fix(chart): add rbac for default SA + server in each tenant (#513)

Author: corrieriluca

deploy/charts/burrito/templates/config.yaml

@@ -15,12 +15,14 @@ Tenant Namespaces
 Datastore Authorized Service Accounts
 */}}
 {{- $datastoreAuthorizedServiceAccounts := list }}
-{{- range $tenant := .Values.tenants }}
-{{- range $sa := $tenant.serviceAccounts }}
-{{- $serviceAccount := printf "%s/%s" $tenant.namespace.name $sa.name }}
-{{- $datastoreAuthorizedServiceAccounts = append $datastoreAuthorizedServiceAccounts $serviceAccount }}
-{{- end }}
-{{- end }}
+  {{- range $tenant := .Values.tenants }}
+    {{- range $sa := $tenant.serviceAccounts }}
+      {{- $serviceAccount := printf "%s/%s" $tenant.namespace.name $sa.name }}
+      {{- $datastoreAuthorizedServiceAccounts = append $datastoreAuthorizedServiceAccounts $serviceAccount }}
+    {{- end }}
+    # adding also default `burrito-runner` serviceaccount created in each tenant
+    {{- $datastoreAuthorizedServiceAccounts = append $datastoreAuthorizedServiceAccounts (printf "%s/burrito-runner" $tenant.namespace.name) }}
+  {{- end }}
 {{- $controller := printf "%s/%s" .Release.Namespace "burrito-controllers" }}
 # check if the service account is already in the list, to prevent adding it multiple times if the config rerenders
 {{- if not (has $controller $config.datastore.serviceAccounts) }}
@@ -30,7 +32,7 @@ Datastore Authorized Service Accounts
 {{- if not (has $server $config.datastore.serviceAccounts) }}
   {{- $datastoreAuthorizedServiceAccounts = append $datastoreAuthorizedServiceAccounts $server }}
 {{- end }}
-{{- $_ := set $config.datastore "serviceAccounts" (concat $datastoreAuthorizedServiceAccounts $config.datastore.serviceAccounts) }}
+{{- $_ := set $config.datastore "serviceAccounts" ((concat $datastoreAuthorizedServiceAccounts $config.datastore.serviceAccounts) | uniq) }}
 
 {{/*
 TLS certificates

deploy/charts/burrito/templates/tenant.yaml

@@ -40,39 +40,30 @@ metadata:
   name: burrito-runner
   namespace: {{ $tenant.namespace.name }}
 ---
-{{- range $serviceAccount := .serviceAccounts }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ $serviceAccount.name }}
-  labels:
-    {{- toYaml $serviceAccount.labels | nindent 4 }}
-  annotations:
-    {{- toYaml $serviceAccount.annotations | nindent 4 }}
-  namespace: {{ $tenant.namespace.name }}
----
+# Role binding for the default service account
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ $serviceAccount.name }}-burrito-runner
-  labels:
-    {{- toYaml $serviceAccount.labels | nindent 4 }}
+  name: burrito-runner
   namespace: {{ $tenant.namespace.name }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: burrito-runner
 subjects:
 - kind: ServiceAccount
-  name: {{ $serviceAccount.name }}
+  name: burrito-runner
   namespace: {{ $tenant.namespace.name }}
 ---
+# Role and RoleBinding for burrito-server to access this tenant's secrets (webhook secret)
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: secret-access
   labels:
-    app: burrito
+    {{- toYaml $metadataControllers.labels | nindent 4 }}
+  annotations:
+    {{- toYaml $metadataControllers.annotations | nindent 4 }}
   namespace: {{ $tenant.namespace.name }}
 rules:
 - apiGroups: [""]
@@ -84,7 +75,9 @@ kind: RoleBinding
 metadata:
   name: burrito-server-secret-access
   labels:
-    app: burrito
+    {{- toYaml $metadataControllers.labels | nindent 4 }}
+  annotations:
+    {{- toYaml $metadataControllers.annotations | nindent 4 }}
   namespace: {{ $tenant.namespace.name }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -95,6 +88,33 @@ subjects:
   name: burrito-server
   namespace: {{ $.Release.Namespace }}
 ---
+{{- range $serviceAccount := .serviceAccounts }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $serviceAccount.name }}
+  labels:
+    {{- toYaml $serviceAccount.labels | nindent 4 }}
+  annotations:
+    {{- toYaml $serviceAccount.annotations | nindent 4 }}
+  namespace: {{ $tenant.namespace.name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccount.name }}-burrito-runner
+  labels:
+    {{- toYaml $serviceAccount.labels | nindent 4 }}
+  namespace: {{ $tenant.namespace.name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: burrito-runner
+subjects:
+- kind: ServiceAccount
+  name: {{ $serviceAccount.name }}
+  namespace: {{ $tenant.namespace.name }}
+---
 {{- range $additionalRoleBinding := $serviceAccount.additionalRoleBindings }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

deploy/charts/burrito/values-dev.yaml

@@ -18,5 +18,3 @@ tenants:
   - namespace:
       create: true
       name: "burrito-project"
-    serviceAccounts:
-      - name: burrito-runner

deploy/charts/burrito/values.yaml

@@ -421,7 +421,7 @@ datastore:
             kind: Issuer
 
 # -- List of tenants to create to manage Terraform resources
-tenants:
+tenants: []
 # - namespace:
 #     create: true
 #     name: "burrito-project-1"