Helm: add support for cluster role aggregates

benashz · benashz · commit a4e784d9988b · 2024-05-15T15:22:57.000-04:00
Extends the Helm chart to create ClusterRole aggregates based of the
resource specific viewer and editor roles.
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
@@ -175,3 +175,43 @@ globalTransformationOptions configures the manager's --global-transformation-opt
 {{- $opts | join "," -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+aggregateRoleMatchLabelsViewer generates the matchLabels for the viewer cluster roles.
+*/}}
+{{- define "vso.aggregateRoleMatchLabelsViewer" -}}
+{{- $ret := list }}
+{{- with .Values.controller.rbac.clusterRoleAggregation.viewerRoles -}}
+{{- if eq "*" (. | first) -}}
+{{- $labels := dict "vso.hashicorp.com/aggregate-to-viewer" "true" -}}
+{{- $ret = append $ret (dict "matchLabels" $labels) }}
+{{- else -}}
+{{- range . -}}
+{{- $labels := dict -}}
+{{- $_ := set $labels "vso.hashicorp.com/role-instance" (printf "%s-viewer-role" (. | lower) ) -}}
+{{- $ret = append $ret (dict "matchLabels" $labels) }}
+{{- end -}}
+{{- end -}}
+{{- $ret | toYaml -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+aggregateRoleMatchLabelsEditor generates the matchLabels for the editor cluster roles.
+*/}}
+{{- define "vso.aggregateRoleMatchLabelsEditor" -}}
+{{- $ret := list }}
+{{- with .Values.controller.rbac.clusterRoleAggregation.editorRoles -}}
+{{- if eq "*" (. | first) -}}
+{{- $labels := dict "vso.hashicorp.com/aggregate-to-editor" "true" -}}
+{{- $ret = append $ret (dict "matchLabels" $labels) }}
+{{- else -}}
+{{- range . -}}
+{{- $labels := dict -}}
+{{- $_ := set $labels "vso.hashicorp.com/role-instance" (printf "%s-editor-role" (. | lower) ) -}}
+{{- $ret = append $ret (dict "matchLabels" $labels) }}
+{{- end -}}
+{{- end -}}
+{{- $ret | toYaml -}}
+{{- end -}}
+{{- end -}}
diff --git a/chart/templates/clusterrole-aggregated-editor.yaml b/chart/templates/clusterrole-aggregated-editor.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.controller.rbac.clusterRoleAggregation.editorRoles -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ printf "%s-%s" (include "vso.chart.fullname" .) "aggregate-role-editor" }}
+  labels:
+    app.kubernetes.io/component: rbac
+    vso.hashicorp.com/role-instance: aggregate-role-editor
+{{- include "vso.chart.labels" . | nindent 4 }}
+aggregationRule:
+  clusterRoleSelectors:
+{{- include "vso.aggregateRoleMatchLabelsEditor" . | nindent 7 -}}
+{{- end -}}
diff --git a/chart/templates/clusterrole-aggregated-viewer.yaml b/chart/templates/clusterrole-aggregated-viewer.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.controller.rbac.clusterRoleAggregation.viewerRoles -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ printf "%s-%s" (include "vso.chart.fullname" .) "aggregate-role-viewer" }}
+  labels:
+    app.kubernetes.io/component: rbac
+    vso.hashicorp.com/role-instance: aggregate-role-viewer
+    vso.hashicorp.com/aggregate-to-editor: "true"
+{{- include "vso.chart.labels" . | nindent 4 }}
+aggregationRule:
+  clusterRoleSelectors:
+{{- include "vso.aggregateRoleMatchLabelsViewer" . | nindent 7 -}}
+{{- end -}}
diff --git a/chart/templates/hcpauth_editor_role.yaml b/chart/templates/hcpauth_editor_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: hcpauth-editor-role
+    vso.hashicorp.com/aggregate-to-editor: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/hcpauth_viewer_role.yaml b/chart/templates/hcpauth_viewer_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: hcpauth-viewer-role
+    vso.hashicorp.com/aggregate-to-viewer: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/hcpvaultsecretsapp_editor_role.yaml b/chart/templates/hcpvaultsecretsapp_editor_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: hcpsecretsapp-editor-role
+    vso.hashicorp.com/aggregate-to-editor: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/hcpvaultsecretsapp_viewer_role.yaml b/chart/templates/hcpvaultsecretsapp_viewer_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: hcpsecretsapp-viewer-role
