WIP: Add support for updating clusterRoles/Roles

Signed-off-by: Todd Short <[email protected]>

Author: tmshort

hack/tools/patch-base-for-helm.sh

@@ -1,13 +1,20 @@
 #!/bin/bash
 
+# This script patches the kubebuilder generated files to make them ready for helm
+# The patching is done via a combination of `yq` to add valid YAML to the appropriate location
+# and then `sed` is used to replace some text with Helm templating.
+# This can't be done in one step because `yq` (or `kustomize` for that matter) can't manipulate
+# YAML once helm templating has been added.
+
 # Patch catalogd rbac
 catalogd_rbac_filelist=(
     helm/olmv1/base/catalogd/rbac/experimental/*.yaml
     helm/olmv1/base/catalogd/rbac/standard/*.yaml
 )
 for f in "${catalogd_rbac_filelist[@]}"; do
     yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}"
-    rm -f "${f}.bak"
+    yq -i 'with(.; select(.kind == "Role") | .rules += { "replaceMe": "catalogd-role-rules"})' "${f}"
+    yq -i 'with(.; select(.kind == "ClusterRole") | .rules += { "replaceMe": "catalogd-cluster-role-rules"})' "${f}"
 done
 
 # Patch operator-controller rbac
@@ -17,7 +24,8 @@ operator_controller_rbac_filelist=(
 )
 for f in "${operator_controller_rbac_filelist[@]}"; do
     yq -i '.metadata.labels["app.kubernetes.io/name"] = "operator-controller"' "${f}"
-    rm -f "${f}.bak"
+    yq -i 'with(.; select(.kind == "Role") | .rules += { "replaceMe": "operator-controller-role-rules"})' "${f}"
+    yq -i 'with(.; select(.kind == "ClusterRole") | .rules += { "replaceMe": "operator-controller-cluster-role-rules"})' "${f}"
 done
 
 # Patch catalogd webhook
@@ -35,10 +43,9 @@ for f in "${catalogd_webhook_filelist[@]}"; do
     yq -i '.webhooks[0].clientConfig.service.port = 9443' "${f}"
     yq -i '.webhooks[0].matchConditions[0].name = "MissingOrIncorrectMetadataNameLabel"' "${f}"
     yq -i '.webhooks[0].matchConditions[0].expression = "\"name\" in object.metadata && (!has(object.metadata.labels) || !(\"olm.operatorframework.io/metadata.name\" in object.metadata.labels) || object.metadata.labels[\"olm.operatorframework.io/metadata.name\"] != object.metadata.name)"' "${f}"
-    rm -f "${f}.bak"
 done
 
-# Patch everything genericly
+# Patch everything generically
 filelist=(
     helm/olmv1/base/catalogd/rbac/experimental/*.yaml
     helm/olmv1/base/catalogd/rbac/standard/*.yaml
@@ -56,10 +63,14 @@ for f in "${filelist[@]}"; do
     # Patch in the temporary items
     yq -i '.metadata.annotations.replaceMe = "annotations"' "${f}"
     yq -i '.metadata.labels.replaceMe = "labels"' "${f}"
-    # Replace with helm template - must be done last or yq will complain about the file formXat
+    # Replace with helm template - must be done last or yq will complain about the file format
     sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annotations" . | nindent 4 }}/g' "${f}"
     sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" . | nindent 4 }}/g' "${f}"
     sed -i.bak 's/olmv1-system/{{ .Values.namespaces.olmv1.name }}/g' "${f}"
+    sed -i.bak 's/- replaceMe: catalogd-role-rules/{{- include "olmv1.catalogd.role.rules" . | nindent 2 }}/g' "${f}"
+    sed -i.bak 's/- replaceMe: catalogd-cluster-role-rules/{{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }}/g' "${f}"
+    sed -i.bak 's/- replaceMe: operator-controller-role-rules/{{- include "olmv1.operatorController.role.rules" . | nindent 2 }}/g' "${f}"
+    sed -i.bak 's/- replaceMe: operator-controller-cluster-role-rules/{{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }}/g' "${f}"
     # Delete sed's backup file
     rm -f "${f}.bak"
 done

helm/olmv1/base/catalogd/rbac/experimental/role.yaml

@@ -35,6 +35,7 @@ rules:
       - get
       - patch
       - update
+  {{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -56,3 +57,4 @@ rules:
       - get
       - list
       - watch
+  {{- include "olmv1.catalogd.role.rules" . | nindent 2 }}

helm/olmv1/base/catalogd/rbac/standard/role.yaml

@@ -35,6 +35,7 @@ rules:
       - get
       - patch
       - update
+  {{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -56,3 +57,4 @@ rules:
       - get
       - list
       - watch
+  {{- include "olmv1.catalogd.role.rules" . | nindent 2 }}

helm/olmv1/base/operator-controller/rbac/experimental/role.yaml

@@ -62,6 +62,7 @@ rules:
     verbs:
       - list
       - watch
+  {{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -95,3 +96,4 @@ rules:
       - get
       - list
       - watch
+  {{- include "olmv1.operatorController.role.rules" . | nindent 2 }}

helm/olmv1/base/operator-controller/rbac/standard/role.yaml

@@ -62,6 +62,7 @@ rules:
     verbs:
       - list
       - watch
+  {{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -95,3 +96,4 @@ rules:
       - get
       - list
       - watch
+  {{- include "olmv1.operatorController.role.rules" . | nindent 2 }}

helm/olmv1/templates/_helpers.tpl

@@ -31,3 +31,30 @@ Common annoations
 {{- define "olmv1.annotations" -}}
 olm.operatorframework.io/feature-set: {{ .Values.featureSet -}}{{- if .Values.components.e2e.enabled -}}-e2e{{- end -}}
 {{- end }}
+
+{{/*
+Insertion of additional rules for RBAC
+*/}}
+{{- define "olmv1.catalogd.role.rules" -}}
+{{- with .Values.components.catalogd.rules }}
+{{- toYamlPretty . }}
+{{- end }}
+{{- end }}
+
+{{- define "olmv1.catalogd.clusterRole.rules" -}}
+{{- with .Values.components.catalogd.clusterRole.rules }}
+{{- toYamlPretty . }}
+{{- end }}
+{{- end }}
+
+{{- define "olmv1.operatorController.role.rules" -}}
+{{- with .Values.components.operatorController.role.rules }}
+{{- toYamlPretty . }}
+{{- end }}
+{{- end }}
+
+{{- define "olmv1.operatorController.clusterRole.rules" -}}
+{{- with .Values.components.operatorController.clusterRole.rules }}
+{{- toYamlPretty . }}
+{{- end }}
+{{- end }}

helm/olmv1/values.yaml

@@ -18,6 +18,10 @@ components:
     podArguments: {}
     service:
       annotations: {}
+    clusterRole:
+      rules: {}
+    role:
+      rules: {}
   catalogd:
     enabled: true
     image:
@@ -32,6 +36,10 @@ components:
     podArguments: {}
     service:
       annotations: {}
+    clusterRole:
+      rules: {}
+    role:
+      rules: {}
   certManager:
     enabled: true
   e2e: