refactor: rbac & extraRules

loft-sh · Feb 7, 2024 · 116c531 · 116c531
1 parent 434bb5c
commit 116c531
Show file tree

Hide file tree

Showing 34 changed files with 714 additions and 297 deletions.
diff --git a/charts/eks/templates/_helpers.tpl b/charts/eks/templates/_helpers.tpl
@@ -39,17 +39,12 @@ Whether to create a cluster role or not
 */}}
 {{- define "vcluster.createClusterRole" -}}
 {{- if or
-    (not
-        (empty (include "vcluster.serviceMapping.fromHost" . )))
-    (not
-        (empty (include "vcluster.plugin.clusterRoleExtraRules" . )))
-    (not
-        (empty (include "vcluster.generic.clusterRoleExtraRules" . )))
+    (not (empty (include "vcluster.serviceMapping.fromHost" . )))
+    (not (empty (include "vcluster.plugin.clusterRoleExtraRules" . )))
+    (not (empty (include "vcluster.generic.clusterRoleExtraRules" . )))
     .Values.rbac.clusterRole.create
     .Values.sync.hoststorageclasses.enabled
-    (index
-        ((index .Values.sync "legacy-storageclasses") | default (dict "enabled" false))
-    "enabled")
+    (index ((index .Values.sync "legacy-storageclasses") | default (dict "enabled" false)) "enabled")
     (include "vcluster.syncIngressclassesEnabled" . )
 	.Values.pro
     .Values.sync.nodes.enabled
@@ -60,7 +55,7 @@ Whether to create a cluster role or not
     .Values.proxy.metricsServer.nodes.enabled
     .Values.multiNamespaceMode.enabled
     .Values.coredns.plugin.enabled -}}
-    {{- true -}}
+{{- true -}}
 {{- end -}}
 {{- end -}}
 
@@ -129,6 +124,29 @@ Prints only the flags that modify the defaults:
 {{- end }}
 {{- end -}}
 