+    vso.hashicorp.com/aggregate-to-viewer: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/role.yaml b/chart/templates/role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: manager-role
+    
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/secrettransformation_editor_role.yaml b/chart/templates/secrettransformation_editor_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: secrettransformation-editor-role
+    vso.hashicorp.com/aggregate-to-editor: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/secrettransformation_viewer_role.yaml b/chart/templates/secrettransformation_viewer_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: secrettransformation-viewer-role
+    vso.hashicorp.com/aggregate-to-viewer: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/vaultauth_editor_role.yaml b/chart/templates/vaultauth_editor_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: vaultauth-editor-role
+    vso.hashicorp.com/aggregate-to-editor: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/vaultauth_viewer_role.yaml b/chart/templates/vaultauth_viewer_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: vaultauth-viewer-role
+    vso.hashicorp.com/aggregate-to-viewer: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/vaultconnection_editor_role.yaml b/chart/templates/vaultconnection_editor_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: vaultconnection-editor-role
+    vso.hashicorp.com/aggregate-to-editor: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/vaultconnection_viewer_role.yaml b/chart/templates/vaultconnection_viewer_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: vaultconnection-viewer-role
+    vso.hashicorp.com/aggregate-to-viewer: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/vaultdynamicsecret_editor_role.yaml b/chart/templates/vaultdynamicsecret_editor_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: vaultdynamicsecret-editor-role
+    vso.hashicorp.com/aggregate-to-editor: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/vaultdynamicsecret_viewer_role.yaml b/chart/templates/vaultdynamicsecret_viewer_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: vaultdynamicsecret-viewer-role
+    vso.hashicorp.com/aggregate-to-viewer: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/vaultpkisecret_editor_role.yaml b/chart/templates/vaultpkisecret_editor_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: vaultpki-editor-role
+    vso.hashicorp.com/aggregate-to-editor: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/vaultpkisecret_viewer_role.yaml b/chart/templates/vaultpkisecret_viewer_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: vaultpki-viewer-role
+    vso.hashicorp.com/aggregate-to-viewer: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/vaultstaticsecret_editor_role.yaml b/chart/templates/vaultstaticsecret_editor_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: vaultstaticsecret-editor-role
+    vso.hashicorp.com/aggregate-to-editor: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/templates/vaultstaticsecret_viewer_role.yaml b/chart/templates/vaultstaticsecret_viewer_role.yaml
@@ -13,6 +13,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: vaultstaticsecret-viewer-role
+    vso.hashicorp.com/aggregate-to-viewer: "true"
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -55,6 +55,39 @@ controller:
   #           - antarctica-west1
   affinity: {}
 
+  rbac:
+    # clusterRoleAggregation defines the roles included in the aggregated ClusterRole.
+    clusterRoleAggregation:
+      # viewerRoles is a list of roles that will be aggregated into the viewer ClusterRole.
+      # The role name must be that of any VSO resource type. E.g. "VaultAuth", "HCPAuth".
+      # All values are case-insensitive.
+      # Specifying '*' as the first element will include all roles in the aggregation.
+      #
+      # The ClusterRole name takes the form of <chart-fullname>-aggregate-role-viewer.
+      #
+      # Example usages:
+      # all roles:
+      # - '*'
+      # individually specified roles:
+      # - "VaultAuth"
+      # - "HCPAuth"
+      viewerRoles: []
+
+      # editorRoles is a list of roles that will be aggregated into the editor ClusterRole.
