feat: Tiltfile install Roles with rules defined in the controller.
Updates the Tiltfile so that the Roles and ClusterRoles defined in the
Helm charts use the rules from the RBAC configuration in the local
directory. Therefore, when permissions are added, changed or removed,
there is no need to copy the content to the Helm chart directory.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
jvanz committed Apr 8, 2024
1 parent 6fc4d45 commit aa6b27d
Showing 4 changed files with 32 additions and 21 deletions.
28 changes: 27 additions & 1 deletion Tiltfile
Expand Up @@ -21,6 +21,23 @@ namespace_create('kubewarden')
# Install CRDs
crd = kustomize('config/crd')
k8s_yaml(crd)
roles = decode_yaml_stream(kustomize('config/rbac'))
cluster_rules = []
namespace_rules = []
roles_rules_mapping = {
"ClusterRole": {},
"Role": {},
}

for role in roles:
if role.get('kind') == 'ClusterRole':
roles_rules_mapping["ClusterRole"][role.get('metadata').get('name')] = role.get('rules')
elif role.get('kind') == 'Role':
roles_rules_mapping["Role"][role.get('metadata').get('name')] = role.get('rules')

if len(roles_rules_mapping["ClusterRole"]) == 0 or len(roles_rules_mapping["Role"]) == 0:
fail("Failed to load cluster and namespace roles")


# Install kubewarden-controller helm chart
install = helm(
Expand All @@ -38,7 +55,16 @@ for o in objects:
o['spec']['template']['spec']['securityContext']['runAsNonRoot'] = False
# Disable the leader election to speed up the startup time.
o['spec']['template']['spec']['containers'][0]['args'].remove('--leader-elect')
break

# Update the cluster and namespace roles used by the controller. This ensures
# that always we have the latest roles applied to the cluster.
if o.get('kind') == 'ClusterRole' and o.get('metadata').get('name') == 'kubewarden-controller-manager-cluster-role':
o['rules'] = roles_rules_mapping["ClusterRole"]["manager-role"]
if o.get('kind') == 'Role' and o.get('metadata').get('name') == 'kubewarden-controller-manager-namespaced-role':
o['rules'] = roles_rules_mapping["Role"]["manager-role"]
if o.get('kind') == 'Role' and o.get('metadata').get('name') == 'kubewarden-controller-leader-election-role':
o['rules'] = roles_rules_mapping["Role"]["leader-election-role"]

updated_install = encode_yaml_stream(objects)
k8s_yaml(updated_install)

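Review bot: The lookups `roles_rules_mapping["ClusterRole"]["manager-role"]`, `roles_rules_mapping["Role"]["manager-role"]` and `roles_rules_mapping["Role"]["leader-election-role"]` in the second hunk assume those exact names exist in the kustomize output, but the guard in the first hunk only checks that each map is non-empty, so a renamed or missing role in config/rbac fails with an opaque key error in the middle of the object loop instead of the intended `fail(...)` message. Replace the length check with a check of each name that is used later, e.g. `if "manager-role" not in roles_rules_mapping["ClusterRole"]: fail("config/rbac does not define ClusterRole manager-role")`, and the same for the two Role names. The `for o in objects:` loop that the second hunk patches starts outside the hunk; the role substitutions only run for every object if the `break` after the Deployment branch is the line this section deletes, which the rendered diff does not make explicit, so that is worth confirming. A short comment above the three `if` lines naming which local role each chart role is mirrored from would also help, since the mapping between `manager-role` and the two `kubewarden-controller-manager-*` chart roles is otherwise implicit.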
9 changes: 0 additions & 9 deletions config/rbac/role.yaml
Expand Up @@ -119,15 +119,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
7 changes: 2 additions & 5 deletions controllers/admissionpolicy_controller.go
Expand Up @@ -46,11 +46,8 @@ import (
//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/finalizers,verbs=update
//
// We need access to these resources only inside of the namespace where the
// controller is deployed. Here we assume it's being deployed inside of the
// `kubewarden` namespace, this has to be parametrized in the helm chart
//+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets;deployments,verbs=get;list;watch
// Some RBAC rules needed to access some resources used here are defined in the
// policyserver_controller.go file.

// AdmissionPolicyReconciler reconciles an AdmissionPolicy object
type AdmissionPolicyReconciler struct {
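Review bot: The replacement comment "Some RBAC rules needed to access some resources used here are defined in the policyserver_controller.go file" does not say which resources or verbs this reconciler depends on, so a later edit to policyserver_controller.go's markers can silently remove a permission this file needs without anything pointing back here. The markers being removed covered pods, deployments and replicasets (get;list;watch) in the controller namespace, and the role.yaml hunk in this commit drops the apps deployments/replicasets read rule, so whether those reads remain covered now depends on markers outside this diff. I would name them explicitly, e.g. `// The namespaced RBAC for the pods, deployments and replicasets this reconciler reads is declared by the kubebuilder markers in policyserver_controller.go; keep both files in sync when these reads change.` — adjusting the resource list if this reconciler no longer reads some of them. The same comment replaces the same markers in controllers/clusteradmissionpolicy_controller.go and should be made specific there too. The `AdmissionPolicyReconciler` struct that follows the comment continues outside the hunk.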
9 changes: 3 additions & 6 deletions controllers/clusteradmissionpolicy_controller.go
Expand Up @@ -45,12 +45,9 @@ import (
//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies,verbs=get;list;watch;delete
//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/finalizers,verbs=update
//
// We need access to these resources only inside of the namespace where the
// controller is deployed. Here we assume it's being deployed inside of the
// `kubewarden` namespace, this has to be parametrized in the helm chart
//+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets;deployments,verbs=get;list;watch

// Some RBAC rules needed to access some resources used here are defined in the
// policyserver_controller.go file.

// ClusterAdmissionPolicyReconciler reconciles a ClusterAdmissionPolicy object
type ClusterAdmissionPolicyReconciler struct {
