Add appcatalog and metrics user roles to ace-user-roles (#194)

tamalsaha · web-flow · commit b2247c453e37 · 2025-01-31T12:08:26.000+06:00
Signed-off-by: Tamal Saha &lt;tamal@appscode.com&gt;
diff --git a/charts/ace-user-roles/README.md b/charts/ace-user-roles/README.md
@@ -45,10 +45,20 @@ The command removes all the Kubernetes components associated with the chart and
 
 The following table lists the configurable parameters of the `ace-user-roles` chart and their default values.
 
-|    Parameter     |         Description         |     Default     |
-|------------------|-----------------------------|-----------------|
-| nameOverride     | Overrides name template     | <code>""</code> |
-| fullnameOverride | Overrides fullname template | <code>""</code> |
+|               Parameter                |         Description         |      Default      |
+|----------------------------------------|-----------------------------|-------------------|
+| nameOverride                           | Overrides name template     | <code>""</code>   |
+| fullnameOverride                       | Overrides fullname template | <code>""</code>   |
+| enableClusterRoles.ace                 |                             | <code>true</code> |
+| enableClusterRoles.appcatalog          |                             | <code>true</code> |
+| enableClusterRoles.catalog             |                             | <code>true</code> |
+| enableClusterRoles.cert-manager        |                             | <code>true</code> |
+| enableClusterRoles.kubedb-ui           |                             | <code>true</code> |
+| enableClusterRoles.kubestash           |                             | <code>true</code> |
+| enableClusterRoles.license-proxyserver |                             | <code>true</code> |
+| enableClusterRoles.metrics             |                             | <code>true</code> |
+| enableClusterRoles.prometheus          |                             | <code>true</code> |
+| enableClusterRoles.stash               |                             | <code>true</code> |
 
