ingress: Add steps to create role and rolebinding

This is to create role and role binding resources for both agent and
operator.

Signed-off-by: Tam Mach <tam.mach@cilium.io>

defaults/defaults.go

@@ -9,6 +9,7 @@ const (
 	AgentContainerName      = "cilium-agent"
 	AgentServiceAccountName = "cilium"
 	AgentClusterRoleName    = "cilium"
+	AgentSecretsRoleName    = "cilium-secrets"
 	AgentDaemonSetName      = "cilium"
 	AgentResourceQuota      = "cilium-resource-quota"
 	AgentImage              = "quay.io/cilium/cilium"
@@ -24,6 +25,7 @@ const (
 
 	OperatorServiceAccountName = "cilium-operator"
 	OperatorClusterRoleName    = "cilium-operator"
+	OperatorSecretsRoleName    = "cilium-operator-secrets"
 	OperatorDeploymentName     = "cilium-operator"
 	OperatorResourceQuota      = "cilium-operator-resource-quota"
 	OperatorImage              = "quay.io/cilium/operator-generic"

install/install.go

@@ -12,9 +12,6 @@ import (
 	"time"
 
 	"github.com/blang/semver/v4"
-	"github.com/cilium/cilium/api/v1/models"
-	ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
-	"github.com/cilium/cilium/pkg/versioncheck"
 	"github.com/spf13/pflag"
 	"helm.sh/helm/v3/pkg/cli/values"
 	appsv1 "k8s.io/api/apps/v1"
@@ -25,6 +22,10 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
+	"github.com/cilium/cilium/api/v1/models"
+	ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+	"github.com/cilium/cilium/pkg/versioncheck"
+
 	"github.com/cilium/cilium-cli/defaults"
 	"github.com/cilium/cilium-cli/internal/certs"
 	"github.com/cilium/cilium-cli/internal/utils"
@@ -122,6 +123,10 @@ type k8sInstallerImplementation interface {
 	DeleteClusterRole(ctx context.Context, name string, opts metav1.DeleteOptions) error
 	CreateClusterRoleBinding(ctx context.Context, role *rbacv1.ClusterRoleBinding, opts metav1.CreateOptions) (*rbacv1.ClusterRoleBinding, error)
 	DeleteClusterRoleBinding(ctx context.Context, name string, opts metav1.DeleteOptions) error
+	CreateRole(ctx context.Context, namespace string, role *rbacv1.Role, opts metav1.CreateOptions) (*rbacv1.Role, error)
+	DeleteRole(ctx context.Context, namespace string, name string, opts metav1.DeleteOptions) error
+	CreateRoleBinding(ctx context.Context, namespace string, roleBinding *rbacv1.RoleBinding, opts metav1.CreateOptions) (*rbacv1.RoleBinding, error)
+	DeleteRoleBinding(ctx context.Context, namespace, name string, opts metav1.DeleteOptions) error
 	CreateDaemonSet(ctx context.Context, namespace string, ds *appsv1.DaemonSet, opts metav1.CreateOptions) (*appsv1.DaemonSet, error)
 	GetDaemonSet(ctx context.Context, namespace, name string, opts metav1.GetOptions) (*appsv1.DaemonSet, error)
 	DeleteDaemonSet(ctx context.Context, namespace, name string, opts metav1.DeleteOptions) error
@@ -696,6 +701,34 @@ func (k *K8sInstaller) Install(ctx context.Context) error {
 				k.Log("Cannot delete %s Namespace: %s", secretsNamespace, err)
 			}
 		})
+
+		for _, roleName := range []string{defaults.AgentSecretsRoleName, defaults.OperatorSecretsRoleName} {
+			r := k.NewRole(roleName)
+			if r == nil {
+				continue
+			}
+
+			_, err = k.client.CreateRole(ctx, secretsNamespace, r, metav1.CreateOptions{})
+			if err != nil {
+				return err
+			}
+
+			k.pushRollbackStep(func(ctx context.Context) {
+				if err := k.client.DeleteRole(ctx, secretsNamespace, r.GetName(), metav1.DeleteOptions{}); err != nil {
+					k.Log("Cannot delete %s Role: %s", r.GetName(), err)
+				}
+			})
+
+			rb, err := k.client.CreateRoleBinding(ctx, secretsNamespace, k.NewRoleBinding(roleName), metav1.CreateOptions{})
+			if err != nil {
+				return err
+			}
+			k.pushRollbackStep(func(ctx context.Context) {
+				if err := k.client.DeleteRoleBinding(ctx, secretsNamespace, rb.GetName(), metav1.DeleteOptions{}); err != nil {
+					k.Log("Cannot delete %s RoleBinding: %s", rb.GetName(), err)
+				}
+			})
+		}
 	}
 
