feat: Tiltfile install Roles with rules defined in the controller.

Updates the Tiltfile to change the Roles and ClusterRoles defined in the Helm charts to use the rules defined in the RBAC defined in the local directory. Therefore, when permissions are added,changed or removed, there is no need to copy the content to the Helm chart directory. Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
kubewarden · Apr 8, 2024 · aa6b27d · aa6b27d
1 parent 6fc4d45
commit aa6b27d
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 21 deletions.
diff --git a/Tiltfile b/Tiltfile
@@ -21,6 +21,23 @@ namespace_create('kubewarden')
 # Install CRDs
 crd = kustomize('config/crd')
 k8s_yaml(crd)
+roles = decode_yaml_stream(kustomize('config/rbac'))
+cluster_rules = []
+namespace_rules = []
+roles_rules_mapping = {
+ "ClusterRole": {},
+ "Role": {},
+}
+
+for role in roles:
+ if role.get('kind') == 'ClusterRole':
+ roles_rules_mapping["ClusterRole"][role.get('metadata').get('name')] = role.get('rules')
+ elif role.get('kind') == 'Role':
+ roles_rules_mapping["Role"][role.get('metadata').get('name')] = role.get('rules')
+
+if len(roles_rules_mapping["ClusterRole"]) == 0 or len(roles_rules_mapping["Role"]) == 0:
+ fail("Failed to load cluster and namespace roles")
+
 
 # Install kubewarden-controller helm chart
 install = helm(
@@ -38,7 +55,16 @@ for o in objects:
  o['spec']['template']['spec']['securityContext']['runAsNonRoot'] = False
  # Disable the leader election to speed up the startup time.
  o['spec']['template']['spec']['containers'][0]['args'].remove('--leader-elect')
- break
+
+ # Update the cluster and namespace roles used by the controller. This ensures
+ # that always we have the latest roles applied to the cluster.
+ if o.get('kind') == 'ClusterRole' and o.get('metadata').get('name') == 'kubewarden-controller-manager-cluster-role':
+ o['rules'] = roles_rules_mapping["ClusterRole"]["manager-role"]
+ if o.get('kind') == 'Role' and o.get('metadata').get('name') == 'kubewarden-controller-manager-namespaced-role':
+ o['rules'] = roles_rules_mapping["Role"]["manager-role"]
+ if o.get('kind') == 'Role' and o.get('metadata').get('name') == 'kubewarden-controller-leader-election-role':
+ o['rules'] = roles_rules_mapping["Role"]["leader-election-role"]
+
 updated_install = encode_yaml_stream(objects)
 k8s_yaml(updated_install)
 

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -119,15 +119,6 @@ rules:
  - patch
  - update
  - watch
-- apiGroups:
- - apps
- resources:
- - deployments
- - replicasets
- verbs:
- - get
- - list
- - watch
 - apiGroups:
  - apps
  resources:

diff --git a/controllers/admissionpolicy_controller.go b/controllers/admissionpolicy_controller.go
@@ -46,11 +46,8 @@ import (
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/finalizers,verbs=update
 //
-// We need access to these resources only inside of the namespace where the
-// controller is deployed. Here we assume it's being deployed inside of the
-// `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets;deployments,verbs=get;list;watch
+// Some RBAC rules needed to access some resources used here are defined in the
+// policyserver_controller.go file.
 
 // AdmissionPolicyReconciler reconciles an AdmissionPolicy object
 type AdmissionPolicyReconciler struct {

diff --git a/controllers/clusteradmissionpolicy_controller.go b/controllers/clusteradmissionpolicy_controller.go
@@ -45,12 +45,9 @@ import (
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies,verbs=get;list;watch;delete
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/finalizers,verbs=update
-//
-// We need access to these resources only inside of the namespace where the
-// controller is deployed. Here we assume it's being deployed inside of the
-// `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets;deployments,verbs=get;list;watch
+
+// Some RBAC rules needed to access some resources used here are defined in the
+// policyserver_controller.go file.
 
 // ClusterAdmissionPolicyReconciler reconciles a ClusterAdmissionPolicy object
 type ClusterAdmissionPolicyReconciler struct {