+      # The role name must be that of any VSO resource type. E.g. "VaultAuth", "HCPAuth".
+      # All values are case-insensitive.
+      # Specifying '*' as the first element will include all roles in the aggregation.
+      #
+      # The ClusterRole name takes the form of <chart-fullname>-aggregate-role-editor.
+      #
+      # Example usages:
+      # all roles:
+      # - '*'
+      # individually specified roles:
+      # - "VaultAuth"
+      # - "HCPAuth"
+      editorRoles: []
+
   # Settings related to the kubeRbacProxy container. This container is an HTTP proxy for the
   # controller manager which performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
   kubeRbacProxy:
diff --git a/scripts/sync-rbac.sh b/scripts/sync-rbac.sh
@@ -8,7 +8,7 @@
 # role etc, requires manual syncing
 # requires yq (Go), not python-yq
 
-set -e -o pipefail
+set -e -o pipefail extglob
 
 REPO_ROOT="$(git rev-parse --show-toplevel || echo .)"
 # yq should be in the PATH after running 'make yq'
@@ -41,6 +41,22 @@ function mungeIt {
   local kind="$(echo "${output}" | yq .kind)"
   local metadataName="$(echo "${output}" | yq .metadata.name)"
   local rules="$(echo "${output}"| yq .rules)"
+
+  local aggregate=
+  local aggregateLabel=
+  case "${metadataName}" in
+    *-editor-role)
+      aggregate='editor'
+      ;;
+    *-viewer-role)
+      aggregate='viewer'
+      ;;
+  esac
+
+  if [ -n "${aggregate}" ]; then
+    aggregateLabel="vso.hashicorp.com/aggregate-to-${aggregate}: \"true\""
+  fi
+
   cat <<HERE > ${outfile}
 {{- /*
 # Copyright (c) HashiCorp, Inc.
@@ -57,6 +73,7 @@ metadata:
     app.kubernetes.io/component: rbac
     # allow for selecting on the canonical name
     vso.hashicorp.com/role-instance: ${metadataName}
+    ${aggregateLabel}
   {{- include "vso.chart.labels" . | nindent 4 }}
 rules:
 ${rules}
diff --git a/test/unit/clusterrole-aggregates.bats b/test/unit/clusterrole-aggregates.bats
@@ -0,0 +1,105 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+#--------------------------------------------------------------------
+# viewer roles
+
+@test "clusterRoleAggregatedViewer: default" {
+    cd `chart_dir`
+    local actual=$(helm template \
+        -s templates/clusterrole-aggregated-viewer.yaml \
+        . | tee /dev/stderr |
+    yq 'length > 0' | tee /dev/stderr)
+    [ "${actual}" = "false" ]
+}
+
+@test "clusterRoleAggregatedViewer: all" {
+    cd `chart_dir`
+    local object=$(helm template \
+        -s templates/clusterrole-aggregated-viewer.yaml \
+        --debug \
+        --set 'controller.rbac.clusterRoleAggregation.viewerRoles={*}' \
+        . | tee /dev/stderr |
+    yq '.aggregationRule.clusterRoleSelectors' | tee /dev/stderr)
+   local actual=$(echo "$object" | yq '. | length' | tee /dev/stderr)
+   [ "${actual}" = "1" ]
+   local actual=$(echo "$object" | yq '.[0].matchLabels | length' | tee /dev/stderr)
+   [ "${actual}" = "1" ]
+   local actual=$(echo "$object" | \
+     yq '.[0].matchLabels["vso.hashicorp.com/aggregate-to-viewer"]' | tee /dev/stderr)
+   [ "${actual}" = "true" ]
+}
+
+@test "clusterRoleAggregatedViewer: subset" {
