Deploying clusterRoles and Rolebindings through drpolicy

Signed-off-by: Abhijeet Shakya <[email protected]>
RamenDR · Nov 5, 2024 · 92cd2bf · 92cd2bf
1 parent a620baf
commit 92cd2bf
Show file tree

Hide file tree

Showing 4 changed files with 194 additions and 17 deletions.
diff --git a/internal/controller/drclusters.go b/internal/controller/drclusters.go
@@ -13,6 +13,7 @@ import (
 	rmn "github.com/ramendr/ramen/api/v1alpha1"
 	"github.com/ramendr/ramen/internal/controller/util"
 	"github.com/ramendr/ramen/internal/controller/volsync"
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -88,6 +89,18 @@ func appendSubscriptionObject(
 		)), nil
 }
 
+var olmClusterRole = &rbacv1.ClusterRole{
+	TypeMeta:   metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
+	ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:olm-edit"},
+	Rules: []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{"operators.coreos.com"},
+			Resources: []string{"operatorgroups"},
+			Verbs:     []string{"create", "get", "list", "update", "delete"},
+		},
+	},
+}
+
 func objectsToDeploy(hubOperatorRamenConfig *rmn.RamenConfig) ([]interface{}, error) {
 	objects := []interface{}{}
 
@@ -114,7 +127,11 @@ func objectsToDeploy(hubOperatorRamenConfig *rmn.RamenConfig) ([]interface{}, er
 
 	return append(objects,
 		util.Namespace(drClusterOperatorNamespaceName),
+		olmClusterRole,
+		olmRoleBinding(drClusterOperatorNamespaceName),
 		operatorGroup(drClusterOperatorNamespaceName),
+		drClusterConfigRole,
+		drClusterConfigRoleBinding,
 		drClusterOperatorConfigMap,
 	), nil
 }
@@ -126,6 +143,28 @@ func operatorGroup(namespaceName string) *operatorsv1.OperatorGroup {
 	}
 }
 
+func olmRoleBinding(namespaceName string) *rbacv1.RoleBinding {
+	return &rbacv1.RoleBinding{
+		TypeMeta: metav1.TypeMeta{Kind: "RoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "open-cluster-management:klusterlet-work-sa:agent:olm-edit",
+			Namespace: namespaceName,
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "klusterlet-work-sa",
+				Namespace: "open-cluster-management-agent",
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "open-cluster-management:klusterlet-work-sa:agent:olm-edit",
+		},
+	}
+}
+
 func subscription(
 	namespaceName string,
 	channelName string,

diff --git a/internal/controller/drpolicy.go b/internal/controller/drpolicy.go
@@ -10,7 +10,11 @@ import (
 	"github.com/go-logr/logr"
 	rmn "github.com/ramendr/ramen/api/v1alpha1"
 	"github.com/ramendr/ramen/internal/controller/util"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
+	cpcv1 "open-cluster-management.io/config-policy-controller/api/v1"
 )
 
 var drClustersMutex sync.Mutex
@@ -59,12 +63,15 @@ func drClusterSecretsDeploy(
 		log.Info("Received partial list", "err", err)
 	}
 
+	objectsToAppend := drClusterPolicyObjectsToDeploy()
+
 	for _, secretName := range drPolicySecrets.List() {
 		if err := secretsUtil.AddSecretToCluster(
 			secretName,
 			clusterName,
 			RamenOperatorNamespace(),
 			drClusterOperatorNamespaceNameOrDefault(rmnCfg),
+			objectsToAppend,
 			util.SecretFormatRamen,
 			"",
 		); err != nil {
@@ -77,6 +84,7 @@ func drClusterSecretsDeploy(
 				clusterName,
 				RamenOperatorNamespace(),
 				drClusterOperatorNamespaceNameOrDefault(rmnCfg),
+				objectsToAppend,
 				util.SecretFormatVelero,
 				rmnCfg.KubeObjectProtection.VeleroNamespaceName,
 			); err != nil {
@@ -89,6 +97,29 @@ func drClusterSecretsDeploy(
 	return nil
 }
 