+{{/*
+  Cluster role rules defined on global level
+*/}}
+{{- define "vcluster.rbac.clusterRoleExtraRules" -}}
+{{- if .Values.rbac.clusterRole.extraRules }}
+{{- range $ruleIndex, $rule := .Values.rbac.clusterRole.extraRules }}
+- {{ toJson $rule }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+
+{{/*
+  Role rules defined on global level
+*/}}
+{{- define "vcluster.rbac.roleExtraRules" -}}
+{{- if .Values.rbac.role.extraRules }}
+{{- range $ruleIndex, $rule := .Values.rbac.role.extraRules }}
+- {{ toJson $rule }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
 {{/*
   Role rules defined by plugins
 */}}
@@ -176,68 +194,3 @@ Prints only the flags that modify the defaults:
 - '--map-host-service={{ $value.from }}={{ $value.to }}'
 {{- end }}
 {{- end -}}
-
-
-{{/*
-  deployment kind
-*/}}
-{{- define "vcluster.kind" -}}
-{{ if and .Values.embeddedEtcd.enabled .Values.pro }}StatefulSet{{ else }}Deployment{{ end }}
-{{- end -}}
-
-{{/*
-  service name for statefulset
-*/}}
-{{- define "vcluster.statefulset.serviceName" }}
-{{- if .Values.embeddedEtcd.enabled }}
-serviceName: {{ .Release.Name }}-headless
-{{- end }}
-{{- end -}}
-
-{{/*
-  volumeClaimTemplate
-*/}}
-{{- define "vcluster.statefulset.volumeClaimTemplate" }}
-{{- if .Values.embeddedEtcd.enabled }}
-{{- if .Values.autoDeletePersistentVolumeClaims }}
-{{- if ge (int .Capabilities.KubeVersion.Minor) 27 }}
-persistentVolumeClaimRetentionPolicy:
-  whenDeleted: Delete
-{{- end }}
-{{- end }}
-{{- if (hasKey .Values "volumeClaimTemplates") }}
-volumeClaimTemplates:
-{{ toYaml .Values.volumeClaimTemplates | indent 4 }}
-{{- else if .Values.syncer.storage.persistence }}
-volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes: [ "ReadWriteOnce" ]
-      {{- if .Values.syncer.storage.className }}
-      storageClassName: {{ .Values.syncer.storage.className }}
-      {{- end }}
-      resources:
-        requests:
-          storage: {{ .Values.syncer.storage.size }}
-{{- end }}
-{{- end }}
-{{- end -}}
-
-
-{{/*
-  deployment strategy
-*/}}
-{{- define "vcluster.deployment.strategy" }}
-{{- if not .Values.embeddedEtcd.enabled }}
-strategy:
-  rollingUpdate:
-    maxSurge: 1
-    {{- if (eq (int .Values.syncer.replicas) 1) }}
-    maxUnavailable: 0
-    {{- else }}
-    maxUnavailable: 1
-    {{- end }}
-  type: RollingUpdate
-{{- end }}
-{{- end -}}
diff --git a/charts/eks/templates/_kind.tpl b/charts/eks/templates/_kind.tpl
@@ -0,0 +1,64 @@
+
+{{/*
+  deployment kind
+*/}}
+{{- define "vcluster.kind" -}}
+{{ if and .Values.embeddedEtcd.enabled .Values.pro }}StatefulSet{{ else }}Deployment{{ end }}
+{{- end -}}
+
+{{/*
+  service name for statefulset
+*/}}
+{{- define "vcluster.statefulset.serviceName" }}
+{{- if .Values.embeddedEtcd.enabled }}
+serviceName: {{ .Release.Name }}-headless
+{{- end }}
+{{- end -}}
+
+{{/*
+  volumeClaimTemplate
+*/}}
+{{- define "vcluster.statefulset.volumeClaimTemplate" }}
+{{- if .Values.embeddedEtcd.enabled }}
+{{- if .Values.autoDeletePersistentVolumeClaims }}
+{{- if ge (int .Capabilities.KubeVersion.Minor) 27 }}
+persistentVolumeClaimRetentionPolicy:
+  whenDeleted: Delete
+{{- end }}
+{{- end }}
+{{- if (hasKey .Values "volumeClaimTemplates") }}
+volumeClaimTemplates:
+{{ toYaml .Values.volumeClaimTemplates | indent 4 }}
+{{- else if .Values.syncer.storage.persistence }}
+volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      {{- if .Values.syncer.storage.className }}
+      storageClassName: {{ .Values.syncer.storage.className }}
+      {{- end }}
+      resources:
+        requests:
+          storage: {{ .Values.syncer.storage.size }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+
+{{/*
+  deployment strategy
+*/}}
+{{- define "vcluster.deployment.strategy" }}
+{{- if not .Values.embeddedEtcd.enabled }}
+strategy:
+  rollingUpdate:
+    maxSurge: 1
+    {{- if (eq (int .Values.syncer.replicas) 1) }}
+    maxUnavailable: 0
+    {{- else }}
+    maxUnavailable: 1
+    {{- end }}
+  type: RollingUpdate
+{{- end }}
+{{- end -}}
diff --git a/charts/eks/templates/rbac/clusterrole.yaml b/charts/eks/templates/rbac/clusterrole.yaml
@@ -18,7 +18,7 @@ rules:
     resources: ["features", "virtualclusters"]
     verbs: ["get", "list", "watch"]
 {{- end }}
-  {{- if or .Values.pro .Values.sync.nodes.enabled .Values.rbac.clusterRole.create }}
+  {{- if or .Values.pro .Values.sync.nodes.enabled }}
   - apiGroups: [""]
     resources: ["nodes", "nodes/status"]
     verbs: ["get", "watch", "list"]
@@ -31,17 +31,17 @@ rules:
     resources: [ "pods"]
     verbs: ["get", "watch", "list"]
   {{- end }}
-  {{- if and (or .Values.sync.nodes.enabled .Values.rbac.clusterRole.create) (or (not .Values.isolation.enabled) (and .Values.isolation.nodeProxyPermission.enabled .Values.isolation.enabled)) }}
+  {{- if and .Values.sync.nodes.enabled (or (not .Values.isolation.enabled) (and .Values.isolation.nodeProxyPermission.enabled .Values.isolation.enabled)) }}
   - apiGroups: [""]
     resources: ["nodes/proxy"]
     verbs: ["get", "watch", "list"]
   {{- end }}
-  {{- if or (and .Values.sync.nodes.enabled .Values.sync.nodes.syncNodeChanges) .Values.rbac.clusterRole.create }}
+  {{- if and .Values.sync.nodes.enabled .Values.sync.nodes.syncNodeChanges }}
   - apiGroups: [""]
     resources: ["nodes", "nodes/status"]
     verbs: ["update", "patch"]
   {{- end }}
-  {{- if or .Values.sync.persistentvolumes.enabled .Values.rbac.clusterRole.create }}
+  {{- if .Values.sync.persistentvolumes.enabled }}
   - apiGroups: [""]
     resources: ["persistentvolumes"]
     verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
@@ -56,7 +56,7 @@ rules:
     resources: ["ingressclasses"]
     verbs: ["get", "watch", "list"]
   {{- end }}