+    cd `chart_dir`
+    local object=$(helm template \
+        -s templates/clusterrole-aggregated-viewer.yaml \
+        --debug \
+        --set 'controller.rbac.clusterRoleAggregation.viewerRoles={HCPAuth,vaultAuth}' \
+        . | tee /dev/stderr |
+    yq '.aggregationRule.clusterRoleSelectors' | tee /dev/stderr)
+   local actual=$(echo "$object" | yq '. | length' | tee /dev/stderr)
+   [ "${actual}" = "2" ]
+   local actual=$(echo "$object" | yq '.[0].matchLabels | length' | tee /dev/stderr)
+   [ "${actual}" = "1" ]
+   local actual=$(echo "$object" | \
+     yq '.[0].matchLabels["vso.hashicorp.com/role-instance"]' | tee /dev/stderr)
+   [ "${actual}" = "hcpauth-viewer-role" ]
+   local actual=$(echo "$object" | yq '.[1].matchLabels | length' | tee /dev/stderr)
+   [ "${actual}" = "1" ]
+   local actual=$(echo "$object" | \
+     yq '.[1].matchLabels["vso.hashicorp.com/role-instance"]' | tee /dev/stderr)
+   [ "${actual}" = "vaultauth-viewer-role" ]
+}
+
+#--------------------------------------------------------------------
+# editor roles
+
+@test "clusterRoleAggregatedEditor: default" {
+    cd `chart_dir`
+    local actual=$(helm template \
+        -s templates/clusterrole-aggregated-editor.yaml \
+        . | tee /dev/stderr |
+    yq 'length > 0' | tee /dev/stderr)
+    [ "${actual}" = "false" ]
+}
+
+@test "clusterRoleAggregatedEditor: all" {
+    cd `chart_dir`
+    local object=$(helm template \
+        -s templates/clusterrole-aggregated-editor.yaml \
+        --debug \
+        --set 'controller.rbac.clusterRoleAggregation.editorRoles={*}' \
+        . | tee /dev/stderr |
+    yq '.aggregationRule.clusterRoleSelectors' | tee /dev/stderr)
+   local actual=$(echo "$object" | yq '. | length' | tee /dev/stderr)
+   [ "${actual}" = "1" ]
+   local actual=$(echo "$object" | yq '.[0].matchLabels | length' | tee /dev/stderr)
+   [ "${actual}" = "1" ]
+   local actual=$(echo "$object" | \
+     yq '.[0].matchLabels["vso.hashicorp.com/aggregate-to-editor"]' | tee /dev/stderr)
+   [ "${actual}" = "true" ]
+}
+
+@test "clusterRoleAggregatedEditor: subset" {
+    cd `chart_dir`
+    local object=$(helm template \
+        -s templates/clusterrole-aggregated-editor.yaml \
+        --debug \
+        --set 'controller.rbac.clusterRoleAggregation.editorRoles={HCPAuth,vaultAuth}' \
+        . | tee /dev/stderr |
+    yq '.aggregationRule.clusterRoleSelectors' | tee /dev/stderr)
+   local actual=$(echo "$object" | yq '. | length' | tee /dev/stderr)
+   [ "${actual}" = "2" ]
+   local actual=$(echo "$object" | yq '.[0].matchLabels | length' | tee /dev/stderr)
+   [ "${actual}" = "1" ]
+   local actual=$(echo "$object" | \
+     yq '.[0].matchLabels["vso.hashicorp.com/role-instance"]' | tee /dev/stderr)
+   [ "${actual}" = "hcpauth-editor-role" ]
+   local actual=$(echo "$object" | yq '.[1].matchLabels | length' | tee /dev/stderr)
+   [ "${actual}" = "1" ]
+   local actual=$(echo "$object" | \
+     yq '.[1].matchLabels["vso.hashicorp.com/role-instance"]' | tee /dev/stderr)
+   [ "${actual}" = "vaultauth-editor-role" ]
+}
diff --git a/test/unit/helpers.bats b/test/unit/helpers.bats
