Update kubeconfig provider script and documentation for rbac and service account creation

Signed-off-by: Codey Jenkins <[email protected]>

Author: FourFifthsCode

examples/kubeconfig/README.md

@@ -14,7 +14,8 @@ The kubeconfig provider allows you to:
 ```
 examples/kubeconfig/
 ├── scripts/                 # Utility scripts
-│   └── create-kubeconfig-secret.sh
+│   ├── create-kubeconfig-secret.sh
+│   └── rules.yaml          # Default RBAC rules template
 └── main.go                 # Example operator implementation
 ```
 
@@ -40,35 +41,96 @@ The script will:
 - Use the specified service account from the remote cluster
 - Generate a kubeconfig using the service account's token
 - Store the kubeconfig in a secret in your local cluster
+- Automatically create RBAC resources (Role/ClusterRole and bindings) with permissions defined in `rules.yaml` 
+
+#### Command Line Options
 
-Command line options:
 - `-c, --context`: Kubeconfig context to use (required)
 - `--name`: Name for the secret (defaults to context name)
 - `-n, --namespace`: Namespace to create the secret in (default: "default")
-- `-a, --service-account`: Service account name to use from the remote cluster (default: "default")
+- `-a, --service-account`: Service account name to use from the remote cluster (default: "multicluster-kubeconfig-provider")
+- `-t, --role-type`: Create Role or ClusterRole (`role`|`clusterrole`) (default: "clusterrole")
+- `-r, --rules-file`: Path to custom rules file (default: `rules.yaml` in script directory)
+- `--skip-create-rbac`: Skip creating RBAC resources (Role/ClusterRole and bindings)
+- `-h, --help`: Show help message
+
+#### Examples
+
+```bash
+# Basic usage with default settings
+./scripts/create-kubeconfig-secret.sh -c prod-cluster
+
+# Create namespace-scoped Role instead of ClusterRole
+./scripts/create-kubeconfig-secret.sh -c prod-cluster -t role
+
+# Use custom RBAC rules file
+./scripts/create-kubeconfig-secret.sh -c prod-cluster -r ./custom-rules.yaml
+
+# Skip RBAC creation (manual RBAC setup)
+./scripts/create-kubeconfig-secret.sh -c prod-cluster --skip-create-rbac
+
+# Full example with all options
+./scripts/create-kubeconfig-secret.sh \
+  --name my-cluster \
+  -n my-namespace \
+  -c prod-cluster \
+  -a my-service-account \
+  -t clusterrole \
+  -r ./my-rules.yaml
+```
 
-### 2. Customizing RBAC Rules
+### 2. RBAC Configuration
 
-The service account in the remote cluster must have the necessary RBAC permissions for your operator to function. Edit the RBAC templates in the `rbac/` directory to define the permissions your operator needs:
+The script automatically creates RBAC resources with the necessary permissions for your operator. By default, it uses the rules defined in `scripts/rules.yaml`:
 
 ```yaml
-# rbac/clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ${SECRET_NAME}-role
 rules:
-# Add permissions for your operator <--------------------------------
-- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: ["list", "get", "watch"]  # watch is needed for controllers that observe resources
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["list", "get", "watch"]
 ```
 
-Important RBAC considerations:
-- Use `watch` verb if your controller needs to observe resource changes
-- Use `list` and `get` for reading resources
-- Use `create`, `update`, `patch`, `delete` for modifying resources
-- Consider using `Role` instead of `ClusterRole` if you only need namespace-scoped permissions
+#### Customizing RBAC Rules
+
+You can customize the RBAC permissions by:
+
+1. **Editing the default rules file** (`scripts/rules.yaml`):
+```yaml
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps", "secrets", "pods"]
+    verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["list", "get", "watch"]
+```
+
+2. **Using a custom rules file** with the `-r` option:
+```bash
+./scripts/create-kubeconfig-secret.sh -c prod-cluster -r ./my-custom-rules.yaml
+```
+
+3. **Choosing between Role and ClusterRole**:
+   - Use `-t role` for namespace-scoped permissions
+   - Use `-t clusterrole` (default) for cluster-wide permissions
+
+#### RBAC Resource Creation
+
+The script creates the following RBAC resources automatically:
+
+- **Service Account**: If it doesn't exist, creates the specified service account
+- **Role/ClusterRole**: With the permissions defined in the rules file
+- **RoleBinding/ClusterRoleBinding**: Binds the service account to the role
+
+#### Skipping RBAC Creation
+
+If you prefer to manage RBAC manually, use the `--skip-create-rbac` flag:
+
+```bash
+./scripts/create-kubeconfig-secret.sh -c prod-cluster --skip-create-rbac
+```
+
+This will only create the kubeconfig secret without setting up any RBAC resources.
 
