ibm-mas · whitfiea · Dec 10, 2024 · Nov 6, 2024 · Nov 7, 2024 · Nov 7, 2024
diff --git a/cluster-applications/061-ibm-rbac/Chart.yaml b/cluster-applications/061-ibm-rbac/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: ibm-rbac
+description: IBM RBAC
+type: application
+version: 1.0.0
+
+dependencies:
+- name: junitreporter
+  version: 1.0.0
+  repository: "file://../../sub-charts/junitreporter/"
+  condition: junitreporter.devops_mongo_uri != ""
diff --git a/cluster-applications/061-ibm-rbac/README.md b/cluster-applications/061-ibm-rbac/README.md
@@ -0,0 +1,3 @@
+IBM Resource-Based Access Control (RBAC)
+===============================================================================
+Installs the IBM RBAC roles and role bindings. Groups are managed by the Group Sync Operator.
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/cluster-admin.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/cluster-admin.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ibm-cluster-admins
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ .Values.ibm_rbac_binding_to_group.ibm_cluster_admins }}
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/dba-editor.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/dba-editor.yaml
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ibm-dba-edit-rb
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: {{ .Values.ibm_rbac_binding_to_group.ibm_dba_edit_rb }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ibm-dba-cluster-role
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/dba-reader.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/dba-reader.yaml
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cluster-reader
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: {{ .Values.ibm_rbac_binding_to_group.cluster_reader }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-reader
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/network-reader.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/network-reader.yaml
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ibm-network-cluster-reader
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: {{ .Values.ibm_rbac_binding_to_group.ibm_network_cluster_reader }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-reader
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/network.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/network.yaml
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ibm-network-rb
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: {{ .Values.ibm_rbac_binding_to_group.ibm_network_rb }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ibm-network-cluster-role
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/provisioning.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/provisioning.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ibm-provisioning-rb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ .Values.ibm_rbac_binding_to_group.ibm_provisioning_rb }}
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-automation-admin.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ibm-sre-automation-cluster-admin-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ .Values.ibm_rbac_binding_to_group.ibm_sre_automation_cluster_admin_binding }}
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-editor.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-editor.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ibm-sre-editor-rb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ibm-sre-editor
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ .Values.ibm_rbac_binding_to_group.ibm_sre_editor_rb }}
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-reader.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-role-bindings/sre-reader.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ibm-sre-cluster-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-reader
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ .Values.ibm_rbac_binding_to_group.ibm_sre_cluster_reader }}
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-roles/dba.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-roles/dba.yaml
@@ -0,0 +1,27 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ibm-dba-cluster-role
+rules:
+  - verbs: ["*"]
+    apiGroups: [""]
+    resources: ["pods", "pods/exec", "services"]
+  - verbs: ["*"]
+    apiGroups: ["networking.k8s.io"]
+    resources: ["networkpolicies"]
+  - verbs: ["get", "list", "watch"]
+    apiGroups: [""]
+    resources: ["secrets"]
+  - verbs: ["*"]
+    apiGroups: ["batch"]
+    resources: ["jobs", "cronjobs"]
+  - verbs: ["update", "patch", "get", "list"]
+    apiGroups: ["db2u.databases.ibm.com"]
+    resources: ["*"]
+  - verbs: ["update", "patch", "get", "list"]
+    apiGroups: ["datarefinery.cpd.ibm.com"]
+    resources: ["*"]
+  - verbs: ["update", "patch", "get", "list"]
+    apiGroups: ["databases.cpd.ibm.com"]
+    resources: ["*"]
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-roles/network.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-roles/network.yaml
@@ -0,0 +1,18 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ibm-network-cluster-role
+rules:
