From f4d72287e65f26a1d029a3a6b4a16e2adcc039c0 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Fri, 12 Jan 2024 02:39:06 -0800 Subject: [PATCH] Configure rbac for ui-server ocm-mc mode (#140) Signed-off-by: Tamal Saha --- .../common/cluster-role-binding.yaml | 14 ++ .../kube-ui-server/common/cluster-role.yaml | 52 ++++++++ charts/kube-ui-server/common/user-roles.yaml | 116 +++++++++++++++++ .../templates/k8s/cluster-role-binding.yaml | 16 +-- .../templates/k8s/cluster-role.yaml | 54 +------- .../templates/k8s/user-roles.yaml | 122 +----------------- .../templates/ocm-mc/apiregistration.yaml | 2 +- .../kube-ui-server/templates/ocm-mc/rbac.yaml | 50 +++++++ .../kube-ui-server/templates/ocm-mc/svc.yaml | 2 +- 9 files changed, 240 insertions(+), 188 deletions(-) create mode 100644 charts/kube-ui-server/common/cluster-role-binding.yaml create mode 100644 charts/kube-ui-server/common/cluster-role.yaml create mode 100644 charts/kube-ui-server/common/user-roles.yaml create mode 100644 charts/kube-ui-server/templates/ocm-mc/rbac.yaml diff --git a/charts/kube-ui-server/common/cluster-role-binding.yaml b/charts/kube-ui-server/common/cluster-role-binding.yaml new file mode 100644 index 00000000..7b66e0ad --- /dev/null +++ b/charts/kube-ui-server/common/cluster-role-binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kube-ui-server.fullname" . }} + labels: + {{- include "kube-ui-server.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kube-ui-server.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kube-ui-server.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/kube-ui-server/common/cluster-role.yaml b/charts/kube-ui-server/common/cluster-role.yaml new file mode 100644 index 00000000..a5db6802 --- /dev/null +++ b/charts/kube-ui-server/common/cluster-role.yaml 
@@ -0,0 +1,52 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kube-ui-server.fullname" . }} + labels: + {{- include "kube-ui-server.labels" . | nindent 4 }} +rules: +- apiGroups: + - core.k8s.appscode.com + - cost.k8s.appscode.com + - identity.k8s.appscode.com + - management.k8s.appscode.com + - meta.k8s.appscode.com + - policy.k8s.appscode.com + - ui.k8s.appscode.com + resources: + - "*" + verbs: ["*"] +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - helmrepositories + verbs: ["get", "list", "watch"] +- apiGroups: + - "" + resources: + - secrets + verbs: ["get", "list", "watch"] +- apiGroups: + - "" + resources: + - configmaps + verbs: ["*"] +- apiGroups: + - "" + resources: + - events + verbs: ["create"] +- apiGroups: + - '*' + resources: + - '*' + verbs: + # create used for raw REST query + - create + - get + - list + - watch +- nonResourceURLs: + - '*' + verbs: + - get diff --git a/charts/kube-ui-server/common/user-roles.yaml b/charts/kube-ui-server/common/user-roles.yaml new file mode 100644 index 00000000..65afe7d7 --- /dev/null +++ b/charts/kube-ui-server/common/user-roles.yaml 
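Review bot: The wildcard rule at the end of this ClusterRole (`apiGroups: '*'`, `resources: '*'`, verbs `create`/`get`/`list`/`watch`) lets the server's ServiceAccount create any resource type in any namespace, which in practice is close to cluster-admin (e.g. creating Pods that mount an arbitrary ServiceAccount token or hostPath), and the dedicated `secrets` rule plus `configmaps` with `verbs: ["*"]` additionally expose every Secret and allow rewriting every ConfigMap cluster-wide. The comment `# create used for raw REST query` implies create is only needed to POST to a small set of query-style endpoints; if so, list those resources in their own rule and drop `create` from the wildcard rule, or at least name them in the comment, e.g. `# create is only needed for POST-style query endpoints: <list them>; do not widen this rule for writes`. These rules are moved unchanged from templates/k8s/cluster-role.yaml, so the blast radius predates this commit, but moving them under common/ presumably means the same grant is now also applied to remote clusters in ocm-mc mode, which is worth stating in the file header.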
@@ -0,0 +1,116 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeops:ui:editor + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: + - core.k8s.appscode.com + - cost.k8s.appscode.com + - identity.k8s.appscode.com + - management.k8s.appscode.com + - meta.k8s.appscode.com + - policy.k8s.appscode.com + - ui.k8s.appscode.com + resources: + - "*" + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeops:ui:viewer + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: + - auditor.appscode.com + resources: + - siteinfos + verbs: ["create"] +- apiGroups: + - identity.k8s.appscode.com + resources: + - whoamis + verbs: ["create"] +- apiGroups: + - core.k8s.appscode.com + resources: + - genericresources + - genericresourceservices + - podviews + - projects + - resourcesummaries + verbs: ["get", "list"] +- apiGroups: + - management.k8s.appscode.com + resources: + - projectquotas + verbs: ["get", "list"] +- apiGroups: + - ui.k8s.appscode.com + resources: + - features + - featuresets + - resourcedashboards + - resourceeditors + verbs: ["get", "list"] +- apiGroups: + - meta.k8s.appscode.com + resources: + - chartpresetqueries + - clusterstatuses + - renderdashboards + - rendermenus + - renderrawgraphs + - renders + - resourcecalculators + - resourcegraphs + verbs: ["create"] +- apiGroups: + - meta.k8s.appscode.com + resources: + - menus + - resourceblockdefinitions + - resourcedescriptors + - resourcelayouts + - resourceoutlines + - resourcetabledefinitions + - usermenus + verbs: ["get", "list"] +- apiGroups: + - meta.k8s.appscode.com + resources: + - 
menus/available + - usermenus/available + verbs: ["get"] +- apiGroups: + - meta.k8s.appscode.com + resources: + - usermenus + verbs: ["*"] +--- +# required for standard user in Rancher +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubeops:ui:viewer + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubeops:ui:viewer +subjects: +- kind: Group + name: system:authenticated + apiGroup: rbac.authorization.k8s.io diff --git a/charts/kube-ui-server/templates/k8s/cluster-role-binding.yaml b/charts/kube-ui-server/templates/k8s/cluster-role-binding.yaml index 759ad97a..d1e2b7e4 100644 --- a/charts/kube-ui-server/templates/k8s/cluster-role-binding.yaml +++ b/charts/kube-ui-server/templates/k8s/cluster-role-binding.yaml @@ -1,18 +1,6 @@ {{- if not .Values.kubeconfigSecretName }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "kube-ui-server.fullname" . }} - labels: - {{- include "kube-ui-server.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "kube-ui-server.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ include "kube-ui-server.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} +{{- $restpl := $.Files.Get "common/cluster-role-binding.yaml" -}} +{{ tpl $restpl $ }} {{- end }} diff --git a/charts/kube-ui-server/templates/k8s/cluster-role.yaml b/charts/kube-ui-server/templates/k8s/cluster-role.yaml index cc852076..c94c10c2 100644 --- a/charts/kube-ui-server/templates/k8s/cluster-role.yaml +++ b/charts/kube-ui-server/templates/k8s/cluster-role.yaml 
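Review bot: The `kubeops:ui:viewer` ClusterRole is labelled `rbac.authorization.k8s.io/aggregate-to-view` yet carries write verbs (`create` on siteinfos, whoamis, renders and friends, and `verbs: ["*"]` on `usermenus`), so every subject holding the built-in read-only `view` role silently gains those writes, and the trailing ClusterRoleBinding extends the same role to `system:authenticated`, which includes every ServiceAccount in every namespace, not only Rancher "standard users". Because all three objects are Helm hooks (`helm.sh/hook: post-install,post-upgrade` with `before-hook-creation`), Helm does not delete them on `helm uninstall`, so the `system:authenticated` grant outlives the chart. Consider gating the binding behind a chart value that defaults to off, and moving the `usermenus` `*` rule into `kubeops:ui:editor` unless per-user menu writes are deliberately meant for viewers, in which case say so. Either way the binding deserves a comment such as `# NOTE: grants the viewer role to every authenticated principal, including all ServiceAccounts; hook resources are not removed by helm uninstall`.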
@@ -1,56 +1,6 @@ {{- if not .Values.kubeconfigSecretName }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "kube-ui-server.fullname" . }} - labels: - {{- include "kube-ui-server.labels" . | nindent 4 }} -rules: -- apiGroups: - - core.k8s.appscode.com - - cost.k8s.appscode.com - - identity.k8s.appscode.com - - management.k8s.appscode.com - - meta.k8s.appscode.com - - policy.k8s.appscode.com - - ui.k8s.appscode.com - resources: - - "*" - verbs: ["*"] -- apiGroups: - - source.toolkit.fluxcd.io - resources: - - helmrepositories - verbs: ["get", "list", "watch"] -- apiGroups: - - "" - resources: - - secrets - verbs: ["get", "list", "watch"] -- apiGroups: - - "" - resources: - - configmaps - verbs: ["*"] -- apiGroups: - - "" - resources: - - events - verbs: ["create"] -- apiGroups: - - '*' - resources: - - '*' - verbs: - # create used for raw REST query - - create - - get - - list - - watch -- nonResourceURLs: - - '*' - verbs: - - get +{{- $restpl := $.Files.Get "common/cluster-role.yaml" -}} +{{ tpl $restpl $ }} {{- end }} diff --git a/charts/kube-ui-server/templates/k8s/user-roles.yaml b/charts/kube-ui-server/templates/k8s/user-roles.yaml index f0aa4184..370ee5ce 100644 --- a/charts/kube-ui-server/templates/k8s/user-roles.yaml +++ b/charts/kube-ui-server/templates/k8s/user-roles.yaml 
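Review bot: `$.Files.Get "common/cluster-role.yaml"` returns an empty string when the file is missing from the packaged chart (for example if a `.helmignore` rule or a packaging step drops the non-`templates/` directory), and `tpl "" $` then renders nothing, so the ClusterRole would silently vanish and the server's ServiceAccount would run with no permissions — a failure that only shows up as runtime 403s. Make the render fail loudly instead: `{{- $restpl := $.Files.Get "common/cluster-role.yaml" | required "common/cluster-role.yaml is missing from the chart" -}}`. The same `Files.Get` + `tpl` pattern is introduced in the sibling cluster-role-binding and user-roles templates in this commit and should get the same guard.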
@@ -1,124 +1,6 @@ {{- if not .Values.kubeconfigSecretName }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kubeops:ui:editor - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation -rules: -- apiGroups: - - core.k8s.appscode.com - - cost.k8s.appscode.com - - identity.k8s.appscode.com - - management.k8s.appscode.com - - meta.k8s.appscode.com - - policy.k8s.appscode.com - - ui.k8s.appscode.com - resources: - - "*" - verbs: ["*"] - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kubeops:ui:viewer - labels: - rbac.authorization.k8s.io/aggregate-to-view: "true" - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation -rules: -- apiGroups: - - auditor.appscode.com - resources: - - siteinfos - verbs: ["create"] -- apiGroups: - - identity.k8s.appscode.com - resources: - - whoamis - verbs: ["create"] -- apiGroups: - - core.k8s.appscode.com - resources: - - genericresources - - genericresourceservices - - podviews - - projects - - resourcesummaries - verbs: ["get", "list"] -- apiGroups: - - management.k8s.appscode.com - resources: - - projectquotas - verbs: ["get", "list"] -- apiGroups: - - ui.k8s.appscode.com - resources: - - features - - featuresets - - resourcedashboards - - resourceeditors - verbs: ["get", "list"] -- apiGroups: - - meta.k8s.appscode.com - resources: - - chartpresetqueries - - clusterstatuses - - renderdashboards - - rendermenus - - renderrawgraphs - - renders - - resourcecalculators - - resourcegraphs - verbs: ["create"] -- apiGroups: - - meta.k8s.appscode.com - resources: - - menus - - resourceblockdefinitions - - resourcedescriptors - - resourcelayouts - - resourceoutlines - - resourcetabledefinitions - - usermenus - verbs: ["get", "list"] -- apiGroups: - 
- meta.k8s.appscode.com - resources: - - menus/available - - usermenus/available - verbs: ["get"] -- apiGroups: - - meta.k8s.appscode.com - resources: - - usermenus - verbs: ["*"] - ---- - -# required for standard user in Rancher -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kubeops:ui:viewer - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubeops:ui:viewer -subjects: -- kind: Group - name: system:authenticated - apiGroup: rbac.authorization.k8s.io +{{- $restpl := $.Files.Get "common/user-roles.yaml" -}} +{{ tpl $restpl $ }} {{- end }} diff --git a/charts/kube-ui-server/templates/ocm-mc/apiregistration.yaml b/charts/kube-ui-server/templates/ocm-mc/apiregistration.yaml index c16f40d5..613e5f08 100644 --- a/charts/kube-ui-server/templates/ocm-mc/apiregistration.yaml +++ b/charts/kube-ui-server/templates/ocm-mc/apiregistration.yaml @@ -38,7 +38,7 @@ metadata: {{- include "kube-ui-server.labels" . | nindent 4 }} annotations: "helm.sh/hook": post-install,post-upgrade,post-rollback - # "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed spec: ttlSecondsAfterFinished: 0 backoffLimit: 3 diff --git a/charts/kube-ui-server/templates/ocm-mc/rbac.yaml b/charts/kube-ui-server/templates/ocm-mc/rbac.yaml new file mode 100644 index 00000000..1acf718c --- /dev/null +++ b/charts/kube-ui-server/templates/ocm-mc/rbac.yaml 
@@ -0,0 +1,50 @@ +{{- if .Values.kubeconfigSecretName }} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kube-ui-server.fullname" . }}-configure-rbac + namespace: {{ .Release.Namespace }} + labels: + {{- include "kube-ui-server.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install,post-upgrade,post-rollback + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +spec: + ttlSecondsAfterFinished: 0 + backoffLimit: 3 + template: + spec: + {{- include "appscode.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: false + containers: + - name: kubectl + image: {{ include "image.registry" $ }}/kubectl:1.23 + workingDir: /var/run/secrets/ocm + command: + - sh + - -c + - | + sleep 2; \ + kubectl --kubeconfig=auth/kubeconfig apply -f - <