From 078bed621c930284f669677ec777e443b0f8d330 Mon Sep 17 00:00:00 2001
From: Kyle Schochenmaier
Date: Wed, 24 Jun 2020 17:01:39 -0500
Subject: [PATCH] remove enterprise license cluster roles (#511)
* remove unnecessary cluster role usage for enterprise license templates
---
 ...role.yaml => enterprise-license-role.yaml} | 3 +-
 ...ml => enterprise-license-rolebinding.yaml} | 6 ++--
 ...role.bats => enterprise-license-role.bats} | 32 +++++++++----------
 ...ts => enterprise-license-rolebinding.bats} | 20 ++++++------
 4 files changed, 31 insertions(+), 30 deletions(-)
 rename templates/{enterprise-license-clusterrole.yaml => enterprise-license-role.yaml} (95%)
 rename templates/{enterprise-license-clusterrolebinding.yaml => enterprise-license-rolebinding.yaml} (90%)
 rename test/unit/{enterprise-license-clusterrole.bats => enterprise-license-role.bats} (66%)
 rename test/unit/{enterprise-license-clusterrolebinding.bats => enterprise-license-rolebinding.bats} (60%)
diff --git a/templates/enterprise-license-clusterrole.yaml b/templates/enterprise-license-role.yaml
similarity index 95%
rename from templates/enterprise-license-clusterrole.yaml
rename to templates/enterprise-license-role.yaml
index 8b26f6a662..ff851a5344 100644
--- a/templates/enterprise-license-clusterrole.yaml
+++ b/templates/enterprise-license-role.yaml
@@ -1,9 +1,10 @@
 {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 name: {{ template "consul.fullname" . }}-enterprise-license
+ namespace: {{ .Release.Namespace }}
 labels:
 app: {{ template "consul.name" . }}
 chart: {{ template "consul.chart" . }}
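Review bot: Nothing in this patch pins the new scope set in templates/enterprise-license-role.yaml (`kind: Role` plus `namespace: {{ .Release.Namespace }}`): the bats hunks that follow only retitle the tests and repoint `-x`, and the assertions they show check `length > 0`. A later edit that widened this back to a ClusterRole would therefore pass the suite. I would add one test per template that renders with the license secret set and compares `yq -r '.kind'` against `Role` (and `RoleBinding` for the binding), and one that checks `.metadata.namespace` is present. The Role's `rules:` block lies outside this hunk, so it is not reviewed here.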
diff --git a/templates/enterprise-license-clusterrolebinding.yaml b/templates/enterprise-license-rolebinding.yaml
similarity index 90%
rename from templates/enterprise-license-clusterrolebinding.yaml
rename to templates/enterprise-license-rolebinding.yaml
index 6469adc372..36c3c14e7e 100644
--- a/templates/enterprise-license-clusterrolebinding.yaml
+++ b/templates/enterprise-license-rolebinding.yaml
@@ -1,9 +1,10 @@
 {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
 name: {{ template "consul.fullname" . }}-enterprise-license
+ namespace: {{ .Release.Namespace }}
 labels:
 app: {{ template "consul.name" . }}
 chart: {{ template "consul.chart" . }}
@@ -11,11 +12,10 @@ metadata:
 release: {{ .Release.Name }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
+ kind: Role
 name: {{ template "consul.fullname" . }}-enterprise-license
 subjects:
 - kind: ServiceAccount
 name: {{ template "consul.fullname" . }}-enterprise-license
- namespace: {{ .Release.Namespace }}
 {{- end }}
 {{- end }}
diff --git a/test/unit/enterprise-license-clusterrole.bats b/test/unit/enterprise-license-role.bats
similarity index 66%
rename from test/unit/enterprise-license-clusterrole.bats
rename to test/unit/enterprise-license-role.bats
index b4ac2f7dd2..0caab2cff3 100644
--- a/test/unit/enterprise-license-clusterrole.bats
+++ b/test/unit/enterprise-license-role.bats
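Review bot: In the second hunk of templates/enterprise-license-rolebinding.yaml the ServiceAccount subject loses its `namespace:` field, which leaves the binding dependent on RBAC resolving an unqualified ServiceAccount subject to the RoleBinding's own namespace. That resolves to the same account, as far as I know, but an explicit subject namespace is easier to audit and is still valid on a namespaced RoleBinding; I would keep `namespace: {{ .Release.Namespace }}` under the `- kind: ServiceAccount` entry. Only the `kind:` under `roleRef` and the new `metadata.namespace` need to change for the move away from cluster scope.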
@@ -2,19 +2,19 @@
 load _helpers
-@test "enterpriseLicense/ClusterRole: disabled by default" {
+@test "enterpriseLicense/Role: disabled by default" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrole.yaml \
+ -x templates/enterprise-license-role.yaml \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
-@test "enterpriseLicense/ClusterRole: disabled with server=false, ent secret defined" {
+@test "enterpriseLicense/Role: disabled with server=false, ent secret defined" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrole.yaml \
+ -x templates/enterprise-license-role.yaml \
 --set 'server.enabled=false' \
 --set 'server.enterpriseLicense.secretName=foo' \
 --set 'server.enterpriseLicense.secretKey=bar' \
@@ -23,30 +23,30 @@ load _helpers
 [ "${actual}" = "false" ]
 }
-@test "enterpriseLicense/ClusterRole: disabled when ent secretName missing" {
+@test "enterpriseLicense/Role: disabled when ent secretName missing" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrole.yaml \
+ -x templates/enterprise-license-role.yaml \
 --set 'server.enterpriseLicense.secretKey=bar' \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
-@test "enterpriseLicense/ClusterRole: disabled when ent secretKey missing" {
+@test "enterpriseLicense/Role: disabled when ent secretKey missing" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrole.yaml \
+ -x templates/enterprise-license-role.yaml \
 --set 'server.enterpriseLicense.secretName=foo' \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
-@test "enterpriseLicense/ClusterRole: enabled when ent license defined" {
+@test "enterpriseLicense/Role: enabled when ent license defined" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrole.yaml \
+ -x templates/enterprise-license-role.yaml \
 --set 'server.enterpriseLicense.secretName=foo' \
 --set 'server.enterpriseLicense.secretKey=bar' \
 . | tee /dev/stderr |
@@ -54,10 +54,10 @@ load _helpers
 [ "${actual}" = "true" ]
 }
-@test "enterpriseLicense/ClusterRole: rules are empty if global.acls.manageSystemACLs and global.enablePodSecurityPolicies are false" {
+@test "enterpriseLicense/Role: rules are empty if global.acls.manageSystemACLs and global.enablePodSecurityPolicies are false" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrole.yaml \
+ -x templates/enterprise-license-role.yaml \
 --set 'server.enterpriseLicense.secretName=foo' \
 --set 'server.enterpriseLicense.secretKey=bar' \
 . | tee /dev/stderr |
@@ -68,10 +68,10 @@ load _helpers
 #--------------------------------------------------------------------
 # global.acls.manageSystemACLs
-@test "enterpriseLicense/ClusterRole: allows acl token when global.acls.manageSystemACLs is true" {
+@test "enterpriseLicense/Role: allows acl token when global.acls.manageSystemACLs is true" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrole.yaml \
+ -x templates/enterprise-license-role.yaml \
 --set 'server.enterpriseLicense.secretName=foo' \
 --set 'server.enterpriseLicense.secretKey=bar' \
 --set 'global.acls.manageSystemACLs=true' \
@@ -84,10 +84,10 @@ load _helpers
 #--------------------------------------------------------------------
 # global.enablePodSecurityPolicies
-@test "enterpriseLicense/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
+@test "enterpriseLicense/Role: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrole.yaml \
+ -x templates/enterprise-license-role.yaml \
 --set 'server.enterpriseLicense.secretName=foo' \
 --set 'server.enterpriseLicense.secretKey=bar' \
 --set 'global.enablePodSecurityPolicies=true' \
diff --git a/test/unit/enterprise-license-clusterrolebinding.bats b/test/unit/enterprise-license-rolebinding.bats
similarity index 60%
rename from test/unit/enterprise-license-clusterrolebinding.bats
rename to test/unit/enterprise-license-rolebinding.bats
index eee9bbf994..c763a872c2 100644
--- a/test/unit/enterprise-license-clusterrolebinding.bats
+++ b/test/unit/enterprise-license-rolebinding.bats
@@ -2,19 +2,19 @@
 load _helpers
-@test "enterpriseLicense/ClusterRoleBinding: disabled by default" {
+@test "enterpriseLicense/RoleBinding: disabled by default" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrolebinding.yaml \
+ -x templates/enterprise-license-rolebinding.yaml \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
-@test "enterpriseLicense/ClusterRoleBinding: disabled with server=false, ent secret defined" {
+@test "enterpriseLicense/RoleBinding: disabled with server=false, ent secret defined" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrolebinding.yaml \
+ -x templates/enterprise-license-rolebinding.yaml \
 --set 'server.enabled=false' \
 --set 'server.enterpriseLicense.secretName=foo' \
 --set 'server.enterpriseLicense.secretKey=bar' \
@@ -23,30 +23,30 @@ load _helpers
 [ "${actual}" = "false" ]
 }
-@test "enterpriseLicense/ClusterRoleBinding: disabled when ent secretName missing" {
+@test "enterpriseLicense/RoleBinding: disabled when ent secretName missing" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrolebinding.yaml \
+ -x templates/enterprise-license-rolebinding.yaml \
 --set 'server.enterpriseLicense.secretKey=bar' \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
-@test "enterpriseLicense/ClusterRoleBinding: disabled when ent secretKey missing" {
+@test "enterpriseLicense/RoleBinding: disabled when ent secretKey missing" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrolebinding.yaml \
+ -x templates/enterprise-license-rolebinding.yaml \
 --set 'server.enterpriseLicense.secretName=foo' \
 . | tee /dev/stderr |
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
-@test "enterpriseLicense/ClusterRoleBinding: enabled when ent license defined" {
+@test "enterpriseLicense/RoleBinding: enabled when ent license defined" {
 cd `chart_dir`
 local actual=$(helm template \
- -x templates/enterprise-license-clusterrolebinding.yaml \
+ -x templates/enterprise-license-rolebinding.yaml \
 --set 'server.enterpriseLicense.secretName=foo' \
 --set 'server.enterpriseLicense.secretKey=bar' \
 . | tee /dev/stderr |