Deploying clusterRoles and Rolebindings through drpolicy

Signed-off-by: Abhijeet Shakya <[email protected]>
RamenDR · Aug 13, 2024 · c8a1377 · c8a1377
1 parent 0308ae6
commit c8a1377
Show file tree

Hide file tree

Showing 3 changed files with 184 additions and 27 deletions.
diff --git a/internal/controller/drpolicy.go b/internal/controller/drpolicy.go
@@ -10,6 +10,8 @@ import (
 	"github.com/go-logr/logr"
 	rmn "github.com/ramendr/ramen/api/v1alpha1"
 	"github.com/ramendr/ramen/internal/controller/util"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
@@ -59,12 +61,15 @@ func drClusterSecretsDeploy(
 		log.Info("Received partial list", "err", err)
 	}
 
+	objectsToAppend := drClusterPolicyObjectsToDeploy(rmnCfg)
+
 	for _, secretName := range drPolicySecrets.List() {
 		if err := secretsUtil.AddSecretToCluster(
 			secretName,
 			clusterName,
 			RamenOperatorNamespace(),
 			drClusterOperatorNamespaceNameOrDefault(rmnCfg),
+			objectsToAppend,
 			util.SecretFormatRamen,
 			"",
 		); err != nil {
@@ -77,6 +82,7 @@ func drClusterSecretsDeploy(
 				clusterName,
 				RamenOperatorNamespace(),
 				drClusterOperatorNamespaceNameOrDefault(rmnCfg),
+				objectsToAppend,
 				util.SecretFormatVelero,
 				rmnCfg.KubeObjectProtection.VeleroNamespaceName,
 			); err != nil {
@@ -89,6 +95,25 @@ func drClusterSecretsDeploy(
 	return nil
 }
 
+func drClusterPolicyObjectsToDeploy(hubOperatorRamenConfig *rmn.RamenConfig) []interface{} {
+	objects := []interface{}{}
+
+	drClusterOperatorRamenConfig := *hubOperatorRamenConfig
+	ramenConfig := &drClusterOperatorRamenConfig
+	drClusterOperatorNamespaceName := drClusterOperatorNamespaceNameOrDefault(ramenConfig)
+
+	return append(objects,
+		olmClusterRole,
+		olmRoleBinding(drClusterOperatorNamespaceName),
+		vrgClusterRole,
+		vrgClusterRoleBinding,
+		mModeClusterRole,
+		mModeClusterRoleBinding,
+		drClusterConfigRole,
+		drClusterConfigRoleBinding,
+	)
+}
+
 func drPolicyUndeploy(
 	drpolicy *rmn.DRPolicy,
 	drclusters *rmn.DRClusterList,
@@ -267,3 +292,126 @@ func deleteSecretFromCluster(
 
 	return nil
 }
+
+func olmRoleBinding(namespaceName string) *rbacv1.RoleBinding {
+	return &rbacv1.RoleBinding{
+		TypeMeta: metav1.TypeMeta{Kind: "RoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "open-cluster-management:klusterlet-work-sa:agent:olm-edit",
+			Namespace: namespaceName,
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "klusterlet-work-sa",
+				Namespace: "open-cluster-management-agent",
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "open-cluster-management:klusterlet-work-sa:agent:olm-edit",
+		},
+	}
+}
+
+var (
+	olmClusterRole = &rbacv1.ClusterRole{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:olm-edit"},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"operators.coreos.com"},
+				Resources: []string{"operatorgroups"},
+				Verbs:     []string{"create", "get", "list", "update", "delete"},
+			},
+		},
+	}
+
+	vrgClusterRole = &rbacv1.ClusterRole{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:volrepgroup-edit"},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"ramendr.openshift.io"},
+				Resources: []string{"volumereplicationgroups"},
+				Verbs:     []string{"create", "get", "list", "update", "delete"},
+			},
+		},
+	}
+
+	vrgClusterRoleBinding = &rbacv1.ClusterRoleBinding{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:volrepgroup-edit"},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "klusterlet-work-sa",
+				Namespace: "open-cluster-management-agent",
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "open-cluster-management:klusterlet-work-sa:agent:volrepgroup-edit",
+		},
+	}
+
+	mModeClusterRole = &rbacv1.ClusterRole{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:mmode-edit"},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"ramendr.openshift.io"},
+				Resources: []string{"maintenancemodes"},
+				Verbs:     []string{"create", "get", "list", "update", "delete"},
+			},
+		},
+	}
+
+	mModeClusterRoleBinding = &rbacv1.ClusterRoleBinding{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:mmode-edit"},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "klusterlet-work-sa",
+				Namespace: "open-cluster-management-agent",
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "open-cluster-management:klusterlet-work-sa:agent:mmode-edit",
+		},
+	}
+
+	drClusterConfigRole = &rbacv1.ClusterRole{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:drclusterconfig-edit"},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"ramendr.openshift.io"},
+				Resources: []string{"drclusterconfigs"},
+				Verbs:     []string{"create", "get", "list", "update", "delete"},
+			},
+		},
+	}
+
+	drClusterConfigRoleBinding = &rbacv1.ClusterRoleBinding{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:drclusterconfig-edit"},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "klusterlet-work-sa",
+				Namespace: "open-cluster-management-agent",
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "open-cluster-management:klusterlet-work-sa:agent:drclusterconfig-edit",
+		},
+	}
+)
diff --git a/internal/controller/util/secrets_util.go b/internal/controller/util/secrets_util.go
@@ -228,8 +228,8 @@ func newPlacementRule(name string, namespace string,
 	}
 }
 
