Run the docdb user sync jobs with a locked down sa

ibm-mas · Apr 25, 2024 · 66583dd · 66583dd
1 parent 82d91d2
commit 66583dd
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 26 deletions.
diff --git a/applications/90-ibm-sync-resources/templates/01-02-aws-docdb-user-job_ServiceAccount.yaml b/applications/90-ibm-sync-resources/templates/01-02-aws-docdb-user-job_ServiceAccount.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: aws-docdb-user-job
+  namespace: mas-{{ .Values.instance.id}}-syncres
+  annotations:
+    argocd.argoproj.io/sync-wave: "01"
+
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: aws-docdb-user-job-role
+  namespace: mas-{{ .Values.instance.id}}-syncres
+  annotations:
+    argocd.argoproj.io/sync-wave: "01"
+rules: []
+# No special K8S access required at present by these Jobs
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: aws-docdb-user-job-rolebinding
+  namespace: mas-{{ .Values.instance.id }}-syncres
+  annotations:
+    argocd.argoproj.io/sync-wave: "02"
+subjects:
+  - kind: ServiceAccount
+    name: aws-docdb-user-job
+    namespace: mas-{{ .Values.instance.id }}-syncres
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: aws-docdb-user-job-role
diff --git a/applications/90-ibm-sync-resources/templates/01-sync-sa_ServiceAccount.yaml b/applications/90-ibm-sync-resources/templates/01-sync-sa_ServiceAccount.yaml
diff --git a/applications/90-ibm-sync-resources/templates/02-sync-crb_ClusterRoleBinding.yaml b/applications/90-ibm-sync-resources/templates/02-sync-crb_ClusterRoleBinding.yaml
diff --git a/applications/91-ibm-sync-jobs/templates/00-aws-docdb-add-user_Job.yaml b/applications/91-ibm-sync-jobs/templates/00-aws-docdb-add-user_Job.yaml
@@ -147,6 +147,6 @@ spec:
               sm_update_secret $SECRET_NAME_MONGO "{\"info\":\"$DOCDB_MASTER_INFO_ESCAPED\", \"username\":\"$DOCDB_INSTANCE_USERNAME\", \"password\":\"$DOCDB_INSTANCE_PASSWORD\"}"
 
       restartPolicy: Never
-      serviceAccountName: sync-sa
+      serviceAccountName: aws-docdb-user-job
   backoffLimit: 4
 {{- end }}
diff --git a/applications/91-ibm-sync-jobs/templates/PostDelete-aws-docdb-remove-user_Job.yaml b/applications/91-ibm-sync-jobs/templates/PostDelete-aws-docdb-remove-user_Job.yaml
@@ -116,6 +116,6 @@ spec:
               sm_delete_secret "${SECRET_NAME_MONGO}"
 
       restartPolicy: Never
-      serviceAccountName: sync-sa
+      serviceAccountName: aws-docdb-user-job
   backoffLimit: 4
 {{- end }}