@benashz benashz commented May 15, 2024

Extends the Helm chart to create ClusterRole aggregates based on the resource-specific viewer and editor roles. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles for more details.

By default no aggregate ClusterRoles will be installed. See below for examples on how to enable the new feature.

$ helm install [...] \
  --set 'controller.rbac.clusterRoleAggregation.viewerRoles={*}' \
  --set 'controller.rbac.clusterRoleAggregation.editorRoles={*}'

Selective viewer roles output:

helm template -s templates/clusterrole-aggregated-viewer.yaml \
  --set 'controller.rbac.clusterRoleAggregation.viewerRoles={vaultauth,hcpauth}' .
---
# Source: vault-secrets-operator/templates/clusterrole-aggregated-viewer.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-vault-secrets-operator-aggregate-role-viewer
  labels:
    app.kubernetes.io/component: rbac
    vso.hashicorp.com/role-instance: aggregate-role-viewer
    vso.hashicorp.com/aggregate-to-editor: "true"
    helm.sh/chart: vault-secrets-operator-0.6.0
    app.kubernetes.io/name: vault-secrets-operator
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "0.6.0"
    app.kubernetes.io/managed-by: Helm
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/role-instance: vaultauth-viewer-role
  - matchLabels:
      vso.hashicorp.com/role-instance: hcpauth-viewer-role

Aggregate all viewer roles output:

helm template -s templates/clusterrole-aggregated-viewer.yaml --set 'controller.rbac.clusterRoleAggregation.viewerRoles={*}' .
---
# Source: vault-secrets-operator/templates/clusterrole-aggregated-viewer.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-vault-secrets-operator-aggregate-role-viewer
  labels:
    app.kubernetes.io/component: rbac
    vso.hashicorp.com/role-instance: aggregate-role-viewer
    vso.hashicorp.com/aggregate-to-editor: "true"
    helm.sh/chart: vault-secrets-operator-0.6.0
    app.kubernetes.io/name: vault-secrets-operator
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "0.6.0"
    app.kubernetes.io/managed-by: Helm
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/aggregate-to-viewer: "true"

All editor roles output:

helm template -s templates/clusterrole-aggregated-editor.yaml --set 'controller.rbac.clusterRoleAggregation.editorRoles={*}' .
---
# Source: vault-secrets-operator/templates/clusterrole-aggregated-editor.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-vault-secrets-operator-aggregate-role-editor
  labels:
    app.kubernetes.io/component: rbac
    vso.hashicorp.com/role-instance: aggregate-role-editor
    helm.sh/chart: vault-secrets-operator-0.6.0
    app.kubernetes.io/name: vault-secrets-operator
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "0.6.0"
    app.kubernetes.io/managed-by: Helm
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/aggregate-to-editor: "true"
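The rendered aggregates above contain no rules of their own; kube-controller-manager's clusterrole-aggregation controller fills `rules` from every ClusterRole whose labels match one of the `clusterRoleSelectors`, and because the viewer aggregate itself carries `vso.hashicorp.com/aggregate-to-editor: "true"`, its rules flow on into the editor aggregate. The script below is an added example, not code from the vault-secrets-operator chart or from this PR: it models that resolution offline and adds the audit check a reviewer would want, namely listing every ClusterRole that feeds an aggregate but is not Helm-managed, since any principal allowed to create a ClusterRole with the `aggregate-to-*` label widens the aggregate. The per-resource roles' labels and rules, and the `rogue-secrets-role` object, are constructed for illustration.

```python
"""Offline model of Kubernetes ClusterRole aggregation (added example, not chart code)."""
from copy import deepcopy

MANAGED_BY = "app.kubernetes.io/managed-by"


def selector_matches(selector: dict, labels: dict) -> bool:
    """Evaluate a metav1.LabelSelector: matchLabels AND every matchExpression."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def contributors(aggregate: dict, roles: list) -> list:
    """Names of ClusterRoles whose labels match any selector of the aggregate."""
    selectors = aggregate.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    names = []
    for role in roles:
        if role["metadata"]["name"] == aggregate["metadata"]["name"]:
            continue  # an aggregate never feeds itself
        labels = role["metadata"].get("labels", {})
        if any(selector_matches(s, labels) for s in selectors):
            names.append(role["metadata"]["name"])
    return names


def resolve(roles: list) -> dict:
    """Fill every aggregate's rules, iterating to a fixpoint so that a labelled
    aggregate (viewer -> editor) propagates. Returns {aggregate name: rules}."""
    roles = deepcopy(roles)
    by_name = {r["metadata"]["name"]: r for r in roles}
    changed = True
    while changed:
        changed = False
        for role in roles:
            if "aggregationRule" not in role:
                continue
            merged = []
            for name in contributors(role, roles):
                for rule in by_name[name].get("rules", []):
                    if rule not in merged:
                        merged.append(rule)
            if merged != role.get("rules", []):
                role["rules"] = merged  # the controller overwrites rules wholesale
                changed = True
    return {n: r.get("rules", []) for n, r in by_name.items() if "aggregationRule" in r}


def unmanaged_contributors(aggregate: dict, roles: list) -> list:
    """Audit: contributors not managed by Helm, i.e. roles that widen the aggregate
    without coming from the chart."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    return [n for n in contributors(aggregate, roles)
            if by_name[n]["metadata"].get("labels", {}).get(MANAGED_BY) != "Helm"]


# Constructed sample mirroring the two rendered aggregates in the PR description.
HELM = {MANAGED_BY: "Helm"}
VIEWER_AGG = {"metadata": {"name": "release-name-vault-secrets-operator-aggregate-role-viewer",
                           "labels": {**HELM, "vso.hashicorp.com/role-instance": "aggregate-role-viewer",
                                      "vso.hashicorp.com/aggregate-to-editor": "true"}},
              "aggregationRule": {"clusterRoleSelectors": [
                  {"matchLabels": {"vso.hashicorp.com/aggregate-to-viewer": "true"}}]}}
EDITOR_AGG = {"metadata": {"name": "release-name-vault-secrets-operator-aggregate-role-editor",
                           "labels": {**HELM, "vso.hashicorp.com/role-instance": "aggregate-role-editor"}},
              "aggregationRule": {"clusterRoleSelectors": [
                  {"matchLabels": {"vso.hashicorp.com/aggregate-to-editor": "true"}}]}}
# Per-resource roles: labels and rules are assumptions for illustration.
VIEW_RULE = {"apiGroups": ["secrets.hashicorp.com"], "resources": ["vaultauths"],
             "verbs": ["get", "list", "watch"]}
EDIT_RULE = {"apiGroups": ["secrets.hashicorp.com"], "resources": ["vaultauths"],
             "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]}
VAULTAUTH_VIEWER = {"metadata": {"name": "vaultauth-viewer-role",
                                 "labels": {**HELM, "vso.hashicorp.com/role-instance": "vaultauth-viewer-role",
                                            "vso.hashicorp.com/aggregate-to-viewer": "true"}},
                    "rules": [VIEW_RULE]}
VAULTAUTH_EDITOR = {"metadata": {"name": "vaultauth-editor-role",
                                 "labels": {**HELM, "vso.hashicorp.com/role-instance": "vaultauth-editor-role",
                                            "vso.hashicorp.com/aggregate-to-editor": "true"}},
                    "rules": [EDIT_RULE]}
# Constructed: a role nobody rendered from the chart, but carrying the aggregate label.
ROGUE = {"metadata": {"name": "rogue-secrets-role",
                      "labels": {"vso.hashicorp.com/aggregate-to-editor": "true"}},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]}
CLUSTER = [VIEWER_AGG, EDITOR_AGG, VAULTAUTH_VIEWER, VAULTAUTH_EDITOR, ROGUE]

if __name__ == "__main__":
    for name, rules in resolve(CLUSTER).items():
        print(name, "->", len(rules), "rule(s)")
    print("unmanaged editor contributors:", unmanaged_contributors(EDITOR_AGG, CLUSTER))
```

Against a live cluster the same check is `kubectl get clusterrole -l vso.hashicorp.com/aggregate-to-editor=true` followed by a look at each hit's `managed-by` label; anything outside the Helm release should be treated as an RBAC finding, because its rules are already part of the editor aggregate.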

@benashz benashz requested a review from a team as a code owner May 15, 2024 19:16
@benashz benashz force-pushed the VAULT-23440/helm-add-aggregated-cluster-roles branch 3 times, most recently from 0bbf475 to a4e784d Compare May 15, 2024 19:23
@benashz benashz linked an issue May 15, 2024 that may be closed by this pull request
@benashz benashz force-pushed the VAULT-23440/helm-add-aggregated-cluster-roles branch 2 times, most recently from bb7177a to 7229039 Compare May 15, 2024 19:51
@benashz benashz added this to the v0.7.0 milestone May 15, 2024
Extends the Helm chart to create ClusterRole aggregates based on the
resource-specific viewer and editor roles.
@benashz benashz force-pushed the VAULT-23440/helm-add-aggregated-cluster-roles branch from 7229039 to 17c18c5 Compare May 15, 2024 20:02
@benashz benashz requested review from tvoran and thyton May 15, 2024 20:12
@benashz benashz added the helm label May 16, 2024
@thyton thyton left a comment

Nice feature and tests!

@benashz benashz merged commit 7aa0030 into main May 22, 2024
@benashz benashz deleted the VAULT-23440/helm-add-aggregated-cluster-roles branch May 22, 2024 12:44
Successfully merging this pull request may close these issues.

Add aggregated cluster roles for default user-facing roles