 ### 3. Implementing Your Operator
 
@@ -99,12 +161,18 @@ Your controllers can then use the manager to access any cluster and view the res
    - Creates a new controller-runtime cluster
    - Makes the cluster available to your controllers
 3. Your controllers can access any cluster through the manager
-4. RBAC rules ensure your operator has the necessary permissions in each cluster
+4. RBAC Rules on the remote clusters ensure the SA operator on the cluster of the controller has the necessary permissions in the remote clusters
 
 ## Labels and Configuration
 
 The provider uses the following labels and keys by default:
 - Label: `sigs.k8s.io/multicluster-runtime-kubeconfig: "true"`
 - Secret data key: `kubeconfig`
 
-You can customize these in the provider options when creating it. 
+You can customize these in the provider options when creating it.
+
+## Prerequisites
+
+- `kubectl` configured with access to both the local and remote clusters
+- `yq` command-line tool installed (required for RBAC rule processing)
+- Service account with appropriate permissions in the remote cluster (if not using automatic RBAC creation script) 

examples/kubeconfig/scripts/create-kubeconfig-secret.sh

@@ -6,9 +6,18 @@ set -e
 
 # Default values
 NAMESPACE="default"
-SERVICE_ACCOUNT="default"
+SERVICE_ACCOUNT="multicluster-kubeconfig-provider"
 KUBECONFIG_CONTEXT=""
 SECRET_NAME=""
+ROLE_TYPE="clusterrole"
+RULES_FILE=""
+CREATE_RBAC="true"
+
+# Check for yq
+if ! command -v yq &>/dev/null; then
+  echo "ERROR: 'yq' is required but not installed. Please install yq (https://mikefarah.gitbook.io/yq/) and try again."
+  exit 1
+fi
 
 # Function to display usage information
 function show_help {
@@ -17,9 +26,130 @@ function show_help {
   echo "  --name NAME              Name for the secret (defaults to context name)"
   echo "  -n, --namespace NS       Namespace to create the secret in (default: ${NAMESPACE})"
   echo "  -a, --service-account SA Service account name to use (default: ${SERVICE_ACCOUNT})"
+  echo "  -t, --role-type TYPE     Create Role or ClusterRole (role|clusterrole) (default: clusterrole)"
+  echo "  -r, --rules-file FILE    Path to rules file (default: rules.yaml in script directory)"
+  echo "  --skip-create-rbac       Skip creating RBAC resources (Role/ClusterRole and bindings)"
   echo "  -h, --help               Show this help message"
   echo ""
-  echo "Example: $0 -c prod-cluster"
+  echo "Examples:"
+  echo "  $0 -c prod-cluster"
+  echo "  $0 -c prod-cluster -t role -r ./custom-rules.yaml"
+  echo "  $0 -c prod-cluster -t clusterrole"
+  echo "  $0 -c prod-cluster --skip-create-rbac"
+}
+
+# Function to create Role or ClusterRole
+function create_rbac {
+  local role_type="$1"
+  local rules_file="$2"
+  local role_name="$3"
+  local namespace="$4"
+  
+  if [ ! -f "$rules_file" ]; then
+    echo "ERROR: Rules file not found: $rules_file"
+    exit 1
+  fi
+  
+  echo "Creating ${role_type} '${role_name}'..."
+  
+  if [ "$role_type" = "role" ]; then
+    # Create Role
+    ROLE_YAML=$(cat <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ${role_name}
+  namespace: ${namespace}
+rules:
+$(yq '.rules' "$rules_file")
+EOF
+)
+    
+    echo "$ROLE_YAML" | kubectl --context=${KUBECONFIG_CONTEXT} apply -f -
+    
+    # Create RoleBinding
+    ROLEBINDING_YAML=$(cat <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ${role_name}-binding
+  namespace: ${namespace}
+subjects:
+- kind: ServiceAccount
+  name: ${SERVICE_ACCOUNT}
+  namespace: ${namespace}
+roleRef:
+  kind: Role
+  name: ${role_name}
+  apiGroup: rbac.authorization.k8s.io
+EOF
+)
+    
+    echo "$ROLEBINDING_YAML" | kubectl --context=${KUBECONFIG_CONTEXT} apply -f -
+    
+  else
+    # Create ClusterRole
+    CLUSTERROLE_YAML=$(cat <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ${role_name}
+rules:
+$(yq '.rules' "$rules_file")
+EOF
+)
+    
+    echo "$CLUSTERROLE_YAML" | kubectl --context=${KUBECONFIG_CONTEXT} apply -f -
+    
+    # Create ClusterRoleBinding
+    CLUSTERROLEBINDING_YAML=$(cat <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ${role_name}-binding
+subjects:
+- kind: ServiceAccount
+  name: ${SERVICE_ACCOUNT}
+  namespace: ${namespace}
+roleRef:
+  kind: ClusterRole
+  name: ${role_name}
+  apiGroup: rbac.authorization.k8s.io
+EOF
+)
+    
+    echo "$CLUSTERROLEBINDING_YAML" | kubectl --context=${KUBECONFIG_CONTEXT} apply -f -
+  fi
+  
+  echo "$(tr '[:lower:]' '[:upper:]' <<< ${role_type:0:1})${role_type:1} '${role_name}' created successfully!"
+}
+
+# Function to create service account if it doesn't exist
+function ensure_service_account {
+  local namespace="$1"
+  local service_account="$2"
+  
+  echo "Checking if service account '${service_account}' exists in namespace '${namespace}'..."
+  
+  # Check if service account exists
+  if ! kubectl --context=${KUBECONFIG_CONTEXT} get serviceaccount ${service_account} -n ${namespace} &>/dev/null; then
+    echo "Service account '${service_account}' not found in namespace '${namespace}'. Creating..."
+    
+    # Create the service account
+    SERVICE_ACCOUNT_YAML=$(cat <<EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ${service_account}
+  namespace: ${namespace}
+EOF
+)
+    
+    echo "$SERVICE_ACCOUNT_YAML" | kubectl --context=${KUBECONFIG_CONTEXT} apply -f -
+    echo "Service account '${service_account}' created successfully in namespace '${namespace}'"
+  else
+    echo "Service account '${service_account}' already exists in namespace '${namespace}'"
+  fi
 }
 