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
diff --git a/charts/ace-user-roles/templates/ace/user-roles.yaml b/charts/ace-user-roles/templates/ace/user-roles.yaml
@@ -1,3 +1,5 @@
+{{- if dig "ace" false .Values.enableClusterRoles }}
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -12,7 +14,7 @@ rules:
   - drivers.x-helm.dev
   resources:
   - appreleases
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
+  verbs: ["create", "update", "patch", "delete", "deletecollection"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -29,3 +31,5 @@ rules:
   resources:
   - appreleases
   verbs: ["get", "list", "watch"]
+
+{{- end }}
diff --git a/charts/ace-user-roles/templates/appcatalog/appcatalog-user-roles.yaml b/charts/ace-user-roles/templates/appcatalog/appcatalog-user-roles.yaml
@@ -0,0 +1,35 @@
+{{- if dig "appcatalog" false .Values.enableClusterRoles }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: appscode:appcatalog:admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups:
+  - appcatalog.appscode.com
+  resources:
+  - "*"
+  verbs: ["*"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: appscode:appcatalog:view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups:
+  - appcatalog.appscode.com
+  resources:
+  - "*"
+  verbs: ["get", "list", "watch"]
+
+{{- end }}
diff --git a/charts/ace-user-roles/templates/catalog/user-roles.yaml b/charts/ace-user-roles/templates/catalog/user-roles.yaml
@@ -1,3 +1,5 @@
+{{- if dig "catalog" false .Values.enableClusterRoles }}
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -45,3 +47,5 @@ rules:
   resources:
   - "*"
   verbs: ["get", "list", "watch"]
+
+{{- end }}
diff --git a/charts/ace-user-roles/templates/cert-manager/user-roles.yaml b/charts/ace-user-roles/templates/cert-manager/user-roles.yaml
@@ -1,3 +1,5 @@
+{{- if dig "cert-manager" false .Values.enableClusterRoles }}
+
 # kubectl get clusterrole cert-manager-edit
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -57,3 +59,5 @@ rules:
   - challenges
   - orders
   verbs: ["get", "list", "watch"]
+
+{{- end }}
diff --git a/charts/ace-user-roles/templates/kubedb-ui/user-roles.yaml b/charts/ace-user-roles/templates/kubedb-ui/user-roles.yaml
@@ -1,3 +1,5 @@
+{{- if dig "kubedb-ui" false .Values.enableClusterRoles }}
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -52,3 +54,5 @@ subjects:
 - kind: Group
   name: system:authenticated
   apiGroup: rbac.authorization.k8s.io
+
+{{- end }}
diff --git a/charts/ace-user-roles/templates/kubestash/user_roles.yaml b/charts/ace-user-roles/templates/kubestash/user_roles.yaml
@@ -1,3 +1,5 @@
+{{- if dig "kubestash" false .Values.enableClusterRoles }}
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -50,3 +52,5 @@ rules:
   resources:
   - "*"
   verbs: ["get", "list", "watch"]
+
+{{- end }}
diff --git a/charts/ace-user-roles/templates/license-proxyserver/license-checker-cluster-role.yaml b/charts/ace-user-roles/templates/license-proxyserver/license-checker-cluster-role.yaml
@@ -0,0 +1,48 @@
+{{- if dig "license-proxyserver" false .Values.enableClusterRoles }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: appscode:license-checker
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+# Get cluster id
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs: ["get"]
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames: ["ace-info"]
+  verbs: ["get"]
+# Issue license
+- apiGroups:
+  - proxyserver.licenses.appscode.com
+  resources:
+  - licenserequests
+  verbs: ["create"]
+# Detect workload/owner of operator pod
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs: ["get"]
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - replicasets
+  verbs: ["get"]
+# Write events in case of license verification failure
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs: ["get", "list", "create", "patch"]
+
+{{- end }}
diff --git a/charts/ace-user-roles/templates/license-proxyserver/license-reader-cluster-role.yaml b/charts/ace-user-roles/templates/license-proxyserver/license-reader-cluster-role.yaml
@@ -0,0 +1,21 @@
+{{- if dig "license-proxyserver" false .Values.enableClusterRoles }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: appscode:license-reader
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+# Detect license server endpoint for kubedb addons
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs: ["get"]
+- nonResourceURLs:
+  - /appscode/license
+  verbs: ["get"]
+
+{{- end }}
diff --git a/charts/ace-user-roles/templates/metrics/metrics-user-roles.yaml b/charts/ace-user-roles/templates/metrics/metrics-user-roles.yaml
@@ -0,0 +1,35 @@
+{{- if dig "metrics" false .Values.enableClusterRoles }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: appscode:metrics:admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups:
+  - metrics.appscode.com
+  resources:
+  - "*"
+  verbs: ["*"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: appscode:metrics:view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups:
+  - metrics.appscode.com
+  resources:
+  - "*"
+  verbs: ["get", "list", "watch"]
+
+{{- end }}
diff --git a/charts/ace-user-roles/templates/others.yaml b/charts/ace-user-roles/templates/others.yaml
diff --git a/charts/ace-user-roles/templates/prometheus/user-roles.yaml b/charts/ace-user-roles/templates/prometheus/user-roles.yaml
@@ -1,3 +1,5 @@
+{{- if dig "prometheus" false .Values.enableClusterRoles }}
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -45,3 +47,5 @@ rules:
   resources:
   - "*"
   verbs: ["get", "list", "watch"]
+
+{{- end }}
diff --git a/charts/ace-user-roles/templates/stash/user-roles.yaml b/charts/ace-user-roles/templates/stash/user-roles.yaml
@@ -1,3 +1,5 @@
+{{- if dig "stash" false .Values.enableClusterRoles }}
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -46,3 +48,5 @@ rules:
   resources:
   - "*"
   verbs: ["get", "list", "watch"]
+
+{{- end }}
diff --git a/charts/ace-user-roles/values.yaml b/charts/ace-user-roles/values.yaml
@@ -6,3 +6,15 @@
 nameOverride: ""
 # Overrides fullname template
 fullnameOverride: ""
+
+enableClusterRoles:
+  ace: true
+  appcatalog: true
+  catalog: true
+  cert-manager: true
+  kubedb-ui: true
+  kubestash: true
+  license-proxyserver: true
+  metrics: true
+  prometheus: true
+  stash: true