 	configMap, err := k.generateConfigMap()

install/rbac.go

@@ -4,10 +4,11 @@
 package install
 
 import (
-	"github.com/cilium/cilium/pkg/versioncheck"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 
+	"github.com/cilium/cilium/pkg/versioncheck"
+
 	"github.com/cilium/cilium-cli/defaults"
 	"github.com/cilium/cilium-cli/internal/utils"
 )
@@ -101,3 +102,54 @@ func (k *K8sInstaller) NewClusterRoleBinding(crbName string) *rbacv1.ClusterRole
 	utils.MustUnmarshalYAML([]byte(crbFile), &crb)
 	return &crb
 }
+
+func (k *K8sInstaller) NewRole(name string) *rbacv1.Role {
+	var (
+		roleFileName string
+	)
+
+	ciliumVer := k.getCiliumVersion()
+	switch {
+	case versioncheck.MustCompile(">1.11.99")(ciliumVer):
+		switch name {
+		case defaults.AgentSecretsRoleName:
+			roleFileName = "templates/cilium-agent/role.yaml"
+		case defaults.OperatorSecretsRoleName:
+			roleFileName = "templates/cilium-operator/role.yaml"
+		}
+	}
+
+	rFile, exists := k.manifests[roleFileName]
+	if !exists {
+		return nil
+	}
+
+	var cr rbacv1.Role
+	utils.MustUnmarshalYAML([]byte(rFile), &cr)
+	return &cr
+}
+
+func (k *K8sInstaller) NewRoleBinding(crbName string) *rbacv1.RoleBinding {
+	var (
+		rbFileName string
+	)
+
+	ciliumVer := k.getCiliumVersion()
+	switch {
+	case versioncheck.MustCompile(">1.11.99")(ciliumVer):
+		switch crbName {
+		case defaults.AgentSecretsRoleName:
+			rbFileName = "templates/cilium-agent/rolebinding.yaml"
+		case defaults.OperatorSecretsRoleName:
+			rbFileName = "templates/cilium-operator/rolebinding.yaml"
+		}
+	}
+
+	rbFile, exists := k.manifests[rbFileName]
+	if !exists {
+		return nil
+	}
+	var crb rbacv1.RoleBinding
+	utils.MustUnmarshalYAML([]byte(rbFile), &crb)
+	return &crb
+}

k8s/client.go

@@ -16,11 +16,6 @@ import (
 	"time"
 
 	"github.com/blang/semver/v4"
-	"github.com/cilium/cilium/api/v1/models"
-	ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
-	ciliumv2alpha1 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1"
-	ciliumClientset "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned"
-	"github.com/cilium/cilium/pkg/versioncheck"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
@@ -38,6 +33,12 @@ import (
 	"k8s.io/client-go/rest"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
+	"github.com/cilium/cilium/api/v1/models"
+	ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+	ciliumv2alpha1 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1"
+	ciliumClientset "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned"
+	"github.com/cilium/cilium/pkg/versioncheck"
+
 	"github.com/cilium/cilium-cli/defaults"
 )
 
@@ -159,6 +160,22 @@ func (c *Client) DeleteClusterRoleBinding(ctx context.Context, name string, opts
 	return c.Clientset.RbacV1().ClusterRoleBindings().Delete(ctx, name, opts)
 }
 
+func (c *Client) CreateRole(ctx context.Context, namespace string, role *rbacv1.Role, opts metav1.CreateOptions) (*rbacv1.Role, error) {
+	return c.Clientset.RbacV1().Roles(namespace).Create(ctx, role, opts)
+}
+
+func (c *Client) DeleteRole(ctx context.Context, namespace string, name string, opts metav1.DeleteOptions) error {
+	return c.Clientset.RbacV1().Roles(namespace).Delete(ctx, name, opts)
+}
+
+func (c *Client) CreateRoleBinding(ctx context.Context, namespace string, roleBinding *rbacv1.RoleBinding, opts metav1.CreateOptions) (*rbacv1.RoleBinding, error) {
+	return c.Clientset.RbacV1().RoleBindings(namespace).Create(ctx, roleBinding, opts)
+}
+
+func (c *Client) DeleteRoleBinding(ctx context.Context, namespace, name string, opts metav1.DeleteOptions) error {
+	return c.Clientset.RbacV1().RoleBindings(namespace).Delete(ctx, name, opts)
+}
+
 func (c *Client) GetConfigMap(ctx context.Context, namespace, name string, opts metav1.GetOptions) (*corev1.ConfigMap, error) {
 	return c.Clientset.CoreV1().ConfigMaps(namespace).Get(ctx, name, opts)
 }