From 4e743852d231ea3e24f0354c0f81aad5214133bd Mon Sep 17 00:00:00 2001
From: Francis Nijay
Date: Sat, 16 Mar 2024 03:52:27 +0530
Subject: [PATCH] Changed cluster role binding for secrets to role binding on specific namespaces (#527)
* Changed cluster role binding for secrets to role binding on specific namespaces
* Modified sample CRD
* Added Default CSM Namespace
* Added csmNamespace in crds and samples
* Added namespace - default to role
* Hardcoded CSM namespace as dell-csm
* Added namespace creation
* Added secret names
* add Namespace to GetModuleComponentObj
* Added secret names
* ClusterRole does not have namespace (k8s docs)
---------
Co-authored-by: nijayf
Co-authored-by: Jooseppi Luna
---
 .../v1.0.0/statefulset.yaml | 111 +++++++++++++++++-
 pkg/utils/utils.go | 9 ++
 2 files changed, 116 insertions(+), 4 deletions(-)
diff --git a/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml b/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml
index d453c2002..f81815406 100644
--- a/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml
+++ b/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml
@@ -1,4 +1,14 @@
 apiVersion: v1
+kind: Namespace
+metadata:
+ name: karavi
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: dell-csm
+---
+apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: connectivity-client-docker-k8s
@@ -26,7 +36,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: connectivity-client-docker-k8s
- namespace:
 rules:
 - apiGroups: [""]
 resources: ["pods"]
@@ -58,9 +67,6 @@ rules:
 - apiGroups: ["storage.k8s.io"]
 resources: ["csidrivers"]
 verbs: ["list", "watch", "get"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["list","get", "create", "update", "delete"]
 - apiGroups: [""]
 resources: ["configmaps"]
 verbs: ["get", "create", "delete", "update"]
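Review bot: The two added `Namespace` objects (`karavi`, `dell-csm`) make shared namespaces part of the client's rendered object set, so whatever lifecycle the operator applies to the other objects in this file now applies to them too; I cannot see the caller of GetModuleComponentObj, but if these objects are owner-referenced or deleted when the client CR is removed, deleting them would delete everything in those namespaces, including CSM components that live there. The same concern applies to the new `case "Namespace":` in the pkg/utils/utils.go hunk, which is what puts the objects into that set. Worth either excluding `Namespace` from deletion in the caller or documenting the intent here, e.g. `# shared with other CSM components: create-only, never deleted with the client`. If a namespace already exists with labels or annotations (for example Pod Security admission labels), an unconditional apply of these bare objects could also clear them, so confirm the apply path merges rather than replaces.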
@@ -91,6 +97,103 @@ roleRef:
 name: connectivity-client-docker-k8s
 apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: connectivity-client-docker-k8s
+ namespace:
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list","get", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: connectivity-client-docker-k8s
+ namespace:
+subjects:
+ - kind: ServiceAccount
+ name: connectivity-client-docker-k8s
+ namespace:
+roleRef:
+ kind: Role
+ name: connectivity-client-docker-k8s
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: connectivity-client-docker-k8s
+ namespace: default
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["iv", "dls-license"]
+ verbs: ["list","get", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: connectivity-client-docker-k8s
+ namespace: default
+subjects:
+ - kind: ServiceAccount
+ name: connectivity-client-docker-k8s
+ namespace:
+roleRef:
+ kind: Role
+ name: connectivity-client-docker-k8s
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: connectivity-client-docker-k8s
+ namespace: "karavi"
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list","get", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: connectivity-client-docker-k8s
+ namespace: "karavi"
+subjects:
+ - kind: ServiceAccount
+ name: connectivity-client-docker-k8s
+ namespace:
+roleRef:
+ kind: Role
+ name: connectivity-client-docker-k8s
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: connectivity-client-docker-k8s
+ namespace: "dell-csm"
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list","get", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: connectivity-client-docker-k8s
+ namespace: "dell-csm"
+subjects:
+ - kind: ServiceAccount
+ name: connectivity-client-docker-k8s
+ namespace:
+roleRef:
+ kind: Role
+ name: connectivity-client-docker-k8s
+ apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
index 66bce6d33..81ffa4cdb 100644
--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
@@ -619,6 +619,15 @@ func GetModuleComponentObj(CtrlBuf []byte) ([]crclient.Object, error) {
 return ctrlObjects, err } + ctrlObjects = append(ctrlObjects, &ss) + + case "Namespace": + + var ss corev1.Namespace + if err := yaml.Unmarshal(raw, &ss); err != nil { + return ctrlObjects, err + } + + ctrlObjects = append(ctrlObjects, &ss) } }
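Review bot: The `default`-namespace Role restricts secrets with `resourceNames: ["iv", "dls-license"]` but also lists `create` and `list`, and Kubernetes RBAC cannot match a create request against resourceNames (the object's name is not known at authorization time) and only matches a list request when the client sends a matching `metadata.name` field selector; so as written the client cannot create those two secrets through this rule, and a plain list of secrets in `default` is denied unless granted elsewhere. If creation is actually needed, grant it in a separate rule without resourceNames, `- apiGroups: [""]` / `resources: ["secrets"]` / `verbs: ["create"]`, and keep the named rule for get/update/delete; otherwise drop the two verbs so the rule reads as what it grants. The `karavi` and `dell-csm` Roles grant unrestricted list/get/create/update/delete on every secret in those namespaces, which is broader than the `default` rule; if the secret names there are also known, the same resourceNames treatment would narrow them. The first Role/RoleBinding and every RoleBinding subject leave `namespace:` empty, presumably for the operator to fill at render time; the subject namespace must be the ServiceAccount's own namespace rather than the binding's, so if any of these are left blank and end up defaulted to the binding's namespace (`default`, `karavi`, `dell-csm`), the binding would point at a ServiceAccount that does not exist there and grant nothing.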
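Review bot: The new `case "Namespace":` reuses the local name `ss` for a `corev1.Namespace`, which reads as a copy of the StatefulSet case above it and makes the two `ctrlObjects = append(ctrlObjects, &ss)` lines easy to confuse; naming it for its type is clearer: `var ns corev1.Namespace`, `if err := yaml.Unmarshal(raw, &ns); err != nil {`, `ctrlObjects = append(ctrlObjects, &ns)`. A one-line comment on the case would also help, since a cluster-scoped object that other CSM components share is now returned alongside the client's own objects, e.g. `// Namespace objects are shared with other CSM components`. GetModuleComponentObj starts and ends outside the hunk, so I cannot confirm from here that `corev1` is already imported in this file.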