Changed cluster role binding for secrets to role binding on specific …

…namespaces (#527) * Changed cluster role binding for secrets to role binding on specific namespaces * Modified sample CRD * Added Default CSM Namespace * Added csmNamespace in crds and samples * Added namespace - default to role * Hardcoded CSM namespace as dell-csm * Added namespace creation * Added secret names * add Namespace to GetModuleComponentObj * Added secret names * ClusterRole does not have namespace (k8s docs) --------- Co-authored-by: nijayf <francis.nijay@emc.com> Co-authored-by: Jooseppi Luna <jooseppi_luna@dell.com>
dell · Mar 15, 2024 · 4e74385 · 4e74385
1 parent 0763aac
commit 4e74385
Show file tree

Hide file tree

Showing 2 changed files with 116 additions and 4 deletions.
diff --git a/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml b/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml
@@ -1,4 +1,14 @@
 apiVersion: v1
+kind: Namespace
+metadata:
+  name: karavi
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dell-csm
+---
+apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: connectivity-client-docker-k8s
@@ -26,7 +36,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: connectivity-client-docker-k8s
-  namespace: <NAMESPACE>
 rules:
   - apiGroups: [""]
     resources: ["pods"]
@@ -58,9 +67,6 @@ rules:
   - apiGroups: ["storage.k8s.io"]
     resources: ["csidrivers"]
     verbs: ["list", "watch", "get"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["list","get", "create", "update", "delete"]
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: ["get", "create", "delete", "update"]
@@ -91,6 +97,103 @@ roleRef:
   name: connectivity-client-docker-k8s
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: connectivity-client-docker-k8s
+  namespace: <NAMESPACE>
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list","get", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: connectivity-client-docker-k8s
+  namespace: <NAMESPACE>
+subjects:
+  - kind: ServiceAccount
+    name: connectivity-client-docker-k8s
+    namespace: <NAMESPACE>
+roleRef:
+  kind: Role
+  name: connectivity-client-docker-k8s
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: connectivity-client-docker-k8s
+  namespace: default
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["iv", "dls-license"]
+    verbs: ["list","get", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: connectivity-client-docker-k8s
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: connectivity-client-docker-k8s
+    namespace: <NAMESPACE>
+roleRef:
+  kind: Role
+  name: connectivity-client-docker-k8s
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: connectivity-client-docker-k8s
+  namespace: "karavi"
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list","get", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: connectivity-client-docker-k8s
+  namespace: "karavi"
+subjects:
+  - kind: ServiceAccount
+    name: connectivity-client-docker-k8s
+    namespace: <NAMESPACE>
+roleRef:
+  kind: Role
+  name: connectivity-client-docker-k8s
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: connectivity-client-docker-k8s
+  namespace: "dell-csm"
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list","get", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: connectivity-client-docker-k8s
+  namespace: "dell-csm"
+subjects:
+  - kind: ServiceAccount
+    name: connectivity-client-docker-k8s
+    namespace: <NAMESPACE>
+roleRef:
+  kind: Role
+  name: connectivity-client-docker-k8s
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:

diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
@@ -619,6 +619,15 @@ func GetModuleComponentObj(CtrlBuf []byte) ([]crclient.Object, error) {
 				return ctrlObjects, err
 			}
 
+			ctrlObjects = append(ctrlObjects, &ss)
+
+		case "Namespace":
+
+			var ss corev1.Namespace
+			if err := yaml.Unmarshal(raw, &ss); err != nil {
+				return ctrlObjects, err
+			}
+
 			ctrlObjects = append(ctrlObjects, &ss)
 		}
 	}