Make cluster role optional (#38)

aday-cyral · web-flow · commit 0a6219aaa3f7 · 2021-06-18T18:22:57.000+02:00
diff --git a/README.md b/README.md
@@ -24,6 +24,12 @@ Multiple namespaces are supported and can be set as a comma-separated list: `ns1
 
   If `watchNamespace` is set to the empty string value `""`, all namespaces will be watched.
 
+- `rbac.create` controls if rbac resources are deployed.
+
+- `rbac.clusterRole` controls if secrets generator has permission to watch secrets in namespaces other than where it has been deployed.
+
+  `rbac.clusterRole=false & watchNamespace=""` will result in `watchNamespace` being set to the current namespace as this is all the permissions will allow access to.
+
 Afterwards, deploy the operator using:
 
 1. Add the [Mittwald Charts Repo](https://github.com/mittwald/helm-charts/blob/master/README.md#usage):
diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/_helpers.tpl b/deploy/helm-chart/kubernetes-secret-generator/templates/_helpers.tpl
@@ -61,3 +61,14 @@ Create the name of the service account to use
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Define the namespace to watch
+*/}}
+{{- define "kubernetes-secret-generator.watchNamespace" -}}
+{{- if and .Values.serviceAccount.create .Values.rbac.create (not .Values.rbac.clusterRole) -}}
+    {{ default .Values.watchNamespace .Release.Namespace }}
+{{- else -}}
+    {{ .Values.watchNamespace }}
+{{- end -}}
+{{- end -}}
diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/clusterrole.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/clusterrole.yaml
@@ -0,0 +1,19 @@
+{{- if and .Values.rbac.create .Values.rbac.clusterRole -}}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  labels:
+  {{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
+rules:
+  # actual operator functionality
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+{{- end -}}
diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/clusterrolebinding.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.rbac.create .Values.rbac.clusterRole -}}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  labels:
+  {{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace | quote }}
+    name: {{ include "kubernetes-secret-generator.serviceAccountName" . }}
+{{- end -}}
diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/deployment.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/deployment.yaml
@@ -45,7 +45,7 @@ spec:
             periodSeconds: 3
           env:
             - name: WATCH_NAMESPACE
-              value: {{ .Values.watchNamespace }}
+              value: {{ template "kubernetes-secret-generator.watchNamespace" . }}
             - name: POD_NAME
               valueFrom:
                 fieldRef:
diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/rbac.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/rbac.yaml
diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/role.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/role.yaml
@@ -0,0 +1,44 @@
+{{- if .Values.rbac.create -}}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  labels:
+  {{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
+rules:
+  # leader election
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - delete
+      - get
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - "get"
+      - "create"
+  {{- if and .Values.rbac.create (not .Values.rbac.clusterRole) }}
+  # Permissions to access secrets in this namespace if no cluster role is created.
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+  {{- end -}}
+{{- end -}}
diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/rolebinding.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  labels:
+  {{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
+roleRef:
+  kind: Role
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace | quote }}
+    name: {{ include "kubernetes-secret-generator.serviceAccountName" . }}
+{{- end -}}
diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/serviceaccount.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kubernetes-secret-generator.serviceAccountName" . }}
+  labels:
+  {{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
+{{- end -}}
diff --git a/deploy/helm-chart/kubernetes-secret-generator/values.yaml b/deploy/helm-chart/kubernetes-secret-generator/values.yaml
@@ -52,4 +52,15 @@ secretLength: 40
 # Namespace that are watched for secret generation
 # Accepts a comma-separated list of namespaces: ns1,ns2
 # If set to "", all namespaces will be watched
+# Accessing secrets in namespaces other than the deployed one requires permissions via a cluster role (on by default)
 watchNamespace: ""
+
+# RBAC parameteres
+# https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+rbac:
+  # Disables creation of rbac resources
+  create: true
+  # The cluster role allows access to all namespaces in the cluster.
+  # Set to false to restrict access to the deployed namespace only.
+  # ClusterRole is deployed by Default
+  clusterRole: true
