have been caused by a

docs/images/kubeflow-controller.drawio

@@ -0,0 +1 @@
+<mxfile host="app.diagrams.net" modified="2020-05-21T14:06:48.491Z" agent="5.0 (Windows)" etag="mBREqsnoY0GnJDBDHRGY" version="13.1.1" type="device"><diagram name="Page-1" id="5f0bae14-7c28-e335-631c-24af17079c00">7V1Zc6O4Fv41fpmqUFpYH7N0uufe2zNdk+pZnqZom9hMMOQC7sT960fYCKMFIxbZOJU8dAchCTjnO6uOlBm+Xb9+TP3n1edkEUQzBBavM3w3QwiayCT/FS3bfYtjgn3DMg0XZadDw0P4IygbabdNuAgypmOeJFEePrON8ySOg3nOtPlpmryw3R6TiH3qs78MhIaHuR+JrX+Ei3xVtkIADjc+BeFyVT7atcob3/z50zJNNnH5vBnCj7uf/e21T+cq+2crf5G81Jrwhxm+TZMk3/+2fr0NooK2lGz7cfcNd6v3ToM4Vxng++byP/bms588ZfjT3XbxZ/Lpqpzlux9tAvoZu5fNt5RAu08MiknADN+8rMI8eHj258XdFwIJ0rbK1xG5guTXLE+Tp4qQmLSIr0mfGaR58FprKl/7Y5Csgzzdki7lXWSXGCshRin6cuAXNu1926rGKuSWHf0SI8tq6gOdyC8lqTqQDQlke3Kzq3m0yfIgFShIPjOXkek2iZKUtMRJTHrePIZRxDX5UbiMyeWcEI9MjG8KooUEvNfljXW4WBSPkfKF5dxjEucP5UtJwNOdKw7LFSxyBTpAwhVdTLG6YBl2xTIaCcsuSzVbpBryJFiGWBfZbIFsX9KEYJEo5WkCeQwueLZhsXzwBD6Y1gnB60rAa0cFtRfh9+KBJZ1I6/83hcm4iYLH/HBFfluW/+9GfaMNv/jrgDaSN6vaZ/iaTPs1C1JYjUkbZ/n1JS4UW9M0m900JshXYbw0wkRhxuLJWeOMTcNJxx092NZuJCpeFpGX3SBj7qs/aogqoa+2eyFNCHZFBFdOTB3CHtQEYShaRYZBvQGKFLjfD7e9gPaGUFR575PBEG7EEAOYbEekNrU2xJPVYOurmKdOXiQhr6PLykCZj9SPvAMDhTHACydHXq+LCzqVcApbIt1sT0Y3S1s8BboQrrPvXrQs/GxVjR6Dig5vgLEriUsBNiRuJLS1UVKM6JnQFPibfEW+mvjeeZjEApWn4eKPHatiTlVgTxJ2yVSFNn+fAvy4s/S7v4lyRVfibXIOeRznJAGzeVLGmccZ1z9S+y2JjthcvTHR8z7kv9rU48ExJtb72s3Oy9VNGC9awssx3qAlgJ62+49c3oaZyJL4UI7UhgFLl4h1cqO6U05PYo9Lh1oSRYWBLLOnzR3FMq9qYECuGB131ScDlEXDV1zP50HWlmBqnfbp+9/cp9z/pDx4HcZFKuxeSozL0xV84loSbWGJJYZQG75FX/dLEoXzcLKpa91rMJYjMsWRam9t/hHWkAXsoXR65AynqnTQYKXTSIxpqRgTT07F0GXlGpGCxTKgMpyk+SpZJrEffTi0cjJ/6PO/JHkuifdPkOfbshiCROQJS9rgNcz/LIYTyd1f/VW7c/dazry72NKLmHxvbVBx+Vf93mHY7oqOa+RblmzSeXBM0stcbe6nyyBXUAkF5Y7iIA0iPw+/B8x7yHi6G3qdpv621uE5CeM8q838pWiowcvzWGWJAYeP/YwHtFSvNkAdNie030i4qKJp38PFWriI1D9y2vp5EsEifad3Dd2cq2rX0GASGhqbZ9DQtMxj+gDqDwS67tcOBDwJIJieywCBVvLpBcK7JmkGkKqvR1XOuTUJXao8JYBsWTUtX5Dy8x2ZHFxv8pUh9TdGsflVrmL8VU9WMD3JmidEsiynthDNkS3INBJRYdH9aLZ4pDV4h4WnLUkWV2vEdTJibQvHjlgacv1jkwYFWOc7QUXgLkyDeZ6UT3v76TWX45IkuybNR+irEhWLmk5pomoG6mCu2kwUY6AO9mp0E+XYiiYKTsPHsVlw0X0z92rdaXWyVoNGSVrTCWKl76j2agSh9Ti6qlaFadOsLr4UoR0gfI6q8FmTED7MgsT1jgsf1x3j491NfmvMKeJYygJOWGs1yhOXVFfmBJ1WUhW2EAXx4rrYdljQIvKzLJxzcneIzRwmOIN9Ld94Bq1GWEtCV9rWTfREYWlAfzXFXpuUo46JEZQHcdVEe8oIE40lUR5qh0OvyKISIk1bzDgLKKvvlfFfn9/qKcRoxV7aZylN6m49UCdQtWfY/0afAY4TjncdJP6+ZcuCW20ayRt7U2OPUqjjHG2HZUlNiR+GZPtDbcugBWDjk1N0aD8WsLvQepGhnKF3bcP1LKuoYHeB5TmMEHiGCaFjmw6wXBdhCwpcxNhwPAhM03FsCOnjGflwjWIo8uhUWBd/RR+obZ2uZJNaRexpVuyO+Fgjcdw1Km4B5LlsDSi5yzDLMgWWQ+ARjoIDaiRKETvGATVkNtpnfKZ33zurwnT01pgOsWVA24SVsF421ydQJDyaZcSGhdWso2UbpqOJpNVWzxpNP8R5mF9sQeUp1CUEFmciJ2Ihn9z17c1/b3743qcfCxN8ffz19u7qvLkoZo2zSj91WuNUC6O5ULgDKtqXQkGpaFrj8r03MiC1NVCaZeGrdB+77OiGC7Vx0KBV4VQ8kWkQL7b2I7FrpgE8USgLk2hq484lSuLQjNZQyVOtZ6JxwHhZ5oHM7r5psMlFlZ47caHCahIBs/YmFTimjUXBrZtE0SF1sWFj8q9FvVK5DMvcWg08nlAdmU7TehZ5dicmz2Ie6edFsas+L17iIU+KuolLdJh77M9GjNQ6lmhfXVcil9rO4ADOeeXQOYtlVV2o9VQXaqdSEuxCDl8mBxENS6kQuJeIIctGdRABwyN68ziQdldfgjQkJCtUy1B0uaroQpNAlwXYZHdbEU5Lf01olB6K1ejiTWYd0uaWb6Xn48jW97G2c4YgFB1xcYu3Zu+5OyG58hNTtpTmnrJQAh45SKwWiHwmlMszxSDlbfpHNmSjGpkQnPT8GghF31XccDx1EbAlpw2fWAQkJ2312xNId2w/BduseKej2w2/Rcn8qZggaL+jvoTZd1bUc9aGm2OgbrztjoLa9cTMvhRzUJ/wojNnDXs5pqxT2lYBzmr9GcIA3N+DgVvVgaJfWjkIEwt7LKvFMeVKl7r2N0/iyKIR6iub4VGLhJBrs6AzrXEjIWF9qR1Z5y3KbAJI56JMm9u6ZJncRJqLMqvdZedRgbCu/zTtgdGiAZGyBrTH1oADTZ6spms0paEq4eeTW7ZMx+YXMFTl1uGicevExdS2GHaM6vBpSWHwWtORHeonPZHI0+UC2qI47Gp0tlck2vWzS63U6e6dA441ss2Z0vMWTY0VVLRy+Vz+ORp+iEDb2oNElxY/g6yTrZo3ropaJmKd7Jba015/80K1JEfhPLoNEYXG5+zPIrjMs4j45LLruIak8u60+8eqzeDT3+o5Ken3lKV/9Oh8mPTLapCHSn+vI9A61Aa9a42a1jj75nBIyxUvKJytdETvcHawylDeb05F9Mz5vGqNR3HDOd8fAuf4ABcNHOCeJANI0xDvaO+EdtWjTezR6+T6oZ07fautrILvT7z84wOcoQO8ssKnJ9rJ5eEP9+67H/46Mv7wLw==</diagram></mxfile>