+  - verbs: ["*"]
+    apiGroups: ["networking.k8s.io"]
+    resources: ["networkpolicies"]
+  - verbs: ["*"]
+    apiGroups: ["network.openshift.io"]
+    resources: ["egressnetworkpolicies"]
+  - verbs: ["*"]
+    apiGroups: ["operator.openshift.io"]
+    resources: ["ingresscontrollers"]
+  - verbs: ["get"]
+    apiGroups: ["operator.openshift.io"]
+    resources: ["dnses"]
diff --git a/cluster-applications/061-ibm-rbac/templates/cluster-roles/sre-editor.yaml b/cluster-applications/061-ibm-rbac/templates/cluster-roles/sre-editor.yaml
@@ -0,0 +1,33 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ibm-sre-editor
+rules:
+  - verbs: ["*"]
+    apiGroups: [""]
+    resources: ["pods", "pods/exec"]
+  - verbs: ["*"]
+    apiGroups: [""]
+    resources: ["secrets"]
+  - verbs: ["*"]
+    apiGroups: ["apps"]
+    resources: ["deployments", "deployments/scale", "statefulsets"]
+  - verbs: ["create", "update", "patch", "get", "list"]
+    apiGroups: ["route.openshift.io"]
+    resources: ["routes"]
+  - verbs: ["update", "patch", "get", "list"]
+    apiGroups: ["apps.mas.ibm.com"]
+    resources: ["*"]
+  - verbs: ["update", "patch", "get", "list"]
+    apiGroups: ["config.mas.ibm.com"]
+    resources: ["*"]
+  - verbs: ["*"]
+    apiGroups: ["cert-manager.io"]
+    resources: ["*"]
+  - verbs: ["*"]
+    apiGroups: ["acme.cert-manager.io"]
+    resources: ["*"]
+  - verbs: ["get", "list", "watch", "update", "patch"]
+    apiGroups: ["operators.coreos.com"]
+    resources: ["clusterserviceversions", "installplans", "subscriptions"]
diff --git a/cluster-applications/061-ibm-rbac/values.yaml b/cluster-applications/061-ibm-rbac/values.yaml
@@ -0,0 +1,13 @@
+---
+# Key: name of role binding or cluster role binding
+# Value: name of OpenShift group 
+ibm_rbac_binding_to_group:
+    ibm_cluster_admins: admin
+    ibm_dba_edit_rb: admin
+    ibm_provisioning_rb: admin
+    ibm_sre_automation_cluster_admin_binding: admin
+    ibm_sre_editor_rb: admin
+    cluster_reader: developer
+    ibm_network_rb: developer
+    ibm_network_cluster_reader: developer
+    ibm_sre_cluster_reader: developer
diff --git a/root-applications/ibm-mas-account-root/templates/000-cluster-appset.yaml b/root-applications/ibm-mas-account-root/templates/000-cluster-appset.yaml
@@ -77,6 +77,11 @@ spec:
               revision: "{{ .Values.generator.revision }}"
               files:
               - path: "{{ .Values.account.id }}/*/group-sync-operator.yaml"
+          - git:
+              repoURL: "{{ .Values.generator.repo_url }}"
+              revision: "{{ .Values.generator.revision }}"
+              files:
+              - path: "{{ .Values.account.id }}/*/ibm-rbac.yaml"
   syncPolicy:
     applicationsSync: "{{- if .Values.auto_delete }}sync{{- else }}create-update{{- end }}"
   template:

diff --git a/root-applications/ibm-mas-cluster-root/templates/061-ibm-rbac-app.yaml b/root-applications/ibm-mas-cluster-root/templates/061-ibm-rbac-app.yaml
@@ -0,0 +1,62 @@
+{{- if not (empty .Values.ibm_rbac) }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ibm-rbac.{{ .Values.cluster.id }}
+  namespace: {{ .Values.argo.namespace }}
+  labels:
+    environment: '{{ .Values.account.id }}'
+    region: '{{ .Values.region.id }}'
+    cluster: '{{ .Values.cluster.id }}'
+  annotations:
+    argocd.argoproj.io/sync-wave: "061"
+    healthCheckTimeout: "1800"
+    {{- if and .Values.notifications .Values.notifications.slack_channel_id }}
+    notifications.argoproj.io/subscribe.on-sync-failed.workspace1: {{ .Values.notifications.slack_channel_id }}
+    notifications.argoproj.io/subscribe.on-sync-succeeded.workspace1: {{ .Values.notifications.slack_channel_id }}
+    {{- end }}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: "{{ .Values.argo.projects.apps }}"
+  destination:
+    server: {{ .Values.cluster.url }}
+    namespace: default
+  source:
+    repoURL: "{{ .Values.source.repo_url }}"
+    path: cluster-applications/061-ibm-rbac
+    targetRevision: "{{ .Values.source.revision }}"
+    plugin:
+      name: {{ .Values.avp.name }}
+      env:
+        - name: {{ .Values.avp.values_varname }}
+          value: |
+            ibm_rbac_binding_to_group: {{ .Values.ibm_rbac.binding_to_group | toYaml | nindent 14 }}
+            junitreporter:
+              reporter_name: "ibm-rbac"
+              cluster_id: "{{ .Values.cluster.id }}"
+              devops_mongo_uri: "{{ .Values.devops.mongo_uri }}"
+              devops_build_number: "{{ .Values.devops.build_number }}"
+              gitops_version: "{{ .Values.source.revision }}"
+            {{- if .Values.custom_labels }}
+            custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }}
+            {{- end }}
+        - name: ARGOCD_APP_NAME
+          value: ibmrbacapp
+        {{- if not (empty .Values.avp.secret) }}
+        - name: AVP_SECRET
+          value: {{ .Values.avp.secret }}
+        {{- end }}
+  syncPolicy:
+    automated:
+      {{- if .Values.auto_delete }}
+      prune: true
+      {{- end }}
+      selfHeal: true
+    retry:
+      limit: 20
+    syncOptions:
+      - CreateNamespace=false
+      - RespectIgnoreDifferences=true
+{{- end }}