From 2d5954c4e622a01bf0215ca1cdcb3a5d4a5c3ecb Mon Sep 17 00:00:00 2001
From: Matheus Sousa
Date: Thu, 6 Jun 2024 13:17:34 -0300
Subject: [PATCH] feat: add new RBAC configuration for k8sgpt (#434)
* feat: migrate k8sgpt rbac configuration to template chart
Signed-off-by: Matheus Sousa
* remove: removed k8sgpt rbac logic because is managed by template chart
Signed-off-by: Matheus Sousa
---------
Signed-off-by: Matheus Sousa
Signed-off-by: Matheus Sousa <73663610+MateSousa@users.noreply.github.com>
Co-authored-by: Aris Boutselis
---
.../k8sgpt-cluster-role-binding.yaml | 14 ++
.../templates/k8sgpt-cluster-role.yaml | 23 ++++
chart/operator/templates/k8sgpt-sa.yaml | 9 ++
pkg/resources/k8sgpt.go | 126 ------------------
4 files changed, 46 insertions(+), 126 deletions(-)
create mode 100644 chart/operator/templates/k8sgpt-cluster-role-binding.yaml
create mode 100644 chart/operator/templates/k8sgpt-cluster-role.yaml
create mode 100644 chart/operator/templates/k8sgpt-sa.yaml
diff --git a/chart/operator/templates/k8sgpt-cluster-role-binding.yaml b/chart/operator/templates/k8sgpt-cluster-role-binding.yaml
new file mode 100644
index 00000000..a911be8f
--- /dev/null
+++ b/chart/operator/templates/k8sgpt-cluster-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "chart.fullname" . }}-k8sgpt
+ labels:
+ {{- include "chart.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "chart.fullname" . }}-k8sgpt
+subjects:
+ - kind: ServiceAccount
+ name: "k8sgpt"
+ namespace: {{ .Release.Namespace }}
diff --git a/chart/operator/templates/k8sgpt-cluster-role.yaml b/chart/operator/templates/k8sgpt-cluster-role.yaml
new file mode 100644
index 00000000..dec9e729
--- /dev/null
+++ b/chart/operator/templates/k8sgpt-cluster-role.yaml
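Review bot: The subject binds a ServiceAccount fixed at name `k8sgpt` in `{{ .Release.Namespace }}`, whereas the removed GetServiceAccount/GetClusterRoleBinding code placed the account and the binding subject in the K8sGPT CR's `config.Namespace`; if a K8sGPT CR may be created outside the release namespace, its Deployment would reference an account that only exists in the release namespace and this binding would grant it nothing. Worth confirming the operator constrains the CR to its own namespace, or stating the constraint in the template, e.g. `# the k8sgpt ServiceAccount lives in the release namespace; K8sGPT resources are expected there too`. The hardcoded subject name also contrasts with the fullname-templated role name: two releases in one namespace would share the account while each carrying its own ClusterRole and binding, which is presumably intended but deserves a one-line comment.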
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "chart.fullname" . }}-k8sgpt
+ labels:
+ {{- include "chart.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - create
+ - list
+ - get
+ - watch
+ - delete
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
diff --git a/chart/operator/templates/k8sgpt-sa.yaml b/chart/operator/templates/k8sgpt-sa.yaml
new file mode 100644
index 00000000..b4c8f454
--- /dev/null
+++ b/chart/operator/templates/k8sgpt-sa.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "k8sgpt"
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: k8sgpt-operator
+ app.kubernetes.io/part-of: k8sgpt-operator
+ {{- include "chart.labels" . | nindent 4 }}
diff --git a/pkg/resources/k8sgpt.go b/pkg/resources/k8sgpt.go
index 7d293cf6..37541f00 100644
--- a/pkg/resources/k8sgpt.go
+++ b/pkg/resources/k8sgpt.go
@@ -24,7 +24,6 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 v1 "k8s.io/api/core/v1"
- r1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
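Review bot: The first rule grants create/list/get/watch/delete on every resource in every API group cluster-wide (secrets, pods and rolebindings included), and the chart now creates it unconditionally for the lifetime of the release, whereas the removed Go code only materialised the ClusterRole when `!outOfClusterMode` and tied it to the K8sGPT CR through ownerReferences. The two rationales that lived next to the rules in Go (`// This is necessary for the creation of integrations` and `// Allow creation of custom resources`) were dropped in the move; restore them as YAML comments above the respective rules so the breadth of the grant stays reviewable. Consider gating these three templates behind a chart value (e.g. `.Values.<rbac enable flag>`) so out-of-cluster installs do not carry a cluster-wide write grant they never use, and narrowing `'*'` to the API groups k8sgpt actually reaches if those are known.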
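Review bot: The ServiceAccount carries no `imagePullSecrets`, while the removed GetServiceAccount copied every entry of `config.Spec.ImagePullSecrets` onto the account; unless GetDeployment sets `imagePullSecrets` on the pod spec itself (not visible in this diff), pulls from private registries regress for K8sGPT CRs that relied on that field. Either thread the secrets through a chart value, e.g. `imagePullSecrets: {{ toYaml .Values.<imagePullSecrets value> | nindent 2 }}`, or document that `spec.imagePullSecrets` no longer reaches the ServiceAccount and must be set on the Deployment.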
@@ -102,108 +101,6 @@ func GetService(config v1alpha1.K8sGPT) (*corev1.Service, error) {
 return &service, nil
 }
-// GetServiceAccount Create Service Account for K8sGPT and bind it to K8sGPT role
-func GetServiceAccount(config v1alpha1.K8sGPT) (*corev1.ServiceAccount, error) {
- // Create service account
- serviceAccount := corev1.ServiceAccount{
- ObjectMeta: metav1.ObjectMeta{
- Name: "k8sgpt",
- Namespace: config.Namespace,
- OwnerReferences: []metav1.OwnerReference{
- {
- Kind: config.Kind,
- Name: config.Name,
- UID: config.UID,
- APIVersion: config.APIVersion,
- BlockOwnerDeletion: utils.PtrBool(true),
- Controller: utils.PtrBool(true),
- },
- },
- },
- ImagePullSecrets: []corev1.LocalObjectReference{},
- }
- //Add image pull secrets to service account
- for _, secret := range config.Spec.ImagePullSecrets {
- serviceAccount.ImagePullSecrets = append(serviceAccount.ImagePullSecrets, corev1.LocalObjectReference{
- Name: secret.Name,
- })
- }
-
- return &serviceAccount, nil
-}
-
-// GetClusterRoleBinding Create cluster role binding for K8sGPT
-func GetClusterRoleBinding(config v1alpha1.K8sGPT) (*r1.ClusterRoleBinding, error) {
-
- // Create cluster role binding
- clusterRoleBinding := r1.ClusterRoleBinding{
- ObjectMeta: metav1.ObjectMeta{
- Name: "k8sgpt",
- OwnerReferences: []metav1.OwnerReference{
- {
- Kind: config.Kind,
- Name: config.Name,
- UID: config.UID,
- APIVersion: config.APIVersion,
- BlockOwnerDeletion: utils.PtrBool(true),
- Controller: utils.PtrBool(true),
- },
- },
- },
- Subjects: []r1.Subject{
- {
- Kind: "ServiceAccount",
- Name: "k8sgpt",
- Namespace: config.Namespace,
- },
- },
- RoleRef: r1.RoleRef{
- Kind: "ClusterRole",
- Name: "k8sgpt",
- APIGroup: "rbac.authorization.k8s.io",
- },
- }
-
- return &clusterRoleBinding, nil
-}
-
-// GetClusterRole Create ClusterRole for K8sGPT with cluster read all
-func GetClusterRole(config v1alpha1.K8sGPT) (*r1.ClusterRole, error) {
-
- // Create cluster role
- clusterRole := r1.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: "k8sgpt",
- OwnerReferences: []metav1.OwnerReference{
- {
- Kind: config.Kind,
- Name: config.Name,
- UID: config.UID,
- APIVersion: config.APIVersion,
- BlockOwnerDeletion: utils.PtrBool(true),
- Controller: utils.PtrBool(true),
- },
- },
- },
- Rules: []r1.PolicyRule{
- {
- APIGroups: []string{"*"},
- Resources: []string{"*"},
- // This is necessary for the creation of integrations
- Verbs: []string{"create", "list", "get", "watch", "delete"},
- },
- // Allow creation of custom resources
- {
- APIGroups: []string{"apiextensions.k8s.io"},
- Resources: []string{"*"},
- Verbs: []string{"*"},
- },
- },
- }
-
- return &clusterRole, nil
-}
-
 // GetDeployment Create deployment with the latest K8sGPT image
 func GetDeployment(config v1alpha1.K8sGPT, outOfClusterMode bool, c client.Client) (*appsv1.Deployment, error) {
@@ -427,29 +324,6 @@ func Sync(ctx context.Context, c client.Client,
 outOfClusterMode := config.Spec.Kubeconfig != nil
- if !outOfClusterMode {
- svcAcc, er := GetServiceAccount(config)
- if er != nil {
- return er
- }
-
- objs = append(objs, svcAcc)
-
- clusterRole, er := GetClusterRole(config)
- if er != nil {
- return er
- }
-
- objs = append(objs, clusterRole)
-
- clusterRoleBinding, er := GetClusterRoleBinding(config)
- if er != nil {
- return er
- }
-
- objs = append(objs, clusterRoleBinding)
- }
-
 svc, er := GetService(config)
 if er != nil {
 return er