Install flag for helm and additional kustomize file for raw yaml for pure Namespace scoping (#149)

ryansteakley · web-flow · commit ac31817f8bd6 · 2021-08-16T12:07:58.000-07:00
Issue #, if available: aws-controllers-k8s/community#770 Description of changes: - Adds `namespacedInstallation` flag for helm` values.yaml` to specify that `Role `and` RoleBinding` should be used instead of `ClusterRole `and `ClusterRoleBinding` - Specifies that `watchNamespace` in helm`values.yaml` must be set if using `namespacedInstallation` flag. - Contains a sed to replace the original output of the `role-controller.yaml` file with the template code that allows for the programmatic setting of `namespacedInstallation` in the helm` values.yaml` - Adds a `overlays/namespaced` directory for the raw yamls in config. This folder contains the json patch files, `role.yaml` and `role-binding.yaml` that will modify the `ClusterRole` and `ClusterRoleBinding` files to be `Role `and `RoleBinding`. This allows the user to apply these changes using raw yaml and not helm if these wish. - Chose to reuse the names of `cluster-role-binding.yaml` and `cluster-role-controller.yaml` so that every service repo doesn't need to rm these files since they already exist in their repo and any other naming of the yaml files will cause multiple roles/bindings to install causing installation failures. Tested locally By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/pkg/generate/ack/controller.go b/pkg/generate/ack/controller.go
@@ -36,6 +36,7 @@ var (
 		"config/rbac/role-writer.yaml.tpl",
 		"config/rbac/kustomization.yaml.tpl",
 		"config/crd/kustomization.yaml.tpl",
+		"config/overlays/namespaced/kustomization.yaml.tpl",
 	}
 	controllerIncludePaths = []string{
 		"config/controller/kustomization_def.yaml.tpl",
diff --git a/pkg/generate/ack/release.go b/pkg/generate/ack/release.go
@@ -28,6 +28,7 @@ var (
 		"helm/values.yaml.tpl",
 		"helm/templates/role-reader.yaml.tpl",
 		"helm/templates/role-writer.yaml.tpl",
+		"helm/templates/_controller-role-kind-patch.yaml.tpl",
 	}
 	releaseIncludePaths = []string{}
 	releaseCopyPaths    = []string{
diff --git a/scripts/build-controller-release.sh b/scripts/build-controller-release.sh
@@ -199,10 +199,17 @@ pushd $SERVICE_CONTROLLER_SOURCE_PATH/pkg/resource 1>/dev/null
 echo "Generating RBAC manifests for $SERVICE"
 controller-gen rbac:roleName=$K8S_RBAC_ROLE_NAME paths=./... output:rbac:artifacts:config=$helm_output_dir/templates
 # controller-gen rbac outputs a ClusterRole definition in a
-# $config_output_dir/rbac/role.yaml file. We have some other standard Role
-# files for a reader and writer role, so here we rename the `role.yaml` file to
-# `cluster-role-controller.yaml` to better reflect what is in that file.
-mv $helm_output_dir/templates/role.yaml $helm_output_dir/templates/cluster-role-controller.yaml
+# $config_output_dir/rbac/role.yaml file. We additionally add the ability by 
+# for the user to specify if they want the role to be ClusterRole or Role by specifying installation scope
+# in the helm values.yaml. We do this by having a custom helm template named _controller-role-kind-patch.yaml 
+# which utilizes the template langauge and adding the auto generated rules to that template. 
+tail -n +8  $helm_output_dir/templates/role.yaml >> $helm_output_dir/templates/_controller-role-kind-patch.yaml
+
+# We have some other standard Role files for a reader and writer role, so here we rename 
+# the `_controller-role-kind-patch.yaml ` file to `cluster-role-controller.yaml` 
+# to better reflect what is in that file. 
+mv $helm_output_dir/templates/_controller-role-kind-patch.yaml  $helm_output_dir/templates/cluster-role-controller.yaml
+rm $helm_output_dir/templates/role.yaml
 
 popd 1>/dev/null
 
diff --git a/scripts/build-controller.sh b/scripts/build-controller.sh
@@ -209,6 +209,11 @@ controller-gen rbac:roleName=$K8S_RBAC_ROLE_NAME paths=./... output:rbac:artifac
 # files for a reader and writer role, so here we rename the `role.yaml` file to
 # `cluster-role-controller.yaml` to better reflect what is in that file.
 mv $config_output_dir/rbac/role.yaml $config_output_dir/rbac/cluster-role-controller.yaml
+# Copy definitions for json patches which allow the user to patch the controller
+# with Role/Rolebinding and be purely namespaced scoped instead of using Cluster/ClusterRoleBinding
+# using kustomize
+mkdir -p $config_output_dir/overlays/namespaced
+cp -r $ROOT_DIR/templates/config/overlays/namespaced/*.json $config_output_dir/overlays/namespaced
 