+func drClusterPolicyObjectsToDeploy() []*cpcv1.ObjectTemplate {
+	objects := []*cpcv1.ObjectTemplate{
+		{
+			ComplianceType:   cpcv1.MustHave,
+			ObjectDefinition: runtime.RawExtension{Object: vrgClusterRole},
+		},
+		{
+			ComplianceType:   cpcv1.MustHave,
+			ObjectDefinition: runtime.RawExtension{Object: vrgClusterRoleBinding},
+		},
+		{
+			ComplianceType:   cpcv1.MustHave,
+			ObjectDefinition: runtime.RawExtension{Object: mModeClusterRole},
+		},
+		{
+			ComplianceType:   cpcv1.MustHave,
+			ObjectDefinition: runtime.RawExtension{Object: mModeClusterRoleBinding},
+		},
+	}
+
+	return objects
+}
+
 func drPolicyUndeploy(
 	drpolicy *rmn.DRPolicy,
 	drclusters *rmn.DRClusterList,
@@ -267,3 +298,92 @@ func deleteSecretFromCluster(
 
 	return nil
 }
+
+var (
+	vrgClusterRole = &rbacv1.ClusterRole{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:volrepgroup-edit"},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"ramendr.openshift.io"},
+				Resources: []string{"volumereplicationgroups"},
+				Verbs:     []string{"create", "get", "list", "update", "delete"},
+			},
+		},
+	}
+
+	vrgClusterRoleBinding = &rbacv1.ClusterRoleBinding{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:volrepgroup-edit"},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "klusterlet-work-sa",
+				Namespace: "open-cluster-management-agent",
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "open-cluster-management:klusterlet-work-sa:agent:volrepgroup-edit",
+		},
+	}
+
+	mModeClusterRole = &rbacv1.ClusterRole{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:mmode-edit"},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"ramendr.openshift.io"},
+				Resources: []string{"maintenancemodes"},
+				Verbs:     []string{"create", "get", "list", "update", "delete"},
+			},
+		},
+	}
+
+	mModeClusterRoleBinding = &rbacv1.ClusterRoleBinding{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:mmode-edit"},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "klusterlet-work-sa",
+				Namespace: "open-cluster-management-agent",
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "open-cluster-management:klusterlet-work-sa:agent:mmode-edit",
+		},
+	}
+
+	drClusterConfigRole = &rbacv1.ClusterRole{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:drclusterconfig-edit"},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"ramendr.openshift.io"},
+				Resources: []string{"drclusterconfigs"},
+				Verbs:     []string{"create", "get", "list", "update", "delete"},
+			},
+		},
+	}
+
+	drClusterConfigRoleBinding = &rbacv1.ClusterRoleBinding{
+		TypeMeta:   metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:drclusterconfig-edit"},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "klusterlet-work-sa",
+				Namespace: "open-cluster-management-agent",
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "open-cluster-management:klusterlet-work-sa:agent:drclusterconfig-edit",
+		},
+	}
+)
diff --git a/internal/controller/util/secrets_util.go b/internal/controller/util/secrets_util.go
@@ -271,7 +271,7 @@ func newVeleroSecret(s3SecretRef corev1.SecretReference, fromNS, veleroNS, keyNa
 	}
 }
 
