Posted to commits@camel.apache.org by pc...@apache.org on 2023/12/13 08:29:19 UTC

(camel-k) 03/04: feat(install): Adaptations for namespaced/descoped separation rbacs

This is an automated email from the ASF dual-hosted git repository.

pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit ce5c6903bcf8c253a0248d007b06c59eca6cfe6b
Author: Gaelle Fournier <ga...@gmail.com>
AuthorDate: Mon Nov 13 14:13:08 2023 +0100

    feat(install): Adaptations for namespaced/descoped separation rbacs
---
 e2e/support/test_support.go      |  4 +--
 install/setup/kustomization.yaml | 12 +++++++++
 pkg/install/operator.go          | 55 ++++++++++++++++------------------------
 3 files changed, 36 insertions(+), 35 deletions(-)

diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go
index 2415efee2..371e8491a 100644
--- a/e2e/support/test_support.go
+++ b/e2e/support/test_support.go
@@ -2399,7 +2399,7 @@ func CreateOperatorRole(ns string) (err error) {
 		// This should ideally be removed from the common RBAC manifest.
 		customizer = install.RemoveIngressRoleCustomizer
 	}
-	err = install.Resource(TestContext, TestClient(), ns, true, customizer, "/rbac/operator-role.yaml")
+	err = install.Resource(TestContext, TestClient(), ns, true, customizer, "/rbac/namespaced/operator-role.yaml")
 	if err != nil {
 		return err
 	}
@@ -2414,7 +2414,7 @@ func CreateOperatorRoleBinding(ns string) error {
 	if err != nil {
 		failTest(err)
 	}
-	err = install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/operator-role-binding.yaml")
+	err = install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/namespaced/operator-role-binding.yaml")
 	if err != nil {
 		return err
 	}
diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml
index c10dfd653..9598726ca 100644
--- a/install/setup/kustomization.yaml
+++ b/install/setup/kustomization.yaml
@@ -19,3 +19,15 @@ kind: Kustomization
 
 resources:
 - ../config/rbac
+
+transformers:
+- |-
+  apiVersion: builtin
+  kind: PatchTransformer
+  metadata:
+    name: fix-local-registry-rbac-namespace
+  patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+  target:
+    group: rbac.authorization.k8s.io
+    kind: RoleBinding
+    name: camel-k-operator-local-registry
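Review bot: The transformer uses a JSON-patch `replace` on `/metadata/namespace`, and RFC 6902 `replace` errors out when the target path does not exist, so the build breaks if the `camel-k-operator-local-registry` RoleBinding in `../config/rbac` ships without a `namespace` field; `add` sets the field whether or not it is present, i.e. `patch: '[{"op": "add", "path": "/metadata/namespace", "value": "kube-public"}]'`. The reason for pinning this single binding to `kube-public` while everything else stays in the operator namespace is not recorded anywhere; a comment above the transformer such as `# this RoleBinding must live in kube-public, where the local-registry-hosting ConfigMap it reads is published` would explain it — presumably that is the motivation, confirm. Note that moving the binding does not alter its subject, so the ServiceAccount it references must still point at the operator namespace the rest of this kustomization targets.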
diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index b12cb734c..b24dbe2f3 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
@@ -200,41 +200,30 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 					envvar.SetVal(&d.Spec.Template.Spec.Containers[0].Env, "WATCH_NAMESPACE", "")
 				}
 			}
-
-			// Turn Role & RoleBinding into their equivalent cluster types
-			if r, ok := o.(*rbacv1.Role); ok {
-				if strings.HasPrefix(r.Name, "camel-k-operator") {
-					o = &rbacv1.ClusterRole{
-						ObjectMeta: metav1.ObjectMeta{
-							Namespace: cfg.Namespace,
-							Name:      r.Name,
-							Labels: map[string]string{
-								"app": "camel-k",
-							},
-						},
-						Rules: r.Rules,
+			// Configure subject on ClusterRoleBindings
+			if crb, ok := o.(*rbacv1.ClusterRoleBinding); ok {
+				if strings.HasPrefix(crb.Name, "camel-k-operator") {
+					crb.ObjectMeta.Name = fmt.Sprintf("%s-%s", crb.ObjectMeta.Name, cfg.Namespace)
+					bound := false
+					for i, subject := range crb.Subjects {
+						if subject.Name == "camel-k-operator" {
+							if subject.Namespace == cfg.Namespace {
+								bound = true
+								break
+							} else if subject.Namespace == "" || subject.Namespace == "placeholder" {
+								crb.Subjects[i].Namespace = cfg.Namespace
+								bound = true
+								break
+							}
+						}
 					}
-				}
-			}
-
-			if rb, ok := o.(*rbacv1.RoleBinding); ok {
-				if strings.HasPrefix(rb.Name, "camel-k-operator") {
-					rb.Subjects[0].Namespace = cfg.Namespace
 
-					o = &rbacv1.ClusterRoleBinding{
-						ObjectMeta: metav1.ObjectMeta{
+					if !bound {
+						crb.Subjects = append(crb.Subjects, rbacv1.Subject{
+							Kind:      "ServiceAccount",
 							Namespace: cfg.Namespace,
-							Name:      fmt.Sprintf("%s-%s", rb.Name, cfg.Namespace),
-							Labels: map[string]string{
-								"app": "camel-k",
-							},
-						},
-						Subjects: rb.Subjects,
-						RoleRef: rbacv1.RoleRef{
-							APIGroup: rb.RoleRef.APIGroup,
-							Kind:     "ClusterRole",
-							Name:     rb.RoleRef.Name,
-						},
+							Name:      "camel-k-operator",
+						})
 					}
 				}
 			}
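Review bot: The subject match in the new ClusterRoleBinding branch keys only on `subject.Name == "camel-k-operator"` and never checks `subject.Kind`, so a User or Group subject of that name would be mistaken for the operator's ServiceAccount and silently get its namespace rewritten; guard with `if subject.Kind == rbacv1.ServiceAccountKind && subject.Name == "camel-k-operator" {`. A subject whose namespace is neither empty, `placeholder` nor cfg.Namespace is kept and a second subject is appended, so the per-namespace binding `<name>-<ns>` would then also grant the ClusterRole to a service account in a different namespace — if a shipped manifest can carry such a subject, it should be replaced rather than appended alongside. The same loop appears almost verbatim in installClusterRoleBinding (second hunk of this file), so a single helper as sketched below keeps the two in sync. OperatorOrCollect begins and ends outside this hunk.
```go
// bindOperatorServiceAccount returns subjects with the camel-k-operator
// ServiceAccount of namespace bound exactly once, reusing an entry whose
// namespace is empty or the "placeholder" marker when one exists.
func bindOperatorServiceAccount(subjects []rbacv1.Subject, namespace string) []rbacv1.Subject {
	for i, subject := range subjects {
		if subject.Kind != rbacv1.ServiceAccountKind || subject.Name != "camel-k-operator" {
			continue
		}
		if subject.Namespace == namespace {
			return subjects
		}
		if subject.Namespace == "" || subject.Namespace == "placeholder" {
			subjects[i].Namespace = namespace
			return subjects
		}
	}
	return append(subjects, rbacv1.Subject{
		Kind:      rbacv1.ServiceAccountKind,
		Namespace: namespace,
		Name:      "camel-k-operator",
	})
}

// … in OperatorOrCollect, replacing the bound/append loop:
crb.Subjects = bindOperatorServiceAccount(crb.Subjects, cfg.Namespace)
```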
@@ -444,7 +433,7 @@ func installClusterRoleBinding(ctx context.Context, c client.Client, collection
 				bound = true
 
 				break
-			} else if subject.Namespace == "" {
+			} else if subject.Namespace == "" || subject.Namespace == "placeholder" {
 				target.Subjects[i].Namespace = namespace
 				bound = true