-func newS3ConfigurationSecret(s3SecretRef corev1.SecretReference, targetns string) []byte {
-	secretObjDefinition := map[string]interface{}{
+func newS3ConfigurationSecret(s3SecretRef corev1.SecretReference, targetns string) map[string]interface{} {
+	return map[string]interface{}{
 		"apiVersion": "v1",
 		"kind":       "Secret",
 		"metadata": map[string]interface{}{
@@ -248,17 +248,10 @@ func newS3ConfigurationSecret(s3SecretRef corev1.SecretReference, targetns strin
 				"\"AWS_SECRET_ACCESS_KEY\" hub}}",
 		},
 	}
-
-	secretObjDefinitionRaw, err := json.Marshal(secretObjDefinition)
-	if err != nil {
-		return nil
-	}
-
-	return secretObjDefinitionRaw
 }
 
-func newVeleroSecret(s3SecretRef corev1.SecretReference, fromNS, veleroNS, keyName string) []byte {
-	secretObjDefinition := map[string]interface{}{
+func newVeleroSecret(s3SecretRef corev1.SecretReference, fromNS, veleroNS, keyName string) map[string]interface{} {
+	return map[string]interface{}{
 		"apiVersion": "v1",
 		"kind":       "Secret",
 		"metadata": map[string]interface{}{
@@ -275,13 +268,6 @@ func newVeleroSecret(s3SecretRef corev1.SecretReference, fromNS, veleroNS, keyNa
 				") | base64enc }}",
 		},
 	}
-
-	secretObjDefinitionRaw, err := json.Marshal(secretObjDefinition)
-	if err != nil {
-		return nil
-	}
-
-	return secretObjDefinitionRaw
 }
 
 func newConfigurationPolicy(name string, object *runtime.RawExtension) *cpcv1.ConfigurationPolicy {
@@ -332,7 +318,7 @@ func newPolicy(name, namespace, triggerValue string, object runtime.RawExtension
 }
 
 func (sutil *SecretsUtil) createPolicyResources(
-	secret *corev1.Secret,
+	secret *corev1.Secret, objectsToAppend []interface{},
 	cluster, namespace, targetNS string,
 	format TargetSecretFormat,
 	veleroNS string,
@@ -369,7 +355,7 @@ func (sutil *SecretsUtil) createPolicyResources(
 
 	// Create a Policy object for the secret
 	configObject := newConfigurationPolicy(configPolicyName,
-		sutil.policyObject(secret.Name, namespace, targetNS, format, veleroNS))
+		sutil.policyObject(secret.Name, namespace, targetNS, objectsToAppend, format, veleroNS))
 
 	sutil.Log.Info("Initializing secret policy trigger", "secret", secret.Name, "trigger", secret.ResourceVersion)
 
@@ -396,24 +382,31 @@ func (sutil *SecretsUtil) createPolicyResources(
 
 func (sutil *SecretsUtil) policyObject(
 	secretName, secretNS, targetNS string,
+	objectsToAppend []interface{},
 	format TargetSecretFormat,
 	veleroNS string,
 ) *runtime.RawExtension {
 	s3SecretRef := corev1.SecretReference{Name: secretName, Namespace: secretNS}
-	object := &runtime.RawExtension{}
+
+	var object []interface{}
 
 	switch format {
 	case SecretFormatRamen:
-		object = &runtime.RawExtension{Raw: newS3ConfigurationSecret(s3SecretRef, targetNS)}
+		object = append(object, newS3ConfigurationSecret(s3SecretRef, targetNS))
 	case SecretFormatVelero:
-		object = &runtime.RawExtension{
-			Raw: newVeleroSecret(s3SecretRef, targetNS, veleroNS, VeleroSecretKeyNameDefault),
-		}
+		object = append(object, newVeleroSecret(s3SecretRef, targetNS, veleroNS, VeleroSecretKeyNameDefault))
 	default:
 		panic(unknownFormat)
 	}
 
-	return object
+	object = append(object, objectsToAppend...)
+
+	object2, err := json.Marshal(object)
+	if err != nil {
+		return nil
+	}
+
+	return &runtime.RawExtension{Raw: object2}
 }
 
 func (sutil *SecretsUtil) deletePolicyResources(
@@ -640,6 +633,7 @@ func (sutil *SecretsUtil) ensureS3SecretResources(
 // the targetNS)
 func (sutil *SecretsUtil) AddSecretToCluster(
 	secretName, clusterName, namespace, targetNS string,
+	objectsToAppend []interface{},
 	format TargetSecretFormat,
 	veleroNS string,
 ) error {
@@ -676,7 +670,7 @@ func (sutil *SecretsUtil) AddSecretToCluster(
 			return errorswrapper.Wrap(err, "failed to get placementRule object")
 		}
 
-		return sutil.createPolicyResources(secret, clusterName, namespace, targetNS, format, veleroNS)
+		return sutil.createPolicyResources(secret, objectsToAppend, clusterName, namespace, targetNS, format, veleroNS)
 	}
 
 	return sutil.updatePolicyResources(plRule, secret, clusterName, namespace, format, true)