-func newConfigurationPolicy(name string, object *runtime.RawExtension) *cpcv1.ConfigurationPolicy {
+func newConfigurationPolicy(name string, object []*cpcv1.ObjectTemplate) *cpcv1.ConfigurationPolicy {
 	return &cpcv1.ConfigurationPolicy{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "ConfigurationPolicy",
@@ -283,12 +283,7 @@ func newConfigurationPolicy(name string, object *runtime.RawExtension) *cpcv1.Co
 		Spec: &cpcv1.ConfigurationPolicySpec{
 			RemediationAction: cpcv1.Enforce,
 			Severity:          "high",
-			ObjectTemplates: []*cpcv1.ObjectTemplate{
-				{
-					ComplianceType:   cpcv1.MustHave,
-					ObjectDefinition: *object,
-				},
-			},
+			ObjectTemplates:   object,
 		},
 	}
 }
@@ -319,7 +314,7 @@ func newPolicy(name, namespace, triggerValue string, object runtime.RawExtension
 }
 
 func (sutil *SecretsUtil) createPolicyResources(
-	secret *corev1.Secret,
+	secret *corev1.Secret, objectsToAppend []*cpcv1.ObjectTemplate,
 	cluster, namespace, targetNS string,
 	format TargetSecretFormat,
 	veleroNS string,
@@ -356,7 +351,7 @@ func (sutil *SecretsUtil) createPolicyResources(
 
 	// Create a Policy object for the secret
 	configObject := newConfigurationPolicy(configPolicyName,
-		sutil.policyObject(secret.Name, namespace, targetNS, format, veleroNS))
+		sutil.policyObject(secret.Name, namespace, targetNS, objectsToAppend, format, veleroNS))
 
 	sutil.Log.Info("Initializing secret policy trigger", "secret", secret.Name, "trigger", secret.ResourceVersion)
 
@@ -383,24 +378,31 @@ func (sutil *SecretsUtil) createPolicyResources(
 
 func (sutil *SecretsUtil) policyObject(
 	secretName, secretNS, targetNS string,
+	objectsToAppend []*cpcv1.ObjectTemplate,
 	format TargetSecretFormat,
 	veleroNS string,
-) *runtime.RawExtension {
+) []*cpcv1.ObjectTemplate {
 	s3SecretRef := corev1.SecretReference{Name: secretName, Namespace: secretNS}
-	object := &runtime.RawExtension{}
+
+	var secretObject *corev1.Secret
 
 	switch format {
 	case SecretFormatRamen:
-		object = &runtime.RawExtension{Object: newS3ConfigurationSecret(s3SecretRef, targetNS)}
+		secretObject = newS3ConfigurationSecret(s3SecretRef, targetNS)
 	case SecretFormatVelero:
-		object = &runtime.RawExtension{
-			Object: newVeleroSecret(s3SecretRef, targetNS, veleroNS, VeleroSecretKeyNameDefault),
-		}
+		secretObject = newVeleroSecret(s3SecretRef, targetNS, veleroNS, VeleroSecretKeyNameDefault)
 	default:
 		panic(unknownFormat)
 	}
 
-	return object
+	object := &cpcv1.ObjectTemplate{
+		ComplianceType:   cpcv1.MustHave,
+		ObjectDefinition: runtime.RawExtension{Object: secretObject},
+	}
+
+	objectsToAppend = append(objectsToAppend, object)
+
+	return objectsToAppend
 }
 
 func (sutil *SecretsUtil) deletePolicyResources(
@@ -627,6 +629,7 @@ func (sutil *SecretsUtil) ensureS3SecretResources(
 // the targetNS)
 func (sutil *SecretsUtil) AddSecretToCluster(
 	secretName, clusterName, namespace, targetNS string,
+	objectsToAppend []*cpcv1.ObjectTemplate,
 	format TargetSecretFormat,
 	veleroNS string,
 ) error {
@@ -663,7 +666,7 @@ func (sutil *SecretsUtil) AddSecretToCluster(
 			return errorswrapper.Wrap(err, "failed to get placementRule object")
 		}
 
-		return sutil.createPolicyResources(secret, clusterName, namespace, targetNS, format, veleroNS)
+		return sutil.createPolicyResources(secret, objectsToAppend, clusterName, namespace, targetNS, format, veleroNS)
 	}
 
 	return sutil.updatePolicyResources(plRule, secret, clusterName, namespace, format, true)