From dbaea1256cca69666031aab6e3c22d23d997b1da Mon Sep 17 00:00:00 2001
From: "J. Harte"
Date: Wed, 6 Nov 2024 15:13:01 +0000
Subject: [PATCH 01/24] wip: app and rbac
---
cluster-applications/TODO-rbac/Chart.yaml | 11 +
cluster-applications/TODO-rbac/README.md | 3 +
.../templates/TODO-roles-and-bindings.yaml | 206 ++++++++++++++++++
cluster-applications/TODO-rbac/values.yaml | 1 +
.../templates/TODO-rbac-app.yaml | 69 ++++++
5 files changed, 290 insertions(+)
create mode 100644 cluster-applications/TODO-rbac/Chart.yaml
create mode 100644 cluster-applications/TODO-rbac/README.md
create mode 100644 cluster-applications/TODO-rbac/templates/TODO-roles-and-bindings.yaml
create mode 100644 cluster-applications/TODO-rbac/values.yaml
create mode 100644 root-applications/ibm-mas-cluster-root/templates/TODO-rbac-app.yaml
diff --git a/cluster-applications/TODO-rbac/Chart.yaml b/cluster-applications/TODO-rbac/Chart.yaml
new file mode 100644
index 000000000..509e6e35f
--- /dev/null
+++ b/cluster-applications/TODO-rbac/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: rbac
+description: RBAC
+type: application
+version: 1.0.0
+
+dependencies:
+- name: junitreporter
+ version: 1.0.0
+ repository: "file://../../sub-charts/junitreporter/"
+ condition: junitreporter.devops_mongo_uri != ""
\ No newline at end of file
diff --git a/cluster-applications/TODO-rbac/README.md b/cluster-applications/TODO-rbac/README.md
new file mode 100644
index 000000000..6663cf455
--- /dev/null
+++ b/cluster-applications/TODO-rbac/README.md
@@ -0,0 +1,3 @@
+Resource-Based Access Control (RBAC)
+===============================================================================
+Installs the RBAC groups, together with the necessary roles and role bindings.
diff --git a/cluster-applications/TODO-rbac/templates/TODO-roles-and-bindings.yaml b/cluster-applications/TODO-rbac/templates/TODO-roles-and-bindings.yaml
new file mode 100644
index 000000000..0d5642306
--- /dev/null
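Review bot: Helm evaluates a dependency `condition` as a YAML path that must resolve to a boolean, so `condition: junitreporter.devops_mongo_uri != ""` is not an expression it can evaluate; when the path does not resolve the dependency stays enabled, which means the junitreporter subchart is always rendered unless it guards itself internally, which this patch does not show. If the intent is to leave the reporter out when no Mongo URI is configured, set a boolean from the root application (for example `junitreporter.enabled`) and reference that path here, keeping `devops_mongo_uri` as a plain value the subchart reads. Patch 05 only adds the missing newline to this line.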
+++ b/cluster-applications/TODO-rbac/templates/TODO-roles-and-bindings.yaml 
@@ -0,0 +1,206 @@
+# ibm-provisioning group binding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ibm-provisioning-rb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: ibm-provisioning
+---
+# cluster admin binding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ibm-cluster-admins
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: ibm-cluster-admins
+---
+# sre role
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ibm-sre-editor
+rules:
+ - verbs: ["*"]
+ apiGroups: [""]
+ resources: ["pods", "pods/exec"]
+ - verbs: ["*"]
+ apiGroups: [""]
+ resources: ["secrets"]
+ - verbs: ["*"]
+ apiGroups: ["apps"]
+ resources: ["deployments", "deployments/scale", "statefulsets"]
+ - verbs: ["create", "update", "patch", "get", "list"]
+ apiGroups: ["route.openshift.io"]
+ resources: ["routes"]
+ - verbs: ["update", "patch", "get", "list"]
+ apiGroups: ["apps.mas.ibm.com"]
+ resources: ["*"]
+ - verbs: ["update", "patch", "get", "list"]
+ apiGroups: ["config.mas.ibm.com"]
+ resources: ["*"]
+ - verbs: ["*"]
+ apiGroups: ["cert-manager.io"]
+ resources: ["*"]
+ - verbs: ["*"]
+ apiGroups: ["acme.cert-manager.io"]
+ resources: ["*"]
+ - verbs: ["get", "list", "watch", "update", "patch"]
+ apiGroups: ["operators.coreos.com"]
+ resources: ["clusterserviceversions", "installplans", "subscriptions"]
+---
+# sre cluster reader binding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ibm-sre-cluster-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-reader
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: ibm-sre
+---
+# sre editor binding
+apiVersion: 
rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ibm-sre-editor-rb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ibm-sre-editor
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: ibm-sre
+---
+# dba role
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ibm-dba-cluster-role
+rules:
+ - verbs: ["*"]
+ apiGroups: [""]
+ resources: ["pods", "pods/exec", "services"]
+ - verbs: ["*"]
+ apiGroups: ["networking.k8s.io"]
+ resources: ["networkpolicies"]
+ - verbs: ["get", "list", "watch"]
+ apiGroups: [""]
+ resources: ["secrets"]
+ - verbs: ["*"]
+ apiGroups: ["batch"]
+ resources: ["jobs", "cronjobs"]
+ - verbs: ["update", "patch", "get", "list"]
+ apiGroups: ["db2u.databases.ibm.com"]
+ resources: ["*"]
+ - verbs: ["update", "patch", "get", "list"]
+ apiGroups: ["datarefinery.cpd.ibm.com"]
+ resources: ["*"]
+ - verbs: ["update", "patch", "get", "list"]
+ apiGroups: ["databases.cpd.ibm.com"]
+ resources: ["*"]
+---
+# dba cluster reader binding
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cluster-reader
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: ibm-dba
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-reader
+---
+# dba edit binding
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ibm-dba-edit-rb
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: ibm-dba
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ibm-dba-cluster-role
+---
+# network role
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ibm-network-cluster-role
+rules:
+ - verbs: ["*"]
+ apiGroups: ["networking.k8s.io"]
+ resources: ["networkpolicies"]
+ - verbs: ["*"]
+ apiGroups: ["network.openshift.io"]
+ resources: ["egressnetworkpolicies"]
+ - verbs: ["*"]
+ apiGroups: 
["operator.openshift.io"] + resources: ["ingresscontrollers"] + - verbs: ["get"] + apiGroups: ["operator.openshift.io"] + resources: ["dnses"] +--- +# network binding +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ibm-network-rb.yaml +subjects: + - kind: Group + apiGroup: rbac.authorization.k8s.io + name: ibm-network +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ibm-network-cluster-role +--- +# network cluster reader binding +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ibm-network-cluster-reader +subjects: + - kind: Group + apiGroup: rbac.authorization.k8s.io + name: ibm-network +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-reader +--- +# ibm-sre-automation cluster admin +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ibm-sre-automation-cluster-admin-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: ibm-sre-automation diff --git a/cluster-applications/TODO-rbac/values.yaml b/cluster-applications/TODO-rbac/values.yaml new file mode 100644 index 000000000..ed97d539c --- /dev/null +++ b/cluster-applications/TODO-rbac/values.yaml @@ -0,0 +1 @@ +--- diff --git a/root-applications/ibm-mas-cluster-root/templates/TODO-rbac-app.yaml b/root-applications/ibm-mas-cluster-root/templates/TODO-rbac-app.yaml new file mode 100644 index 000000000..6ce2aba51 --- /dev/null +++ b/root-applications/ibm-mas-cluster-root/templates/TODO-rbac-app.yaml 
@@ -0,0 +1,69 @@
+{{- if not (empty .Values.ibm_operator_catalog) }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: rbac.{{ .Values.cluster.id }}
+ namespace: {{ .Values.argo.namespace }}
+ labels:
+ environment: '{{ .Values.account.id }}'
+ region: '{{ .Values.region.id }}'
+ cluster: '{{ .Values.cluster.id }}'
+ annotations:
+ argocd.argoproj.io/sync-wave: TODO
+ healthCheckTimeout: "1800"
+ {{- if and .Values.notifications .Values.notifications.slack_channel_id }}
+ notifications.argoproj.io/subscribe.on-sync-failed.workspace1: {{ .Values.notifications.slack_channel_id }}
+ notifications.argoproj.io/subscribe.on-sync-succeeded.workspace1: {{ .Values.notifications.slack_channel_id }}
+ {{- end }}
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ ignoreDifferences:
+ - group: '*'
+ kind: ServiceAccount
+ jsonPointers:
+ - /imagePullSecrets
+ project: "{{ .Values.argo.projects.apps }}"
+ destination:
+ server: {{ .Values.cluster.url }}
+ namespace: default
+ source:
+ repoURL: "{{ .Values.source.repo_url }}"
+ path: cluster-applications/000-ibm-operator-catalog
+ targetRevision: "{{ .Values.source.revision }}"
+ plugin:
+ name: {{ .Values.avp.name }}
+ env:
+ - name: {{ .Values.avp.values_varname }}
+ value: |
+ ibm_entitlement_key: "{{ .Values.ibm_operator_catalog.ibm_entitlement_key }}"
+ mas_catalog_version: "{{ .Values.ibm_operator_catalog.mas_catalog_version }}"
+ mas_catalog_image: "{{ .Values.ibm_operator_catalog.mas_catalog_image }}"
+ junitreporter:
+ reporter_name: "ibm-operator-catalog"
+ cluster_id: "{{ .Values.cluster.id }}"
+ devops_mongo_uri: "{{ .Values.devops.mongo_uri }}"
+ devops_build_number: "{{ .Values.devops.build_number }}"
+ gitops_version: "{{ .Values.source.revision }}"
+ {{- if .Values.custom_labels }}
+ custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }}
+ {{- end }}
+ - name: ARGOCD_APP_NAME
+ value: rbacapp
+ {{- if not (empty .Values.avp.secret) }}
+ - name: AVP_SECRET
+ 
value: {{ .Values.avp.secret }}
+ {{- end }}
+ syncPolicy:
+ automated:
+ {{- if .Values.auto_delete }}
+ prune: true
+ {{- end }}
+ selfHeal: true
+ retry:
+ limit: 20
+ syncOptions:
+ - CreateNamespace=false
+ - RespectIgnoreDifferences=true
+{{- end }}
\ No newline at end of file
From fe90ea01b94efba922261ee804c51c87753a2f15 Mon Sep 17 00:00:00 2001
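Review bot: The Application syncs cluster-scoped RBAC, including ClusterRoleBindings to `cluster-admin`, from the shared `project: "{{ .Values.argo.projects.apps }}"`, so that AppProject's cluster-resource whitelist has to admit `ClusterRole` and `ClusterRoleBinding`, and every other Application in the same project then carries the same ability to create such bindings. A dedicated AppProject for this app, with the whitelist limited to the `rbac.authorization.k8s.io` kinds and `sourceRepos`/`destinations` pinned to this chart path and cluster, keeps that capability with the one app that needs it; the project definitions are not in this patch, so confirm how `apps` is currently scoped. `destination.namespace: default` is harmless for cluster-scoped objects but is where any namespaced resource added to the chart later would land, which a comment on that line should say. The copied guard, path, sync-wave and `ibm_operator_catalog` values are corrected in patches 03 and 04.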
From: "J. Harte" Date: Thu, 7 Nov 2024 09:22:34 +0000 Subject: [PATCH 02/24] feat: roles & bindings --- .../templates/TODO-roles-and-bindings.yaml | 206 ------------------ .../cluster-admin_cluster-role-binding.yaml | 12 + .../dba-editor_cluster-role-binding.yaml | 12 + .../dba-reader_cluster-role-binding.yaml | 12 + .../TODO-rbac/templates/dba_cluster-role.yaml | 26 +++ .../network-reader_cluster-role-binding.yaml | 12 + .../network_cluster-role-binding.yaml | 12 + .../templates/network_cluster-role.yaml | 17 ++ .../provisioning_cluster-role-binding.yaml | 12 + ...automation-admin_cluster-role-binding.yaml | 12 + .../sre-editor_cluster-role-binding.yaml | 12 + .../templates/sre-editor_cluster-role.yaml | 32 +++ .../sre-reader_cluster-role-binding.yaml | 12 + 13 files changed, 183 insertions(+), 206 deletions(-) delete mode 100644 cluster-applications/TODO-rbac/templates/TODO-roles-and-bindings.yaml create mode 100644 cluster-applications/TODO-rbac/templates/cluster-admin_cluster-role-binding.yaml create mode 100644 cluster-applications/TODO-rbac/templates/dba-editor_cluster-role-binding.yaml create mode 100644 cluster-applications/TODO-rbac/templates/dba-reader_cluster-role-binding.yaml create mode 100644 cluster-applications/TODO-rbac/templates/dba_cluster-role.yaml create mode 100644 cluster-applications/TODO-rbac/templates/network-reader_cluster-role-binding.yaml create mode 100644 cluster-applications/TODO-rbac/templates/network_cluster-role-binding.yaml create mode 100644 cluster-applications/TODO-rbac/templates/network_cluster-role.yaml create mode 100644 cluster-applications/TODO-rbac/templates/provisioning_cluster-role-binding.yaml create mode 100644 cluster-applications/TODO-rbac/templates/sre-automation-admin_cluster-role-binding.yaml create mode 100644 cluster-applications/TODO-rbac/templates/sre-editor_cluster-role-binding.yaml create mode 100644 cluster-applications/TODO-rbac/templates/sre-editor_cluster-role.yaml create mode 100644 
cluster-applications/TODO-rbac/templates/sre-reader_cluster-role-binding.yaml
diff --git a/cluster-applications/TODO-rbac/templates/TODO-roles-and-bindings.yaml b/cluster-applications/TODO-rbac/templates/TODO-roles-and-bindings.yaml
deleted file mode 100644
index 0d5642306..000000000
--- a/cluster-applications/TODO-rbac/templates/TODO-roles-and-bindings.yaml
+++ /dev/null
@@ -1,206 +0,0 @@
-# ibm-provisioning group binding
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ibm-provisioning-rb
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: ibm-provisioning
----
-# cluster admin binding
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ibm-cluster-admins
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: ibm-cluster-admins
----
-# sre role
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ibm-sre-editor
-rules:
- - verbs: ["*"]
- apiGroups: [""]
- resources: ["pods", "pods/exec"]
- - verbs: ["*"]
- apiGroups: [""]
- resources: ["secrets"]
- - verbs: ["*"]
- apiGroups: ["apps"]
- resources: ["deployments", "deployments/scale", "statefulsets"]
- - verbs: ["create", "update", "patch", "get", "list"]
- apiGroups: ["route.openshift.io"]
- resources: ["routes"]
- - verbs: ["update", "patch", "get", "list"]
- apiGroups: ["apps.mas.ibm.com"]
- resources: ["*"]
- - verbs: ["update", "patch", "get", "list"]
- apiGroups: ["config.mas.ibm.com"]
- resources: ["*"]
- - verbs: ["*"]
- apiGroups: ["cert-manager.io"]
- resources: ["*"]
- - verbs: ["*"]
- apiGroups: ["acme.cert-manager.io"]
- resources: ["*"]
- - verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["operators.coreos.com"]
- resources: ["clusterserviceversions", "installplans", "subscriptions"]
----
-# sre cluster reader binding
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ibm-sre-cluster-reader
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-reader
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: ibm-sre
----
-# sre editor binding
-apiVersion: 
rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ibm-sre-editor-rb
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ibm-sre-editor
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: ibm-sre
----
-# dba role
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ibm-dba-cluster-role
-rules:
- - verbs: ["*"]
- apiGroups: [""]
- resources: ["pods", "pods/exec", "services"]
- - verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
- resources: ["networkpolicies"]
- - verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["secrets"]
- - verbs: ["*"]
- apiGroups: ["batch"]
- resources: ["jobs", "cronjobs"]
- - verbs: ["update", "patch", "get", "list"]
- apiGroups: ["db2u.databases.ibm.com"]
- resources: ["*"]
- - verbs: ["update", "patch", "get", "list"]
- apiGroups: ["datarefinery.cpd.ibm.com"]
- resources: ["*"]
- - verbs: ["update", "patch", "get", "list"]
- apiGroups: ["databases.cpd.ibm.com"]
- resources: ["*"]
----
-# dba cluster reader binding
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cluster-reader
-subjects:
- - kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: ibm-dba
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-reader
----
-# dba edit binding
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ibm-dba-edit-rb
-subjects:
- - kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: ibm-dba
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ibm-dba-cluster-role
----
-# network role
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ibm-network-cluster-role
-rules:
- - verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
- resources: ["networkpolicies"]
- - verbs: ["*"]
- apiGroups: ["network.openshift.io"]
- resources: ["egressnetworkpolicies"]
- - verbs: ["*"]
- apiGroups: 
["operator.openshift.io"] - resources: ["ingresscontrollers"] - - verbs: ["get"] - apiGroups: ["operator.openshift.io"] - resources: ["dnses"] ---- -# network binding -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ibm-network-rb.yaml -subjects: - - kind: Group - apiGroup: rbac.authorization.k8s.io - name: ibm-network -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ibm-network-cluster-role ---- -# network cluster reader binding -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ibm-network-cluster-reader -subjects: - - kind: Group - apiGroup: rbac.authorization.k8s.io - name: ibm-network -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-reader ---- -# ibm-sre-automation cluster admin -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ibm-sre-automation-cluster-admin-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: ibm-sre-automation diff --git a/cluster-applications/TODO-rbac/templates/cluster-admin_cluster-role-binding.yaml b/cluster-applications/TODO-rbac/templates/cluster-admin_cluster-role-binding.yaml new file mode 100644 index 000000000..24e059d69 --- /dev/null +++ b/cluster-applications/TODO-rbac/templates/cluster-admin_cluster-role-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ibm-cluster-admins +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: ibm-cluster-admins diff --git a/cluster-applications/TODO-rbac/templates/dba-editor_cluster-role-binding.yaml b/cluster-applications/TODO-rbac/templates/dba-editor_cluster-role-binding.yaml new file mode 100644 index 000000000..8f325a01e 
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/dba-editor_cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ibm-dba-edit-rb
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: ibm-dba
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ibm-dba-cluster-role
\ No newline at end of file
diff --git a/cluster-applications/TODO-rbac/templates/dba-reader_cluster-role-binding.yaml b/cluster-applications/TODO-rbac/templates/dba-reader_cluster-role-binding.yaml
new file mode 100644
index 000000000..12456da09
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/dba-reader_cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cluster-reader
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: ibm-dba
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-reader
diff --git a/cluster-applications/TODO-rbac/templates/dba_cluster-role.yaml b/cluster-applications/TODO-rbac/templates/dba_cluster-role.yaml
new file mode 100644
index 000000000..603b06ec2
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/dba_cluster-role.yaml
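Review bot: The binding files are written in two different layouts: `dba-editor_cluster-role-binding.yaml`, `dba-reader_cluster-role-binding.yaml` and the two network bindings put `kind` before `apiVersion`, `subjects` before `roleRef` and indent the sequence item, whereas `cluster-admin_cluster-role-binding.yaml`, `provisioning_cluster-role-binding.yaml`, `sre-editor_cluster-role-binding.yaml`, `sre-reader_cluster-role-binding.yaml` and `sre-automation-admin_cluster-role-binding.yaml` use `apiVersion`, `kind`, `roleRef`, `subjects` with a flush sequence. The resources are equivalent, but with a dozen near-identical twelve-line files, normalising to one order (`apiVersion`, `kind`, `metadata`, `roleRef`, `subjects`,  flush `- ` items) means a diff between any two bindings shows only the group and role names that actually differ. The same split is visible in the `ClusterRole` files, where `kind` precedes `apiVersion`.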
@@ -0,0 +1,26 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ibm-dba-cluster-role
+rules:
+ - verbs: ["*"]
+ apiGroups: [""]
+ resources: ["pods", "pods/exec", "services"]
+ - verbs: ["*"]
+ apiGroups: ["networking.k8s.io"]
+ resources: ["networkpolicies"]
+ - verbs: ["get", "list", "watch"]
+ apiGroups: [""]
+ resources: ["secrets"]
+ - verbs: ["*"]
+ apiGroups: ["batch"]
+ resources: ["jobs", "cronjobs"]
+ - verbs: ["update", "patch", "get", "list"]
+ apiGroups: ["db2u.databases.ibm.com"]
+ resources: ["*"]
+ - verbs: ["update", "patch", "get", "list"]
+ apiGroups: ["datarefinery.cpd.ibm.com"]
+ resources: ["*"]
+ - verbs: ["update", "patch", "get", "list"]
+ apiGroups: ["databases.cpd.ibm.com"]
+ resources: ["*"]
diff --git a/cluster-applications/TODO-rbac/templates/network-reader_cluster-role-binding.yaml b/cluster-applications/TODO-rbac/templates/network-reader_cluster-role-binding.yaml
new file mode 100644
index 000000000..5570dd943
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/network-reader_cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ibm-network-cluster-reader
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: ibm-network
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-reader
diff --git a/cluster-applications/TODO-rbac/templates/network_cluster-role-binding.yaml b/cluster-applications/TODO-rbac/templates/network_cluster-role-binding.yaml
new file mode 100644
index 000000000..2927b0b7c
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/network_cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ibm-network-rb.yaml
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: ibm-network
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ibm-network-cluster-role
diff --git a/cluster-applications/TODO-rbac/templates/network_cluster-role.yaml b/cluster-applications/TODO-rbac/templates/network_cluster-role.yaml
new file mode 100644
index 000000000..56b38a6b2
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/network_cluster-role.yaml
@@ -0,0 +1,17 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ibm-network-cluster-role
+rules:
+ - verbs: ["*"]
+ apiGroups: ["networking.k8s.io"]
+ resources: ["networkpolicies"]
+ - verbs: ["*"]
+ apiGroups: ["network.openshift.io"]
+ resources: ["egressnetworkpolicies"]
+ - verbs: ["*"]
+ apiGroups: ["operator.openshift.io"]
+ resources: ["ingresscontrollers"]
+ - verbs: ["get"]
+ apiGroups: ["operator.openshift.io"]
+ resources: ["dnses"]
diff --git a/cluster-applications/TODO-rbac/templates/provisioning_cluster-role-binding.yaml b/cluster-applications/TODO-rbac/templates/provisioning_cluster-role-binding.yaml
new file mode 100644
index 000000000..3189502d9
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/provisioning_cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ibm-provisioning-rb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: ibm-provisioning
diff --git a/cluster-applications/TODO-rbac/templates/sre-automation-admin_cluster-role-binding.yaml b/cluster-applications/TODO-rbac/templates/sre-automation-admin_cluster-role-binding.yaml
new file mode 100644
index 000000000..fda52a24b
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/sre-automation-admin_cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ibm-sre-automation-cluster-admin-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: ibm-sre-automation
diff --git a/cluster-applications/TODO-rbac/templates/sre-editor_cluster-role-binding.yaml b/cluster-applications/TODO-rbac/templates/sre-editor_cluster-role-binding.yaml
new file mode 100644
index 000000000..fe5f4536f
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/sre-editor_cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ibm-sre-editor-rb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ibm-sre-editor
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: ibm-sre
diff --git a/cluster-applications/TODO-rbac/templates/sre-editor_cluster-role.yaml b/cluster-applications/TODO-rbac/templates/sre-editor_cluster-role.yaml
new file mode 100644
index 000000000..6da6ec2a3
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/sre-editor_cluster-role.yaml
@@ -0,0 +1,32 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ibm-sre-editor
+rules:
+ - verbs: ["*"]
+ apiGroups: [""]
+ resources: ["pods", "pods/exec"]
+ - verbs: ["*"]
+ apiGroups: [""]
+ resources: ["secrets"]
+ - verbs: ["*"]
+ apiGroups: ["apps"]
+ resources: ["deployments", "deployments/scale", "statefulsets"]
+ - verbs: ["create", "update", "patch", "get", "list"]
+ apiGroups: ["route.openshift.io"]
+ resources: ["routes"]
+ - verbs: ["update", "patch", "get", "list"]
+ apiGroups: ["apps.mas.ibm.com"]
+ resources: ["*"]
+ - verbs: ["update", "patch", "get", "list"]
+ apiGroups: ["config.mas.ibm.com"]
+ resources: ["*"]
+ - verbs: ["*"]
+ apiGroups: ["cert-manager.io"]
+ resources: ["*"]
+ - verbs: ["*"]
+ apiGroups: ["acme.cert-manager.io"]
+ resources: ["*"]
+ - verbs: ["get", "list", "watch", "update", "patch"]
+ apiGroups: ["operators.coreos.com"]
+ resources: ["clusterserviceversions", "installplans", "subscriptions"]
diff --git a/cluster-applications/TODO-rbac/templates/sre-reader_cluster-role-binding.yaml b/cluster-applications/TODO-rbac/templates/sre-reader_cluster-role-binding.yaml
new file mode 100644
index 000000000..aeeaf92c8
--- /dev/null
+++ b/cluster-applications/TODO-rbac/templates/sre-reader_cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ibm-sre-cluster-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-reader
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: ibm-sre
From e4323a2403358dcb1cb30fc491562313def1f47d Mon Sep 17 00:00:00 2001
From: "J. Harte" Date: Thu, 7 Nov 2024 09:36:54 +0000 Subject: [PATCH 03/24] feat: argo app & sync wave --- .../{TODO-rbac => 060-rbac}/Chart.yaml | 0 .../{TODO-rbac => 060-rbac}/README.md | 0 .../cluster-admin_cluster-role-binding.yaml | 0 .../dba-editor_cluster-role-binding.yaml | 0 .../dba-reader_cluster-role-binding.yaml | 0 .../templates/dba_cluster-role.yaml | 0 .../network-reader_cluster-role-binding.yaml | 0 .../templates/network_cluster-role-binding.yaml | 0 .../templates/network_cluster-role.yaml | 0 .../provisioning_cluster-role-binding.yaml | 0 ...re-automation-admin_cluster-role-binding.yaml | 0 .../sre-editor_cluster-role-binding.yaml | 0 .../templates/sre-editor_cluster-role.yaml | 0 .../sre-reader_cluster-role-binding.yaml | 0 .../{TODO-rbac => 060-rbac}/values.yaml | 0 .../{TODO-rbac-app.yaml => 060-rbac-app.yaml} | 16 ++++------------ 16 files changed, 4 insertions(+), 12 deletions(-) rename cluster-applications/{TODO-rbac => 060-rbac}/Chart.yaml (100%) rename cluster-applications/{TODO-rbac => 060-rbac}/README.md (100%) rename cluster-applications/{TODO-rbac => 060-rbac}/templates/cluster-admin_cluster-role-binding.yaml (100%) rename cluster-applications/{TODO-rbac => 060-rbac}/templates/dba-editor_cluster-role-binding.yaml (100%) rename cluster-applications/{TODO-rbac => 060-rbac}/templates/dba-reader_cluster-role-binding.yaml (100%) rename cluster-applications/{TODO-rbac => 060-rbac}/templates/dba_cluster-role.yaml (100%) rename cluster-applications/{TODO-rbac => 060-rbac}/templates/network-reader_cluster-role-binding.yaml (100%) rename cluster-applications/{TODO-rbac => 060-rbac}/templates/network_cluster-role-binding.yaml (100%) rename cluster-applications/{TODO-rbac => 060-rbac}/templates/network_cluster-role.yaml (100%) rename cluster-applications/{TODO-rbac => 060-rbac}/templates/provisioning_cluster-role-binding.yaml (100%) rename cluster-applications/{TODO-rbac => 060-rbac}/templates/sre-automation-admin_cluster-role-binding.yaml (100%) 
rename cluster-applications/{TODO-rbac => 060-rbac}/templates/sre-editor_cluster-role-binding.yaml (100%)
rename cluster-applications/{TODO-rbac => 060-rbac}/templates/sre-editor_cluster-role.yaml (100%)
rename cluster-applications/{TODO-rbac => 060-rbac}/templates/sre-reader_cluster-role-binding.yaml (100%)
rename cluster-applications/{TODO-rbac => 060-rbac}/values.yaml (100%)
rename root-applications/ibm-mas-cluster-root/templates/{TODO-rbac-app.yaml => 060-rbac-app.yaml} (77%)
diff --git a/cluster-applications/TODO-rbac/Chart.yaml b/cluster-applications/060-rbac/Chart.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/Chart.yaml
rename to cluster-applications/060-rbac/Chart.yaml
diff --git a/cluster-applications/TODO-rbac/README.md b/cluster-applications/060-rbac/README.md
similarity index 100%
rename from cluster-applications/TODO-rbac/README.md
rename to cluster-applications/060-rbac/README.md
diff --git a/cluster-applications/TODO-rbac/templates/cluster-admin_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/cluster-admin_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/cluster-admin_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/cluster-admin_cluster-role-binding.yaml
diff --git a/cluster-applications/TODO-rbac/templates/dba-editor_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/dba-editor_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/dba-editor_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/dba-editor_cluster-role-binding.yaml
diff --git a/cluster-applications/TODO-rbac/templates/dba-reader_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/dba-reader_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/dba-reader_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/dba-reader_cluster-role-binding.yaml
diff --git a/cluster-applications/TODO-rbac/templates/dba_cluster-role.yaml b/cluster-applications/060-rbac/templates/dba_cluster-role.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/dba_cluster-role.yaml
rename to cluster-applications/060-rbac/templates/dba_cluster-role.yaml
diff --git a/cluster-applications/TODO-rbac/templates/network-reader_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/network-reader_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/network-reader_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/network-reader_cluster-role-binding.yaml
diff --git a/cluster-applications/TODO-rbac/templates/network_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/network_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/network_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/network_cluster-role-binding.yaml
diff --git a/cluster-applications/TODO-rbac/templates/network_cluster-role.yaml b/cluster-applications/060-rbac/templates/network_cluster-role.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/network_cluster-role.yaml
rename to cluster-applications/060-rbac/templates/network_cluster-role.yaml
diff --git a/cluster-applications/TODO-rbac/templates/provisioning_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/provisioning_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/provisioning_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/provisioning_cluster-role-binding.yaml
diff --git a/cluster-applications/TODO-rbac/templates/sre-automation-admin_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/sre-automation-admin_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/sre-automation-admin_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/sre-automation-admin_cluster-role-binding.yaml
diff --git a/cluster-applications/TODO-rbac/templates/sre-editor_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/sre-editor_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/sre-editor_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/sre-editor_cluster-role-binding.yaml
diff --git a/cluster-applications/TODO-rbac/templates/sre-editor_cluster-role.yaml b/cluster-applications/060-rbac/templates/sre-editor_cluster-role.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/sre-editor_cluster-role.yaml
rename to cluster-applications/060-rbac/templates/sre-editor_cluster-role.yaml
diff --git a/cluster-applications/TODO-rbac/templates/sre-reader_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/sre-reader_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/templates/sre-reader_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/sre-reader_cluster-role-binding.yaml
diff --git a/cluster-applications/TODO-rbac/values.yaml b/cluster-applications/060-rbac/values.yaml
similarity index 100%
rename from cluster-applications/TODO-rbac/values.yaml
rename to cluster-applications/060-rbac/values.yaml
diff --git a/root-applications/ibm-mas-cluster-root/templates/TODO-rbac-app.yaml b/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml
similarity index 77%
rename from root-applications/ibm-mas-cluster-root/templates/TODO-rbac-app.yaml
rename to root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml
index 6ce2aba51..9a11ef5e7 100644
--- a/root-applications/ibm-mas-cluster-root/templates/TODO-rbac-app.yaml
+++ b/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml
@@ -1,4 +1,4 @@
-{{- if not (empty .Values.ibm_operator_catalog) }}
+{{- if not (empty .Values.rbac) }}
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -10,7 +10,7 @@ metadata:
 region: '{{ .Values.region.id }}'
 cluster: '{{ .Values.cluster.id }}'
 annotations:
- argocd.argoproj.io/sync-wave: TODO
+ argocd.argoproj.io/sync-wave: "060"
 healthCheckTimeout: "1800"
 {{- if and .Values.notifications .Values.notifications.slack_channel_id }}
 notifications.argoproj.io/subscribe.on-sync-failed.workspace1: {{ .Values.notifications.slack_channel_id }}
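Review bot: The new guard `{{- if not (empty .Values.rbac) }}` keys the whole Application on a root value that nothing else reads: the `060-rbac` chart's `values.yaml` is an empty document and the plugin env only passes `junitreporter` settings, so a reader cannot tell from this template what `rbac:` must contain to turn the app on. Either document the expected shape in the root chart values (e.g. `rbac: {}` with `# any non-empty map deploys cluster-applications/060-rbac`) or use an explicit flag in the same shape as the notifications check already in this file, `{{- if and .Values.rbac .Values.rbac.enabled }}`, so a stray key cannot switch on cluster-admin bindings by accident. The root values file is outside this patch, so confirm which form the other application templates in this directory use.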
@@ -19,29 +19,21 @@ metadata:
 finalizers:
 - resources-finalizer.argocd.argoproj.io
 spec:
- ignoreDifferences:
- - group: '*'
- kind: ServiceAccount
- jsonPointers:
- - /imagePullSecrets
 project: "{{ .Values.argo.projects.apps }}"
 destination:
 server: {{ .Values.cluster.url }}
 namespace: default
 source:
 repoURL: "{{ .Values.source.repo_url }}"
- path: cluster-applications/000-ibm-operator-catalog
+ path: cluster-applications/TODO-rbac
 targetRevision: "{{ .Values.source.revision }}"
 plugin:
 name: {{ .Values.avp.name }}
 env:
 - name: {{ .Values.avp.values_varname }}
 value: |
- ibm_entitlement_key: "{{ .Values.ibm_operator_catalog.ibm_entitlement_key }}"
- mas_catalog_version: "{{ .Values.ibm_operator_catalog.mas_catalog_version }}"
- mas_catalog_image: "{{ .Values.ibm_operator_catalog.mas_catalog_image }}"
 junitreporter:
- reporter_name: "ibm-operator-catalog"
+ reporter_name: "rbac"
 cluster_id: "{{ .Values.cluster.id }}"
 devops_mongo_uri: "{{ .Values.devops.mongo_uri }}"
 devops_build_number: "{{ .Values.devops.build_number }}"
From 7e2680450946f9f86f239f7c8e4b922ac6584c95 Mon Sep 17 00:00:00 2001
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Thu, 7 Nov 2024 09:45:12 +0000
Subject: [PATCH 04/24] fix: app path
---
 .../ibm-mas-cluster-root/templates/060-rbac-app.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml b/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml
index 9a11ef5e7..69e5c7da7 100644
--- a/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml
+++ b/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml
@@ -25,7 +25,7 @@ spec:
 namespace: default
 source:
 repoURL: "{{ .Values.source.repo_url }}"
- path: cluster-applications/TODO-rbac
+ path: cluster-applications/060-rbac
 targetRevision: "{{ .Values.source.revision }}"
 plugin:
 name: {{ .Values.avp.name }}
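Review bot: This hunk removes the only `ignoreDifferences` entry (the ServiceAccount `imagePullSecrets` exclusion inherited from the operator-catalog app), yet `syncOptions` still carries `- RespectIgnoreDifferences=true` (visible in the PATCH 05 hunk of this file), so that option is now dead configuration; either drop it or keep the exclusion if the cluster injects pull secrets into ServiceAccounts that this chart manages. The `destination.namespace: default` is only nominal for a chart whose diffstat lists cluster-scoped ClusterRoles and ClusterRoleBindings; a comment such as `# cluster-scoped resources only; namespace is required by Argo but unused` would make that explicit.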
From aaf93c5ef247329e5e0d96fd8d05f7a2817e6900 Mon Sep 17 00:00:00 2001
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Thu, 7 Nov 2024 09:49:16 +0000
Subject: [PATCH 05/24] fix: missing EOL chars
---
 cluster-applications/060-rbac/Chart.yaml | 2 +-
 .../060-rbac/templates/dba-editor_cluster-role-binding.yaml | 2 +-
 .../ibm-mas-cluster-root/templates/060-rbac-app.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cluster-applications/060-rbac/Chart.yaml b/cluster-applications/060-rbac/Chart.yaml
index 509e6e35f..9155d8fc9 100644
--- a/cluster-applications/060-rbac/Chart.yaml
+++ b/cluster-applications/060-rbac/Chart.yaml
@@ -8,4 +8,4 @@ dependencies:
 - name: junitreporter
 version: 1.0.0
 repository: "file://../../sub-charts/junitreporter/"
- condition: junitreporter.devops_mongo_uri != ""
\ No newline at end of file
+ condition: junitreporter.devops_mongo_uri != ""
diff --git a/cluster-applications/060-rbac/templates/dba-editor_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/dba-editor_cluster-role-binding.yaml
index 8f325a01e..99c1c0cdf 100644
--- a/cluster-applications/060-rbac/templates/dba-editor_cluster-role-binding.yaml
+++ b/cluster-applications/060-rbac/templates/dba-editor_cluster-role-binding.yaml
@@ -9,4 +9,4 @@ subjects:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: ibm-dba-cluster-role
\ No newline at end of file
+ name: ibm-dba-cluster-role
diff --git a/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml b/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml
index 69e5c7da7..425a39ef2 100644
--- a/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml
+++ b/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml
@@ -58,4 +58,4 @@ spec:
 syncOptions:
 - CreateNamespace=false
 - RespectIgnoreDifferences=true
-{{- end }}
\ No newline at end of file
+{{- end }}
From 7b075b1c0d0dfff04d43f63c2fac92720ffd1000 Mon Sep 17 00:00:00 2001 
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Thu, 7 Nov 2024 13:24:15 +0000
Subject: [PATCH 06/24] feat: parameterized groups
---
 .../cluster-admin_cluster-role-binding.yaml | 0
 .../dba-editor_cluster-role-binding.yaml | 0
 .../dba-reader_cluster-role-binding.yaml | 0
 .../network-reader_cluster-role-binding.yaml | 0
 .../network_cluster-role-binding.yaml | 0
 .../provisioning_cluster-role-binding.yaml | 0
 .../sre-automation-admin_cluster-role-binding.yaml | 0
 .../sre-editor_cluster-role-binding.yaml | 0
 .../sre-reader_cluster-role-binding.yaml | 0
 .../templates/{ => cluster-roles}/dba_cluster-role.yaml | 0
 .../templates/{ => cluster-roles}/network_cluster-role.yaml | 0
 .../{ => cluster-roles}/sre-editor_cluster-role.yaml | 0
 .../060-rbac/templates/groups/cluster-admin_group.yaml | 6 ++++++
 .../060-rbac/templates/groups/dba_group.yaml | 6 ++++++
 .../060-rbac/templates/groups/network_group.yaml | 6 ++++++
 .../060-rbac/templates/groups/provisioning_group.yaml | 6 ++++++
 .../060-rbac/templates/groups/sre-automation_group.yaml | 6 ++++++
 .../060-rbac/templates/groups/sre_group.yaml | 6 ++++++
 18 files changed, 36 insertions(+)
 rename cluster-applications/060-rbac/templates/{ => cluster-role-bindings}/cluster-admin_cluster-role-binding.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-role-bindings}/dba-editor_cluster-role-binding.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-role-bindings}/dba-reader_cluster-role-binding.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-role-bindings}/network-reader_cluster-role-binding.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-role-bindings}/network_cluster-role-binding.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-role-bindings}/provisioning_cluster-role-binding.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-role-bindings}/sre-automation-admin_cluster-role-binding.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-role-bindings}/sre-editor_cluster-role-binding.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-role-bindings}/sre-reader_cluster-role-binding.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-roles}/dba_cluster-role.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-roles}/network_cluster-role.yaml (100%)
 rename cluster-applications/060-rbac/templates/{ => cluster-roles}/sre-editor_cluster-role.yaml (100%)
 create mode 100644 cluster-applications/060-rbac/templates/groups/cluster-admin_group.yaml
 create mode 100644 cluster-applications/060-rbac/templates/groups/dba_group.yaml
 create mode 100644 cluster-applications/060-rbac/templates/groups/network_group.yaml
 create mode 100644 cluster-applications/060-rbac/templates/groups/provisioning_group.yaml
 create mode 100644 cluster-applications/060-rbac/templates/groups/sre-automation_group.yaml
 create mode 100644 cluster-applications/060-rbac/templates/groups/sre_group.yaml
diff --git a/cluster-applications/060-rbac/templates/cluster-admin_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/cluster-admin_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml
diff --git a/cluster-applications/060-rbac/templates/dba-editor_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/dba-editor_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml
diff --git a/cluster-applications/060-rbac/templates/dba-reader_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/dba-reader_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml
diff --git a/cluster-applications/060-rbac/templates/network-reader_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/network-reader_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml
diff --git a/cluster-applications/060-rbac/templates/network_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/network_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml
diff --git a/cluster-applications/060-rbac/templates/provisioning_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/provisioning_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml
diff --git a/cluster-applications/060-rbac/templates/sre-automation-admin_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/sre-automation-admin_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml
diff --git a/cluster-applications/060-rbac/templates/sre-editor_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/sre-editor_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml
diff --git a/cluster-applications/060-rbac/templates/sre-reader_cluster-role-binding.yaml b/cluster-applications/060-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/sre-reader_cluster-role-binding.yaml
rename to cluster-applications/060-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml
diff --git a/cluster-applications/060-rbac/templates/dba_cluster-role.yaml b/cluster-applications/060-rbac/templates/cluster-roles/dba_cluster-role.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/dba_cluster-role.yaml
rename to cluster-applications/060-rbac/templates/cluster-roles/dba_cluster-role.yaml
diff --git a/cluster-applications/060-rbac/templates/network_cluster-role.yaml b/cluster-applications/060-rbac/templates/cluster-roles/network_cluster-role.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/network_cluster-role.yaml
rename to cluster-applications/060-rbac/templates/cluster-roles/network_cluster-role.yaml
diff --git a/cluster-applications/060-rbac/templates/sre-editor_cluster-role.yaml b/cluster-applications/060-rbac/templates/cluster-roles/sre-editor_cluster-role.yaml
similarity index 100%
rename from cluster-applications/060-rbac/templates/sre-editor_cluster-role.yaml
rename to cluster-applications/060-rbac/templates/cluster-roles/sre-editor_cluster-role.yaml
diff --git a/cluster-applications/060-rbac/templates/groups/cluster-admin_group.yaml b/cluster-applications/060-rbac/templates/groups/cluster-admin_group.yaml
new file mode 100644
index 000000000..397693ecc
--- /dev/null
+++ b/cluster-applications/060-rbac/templates/groups/cluster-admin_group.yaml
@@ -0,0 +1,6 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+ name: ibm-cluster-admins
+users:
+{{ .Values.cluster-admin-users | toYaml | indent 2 }}
diff --git a/cluster-applications/060-rbac/templates/groups/dba_group.yaml b/cluster-applications/060-rbac/templates/groups/dba_group.yaml
new file mode 100644
index 000000000..ebe0e95c6
--- /dev/null
+++ b/cluster-applications/060-rbac/templates/groups/dba_group.yaml
@@ -0,0 +1,6 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+ name: ibm-dba
+users:
+{{ .Values.dba-users | toYaml | indent 2 }}
diff --git a/cluster-applications/060-rbac/templates/groups/network_group.yaml b/cluster-applications/060-rbac/templates/groups/network_group.yaml
new file mode 100644
index 000000000..57d834234
--- /dev/null
+++ b/cluster-applications/060-rbac/templates/groups/network_group.yaml
@@ -0,0 +1,6 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+ name: ibm-network
+users:
+{{ .Values.network-users | toYaml | indent 2 }}
diff --git a/cluster-applications/060-rbac/templates/groups/provisioning_group.yaml b/cluster-applications/060-rbac/templates/groups/provisioning_group.yaml
new file mode 100644
index 000000000..e976bd6fa
--- /dev/null
+++ b/cluster-applications/060-rbac/templates/groups/provisioning_group.yaml
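Review bot: `{{ .Values.cluster-admin-users | toYaml | indent 2 }}` uses a hyphenated key in a Go template field chain, which is a template parse error (hyphens are not identifier characters), so `helm template` fails for the whole chart before any value is read; the same applies to `dba-users`, `network-users`, `provisioning-users`, `sre-automation-users` and `sre-users` in the other five group templates here and on the next line. Either rename the values to snake_case, matching the `group_sync_operator_*` keys used elsewhere in this series, or look them up with `{{ index .Values "cluster-admin-users" | toYaml | indent 2 }}`. For `ibm-cluster-admins` in particular an unset value renders `users: null` and silently creates an empty group, which is the safe direction, but a `required` guard would make a misconfigured values file fail at render time instead of producing a cluster-admin group whose membership nobody noticed was empty.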
@@ -0,0 +1,6 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+ name: ibm-provisioning
+users:
+{{ .Values.provisioning-users | toYaml | indent 2 }}
diff --git a/cluster-applications/060-rbac/templates/groups/sre-automation_group.yaml b/cluster-applications/060-rbac/templates/groups/sre-automation_group.yaml
new file mode 100644
index 000000000..dfc3595cb
--- /dev/null
+++ b/cluster-applications/060-rbac/templates/groups/sre-automation_group.yaml
@@ -0,0 +1,6 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+ name: ibm-sre-automation
+users:
+{{ .Values.sre-automation-users | toYaml | indent 2 }}
diff --git a/cluster-applications/060-rbac/templates/groups/sre_group.yaml b/cluster-applications/060-rbac/templates/groups/sre_group.yaml
new file mode 100644
index 000000000..683b3d0b4
--- /dev/null
+++ b/cluster-applications/060-rbac/templates/groups/sre_group.yaml
@@ -0,0 +1,6 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+ name: ibm-sre
+users:
+{{ .Values.sre-users | toYaml | indent 2 }}
From b0d6d0be30970733b60bf6aa293e476533049593 Mon Sep 17 00:00:00 2001
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Tue, 19 Nov 2024 11:10:05 +0000
Subject: [PATCH 07/24] [feat] group sync operator
---
 .../052-group-sync-operator/Chart.yaml | 11 +++
 .../052-group-sync-operator/README.md | 3 +
 .../templates/01-gso_OperatorGroup.yaml | 15 ++++
 .../templates/02-gso_Subcription.yaml | 18 +++++
 .../templates/03-gso_GroupSync.yaml | 17 +++++
 .../052-group-sync-operator/values.yaml | 3 +
 .../052-group-sync-operator-app.yaml | 68 +++++++++++++++++++
 7 files changed, 135 insertions(+)
 create mode 100644 cluster-applications/052-group-sync-operator/Chart.yaml
 create mode 100644 cluster-applications/052-group-sync-operator/README.md
 create mode 100644 cluster-applications/052-group-sync-operator/templates/01-gso_OperatorGroup.yaml
 create mode 100644 cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml
 create mode 100644 cluster-applications/052-group-sync-operator/templates/03-gso_GroupSync.yaml
 create mode 100644 cluster-applications/052-group-sync-operator/values.yaml
 create mode 100644 root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
diff --git a/cluster-applications/052-group-sync-operator/Chart.yaml b/cluster-applications/052-group-sync-operator/Chart.yaml
new file mode 100644
index 000000000..311552c35
--- /dev/null
+++ b/cluster-applications/052-group-sync-operator/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: group-sync-operator
+description: Group Sync Operator
+type: application
+version: 1.0.0
+
+dependencies:
+- name: junitreporter
+ version: 1.0.0
+ repository: "file://../../sub-charts/junitreporter/"
+ condition: junitreporter.devops_mongo_uri != ""
diff --git a/cluster-applications/052-group-sync-operator/README.md b/cluster-applications/052-group-sync-operator/README.md
new file mode 100644
index 000000000..3a5891bd4
--- /dev/null
+++ b/cluster-applications/052-group-sync-operator/README.md
@@ -0,0 +1,3 @@
+Group Sync Operator
+===============================================================================
+Installs the Group Sync Operator
diff --git a/cluster-applications/052-group-sync-operator/templates/01-gso_OperatorGroup.yaml b/cluster-applications/052-group-sync-operator/templates/01-gso_OperatorGroup.yaml
new file mode 100644
index 000000000..585d76dce
--- /dev/null
+++ b/cluster-applications/052-group-sync-operator/templates/01-gso_OperatorGroup.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: group-sync-operator
+ namespace: group-sync-operator
+ annotations:
+ argocd.argoproj.io/sync-wave: "052"
+{{- if .Values.custom_labels }}
+ labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+spec:
+ targetNamespaces:
+ - group-sync-operator
diff --git a/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml b/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml
new file mode 100644
index 000000000..fb04d8ded
--- /dev/null
+++ b/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: group-sync-operator
+ namespace: group-sync-operator
+ annotations:
+ argocd.argoproj.io/sync-wave: "053"
+{{- if .Values.custom_labels }}
+ labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+spec:
+ channel: "{{ .Values.group_sync_operator_channel }}"
+ installPlanApproval: {{ .Values.group_sync_operator_install_plan | default "Automatic" | quote }}
+ name: group-sync-operator
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
diff --git a/cluster-applications/052-group-sync-operator/templates/03-gso_GroupSync.yaml b/cluster-applications/052-group-sync-operator/templates/03-gso_GroupSync.yaml
new file mode 100644
index 000000000..026cd0990
--- /dev/null
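Review bot: `source: redhat-operators` in the Subscription should be checked against the catalog that actually publishes the `group-sync-operator` package; to my knowledge the redhat-cop group-sync-operator is distributed through `community-operators`, and a Subscription pointing at a catalog without the package never produces an InstallPlan, which the Argo health check would surface only as a timeout. If that is the case the fix is the single line `source: community-operators`. `installPlanApproval` defaults to `"Automatic"`, so channel upgrades of an operator that rewrites cluster group membership are applied unattended, and the chart default `group_sync_operator_channel: "alpha"` (values.yaml hunk on the next line) tracks a pre-release channel; both deserve a comment in values.yaml stating that `group_sync_operator_install_plan: Manual` is the reviewed-upgrade path. The file name `02-gso_Subcription.yaml` is also missing the "s" of Subscription.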
+++ b/cluster-applications/052-group-sync-operator/templates/03-gso_GroupSync.yaml
@@ -0,0 +1,17 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: GroupSync
+metadata:
+ name: isv-group-sync
+ namespace: group-sync-operator
+spec:
+ schedule: {{ .Values.group_sync_operator_cron_schedule }}
+ providers:
+ - name: ibmsecurityverify
+ ibmsecurityverify:
+ credentialsSecret:
+ name: isv-group-sync
+ namespace: group-sync-operator
+ tenantUrl: {{ .Values.group_sync_operator_isv_tenant_url }}
+ groups:
+{{ .Values.group_sync_operator_isv_groups | toYaml | indent 10 }}
+ 
\ No newline at end of file
diff --git a/cluster-applications/052-group-sync-operator/values.yaml b/cluster-applications/052-group-sync-operator/values.yaml
new file mode 100644
index 000000000..227676898
--- /dev/null
+++ b/cluster-applications/052-group-sync-operator/values.yaml
@@ -0,0 +1,3 @@
+---
+group_sync_operator_channel: "alpha"
+group_sync_operator_cron_schedule: "*/30 * * * *" # every 30 minutes
diff --git a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
new file mode 100644
index 000000000..7631ea765
--- /dev/null
+++ b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
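Review bot: `schedule: {{ .Values.group_sync_operator_cron_schedule }}` emits the value unquoted, and the chart default `*/30 * * * *` (values.yaml hunk below) starts with `*`, which YAML reads as an alias reference rather than a string, so the rendered GroupSync fails to parse; use `schedule: {{ .Values.group_sync_operator_cron_schedule | quote }}` and, for the same reason of robustness against special characters, `tenantUrl: {{ .Values.group_sync_operator_isv_tenant_url | quote }}`. `groups:` is expanded with `toYaml | indent 10`, so `group_sync_operator_isv_groups` must arrive as a list; the root Application in the next hunk passes `isv_groups` inside double quotes, which would turn a list into one string and leave the provider with no valid group filter. The file also ends with a whitespace-only line and no trailing newline.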
@@ -0,0 +1,68 @@
+{{- if not (empty .Values.group-sync-operator) }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: group-sync-operator.{{ .Values.cluster.id }}
+ namespace: {{ .Values.argo.namespace }}
+ labels:
+ environment: '{{ .Values.account.id }}'
+ region: '{{ .Values.region.id }}'
+ cluster: '{{ .Values.cluster.id }}'
+ annotations:
+ argocd.argoproj.io/sync-wave: "052"
+ healthCheckTimeout: "1800"
+ {{- if and .Values.notifications .Values.notifications.slack_channel_id }}
+ notifications.argoproj.io/subscribe.on-sync-failed.workspace1: {{ .Values.notifications.slack_channel_id }}
+ notifications.argoproj.io/subscribe.on-sync-succeeded.workspace1: {{ .Values.notifications.slack_channel_id }}
+ {{- end }}
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: "{{ .Values.argo.projects.apps }}"
+ destination:
+ server: {{ .Values.cluster.url }}
+ namespace: group-sync-operator
+ source:
+ repoURL: "{{ .Values.source.repo_url }}"
+ path: cluster-applications/052-group-sync-operator
+ targetRevision: "{{ .Values.source.revision }}"
+ plugin:
+ name: {{ .Values.avp.name }}
+ env:
+ - name: {{ .Values.avp.values_varname }}
+ value: |
+ group_sync_operator_cron_schedule: "{{ .Values.group_sync_operator.cron_schedule }}"
+ group_sync_operator_isv_tenant_url: "{{ .Values.group_sync_operator.isv_tenant_url }}"
+ group_sync_operator_isv_groups: "{{ .Values.group_sync_operator.isv_groups }}"
+ junitreporter:
+ reporter_name: "group-sync-operator"
+ cluster_id: "{{ .Values.cluster.id }}"
+ devops_mongo_uri: "{{ .Values.devops.mongo_uri }}"
+ devops_build_number: "{{ .Values.devops.build_number }}"
+ gitops_version: "{{ .Values.source.revision }}"
+ {{- if .Values.custom_labels }}
+ custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }}
+ {{- end }}
+ - name: ARGOCD_APP_NAME
+ value: groupsyncoperatorapp
+ {{- if not (empty .Values.avp.secret) }}
+ - name: AVP_SECRET
+ value: {{ .Values.avp.secret }}
+ {{- end }}
+ syncPolicy:
+ automated:
+ {{- if .Values.auto_delete }}
+ prune: true
+ {{- end }}
+ selfHeal: true
+ retry:
+ limit: 20
+ syncOptions:
+ - CreateNamespace=true
+ managedNamespaceMetadata:
+ labels:
+{{- if .Values.custom_labels }}
+{{ .Values.custom_labels | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
From a02008326e8f0962e9a1fa3ac4b49244184238bb Mon Sep 17 00:00:00 2001
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Tue, 19 Nov 2024 11:35:53 +0000
Subject: [PATCH 08/24] add ISV secret
---
 .../templates/03-gso_Secret.yaml | 16 ++++++++++++++++
 ...-gso_GroupSync.yaml => 04-gso_GroupSync.yaml} | 3 +++
 .../templates/052-group-sync-operator-app.yaml | 2 ++
 3 files changed, 21 insertions(+)
 create mode 100644 cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml
 rename cluster-applications/052-group-sync-operator/templates/{03-gso_GroupSync.yaml => 04-gso_GroupSync.yaml} (89%)
diff --git a/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml b/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml
new file mode 100644
index 000000000..a958315dc
--- /dev/null
+++ b/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml
@@ -0,0 +1,16 @@
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: isv-group-sync
+ namespace: group-sync-operator
+ annotations:
+ argocd.argoproj.io/sync-wave: "054"
+{{- if .Values.custom_labels }}
+ labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ clientId: {{ .Values.group_sync_operator_isv_client_id }}
+ clientSecret: {{ .Values.group_sync_operator_isv_client_secret }}
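Review bot: `{{- if not (empty .Values.group-sync-operator) }}` on the first line of the Application uses a hyphenated key in a Go template field chain, which is a parse error for the entire root chart (hyphens are not identifier characters), and every other reference in this file reads `.Values.group_sync_operator`; change the guard to `{{- if not (empty .Values.group_sync_operator) }}`. In the AVP values block, `group_sync_operator_isv_groups: "{{ .Values.group_sync_operator.isv_groups }}"` stringifies whatever is configured, while the chart's GroupSync template expands that value with `toYaml`; render it the way `custom_labels` is handled a few lines further down, `group_sync_operator_isv_groups: {{ .Values.group_sync_operator.isv_groups | toYaml | nindent 14 }}`. The Secret hunk at the end of this commit writes the ISV credentials into `data:` without base64 encoding; the follow-up commit below already corrects that, so no further comment here.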
diff --git a/cluster-applications/052-group-sync-operator/templates/03-gso_GroupSync.yaml b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml
similarity index 89%
rename from cluster-applications/052-group-sync-operator/templates/03-gso_GroupSync.yaml
rename to cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml
index 026cd0990..21e9a0cb4 100644
--- a/cluster-applications/052-group-sync-operator/templates/03-gso_GroupSync.yaml
+++ b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: redhatcop.redhat.io/v1alpha1
 kind: GroupSync
 metadata:
 name: isv-group-sync
 namespace: group-sync-operator
+ annotations:
+ argocd.argoproj.io/sync-wave: "055"
 spec:
 schedule: {{ .Values.group_sync_operator_cron_schedule }}
 providers:
diff --git a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
index 7631ea765..26d6a0f90 100644
--- a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
+++ b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
@@ -35,6 +35,8 @@ spec:
 group_sync_operator_cron_schedule: "{{ .Values.group_sync_operator.cron_schedule }}"
 group_sync_operator_isv_tenant_url: "{{ .Values.group_sync_operator.isv_tenant_url }}"
 group_sync_operator_isv_groups: "{{ .Values.group_sync_operator.isv_groups }}"
+ group_sync_operator_isv_client_id: "{{ .Values.group_sync_operator.isv_client_id }}"
+ group_sync_operator_isv_client_secret: "{{ .Values.group_sync_operator.isv_client_secret }}"
 junitreporter:
 reporter_name: "group-sync-operator"
 cluster_id: "{{ .Values.cluster.id }}"
From ce1e1e845c4e2a73c352e283fbb760389d90a9bc Mon Sep 17 00:00:00 2001
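Review bot: `group_sync_operator_isv_client_secret: "{{ .Values.group_sync_operator.isv_client_secret }}"` places the ISV client secret in the Application's plugin `env` value, which lives in git and is readable by anyone with `get` on Applications in the Argo namespace; that is only acceptable if the root value is an AVP placeholder (`<path:...>`) resolved by the plugin at render time rather than the literal secret, which this hunk cannot show. If it is a placeholder, a comment on these two lines would spare the next reader the check, e.g. `# AVP placeholders, resolved in the plugin; never literal credentials`. Independently, plain double quotes break the YAML if the value contains `"` or `\`, so `{{ .Values.group_sync_operator.isv_client_secret | quote }}` is the safer rendering for both new lines. The Application is defined outside this hunk.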
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Mon, 25 Nov 2024 10:40:40 +0000
Subject: [PATCH 09/24] fix: base64 encode secret
---
 .../052-group-sync-operator/templates/03-gso_Secret.yaml | 4 ++--
 .../052-group-sync-operator/templates/04-gso_GroupSync.yaml | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml b/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml
index a958315dc..10600f505 100644
--- a/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml
+++ b/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml
@@ -12,5 +12,5 @@ metadata:
 {{- end }}
 type: Opaque
 data:
- clientId: {{ .Values.group_sync_operator_isv_client_id }}
- clientSecret: {{ .Values.group_sync_operator_isv_client_secret }}
+ clientId: {{ .Values.group_sync_operator_isv_client_id | b64enc }}
+ clientSecret: {{ .Values.group_sync_operator_isv_client_secret | b64enc }}
diff --git a/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml
index 21e9a0cb4..00b4b9f20 100644
--- a/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml
+++ b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml
@@ -17,4 +17,5 @@ spec:
 tenantUrl: {{ .Values.group_sync_operator_isv_tenant_url }}
 groups:
 {{ .Values.group_sync_operator_isv_groups | toYaml | indent 10 }}
+ 
\ No newline at end of file
From 5bd5a66928e638d677dbe8c5f403abc6f729920e Mon Sep 17 00:00:00 2001
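Review bot: `clientId: {{ .Values.group_sync_operator_isv_client_id | b64enc }}` and the `clientSecret` line under it have no guard for an unset value, so a missing AVP value renders an empty credential and the failure only shows up when the GroupSync provider tries to authenticate; `required` makes the render fail with a clear message instead, `clientSecret: {{ required "group_sync_operator_isv_client_secret is required" .Values.group_sync_operator_isv_client_secret | b64enc }}`, and the same for `clientId`. Alternatively switch `data:` to `stringData:` and drop `b64enc` so the template carries no encoding logic at all. The GroupSync hunk in this commit only appends a whitespace-only line and still leaves the file without a trailing newline, so that part is noise.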
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Mon, 25 Nov 2024 13:13:22 +0000
Subject: [PATCH 10/24] map groups to bindings
---
 .../{060-rbac => 060-ibm-rbac}/Chart.yaml | 4 ++--
 cluster-applications/060-ibm-rbac/README.md | 3 +++
 .../cluster-admin_cluster-role-binding.yaml | 2 +-
 .../dba-editor_cluster-role-binding.yaml | 2 +-
 .../dba-reader_cluster-role-binding.yaml | 2 +-
 .../network-reader_cluster-role-binding.yaml | 2 +-
 .../network_cluster-role-binding.yaml | 4 ++--
 .../provisioning_cluster-role-binding.yaml | 2 +-
 .../sre-automation-admin_cluster-role-binding.yaml | 2 +-
 .../sre-editor_cluster-role-binding.yaml | 2 +-
 .../sre-reader_cluster-role-binding.yaml | 2 +-
 .../templates/cluster-roles/dba_cluster-role.yaml | 0
 .../cluster-roles/network_cluster-role.yaml | 0
 .../cluster-roles/sre-editor_cluster-role.yaml | 0
 cluster-applications/060-ibm-rbac/values.yaml | 13 +++++++++++++
 cluster-applications/060-rbac/README.md | 3 ---
 .../templates/groups/cluster-admin_group.yaml | 6 ------
 .../060-rbac/templates/groups/dba_group.yaml | 6 ------
 .../060-rbac/templates/groups/network_group.yaml | 6 ------
 .../templates/groups/provisioning_group.yaml | 6 ------
 .../templates/groups/sre-automation_group.yaml | 6 ------
 .../060-rbac/templates/groups/sre_group.yaml | 6 ------
 cluster-applications/060-rbac/values.yaml | 1 -
 .../{060-rbac-app.yaml => 060-ibm-rbac-app.yaml} | 11 ++++++-----
 24 files changed, 34 insertions(+), 57 deletions(-)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/Chart.yaml (84%)
 create mode 100644 cluster-applications/060-ibm-rbac/README.md
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml (79%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml (80%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml (80%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml (78%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-role-bindings/network_cluster-role-binding.yaml (73%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml (79%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml (76%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml (79%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml (78%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-roles/dba_cluster-role.yaml (100%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-roles/network_cluster-role.yaml (100%)
 rename cluster-applications/{060-rbac => 060-ibm-rbac}/templates/cluster-roles/sre-editor_cluster-role.yaml (100%)
 create mode 100644 cluster-applications/060-ibm-rbac/values.yaml
 delete mode 100644 cluster-applications/060-rbac/README.md
 delete mode 100644 cluster-applications/060-rbac/templates/groups/cluster-admin_group.yaml
 delete mode 100644 cluster-applications/060-rbac/templates/groups/dba_group.yaml
 delete mode 100644 cluster-applications/060-rbac/templates/groups/network_group.yaml
 delete mode 100644 cluster-applications/060-rbac/templates/groups/provisioning_group.yaml
 delete mode 100644 cluster-applications/060-rbac/templates/groups/sre-automation_group.yaml
 delete mode 100644 cluster-applications/060-rbac/templates/groups/sre_group.yaml
 delete mode 100644 cluster-applications/060-rbac/values.yaml
 rename root-applications/ibm-mas-cluster-root/templates/{060-rbac-app.yaml => 060-ibm-rbac-app.yaml} (87%)
diff --git a/cluster-applications/060-rbac/Chart.yaml b/cluster-applications/060-ibm-rbac/Chart.yaml
similarity index 84%
rename from cluster-applications/060-rbac/Chart.yaml
rename to cluster-applications/060-ibm-rbac/Chart.yaml
index 9155d8fc9..950e4c215 100644
--- a/cluster-applications/060-rbac/Chart.yaml
+++ b/cluster-applications/060-ibm-rbac/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-name: rbac
-description: RBAC
+name: ibm-rbac
+description: IBM RBAC
 type: application
 version: 1.0.0
diff --git a/cluster-applications/060-ibm-rbac/README.md b/cluster-applications/060-ibm-rbac/README.md
new file mode 100644
index 000000000..e3d682c47
--- /dev/null
+++ b/cluster-applications/060-ibm-rbac/README.md
@@ -0,0 +1,3 @@
+IBM Resource-Based Access Control (RBAC)
+===============================================================================
+Installs the IBM RBAC groups, together with the necessary roles and role bindings.
diff --git a/cluster-applications/060-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml
similarity index 79%
rename from cluster-applications/060-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml
rename to cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml
index 24e059d69..2070b56f8 100644
--- a/cluster-applications/060-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml
+++ b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
- name: ibm-cluster-admins
+ name: {{ .Values.ibm_rbac_group_bindings.ibm-cluster-admins }}
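Review bot: `name: {{ .Values.ibm_rbac_group_bindings.ibm-cluster-admins }}` uses a hyphenated key in a Go template field chain, which Helm rejects at parse time (hyphens are not identifier characters), so the whole chart stops rendering; the dba-editor, dba-reader and network-reader bindings on the next two lines have the same pattern. Use `index`, and because this subject is bound to cluster-admin (the `roleRef` is just outside the hunk), fail loudly on an unset value rather than emitting a subject with an empty name: `name: {{ index .Values.ibm_rbac_group_bindings "ibm-cluster-admins" | required "ibm_rbac_group_bindings.ibm-cluster-admins must be set" | quote }}`. The `values.yaml` that declares `ibm_rbac_group_bindings` is part of this commit but not in this chunk, so the key names could not be cross-checked here.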
diff --git a/cluster-applications/060-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml similarity index 80% rename from cluster-applications/060-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml index 99c1c0cdf..8ee70c2b2 100644 --- a/cluster-applications/060-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml +++ b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml @@ -5,7 +5,7 @@ metadata: subjects: - kind: Group apiGroup: rbac.authorization.k8s.io - name: ibm-dba + name: {{ .Values.ibm_rbac_group_bindings.ibm-dba-edit-rb }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/cluster-applications/060-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml similarity index 80% rename from cluster-applications/060-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml index 12456da09..22a1dac90 100644 --- a/cluster-applications/060-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml +++ b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml @@ -5,7 +5,7 @@ metadata: subjects: - kind: Group apiGroup: rbac.authorization.k8s.io - name: ibm-dba + name: {{ .Values.ibm_rbac_group_bindings.cluster-reader }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
diff --git a/cluster-applications/060-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml similarity index 78% rename from cluster-applications/060-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml index 5570dd943..39f71a326 100644 --- a/cluster-applications/060-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml +++ b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml @@ -5,7 +5,7 @@ metadata: subjects: - kind: Group apiGroup: rbac.authorization.k8s.io - name: ibm-network + name: {{ .Values.ibm_rbac_group_bindings.ibm-network-cluster-reader }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/cluster-applications/060-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml similarity index 73% rename from cluster-applications/060-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml index 2927b0b7c..32a4501d1 100644 --- a/cluster-applications/060-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml +++ b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml 
@@ -1,11 +1,11 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ibm-network-rb.yaml + name: ibm-network-rb subjects: - kind: Group apiGroup: rbac.authorization.k8s.io - name: ibm-network + name: {{ .Values.ibm_rbac_group_bindings.ibm-network-rb }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/cluster-applications/060-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml similarity index 79% rename from cluster-applications/060-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml index 3189502d9..8f74e8d8d 100644 --- a/cluster-applications/060-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml +++ b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml @@ -9,4 +9,4 @@ roleRef: subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: ibm-provisioning + name: {{ .Values.ibm_rbac_group_bindings.ibm-provisioning-rb }} diff --git a/cluster-applications/060-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml similarity index 76% rename from cluster-applications/060-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml index fda52a24b..ed1667d69 100644 --- a/cluster-applications/060-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml 
+++ b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml @@ -9,4 +9,4 @@ roleRef: subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: ibm-sre-automation + name: {{ .Values.ibm_rbac_group_bindings.ibm-sre-automation-cluster-admin-binding }} diff --git a/cluster-applications/060-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml similarity index 79% rename from cluster-applications/060-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml index fe5f4536f..5f1208845 100644 --- a/cluster-applications/060-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml +++ b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml @@ -9,4 +9,4 @@ roleRef: subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: ibm-sre + name: {{ .Values.ibm_rbac_group_bindings.ibm-sre-editor-rb }} diff --git a/cluster-applications/060-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml similarity index 78% rename from cluster-applications/060-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml index aeeaf92c8..d87476f8a 100644 --- a/cluster-applications/060-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml +++ b/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml 
@@ -9,4 +9,4 @@ roleRef: subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: ibm-sre + name: {{ .Values.ibm_rbac_group_bindings.ibm-sre-cluster-reader }} diff --git a/cluster-applications/060-rbac/templates/cluster-roles/dba_cluster-role.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-roles/dba_cluster-role.yaml similarity index 100% rename from cluster-applications/060-rbac/templates/cluster-roles/dba_cluster-role.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-roles/dba_cluster-role.yaml diff --git a/cluster-applications/060-rbac/templates/cluster-roles/network_cluster-role.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-roles/network_cluster-role.yaml similarity index 100% rename from cluster-applications/060-rbac/templates/cluster-roles/network_cluster-role.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-roles/network_cluster-role.yaml diff --git a/cluster-applications/060-rbac/templates/cluster-roles/sre-editor_cluster-role.yaml b/cluster-applications/060-ibm-rbac/templates/cluster-roles/sre-editor_cluster-role.yaml similarity index 100% rename from cluster-applications/060-rbac/templates/cluster-roles/sre-editor_cluster-role.yaml rename to cluster-applications/060-ibm-rbac/templates/cluster-roles/sre-editor_cluster-role.yaml diff --git a/cluster-applications/060-ibm-rbac/values.yaml b/cluster-applications/060-ibm-rbac/values.yaml new file mode 100644 index 000000000..e99758b7d --- /dev/null +++ b/cluster-applications/060-ibm-rbac/values.yaml @@ -0,0 +1,13 @@ +--- +# Key: name of role binding or cluster role binding +# Value: name of OpenShift group +ibm_rbac_binding_to_group: + ibm-cluster-admins: admin + ibm-dba-edit-rb: admin + ibm-provisioning-rb: admin + ibm-sre-automation-cluster-admin-binding: admin + ibm-sre-editor-rb: admin + cluster-reader: developer + ibm-network-rb: developer + ibm-network-cluster-reader: developer + ibm-sre-cluster-reader: developer 
diff --git a/cluster-applications/060-rbac/README.md b/cluster-applications/060-rbac/README.md deleted file mode 100644 index 6663cf455..000000000 --- a/cluster-applications/060-rbac/README.md +++ /dev/null @@ -1,3 +0,0 @@ -Resource-Based Access Control (RBAC) -=============================================================================== -Installs the RBAC groups, together with the necessary roles and role bindings. diff --git a/cluster-applications/060-rbac/templates/groups/cluster-admin_group.yaml b/cluster-applications/060-rbac/templates/groups/cluster-admin_group.yaml deleted file mode 100644 index 397693ecc..000000000 --- a/cluster-applications/060-rbac/templates/groups/cluster-admin_group.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: user.openshift.io/v1 -kind: Group -metadata: - name: ibm-cluster-admins -users: -{{ .Values.cluster-admin-users | toYaml | indent 2 }} diff --git a/cluster-applications/060-rbac/templates/groups/dba_group.yaml b/cluster-applications/060-rbac/templates/groups/dba_group.yaml deleted file mode 100644 index ebe0e95c6..000000000 --- a/cluster-applications/060-rbac/templates/groups/dba_group.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: user.openshift.io/v1 -kind: Group -metadata: - name: ibm-dba -users: -{{ .Values.dba-users | toYaml | indent 2 }} diff --git a/cluster-applications/060-rbac/templates/groups/network_group.yaml b/cluster-applications/060-rbac/templates/groups/network_group.yaml deleted file mode 100644 index 57d834234..000000000 --- a/cluster-applications/060-rbac/templates/groups/network_group.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: user.openshift.io/v1 -kind: Group -metadata: - name: ibm-network -users: -{{ .Values.network-users | toYaml | indent 2 }} diff --git a/cluster-applications/060-rbac/templates/groups/provisioning_group.yaml b/cluster-applications/060-rbac/templates/groups/provisioning_group.yaml deleted file mode 100644 index e976bd6fa..000000000 
--- a/cluster-applications/060-rbac/templates/groups/provisioning_group.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: user.openshift.io/v1 -kind: Group -metadata: - name: ibm-provisioning -users: -{{ .Values.provisioning-users | toYaml | indent 2 }} diff --git a/cluster-applications/060-rbac/templates/groups/sre-automation_group.yaml b/cluster-applications/060-rbac/templates/groups/sre-automation_group.yaml deleted file mode 100644 index dfc3595cb..000000000 --- a/cluster-applications/060-rbac/templates/groups/sre-automation_group.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: user.openshift.io/v1 -kind: Group -metadata: - name: ibm-sre-automation -users: -{{ .Values.sre-automation-users | toYaml | indent 2 }} diff --git a/cluster-applications/060-rbac/templates/groups/sre_group.yaml b/cluster-applications/060-rbac/templates/groups/sre_group.yaml deleted file mode 100644 index 683b3d0b4..000000000 --- a/cluster-applications/060-rbac/templates/groups/sre_group.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: user.openshift.io/v1 -kind: Group -metadata: - name: ibm-sre -users: -{{ .Values.sre-users | toYaml | indent 2 }} diff --git a/cluster-applications/060-rbac/values.yaml b/cluster-applications/060-rbac/values.yaml deleted file mode 100644 index ed97d539c..000000000 --- a/cluster-applications/060-rbac/values.yaml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml b/root-applications/ibm-mas-cluster-root/templates/060-ibm-rbac-app.yaml similarity index 87% rename from root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml rename to root-applications/ibm-mas-cluster-root/templates/060-ibm-rbac-app.yaml index 425a39ef2..6a9e1fbee 100644 --- a/root-applications/ibm-mas-cluster-root/templates/060-rbac-app.yaml +++ b/root-applications/ibm-mas-cluster-root/templates/060-ibm-rbac-app.yaml 
@@ -1,9 +1,9 @@ -{{- if not (empty .Values.rbac) }} +{{- if not (empty .Values.ibm-rbac) }} --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: rbac.{{ .Values.cluster.id }} + name: ibm-rbac.{{ .Values.cluster.id }} namespace: {{ .Values.argo.namespace }} labels: environment: '{{ .Values.account.id }}' @@ -25,15 +25,16 @@ spec: namespace: default source: repoURL: "{{ .Values.source.repo_url }}" - path: cluster-applications/060-rbac + path: cluster-applications/060-ibm-rbac targetRevision: "{{ .Values.source.revision }}" plugin: name: {{ .Values.avp.name }} env: - name: {{ .Values.avp.values_varname }} value: | + ibm_rbac_binding_to_group: "{{ .Values.ibm_rbac.binding_to_group }}" junitreporter: - reporter_name: "rbac" + reporter_name: "ibm-rbac" cluster_id: "{{ .Values.cluster.id }}" devops_mongo_uri: "{{ .Values.devops.mongo_uri }}" devops_build_number: "{{ .Values.devops.build_number }}" @@ -42,7 +43,7 @@ spec: custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }} {{- end }} - name: ARGOCD_APP_NAME - value: rbacapp + value: ibmrbacapp {{- if not (empty .Values.avp.secret) }} - name: AVP_SECRET value: {{ .Values.avp.secret }} From 5a06538489201a3d4a6b924dc760c345267263f6 Mon Sep 17 00:00:00 2001 From: "J. Harte" <13206585+boonware@users.noreply.github.com> Date: Mon, 25 Nov 2024 13:22:38 +0000 Subject: [PATCH 11/24] enable group sync operator app --- .../ibm-mas-account-root/templates/000-cluster-appset.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/root-applications/ibm-mas-account-root/templates/000-cluster-appset.yaml b/root-applications/ibm-mas-account-root/templates/000-cluster-appset.yaml index 18340bcce..569ba66d7 100644 --- a/root-applications/ibm-mas-account-root/templates/000-cluster-appset.yaml +++ b/root-applications/ibm-mas-account-root/templates/000-cluster-appset.yaml 
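Review bot: `ibm_rbac_binding_to_group: "{{ .Values.ibm_rbac.binding_to_group }}"` in the second hunk passes a mapping through a quoted scalar, so the `060-ibm-rbac` chart receives one string (Go's `map[...]` rendering) rather than the map that its binding templates in this commit index into (`.Values.ibm_rbac_group_bindings.…`), and the binding names can never resolve. The series later solves the same problem for `group_sync_operator_isv_groups` with `toYaml | nindent 14`, and the same form is needed here: `ibm_rbac_binding_to_group: {{ .Values.ibm_rbac.binding_to_group | toYaml | nindent 14 }}`. The guard in the first hunk also reads `.Values.ibm-rbac` while this hunk reads `.Values.ibm_rbac`; a hyphen is not legal in a Go template field name, so the guard does not parse, which is the defect PATCH 13 later fixes for `group-sync-operator`. Whether the rename to `061-ibm-rbac-app.yaml` in PATCH 23 corrects either point is not visible on this page.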
@@ -67,6 +67,11 @@ spec:
 revision: "{{ .Values.generator.revision }}"
 files:
 - path: "{{ .Values.account.id }}/*/selenium-grid.yaml"
+ - git:
+ repoURL: "{{ .Values.generator.repo_url }}"
+ revision: "{{ .Values.generator.revision }}"
+ files:
+ - path: "{{ .Values.account.id }}/*/group-sync-operator.yaml"
 syncPolicy:
 applicationsSync: "{{- if .Values.auto_delete }}sync{{- else }}create-update{{- end }}"
 template:
From 906499973becea77d203d3eb71890142d8678e04 Mon Sep 17 00:00:00 2001
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Mon, 25 Nov 2024 13:28:21 +0000
Subject: [PATCH 12/24] test indent
---
 .../templates/052-group-sync-operator-app.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
index 26d6a0f90..47219e301 100644
--- a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
+++ b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
@@ -34,7 +34,7 @@ spec:
 value: |
 group_sync_operator_cron_schedule: "{{ .Values.group_sync_operator.cron_schedule }}"
 group_sync_operator_isv_tenant_url: "{{ .Values.group_sync_operator.isv_tenant_url }}"
- group_sync_operator_isv_groups: "{{ .Values.group_sync_operator.isv_groups }}"
+ group_sync_operator_isv_groups: "{{ .Values.group_sync_operator.isv_groups | indent 2 }}"
 group_sync_operator_isv_client_id: "{{ .Values.group_sync_operator.isv_client_id }}"
 group_sync_operator_isv_client_secret: "{{ .Values.group_sync_operator.isv_client_secret }}"
 junitreporter:
From 0c93152b8e121fe347c5c8b8e68510f5f8561f6b Mon Sep 17 00:00:00 2001
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Mon, 25 Nov 2024 13:31:57 +0000
Subject: [PATCH 13/24] fix value ref
---
 .../templates/052-group-sync-operator-app.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
index 47219e301..b5e4bb59d 100644
--- a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
+++ b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
@@ -1,4 +1,4 @@
-{{- if not (empty .Values.group-sync-operator) }}
+{{- if not (empty .Values.group_sync_operator) }}
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
From 046a0947795c650be668284e2a75217bc9c1a4ca Mon Sep 17 00:00:00 2001
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Mon, 25 Nov 2024 13:36:20 +0000
Subject: [PATCH 14/24] test yaml fix
---
 .../templates/052-group-sync-operator-app.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
index b5e4bb59d..c736c1571 100644
--- a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
+++ b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
@@ -34,7 +34,7 @@ spec:
 value: |
 group_sync_operator_cron_schedule: "{{ .Values.group_sync_operator.cron_schedule }}"
 group_sync_operator_isv_tenant_url: "{{ .Values.group_sync_operator.isv_tenant_url }}"
- group_sync_operator_isv_groups: "{{ .Values.group_sync_operator.isv_groups | indent 2 }}"
+ group_sync_operator_isv_groups: {{ .Values.group_sync_operator.isv_groups | toYaml | indent 2 }}
 group_sync_operator_isv_client_id: "{{ .Values.group_sync_operator.isv_client_id }}"
 group_sync_operator_isv_client_secret: "{{ .Values.group_sync_operator.isv_client_secret }}"
 junitreporter:
From 8f17e7c728a3ab5166bac6b7ba1f9697e4155555 Mon Sep 17 00:00:00 2001
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Mon, 25 Nov 2024 14:56:01 +0000
Subject: [PATCH 15/24] fix yaml var
---
 .../templates/052-group-sync-operator-app.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
index c736c1571..d0375444e 100644
--- a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
+++ b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml
@@ -34,7 +34,7 @@ spec:
 value: |
 group_sync_operator_cron_schedule: "{{ .Values.group_sync_operator.cron_schedule }}"
 group_sync_operator_isv_tenant_url: "{{ .Values.group_sync_operator.isv_tenant_url }}"
- group_sync_operator_isv_groups: {{ .Values.group_sync_operator.isv_groups | toYaml | indent 2 }}
+ group_sync_operator_isv_groups: {{ .Values.group_sync_operator.isv_groups | toYaml | nindent 14 }}
 group_sync_operator_isv_client_id: "{{ .Values.group_sync_operator.isv_client_id }}"
 group_sync_operator_isv_client_secret: "{{ .Values.group_sync_operator.isv_client_secret }}"
 junitreporter:
From 29b50d018402aaa1e7db37e375dd840cfd23b776 Mon Sep 17 00:00:00 2001
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Mon, 25 Nov 2024 15:21:29 +0000
Subject: [PATCH 16/24] fix group sync vars
---
 .../052-group-sync-operator/templates/04-gso_GroupSync.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml
index 00b4b9f20..50ab187f7 100644
--- a/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml
+++ b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml
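Review bot: `group_sync_operator_isv_client_secret: "{{ .Values.group_sync_operator.isv_client_secret }}"` on the context line of this hunk copies the ISV client secret into the plugin `env` value of the Argo CD Application, so whatever the root values hold for it is readable by anyone who can read Application resources in the Argo namespace. If the root values carry a vault placeholder that the plugin resolves at render time (the sibling `060-ibm-rbac-app.yaml` template in this series passes an `AVP_SECRET` env, so that is presumably the design), this is fine but worth stating above the line, e.g. `# isv_client_secret must be an AVP placeholder, never a literal secret`; if it can be a literal, it belongs in the Secret referenced by `AVP_SECRET` instead. The `env` list this hunk sits in starts and ends outside the hunk.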
@@ -7,14 +7,14 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "055" spec: - schedule: {{ .Values.group_sync_operator_cron_schedule }} + schedule: "{{ .Values.group_sync_operator_cron_schedule }}" providers: - name: ibmsecurityverify ibmsecurityverify: credentialsSecret: name: isv-group-sync namespace: group-sync-operator - tenantUrl: {{ .Values.group_sync_operator_isv_tenant_url }} + tenantUrl: "{{ .Values.group_sync_operator_isv_tenant_url }}" groups: {{ .Values.group_sync_operator_isv_groups | toYaml | indent 10 }} From b57396f45388ad630e71c64d688280fd0af1dded Mon Sep 17 00:00:00 2001 From: "J. Harte" <13206585+boonware@users.noreply.github.com> Date: Mon, 25 Nov 2024 15:33:35 +0000 Subject: [PATCH 17/24] change param order --- .../templates/052-group-sync-operator-app.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml index d0375444e..e8832ac5b 100644 --- a/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml +++ b/root-applications/ibm-mas-cluster-root/templates/052-group-sync-operator-app.yaml @@ -34,9 +34,9 @@ spec: value: | group_sync_operator_cron_schedule: "{{ .Values.group_sync_operator.cron_schedule }}" group_sync_operator_isv_tenant_url: "{{ .Values.group_sync_operator.isv_tenant_url }}" - group_sync_operator_isv_groups: {{ .Values.group_sync_operator.isv_groups | toYaml | nindent 14 }} group_sync_operator_isv_client_id: "{{ .Values.group_sync_operator.isv_client_id }}" group_sync_operator_isv_client_secret: "{{ .Values.group_sync_operator.isv_client_secret }}" + group_sync_operator_isv_groups: {{ .Values.group_sync_operator.isv_groups | toYaml | nindent 14 }} junitreporter: reporter_name: "group-sync-operator" cluster_id: "{{ .Values.cluster.id }}" From dd58e0dad90a33b64402a773006746282948c17a Mon Sep 17 00:00:00 2001 
From: "J. Harte" <13206585+boonware@users.noreply.github.com> Date: Mon, 25 Nov 2024 15:40:58 +0000 Subject: [PATCH 18/24] set subscription source --- .../052-group-sync-operator/templates/02-gso_Subcription.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml b/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml index fb04d8ded..2827573f9 100644 --- a/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml +++ b/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml @@ -14,5 +14,5 @@ spec: channel: "{{ .Values.group_sync_operator_channel }}" installPlanApproval: {{ .Values.group_sync_operator_install_plan | default "Automatic" | quote }} name: group-sync-operator - source: redhat-operators + source: community-operators sourceNamespace: openshift-marketplace From 9e3aa5d267aded5108a8175cd0066c66c8c830c2 Mon Sep 17 00:00:00 2001 From: "J. Harte" <13206585+boonware@users.noreply.github.com> Date: Wed, 27 Nov 2024 10:04:51 +0000 Subject: [PATCH 19/24] add EOL char --- .../052-group-sync-operator/templates/04-gso_GroupSync.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml index 50ab187f7..1d74b4e95 100644 --- a/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml +++ b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml @@ -17,5 +17,4 @@ spec: tenantUrl: "{{ .Values.group_sync_operator_isv_tenant_url }}" groups: {{ .Values.group_sync_operator_isv_groups | toYaml | indent 10 }} - \ No newline at end of file From 237242cde8ff63fc4aa82e528ded9719f472611a Mon Sep 17 00:00:00 2001 
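Review bot: Changing `source:` to `community-operators` moves the group-sync-operator Subscription to the community catalog, which is not supported or vetted by Red Hat in the way `redhat-operators` content is; with `installPlanApproval` defaulting to `"Automatic"` on the context line above and the `alpha` channel set in the chart values (PATCH 20 below), new releases of the operator are installed without review, and this operator writes the OpenShift Groups that the RBAC chart in this series binds to cluster-admin. Record the rationale above the line, e.g. `# group-sync-operator is only published in the community catalog; review operator upgrades before they are applied`, and consider defaulting the install plan to `"Manual"` or pinning `startingCSV` so a catalog update cannot change the operator silently. The rest of the Subscription spec is outside the hunk.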
From: "J. Harte" <13206585+boonware@users.noreply.github.com> Date: Wed, 27 Nov 2024 10:14:44 +0000 Subject: [PATCH 20/24] fix linting --- cluster-applications/052-group-sync-operator/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cluster-applications/052-group-sync-operator/values.yaml b/cluster-applications/052-group-sync-operator/values.yaml index 227676898..ff0d89259 100644 --- a/cluster-applications/052-group-sync-operator/values.yaml +++ b/cluster-applications/052-group-sync-operator/values.yaml @@ -1,3 +1,5 @@ --- group_sync_operator_channel: "alpha" group_sync_operator_cron_schedule: "*/30 * * * *" # every 30 minutes +group_sync_operator_isv_client_id: xxx +group_sync_operator_isv_client_secret: xxx From ce042eebed1a96987c8ca35cfd4680c2d1c8e385 Mon Sep 17 00:00:00 2001 From: "J. Harte" <13206585+boonware@users.noreply.github.com> Date: Fri, 6 Dec 2024 10:53:52 +0000 Subject: [PATCH 21/24] update sync wave --- .../052-group-sync-operator/templates/02-gso_Subcription.yaml | 2 +- .../052-group-sync-operator/templates/03-gso_Secret.yaml | 2 +- .../052-group-sync-operator/templates/04-gso_GroupSync.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml b/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml index 2827573f9..4a7e63fdf 100644 --- a/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml +++ b/cluster-applications/052-group-sync-operator/templates/02-gso_Subcription.yaml @@ -5,7 +5,7 @@ metadata: name: group-sync-operator namespace: group-sync-operator annotations: - argocd.argoproj.io/sync-wave: "053" + argocd.argoproj.io/sync-wave: "052" {{- if .Values.custom_labels }} labels: {{ .Values.custom_labels | toYaml | indent 4 }} 
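Review bot: `group_sync_operator_isv_client_id: xxx` and `group_sync_operator_isv_client_secret: xxx` commit placeholder credentials as chart defaults, so a deployment whose root application does not override them still renders (presumably into the `isv-group-sync` Secret that the GroupSync resource references) and only fails at sync time with an authentication error from the provider, instead of at template time. If the keys exist only to satisfy the linter, leave them empty and make the template refuse to render without a value: `group_sync_operator_isv_client_id: ""  # supplied by the root application` and `group_sync_operator_isv_client_secret: ""  # supplied by the root application; never commit a real value here`, with `required` on the consuming line in the Secret template. Where these values are consumed is not visible in this hunk.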
diff --git a/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml b/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml index 10600f505..1f9d884f1 100644 --- a/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml +++ b/cluster-applications/052-group-sync-operator/templates/03-gso_Secret.yaml @@ -5,7 +5,7 @@ metadata: name: isv-group-sync namespace: group-sync-operator annotations: - argocd.argoproj.io/sync-wave: "054" + argocd.argoproj.io/sync-wave: "052" {{- if .Values.custom_labels }} labels: {{ .Values.custom_labels | toYaml | indent 4 }} diff --git a/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml index 1d74b4e95..804407640 100644 --- a/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml +++ b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml @@ -5,7 +5,7 @@ metadata: name: isv-group-sync namespace: group-sync-operator annotations: - argocd.argoproj.io/sync-wave: "055" + argocd.argoproj.io/sync-wave: "052" spec: schedule: "{{ .Values.group_sync_operator_cron_schedule }}" providers: From 56a734deacee7149b11b0896d7f8203191ea88f1 Mon Sep 17 00:00:00 2001 From: "J. Harte" <13206585+boonware@users.noreply.github.com> Date: Fri, 6 Dec 2024 10:58:26 +0000 Subject: [PATCH 22/24] missing EOL char --- .../052-group-sync-operator/templates/04-gso_GroupSync.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml index 804407640..768512a62 100644 --- a/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml +++ b/cluster-applications/052-group-sync-operator/templates/04-gso_GroupSync.yaml 
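Review bot: After this commit the Subscription (first hunk of this commit), the `isv-group-sync` Secret and the GroupSync custom resource all carry `argocd.argoproj.io/sync-wave: "052"`, so Argo CD applies the GroupSync in the same wave as the Subscription that installs the operator and its CRD; the previous values (053/054/055) sequenced them. Unless the operator is already installed by an earlier-wave resource not shown here, the first sync can fail with an unknown-kind error for GroupSync until a later retry finds the CRD. If keeping all three in one wave is intended, a comment on the annotation saying so (and that the Application's retry is relied on) would help; otherwise leave the GroupSync one wave later, e.g. `argocd.argoproj.io/sync-wave: "053"` in 04-gso_GroupSync.yaml.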
@@ -17,4 +17,3 @@ spec: tenantUrl: "{{ .Values.group_sync_operator_isv_tenant_url }}" groups: {{ .Values.group_sync_operator_isv_groups | toYaml | indent 10 }} - \ No newline at end of file From 83b7fcea8ca5562aedd9e627211e1405c431af86 Mon Sep 17 00:00:00 2001 
From: "J. Harte" <13206585+boonware@users.noreply.github.com> Date: Fri, 6 Dec 2024 12:06:06 +0000 Subject: [PATCH 23/24] RBAC roles and bindings --- cluster-applications/060-ibm-rbac/values.yaml | 13 ------------- .../{060-ibm-rbac => 061-ibm-rbac}/Chart.yaml | 0 .../{060-ibm-rbac => 061-ibm-rbac}/README.md | 2 +- .../cluster-role-bindings/cluster-admin.yaml} | 3 ++- .../cluster-role-bindings/dba-editor.yaml} | 3 ++- .../cluster-role-bindings/dba-reader.yaml} | 3 ++- .../cluster-role-bindings/network-reader.yaml} | 3 ++- .../templates/cluster-role-bindings/network.yaml} | 3 ++- .../cluster-role-bindings/provisioning.yaml} | 3 ++- .../sre-automation-admin.yaml} | 3 ++- .../cluster-role-bindings/sre-editor.yaml} | 3 ++- .../cluster-role-bindings/sre-reader.yaml} | 3 ++- .../templates/cluster-roles/dba.yaml} | 1 + .../templates/cluster-roles/network.yaml} | 1 + .../templates/cluster-roles/sre-editor.yaml} | 1 + cluster-applications/061-ibm-rbac/values.yaml | 13 +++++++++++++ .../templates/000-cluster-appset.yaml | 5 +++++ ...{060-ibm-rbac-app.yaml => 061-ibm-rbac-app.yaml} | 6 +++--- 18 files changed, 43 insertions(+), 26 deletions(-) delete mode 100644 cluster-applications/060-ibm-rbac/values.yaml rename cluster-applications/{060-ibm-rbac => 061-ibm-rbac}/Chart.yaml (100%) rename cluster-applications/{060-ibm-rbac => 061-ibm-rbac}/README.md (56%) rename cluster-applications/{060-ibm-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml => 061-ibm-rbac/templates/cluster-role-bindings/cluster-admin.yaml} (78%) rename cluster-applications/{060-ibm-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml => 061-ibm-rbac/templates/cluster-role-bindings/dba-editor.yaml} (78%) rename cluster-applications/{060-ibm-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml => 061-ibm-rbac/templates/cluster-role-bindings/dba-reader.yaml} (78%) rename 
cluster-applications/{060-ibm-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml => 061-ibm-rbac/templates/cluster-role-bindings/network-reader.yaml} (76%) rename cluster-applications/{060-ibm-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml => 061-ibm-rbac/templates/cluster-role-bindings/network.yaml} (79%) rename cluster-applications/{060-ibm-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml => 061-ibm-rbac/templates/cluster-role-bindings/provisioning.yaml} (77%) rename cluster-applications/{060-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml => 061-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin.yaml} (74%) rename cluster-applications/{060-ibm-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml => 061-ibm-rbac/templates/cluster-role-bindings/sre-editor.yaml} (78%) rename cluster-applications/{060-ibm-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml => 061-ibm-rbac/templates/cluster-role-bindings/sre-reader.yaml} (77%) rename cluster-applications/{060-ibm-rbac/templates/cluster-roles/dba_cluster-role.yaml => 061-ibm-rbac/templates/cluster-roles/dba.yaml} (99%) rename cluster-applications/{060-ibm-rbac/templates/cluster-roles/network_cluster-role.yaml => 061-ibm-rbac/templates/cluster-roles/network.yaml} (99%) rename cluster-applications/{060-ibm-rbac/templates/cluster-roles/sre-editor_cluster-role.yaml => 061-ibm-rbac/templates/cluster-roles/sre-editor.yaml} (99%) create mode 100644 cluster-applications/061-ibm-rbac/values.yaml rename root-applications/ibm-mas-cluster-root/templates/{060-ibm-rbac-app.yaml => 061-ibm-rbac-app.yaml} (94%) diff --git a/cluster-applications/060-ibm-rbac/values.yaml b/cluster-applications/060-ibm-rbac/values.yaml deleted file mode 100644 index e99758b7d..000000000 --- a/cluster-applications/060-ibm-rbac/values.yaml +++ /dev/null 
@@ -1,13 +0,0 @@
----
-# Key: name of role binding or cluster role binding
-# Value: name of OpenShift group
-ibm_rbac_binding_to_group:
- ibm-cluster-admins: admin
- ibm-dba-edit-rb: admin
- ibm-provisioning-rb: admin
- ibm-sre-automation-cluster-admin-binding: admin
- ibm-sre-editor-rb: admin
- cluster-reader: developer
- ibm-network-rb: developer
- ibm-network-cluster-reader: developer
- ibm-sre-cluster-reader: developer
diff --git a/cluster-applications/060-ibm-rbac/Chart.yaml b/cluster-applications/061-ibm-rbac/Chart.yaml
similarity index 100%
rename from cluster-applications/060-ibm-rbac/Chart.yaml
rename to cluster-applications/061-ibm-rbac/Chart.yaml
diff --git a/cluster-applications/060-ibm-rbac/README.md b/cluster-applications/061-ibm-rbac/README.md
similarity index 56%
rename from cluster-applications/060-ibm-rbac/README.md
rename to cluster-applications/061-ibm-rbac/README.md
index e3d682c47..24aac3333 100644
--- a/cluster-applications/060-ibm-rbac/README.md
+++ b/cluster-applications/061-ibm-rbac/README.md
@@ -1,3 +1,3 @@
 IBM Resource-Based Access Control (RBAC)
 ===============================================================================
-Installs the IBM RBAC groups, together with the necessary roles and role bindings.
+Installs the IBM RBAC roles and role bindings. Groups are managed by the Group Sync Operator.
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/cluster-admin.yaml
similarity index 78%
rename from cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/cluster-admin.yaml
index 2070b56f8..08819ce37 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/cluster-admin_cluster-role-binding.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/cluster-admin.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -9,4 +10,4 @@ roleRef:
 subjects:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
- name: {{ .Values.ibm_rbac_group_bindings.ibm-cluster-admins }}
+ name: {{ .Values.ibm_rbac_binding_to_group.ibm_cluster_admins }}
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/dba-editor.yaml
similarity index 78%
rename from cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/dba-editor.yaml
index 8ee70c2b2..9fd1300b5 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-editor_cluster-role-binding.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/dba-editor.yaml
@@ -1,3 +1,4 @@
+---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -5,7 +6,7 @@ metadata:
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
- name: {{ .Values.ibm_rbac_group_bindings.ibm-dba-edit-rb }}
+ name: {{ .Values.ibm_rbac_binding_to_group.ibm_dba_edit_rb }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/dba-reader.yaml
similarity index 78%
rename from cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/dba-reader.yaml
index 22a1dac90..ce8098cec 100644
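Review bot: The new subject line `name: {{ .Values.ibm_rbac_binding_to_group.ibm_cluster_admins }}` renders an empty `name:` when the key is missing or blank, and an unquoted group name is exposed to YAML retyping (`on`, `no`, all-digit names). Because this binding hands out whatever ClusterRole its roleRef names (presumably cluster-admin, given the filename; the roleRef body is outside the hunk), a clear render-time failure is preferable to discovering the problem as an apply-time validation error or a binding to an unexpected group: `name: {{ required "ibm_rbac_binding_to_group.ibm_cluster_admins must be set" .Values.ibm_rbac_binding_to_group.ibm_cluster_admins | quote }}`. The same `required`/`quote` pattern applies to the other binding templates touched by this commit. The ClusterRoleBinding resource starts and ends outside the hunk.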
--- a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/dba-reader_cluster-role-binding.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/dba-reader.yaml
@@ -1,3 +1,4 @@
+---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -5,7 +6,7 @@ metadata:
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
- name: {{ .Values.ibm_rbac_group_bindings.cluster-reader }}
+ name: {{ .Values.ibm_rbac_binding_to_group.cluster_reader }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/network-reader.yaml
similarity index 76%
rename from cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/network-reader.yaml
index 39f71a326..d24a3be07 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network-reader_cluster-role-binding.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/network-reader.yaml
@@ -1,3 +1,4 @@
+---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -5,7 +6,7 @@ metadata:
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
- name: {{ .Values.ibm_rbac_group_bindings.ibm-network-cluster-reader }}
+ name: {{ .Values.ibm_rbac_binding_to_group.ibm_network_cluster_reader }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
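Review bot: Point of style: the dba-reader template looks up `.Values.ibm_rbac_binding_to_group.cluster_reader`, whereas every sibling template keys on its own binding name (`ibm_dba_edit_rb`, `ibm_network_cluster_reader`, `ibm_sre_cluster_reader`), so an auditor reading the values file sees a key that reads like OpenShift's built-in `cluster-reader` ClusterRole rather than the DBA read binding. If the binding really is named `cluster-reader` (metadata.name is outside the hunk), add a comment above the line, `# values key is cluster_reader because this binding is named cluster-reader, not ibm-dba-reader`, or rename binding and key to a prefixed form such as `ibm_dba_cluster_reader` in a follow-up so the privileged mapping is greppable. The enclosing resource starts before and ends after this hunk.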
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/network.yaml
similarity index 79%
rename from cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/network.yaml
index 32a4501d1..255921d63 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/network_cluster-role-binding.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/network.yaml
@@ -1,3 +1,4 @@
+---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -5,7 +6,7 @@ metadata:
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
- name: {{ .Values.ibm_rbac_group_bindings.ibm-network-rb }}
+ name: {{ .Values.ibm_rbac_binding_to_group.ibm_network_rb }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/provisioning.yaml
similarity index 77%
rename from cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/provisioning.yaml
index 8f74e8d8d..7a4e521b9 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/provisioning_cluster-role-binding.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/provisioning.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -9,4 +10,4 @@ roleRef:
 subjects:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
- name: {{ .Values.ibm_rbac_group_bindings.ibm-provisioning-rb }}
+ name: {{ .Values.ibm_rbac_binding_to_group.ibm_provisioning_rb }}
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin.yaml
similarity index 74%
rename from cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin.yaml
index ed1667d69..9cfd12211 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin_cluster-role-binding.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -9,4 +10,4 @@ roleRef:
 subjects:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
- name: {{ .Values.ibm_rbac_group_bindings.ibm-sre-automation-cluster-admin-binding }}
+ name: {{ .Values.ibm_rbac_binding_to_group.ibm_sre_automation_cluster_admin_binding }}
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-editor.yaml
similarity index 78%
rename from cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-editor.yaml
index 5f1208845..577194332 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-editor_cluster-role-binding.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-editor.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -9,4 +10,4 @@ roleRef:
 subjects:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
- name: {{ .Values.ibm_rbac_group_bindings.ibm-sre-editor-rb }}
+ name: {{ .Values.ibm_rbac_binding_to_group.ibm_sre_editor_rb }}
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-reader.yaml
similarity index 77%
rename from cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-reader.yaml
index d87476f8a..01241c9b5 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-role-bindings/sre-reader_cluster-role-binding.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-reader.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -9,4 +10,4 @@ roleRef:
 subjects:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
- name: {{ .Values.ibm_rbac_group_bindings.ibm-sre-cluster-reader }}
+ name: {{ .Values.ibm_rbac_binding_to_group.ibm_sre_cluster_reader }}
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-roles/dba_cluster-role.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-roles/dba.yaml
similarity index 99%
rename from cluster-applications/060-ibm-rbac/templates/cluster-roles/dba_cluster-role.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-roles/dba.yaml
index 603b06ec2..4e45e782b 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-roles/dba_cluster-role.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-roles/dba.yaml
@@ -1,3 +1,4 @@
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-roles/network_cluster-role.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-roles/network.yaml
similarity index 99%
rename from cluster-applications/060-ibm-rbac/templates/cluster-roles/network_cluster-role.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-roles/network.yaml
index 56b38a6b2..928612032 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-roles/network_cluster-role.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-roles/network.yaml
@@ -1,3 +1,4 @@
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/cluster-applications/060-ibm-rbac/templates/cluster-roles/sre-editor_cluster-role.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-roles/sre-editor.yaml
similarity index 99%
rename from cluster-applications/060-ibm-rbac/templates/cluster-roles/sre-editor_cluster-role.yaml
rename to cluster-applications/061-ibm-rbac/templates/cluster-roles/sre-editor.yaml
index 6da6ec2a3..0453d01d0 100644
--- a/cluster-applications/060-ibm-rbac/templates/cluster-roles/sre-editor_cluster-role.yaml
+++ b/cluster-applications/061-ibm-rbac/templates/cluster-roles/sre-editor.yaml
@@ -1,3 +1,4 @@
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/cluster-applications/061-ibm-rbac/values.yaml b/cluster-applications/061-ibm-rbac/values.yaml
new file mode 100644
index 000000000..d74e4d16c
--- /dev/null
+++ b/cluster-applications/061-ibm-rbac/values.yaml
@@ -0,0 +1,13 @@
+---
+# Key: name of role binding or cluster role binding
+# Value: name of OpenShift group
+ibm_rbac_binding_to_group:
+ ibm_cluster_admins: admin
+ ibm_dba_edit_rb: admin
+ ibm_provisioning_rb: admin
+ ibm_sre_automation_cluster_admin_binding: admin
+ ibm_sre_editor_rb: admin
+ cluster_reader: developer
+ ibm_network_rb: developer
+ ibm_network_cluster_reader: developer
+ ibm_sre_cluster_reader: developer
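Review bot: The shipped defaults point the five privileged entries (`ibm_cluster_admins`, `ibm_dba_edit_rb`, `ibm_provisioning_rb`, `ibm_sre_automation_cluster_admin_binding`, `ibm_sre_editor_rb`) at a group literally named `admin`, so any cluster whose override omits one of these keys silently keeps that binding aimed at `admin` (Helm merges an override map key by key rather than replacing it). For entries whose names suggest cluster-admin scope it is safer to ship no working default — set them to `""` and fail the render with `required` in the templates, or at minimum document the override as mandatory. The header comment is also stale after the rename: keys no longer equal the binding names, so `# Key: binding name with '-' replaced by '_' (Helm templates cannot address dashed keys)` would be accurate. Whether groups named `admin` and `developer` actually exist depends on the Group Sync Operator configuration, which is outside this commit.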
diff --git a/root-applications/ibm-mas-account-root/templates/000-cluster-appset.yaml b/root-applications/ibm-mas-account-root/templates/000-cluster-appset.yaml
index 3ed178489..eeb2994c3 100644
--- a/root-applications/ibm-mas-account-root/templates/000-cluster-appset.yaml
+++ b/root-applications/ibm-mas-account-root/templates/000-cluster-appset.yaml
@@ -77,6 +77,11 @@ spec:
 revision: "{{ .Values.generator.revision }}"
 files:
 - path: "{{ .Values.account.id }}/*/group-sync-operator.yaml"
+ - git:
+ repoURL: "{{ .Values.generator.repo_url }}"
+ revision: "{{ .Values.generator.revision }}"
+ files:
+ - path: "{{ .Values.account.id }}/*/ibm-rbac.yaml"
 syncPolicy:
 applicationsSync: "{{- if .Values.auto_delete }}sync{{- else }}create-update{{- end }}"
 template:
diff --git a/root-applications/ibm-mas-cluster-root/templates/060-ibm-rbac-app.yaml b/root-applications/ibm-mas-cluster-root/templates/061-ibm-rbac-app.yaml
similarity index 94%
rename from root-applications/ibm-mas-cluster-root/templates/060-ibm-rbac-app.yaml
rename to root-applications/ibm-mas-cluster-root/templates/061-ibm-rbac-app.yaml
index 6a9e1fbee..a725ce97a 100644
--- a/root-applications/ibm-mas-cluster-root/templates/060-ibm-rbac-app.yaml
+++ b/root-applications/ibm-mas-cluster-root/templates/061-ibm-rbac-app.yaml
@@ -1,4 +1,4 @@
-{{- if not (empty .Values.ibm-rbac) }}
+{{- if not (empty .Values.ibm_rbac) }}
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -10,7 +10,7 @@ metadata:
 region: '{{ .Values.region.id }}'
 cluster: '{{ .Values.cluster.id }}'
 annotations:
- argocd.argoproj.io/sync-wave: "060"
+ argocd.argoproj.io/sync-wave: "061"
 healthCheckTimeout: "1800"
 {{- if and .Values.notifications .Values.notifications.slack_channel_id }}
 notifications.argoproj.io/subscribe.on-sync-failed.workspace1: {{ .Values.notifications.slack_channel_id }}
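Review bot: The new git generator makes `{{ .Values.account.id }}/*/ibm-rbac.yaml` in the config repository the input that decides which groups receive these cluster-scoped bindings (the cluster root Application later pipes `.Values.ibm_rbac.binding_to_group` into the chart), yet nothing at the generator documents that file's expected keys or that a commit to it is equivalent to granting cluster-level roles. Suggest a comment above the new `- git:` entry, `# ibm-rbac.yaml supplies ibm_rbac.binding_to_group (binding -> OpenShift group); edits here grant cluster roles, so gate this path with CODEOWNERS/required review`. Whether the repository already protects that path is not visible from this change. The ApplicationSet spec continues outside the hunk.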
@@ -25,7 +25,7 @@ spec:
 namespace: default
 source:
 repoURL: "{{ .Values.source.repo_url }}"
- path: cluster-applications/060-ibm-rbac
+ path: cluster-applications/061-ibm-rbac
 targetRevision: "{{ .Values.source.revision }}"
 plugin:
 name: {{ .Values.avp.name }}
From ba210c9b740f9fc681381af50d90844968eb1cd1 Mon Sep 17 00:00:00 2001
From: "J. Harte" <13206585+boonware@users.noreply.github.com>
Date: Mon, 9 Dec 2024 12:10:43 +0000
Subject: [PATCH 24/24] fix: yaml props
---
 .../ibm-mas-cluster-root/templates/061-ibm-rbac-app.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root-applications/ibm-mas-cluster-root/templates/061-ibm-rbac-app.yaml b/root-applications/ibm-mas-cluster-root/templates/061-ibm-rbac-app.yaml
index a725ce97a..de1acd28c 100644
--- a/root-applications/ibm-mas-cluster-root/templates/061-ibm-rbac-app.yaml
+++ b/root-applications/ibm-mas-cluster-root/templates/061-ibm-rbac-app.yaml
@@ -32,7 +32,7 @@ spec:
 env:
 - name: {{ .Values.avp.values_varname }}
 value: |
- ibm_rbac_binding_to_group: "{{ .Values.ibm_rbac.binding_to_group }}"
+ ibm_rbac_binding_to_group: {{ .Values.ibm_rbac.binding_to_group | toYaml | nindent 14 }}
 junitreporter:
 reporter_name: "ibm-rbac"
 cluster_id: "{{ .Values.cluster.id }}"
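Review bot: `ibm_rbac_binding_to_group: {{ .Values.ibm_rbac.binding_to_group | toYaml | nindent 14 }}` renders `null` when `binding_to_group` is unset, and a null override presumably drops the chart's default map so every binding template then fails dereferencing a nil map — fail-closed, but an opaque error, and the Application guard `{{- if not (empty .Values.ibm_rbac) }}` earlier in this file only checks that some `ibm_rbac` key exists. Prefer an explicit render-time message: `ibm_rbac_binding_to_group: {{ required "ibm_rbac.binding_to_group must be set" .Values.ibm_rbac.binding_to_group | toYaml | nindent 14 }}`. Also note that `nindent 14` must match the indentation of the `value: |` block scalar exactly or the emitted values document is mis-nested; the collapsed whitespace in this hunk makes that impossible to confirm here. The env list and Application spec continue outside the hunk.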