-  {{- if or .Values.sync.storageclasses.enabled .Values.rbac.clusterRole.create }}
+  {{- if .Values.sync.storageclasses.enabled }}
   - apiGroups: ["storage.k8s.io"]
     resources: ["storageclasses"]
     verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
@@ -66,21 +66,19 @@ rules:
     resources: ["storageclasses"]
     verbs: ["get", "watch", "list"]
   {{- end }}
-  {{- if or .Values.sync.priorityclasses.enabled .Values.rbac.clusterRole.create }}
+  {{- if .Values.sync.priorityclasses.enabled }}
   - apiGroups: ["scheduling.k8s.io"]
     resources: ["priorityclasses"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
   {{- end }}
-  {{- if or .Values.sync.volumesnapshots.enabled .Values.rbac.clusterRole.create }}
+  {{- if .Values.sync.volumesnapshots.enabled }}
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshotclasses"]
     verbs: ["get", "list", "watch"]
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshotcontents"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
   {{- end }}
-  {{- include "vcluster.plugin.clusterRoleExtraRules" . | indent 2 }}
-  {{- include "vcluster.generic.clusterRoleExtraRules" . | indent 2 }}
   {{- if (not (empty (include "vcluster.serviceMapping.fromHost" . ))) }}
   - apiGroups: [""]
     resources: ["services", "endpoints"]
@@ -99,4 +97,7 @@ rules:
     resources: ["nodes"]
     verbs: ["get", "list"]
   {{- end }}
+  {{- include "vcluster.plugin.clusterRoleExtraRules" . | indent 2 }}
+  {{- include "vcluster.generic.clusterRoleExtraRules" . | indent 2 }}
+  {{- include "vcluster.rbac.clusterRoleExtraRules" . | indent 2 }}
 {{- end }}
diff --git a/charts/eks/templates/rbac/role.yaml b/charts/eks/templates/rbac/role.yaml
@@ -35,53 +35,53 @@ rules:
     resources: ["configmaps", "secrets", "services", "pods", "pods/attach", "pods/portforward", "pods/exec", "persistentvolumeclaims"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
   {{- end }}
-  {{- if or .Values.sync.pods.status .Values.rbac.role.extended }}
+  {{- if .Values.sync.pods.status }}
   - apiGroups: [""]
     resources: ["pods/status"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
   {{- end }}
-  {{- if or .Values.sync.pods.ephemeralContainers .Values.rbac.role.extended }}
+  {{- if .Values.sync.pods.ephemeralContainers }}
   - apiGroups: [""]
     resources: ["pods/ephemeralcontainers"]
     verbs: ["patch", "update"]
   {{- end }}
-  {{- if or .Values.sync.endpoints.enabled .Values.rbac.role.extended .Values.headless }}
+  {{- if or .Values.sync.endpoints.enabled .Values.headless }}
   - apiGroups: [""]
     resources: ["endpoints"]
     verbs: ["create", "delete", "patch", "update"]
   {{- end }}
-  {{- if or (gt (int .Values.syncer.replicas) 1) .Values.rbac.role.extended }}
+  {{- if gt (int .Values.syncer.replicas) 1 }}
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
   {{- end }}
   - apiGroups: [""]
     resources: ["endpoints", "events", "pods/log"]
     verbs: ["get", "list", "watch"]
-  {{- if or .Values.sync.ingresses.enabled}}
+  {{- if .Values.sync.ingresses.enabled}}
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
   {{- end }}
   - apiGroups: ["apps"]
     resources: ["statefulsets", "replicasets", "deployments"]
     verbs: ["get", "list", "watch"]
-  {{- if or .Values.sync.networkpolicies.enabled .Values.rbac.role.extended }}
+  {{- if .Values.sync.networkpolicies.enabled }}
   - apiGroups: ["networking.k8s.io"]
     resources: ["networkpolicies"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
   {{- end }}
-  {{- if or .Values.sync.volumesnapshots.enabled .Values.rbac.role.extended }}
+  {{- if .Values.sync.volumesnapshots.enabled }}
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshots"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
   {{- end }}
-  {{- if or .Values.sync.serviceaccounts.enabled .Values.rbac.role.extended }}
+  {{- if .Values.sync.serviceaccounts.enabled }}
   - apiGroups: [""]
     resources: ["serviceaccounts"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
   {{- end }}
-  {{- if or .Values.sync.poddisruptionbudgets.enabled .Values.rbac.role.extended }}
+  {{- if .Values.sync.poddisruptionbudgets.enabled }}
   - apiGroups: ["policy"]
     resources: ["poddisruptionbudgets"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
@@ -100,4 +100,5 @@ rules:
   {{- end }}
   {{- include "vcluster.plugin.roleExtraRules" . | indent 2 }}
   {{- include "vcluster.generic.roleExtraRules" . | indent 2 }}
+  {{- include "vcluster.rbac.roleExtraRules" . | indent 2 }}
 {{- end }}
diff --git a/charts/eks/tests/README.md b/charts/eks/tests/README.md
@@ -0,0 +1,9 @@
+Add [unittest plugin](https://github.com/helm-unittest/helm-unittest) via:
+```
+helm plugin install https://github.com/helm-unittest/helm-unittest.git
+```
+
+Run tests via:
+```
+helm unittest charts/eks -d
+```
diff --git a/charts/eks/tests/clusterrole_test.yaml b/charts/eks/tests/clusterrole_test.yaml
@@ -0,0 +1,41 @@
+suite: ClusterRole
+templates:
+  - rbac/clusterrole.yaml
+
+tests:
+  - it: should create clusterrole
+    set:
+      rbac:
+        clusterRole:
+          create: true
+    asserts:
+      - hasDocuments:
+          count: 1
+  - it: should not create clusterrole
+    set:
+      rbac:
+        clusterRole:
+          create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: should contain extra rule
+    set:
+      rbac:
+        clusterRole:
+          create: true
+          extraRules:
+            - apiGroups: ["test"]
+              resources: ["tests"]
+              verbs: ["test"]
+    asserts:
+      - hasDocuments:
+          count: 1
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["test"]
+            resources: ["tests"]
+            verbs: ["test"]
+          count: 1
+