Add RBAC for tink-controller and tink-server #610

Merged
merged 1 commit into from
Apr 29, 2022

Contributor

@abhinavmpandey08 abhinavmpandey08 commented Apr 27, 2022

Description

This PR adds all deployment and RBAC manifests and kustomization.yamls for tink-controller and tink-server.

Why is this needed

This is needed to help users deploy the kubified tink services in their Kubernetes environment.
This is what the generated manifest looks like after running kustomize build config/default: https://gist.github.com/abhinavmpandey08/ed00314e4b738cacbad67ea9e345ec2a

How Has This Been Tested?

This has been tested by applying the manifests on a KinD cluster and verifying that tink-controller and tink-server both work as intended.

How are existing users impacted? What migration steps/scripts do we need?

No user impact

Checklist:

I have:

  • updated the documentation and/or roadmap (if required)
  • added unit or e2e tests
  • provided instructions on how to upgrade

Contributor

@micahhausler micahhausler left a comment

Thank you so much for this, awesome work! Just a few minor changes

config/crd/patches/cainjection_in_hardware.yaml (outdated, resolved)
config/crd/patches/webhook_in_hardware.yaml (outdated, resolved)
config/manager/manager.yaml (outdated, resolved)
Comment on lines 10 to 18
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
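
Review bot: the configmaps rule lists delete next to create, update and patch, so the subject can remove any ConfigMap the rule covers; unless a code path is shown to need it, drop `- delete`, and add a comment in the manifest naming the feature that needs the remaining write verbs so the grant can be audited later.
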
Contributor

Why are full config map permissions required in the namespace?

Contributor Author

This role is auto-generated by kubebuilder. I am not sure if all these permissions are really required during leader-election or not. Will check and update here

Contributor Author

Alright I just tested and looks like it needs all the permissions on cm except for delete
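
The verb set arrived at in this thread can be pinned with a small CI check so that regenerated roles do not silently regain verbs. This is an added example, not code from the PR or the Tinkerbell project; the allow-list, the `apiGroups` value and the function name `excess_verbs` are assumptions, and the rule is constructed from the excerpt above.

```python
# Added example: compare RBAC rules against an explicit verb allow-list.

# Constructed sample: the configmaps rule as first proposed in the PR.
# apiGroups is an assumption; the excerpt in the thread does not show it.
PROPOSED_RULES = [
    {
        "apiGroups": [""],
        "resources": ["configmaps"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }
]

# Hypothetical allow-list kept next to the manifests. It mirrors the
# result reported in the thread: every verb except delete.
ALLOWED = {
    "configmaps": {"get", "list", "watch", "create", "update", "patch"},
}


def excess_verbs(rules, allowed):
    """Return {resource: sorted verbs granted beyond the allow-list}.

    A "*" resource or verb is always reported, because a wildcard cannot
    be compared against a finite allow-list. Resources missing from the
    allow-list are treated as having no permitted verbs.
    """
    findings = {}
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        for resource in rule.get("resources", []):
            if resource == "*" or "*" in verbs:
                findings.setdefault(resource, set()).add("*")
                continue
            extra = verbs - allowed.get(resource, set())
            if extra:
                findings.setdefault(resource, set()).update(extra)
    return {res: sorted(v) for res, v in findings.items()}


if __name__ == "__main__":
    for resource, verbs in excess_verbs(PROPOSED_RULES, ALLOWED).items():
        print(f"{resource}: not in allow-list: {', '.join(verbs)}")
```
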

config/rbac/role.yaml (outdated, resolved)
config/rbac/role.yaml (outdated, resolved)
config/rbac/role.yaml (outdated, resolved)
config/tink-server/role.yaml (outdated, resolved)

codecov bot commented Apr 27, 2022

Codecov Report

Merging #610 (dac566d) into main (713d5ff) will not change coverage.
The diff coverage is n/a.

❗ Current head dac566d differs from pull request most recent head 83240cd. Consider uploading reports for the commit 83240cd to get more accurate results

@@           Coverage Diff           @@
##             main     #610   +/-   ##
=======================================
  Coverage   44.37%   44.37%           
=======================================
  Files          61       61           
  Lines        3491     3491           
=======================================
  Hits         1549     1549           
  Misses       1858     1858           
  Partials       84       84           
Impacted Files Coverage Δ
pkg/controllers/workflow/controller.go 73.68% <ø> (ø)
server/kubernetes_api.go 0.00% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@abhinavmpandey08 abhinavmpandey08 force-pushed the add-rbac branch 5 times, most recently from c58ea83 to 56183d0 Compare April 28, 2022 16:41
Contributor

@micahhausler micahhausler left a comment

LGTM!

@jacobweinstock
Member

@mmlb, can you check this out? approve the workflow run?

Contributor

@gauravgahlot gauravgahlot left a comment

The workflow is green and the changes LGTM. Will wait for @mmlb's review though.

Contributor

@micahhausler micahhausler left a comment

LGTM

Signed-off-by: Abhinav Pandey <abhinavmpandey08@gmail.com>
@mmlb mmlb added the ready-to-merge Signal to Mergify to merge the PR. label Apr 29, 2022
@mergify mergify bot merged commit 5b8f8c4 into tinkerbell:main Apr 29, 2022
@displague displague added this to the 0.7.0 milestone Aug 15, 2022
6 participants