 popd 1>/dev/null
 
diff --git a/templates/config/overlays/namespaced/kustomization.yaml.tpl b/templates/config/overlays/namespaced/kustomization.yaml.tpl
@@ -0,0 +1,15 @@
+resources:
+- ../../default
+patches:
+- path: role.json
+  target:
+    group: rbac.authorization.k8s.io
+    version: v1
+    kind: ClusterRole
+    name: ack-{{ .ServiceIDClean }}-controller
+- path: role-binding.json
+  target:
+    group: rbac.authorization.k8s.io
+    version: v1
+    kind: ClusterRoleBinding
+    name: ack-{{ .ServiceIDClean }}-controller-rolebinding
diff --git a/templates/config/overlays/namespaced/role-binding.json b/templates/config/overlays/namespaced/role-binding.json
@@ -0,0 +1,3 @@
+[{"op": "replace", "path": "/kind", "value": "RoleBinding"},
+{"op": "add", "path": "/metadata/namespace", "value":  "ack-system"},
+{"op": "replace", "path": "/roleRef/kind", "value": "Role"}]
diff --git a/templates/config/overlays/namespaced/role.json b/templates/config/overlays/namespaced/role.json
@@ -0,0 +1,2 @@
+[{"op": "replace", "path": "/kind", "value": "Role"},
+{"op": "add", "path": "/metadata/namespace", "value": "ack-system"}]
diff --git a/templates/helm/templates/_controller-role-kind-patch.yaml.tpl b/templates/helm/templates/_controller-role-kind-patch.yaml.tpl
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+{{ "{{ if eq .Values.installScope \"cluster\" }}" }}
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: ack-{{ .ServiceIDClean }}-controller
+{{ "{{ else }}" }}
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: ack-{{ .ServiceIDClean }}-controller
+  namespace: {{ "{{ .Release.Namespace }}" }}
+{{ "{{ end }}" }}
diff --git a/templates/helm/templates/_helpers.tpl b/templates/helm/templates/_helpers.tpl
@@ -30,3 +30,9 @@ If release name contains chart name it will be used as a full name.
 {{- define "service-account.name" -}}
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
+
+{{- define "watch-namespace" -}}
+{{- if eq .Values.installScope "namespace" -}}
+{{- .Release.Namespace -}}
+{{- end -}}
+{{- end -}}
diff --git a/templates/helm/templates/cluster-role-binding.yaml.tpl b/templates/helm/templates/cluster-role-binding.yaml.tpl
@@ -1,10 +1,19 @@
 apiVersion: rbac.authorization.k8s.io/v1
+{{ "{{ if eq .Values.installScope \"cluster\" }}" }}
 kind: ClusterRoleBinding
 metadata:
   name: {{ "{{ include \"app.fullname\" . }}" }}
 roleRef:
-  apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
+{{ "{{ else }}" }}
+kind: RoleBinding
+metadata:
+  name: {{ "{{ include \"app.fullname\" . }}" }}
+  namespace: {{ "{{ .Release.Namespace }}" }}
+roleRef:
+  kind: Role
+{{ "{{ end }}" }}
+  apiGroup: rbac.authorization.k8s.io
   name: ack-{{ .ServiceIDClean }}-controller
 subjects:
 - kind: ServiceAccount
diff --git a/templates/helm/templates/deployment.yaml b/templates/helm/templates/deployment.yaml
@@ -67,9 +67,9 @@ spec:
         - name: AWS_REGION
           value: {{ .Values.aws.region }}
         - name: AWS_ENDPOINT_URL
-          value: {{ .Values.aws.endpoint_url | quote}}
+          value: {{ .Values.aws.endpoint_url | quote }}
         - name: ACK_WATCH_NAMESPACE
-          value: {{ .Values.watchNamespace }}
+          value: {{ include "watch-namespace" . }}   
         - name: ACK_ENABLE_DEVELOPMENT_LOGGING
           value: {{ .Values.log.enable_development_logging | quote }}
         - name: ACK_LOG_LEVEL
diff --git a/templates/helm/values.yaml.tpl b/templates/helm/values.yaml.tpl
@@ -44,8 +44,9 @@ log:
   enable_development_logging: false
   level: info
 
-# If specified, the service controller will watch for object creation only in the provided namespace
-watchNamespace: ""
+# Set to "namespace" to install the controller in a namespaced scope, will only watch for object creation 
+# in the namespace. By default installScope is cluster wide.
+installScope: cluster
 
 resourceTags:
   # Configures the ACK service controller to always set key/value pairs tags on resources that it manages.

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ var (`
`36`	`36`	`"config/rbac/role-writer.yaml.tpl",`
`37`	`37`	`"config/rbac/kustomization.yaml.tpl",`
`38`	`38`	`"config/crd/kustomization.yaml.tpl",`
	`39`	`+ "config/overlays/namespaced/kustomization.yaml.tpl",`
`39`	`40`	`}`
`40`	`41`	`controllerIncludePaths = []string{`
`41`	`42`	`"config/controller/kustomization_def.yaml.tpl",`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ var (`
`28`	`28`	`"helm/values.yaml.tpl",`
`29`	`29`	`"helm/templates/role-reader.yaml.tpl",`
`30`	`30`	`"helm/templates/role-writer.yaml.tpl",`
	`31`	`+ "helm/templates/_controller-role-kind-patch.yaml.tpl",`
`31`	`32`	`}`
`32`	`33`	`releaseIncludePaths = []string{}`
`33`	`34`	`releaseCopyPaths = []string{`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[{"op": "replace", "path": "/kind", "value": "RoleBinding"},`
	`2`	`+{"op": "add", "path": "/metadata/namespace", "value": "ack-system"},`
	`3`	`+{"op": "replace", "path": "/roleRef/kind", "value": "Role"}]`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+[{"op": "replace", "path": "/kind", "value": "Role"},`
	`2`	`+{"op": "add", "path": "/metadata/namespace", "value": "ack-system"}]`