 # Parse command line options
@@ -42,6 +172,18 @@ while [[ $# -gt 0 ]]; do
       SERVICE_ACCOUNT="$2"
       shift 2
       ;;
+    -t|--role-type)
+      ROLE_TYPE="$2"
+      shift 2
+      ;;
+    -r|--rules-file)
+      RULES_FILE="$2"
+      shift 2
+      ;;
+    --skip-create-rbac)
+      CREATE_RBAC="false"
+      shift
+      ;;
     -h|--help)
       show_help
       exit 0
@@ -61,11 +203,28 @@ if [ -z "$KUBECONFIG_CONTEXT" ]; then
   exit 1
 fi
 
+# Validate role type if specified
+if [ -n "$ROLE_TYPE" ] && [ "$ROLE_TYPE" != "role" ] && [ "$ROLE_TYPE" != "clusterrole" ]; then
+  echo "ERROR: Invalid role type '$ROLE_TYPE'. Must be 'role' or 'clusterrole'"
+  show_help
+  exit 1
+fi
+
+# Set default rules file if not specified
+if [ -z "$RULES_FILE" ]; then
+  RULES_FILE="$(dirname "$0")/rules.yaml"
+fi
+
 # Set secret name to context if not specified
 if [ -z "$SECRET_NAME" ]; then
   SECRET_NAME="$KUBECONFIG_CONTEXT"
 fi
 
+# Create RBAC resources by default (unless --no-create-role is specified)
+if [ "$CREATE_RBAC" = "true" ]; then
+  create_rbac "$ROLE_TYPE" "$RULES_FILE" "$SECRET_NAME" "$NAMESPACE"
+fi
+
 # Get the cluster CA certificate from the remote cluster
 CLUSTER_CA=$(kubectl --context=${KUBECONFIG_CONTEXT} config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}')
 if [ -z "$CLUSTER_CA" ]; then
@@ -80,6 +239,9 @@ if [ -z "$CLUSTER_SERVER" ]; then
   exit 1
 fi
 
+# Ensure service account exists
+ensure_service_account "$NAMESPACE" "$SERVICE_ACCOUNT"
+
 # Get the service account token from the remote cluster
 SA_TOKEN=$(kubectl --context=${KUBECONFIG_CONTEXT} -n ${NAMESPACE} create token ${SERVICE_ACCOUNT} --duration=8760h)
 if [ -z "$SA_TOKEN" ]; then
@@ -115,10 +277,10 @@ echo "$NEW_KUBECONFIG" > "$TEMP_KUBECONFIG"
 
 # Verify the kubeconfig works
 echo "Verifying kubeconfig..."
-if ! kubectl --kubeconfig="$TEMP_KUBECONFIG" get pods -A &>/dev/null; then
+if ! kubectl --kubeconfig="$TEMP_KUBECONFIG" version &>/dev/null; then
   rm "$TEMP_KUBECONFIG"
-  echo "ERROR: Failed to verify kubeconfig - unable to list pods."
-  echo "- Ensure that the service account '${NAMESPACE}/${SERVICE_ACCOUNT}' on cluster '${KUBECONFIG_CONTEXT}' has the necessary permissions to list pods."
+  echo "ERROR: Failed to verify kubeconfig - unable to connect to cluster."
+  echo "- Ensure that the service account '${NAMESPACE}/${SERVICE_ACCOUNT}' on cluster '${KUBECONFIG_CONTEXT}' exists and is properly configured."
   echo "- You may specify a namespace using the -n flag."
   echo "- You may specify a service account using the -a flag."
   exit 1

examples/kubeconfig/scripts/rules.yaml

@@ -0,0 +1,9 @@
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - list
+      - get
+      - watch