Merge pull request #995 from bdunne/workflows_rbac

Add RBAC for the automation worker
ManageIQ · Sep 27, 2023 · b34c2f4 · b34c2f4
2 parents 176b398 + 47a2d33
commit b34c2f4
Show file tree

Hide file tree

Showing 2 changed files with 105 additions and 0 deletions.
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/rbac.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/rbac.go
@@ -5,6 +5,7 @@ import (
 
 	miqv1alpha1 "github.com/ManageIQ/manageiq-pods/manageiq-operator/api/v1alpha1"
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -52,3 +53,84 @@ func DefaultServiceAccount(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*c
 
 	return sa, f
 }
+
+func AutomationRole(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*rbacv1.Role, controllerutil.MutateFn) {
+	role := &rbacv1.Role{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "manageiq-automation",
+			Namespace: cr.ObjectMeta.Namespace,
+		},
+	}
+
+	f := func() error {
+		if err := controllerutil.SetControllerReference(cr, role, scheme); err != nil {
+			return err
+		}
+
+		role.Rules = []rbacv1.PolicyRule{
+			rbacv1.PolicyRule{
+				APIGroups: []string{""},
+				Resources: []string{"pods", "secrets"},
+				Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+			},
+		}
+
+		return nil
+	}
+
+	return role, f
+}
+
+func AutomationRoleBinding(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*rbacv1.RoleBinding, controllerutil.MutateFn) {
+	rb := &rbacv1.RoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "manageiq-automation",
+			Namespace: cr.ObjectMeta.Namespace,
+		},
+	}
+
+	f := func() error {
+		if err := controllerutil.SetControllerReference(cr, rb, scheme); err != nil {
+			return err
+		}
+
+		rb.RoleRef = rbacv1.RoleRef{
+			Kind:     "Role",
+			Name:     "manageiq-automation",
+			APIGroup: "rbac.authorization.k8s.io",
+		}
+		rb.Subjects = []rbacv1.Subject{
+			rbacv1.Subject{
+				Kind: "ServiceAccount",
+				Name: "manageiq-automation",
+			},
+		}
+
+		return nil
+	}
+
+	return rb, f
+}
+
+func AutomationServiceAccount(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*corev1.ServiceAccount, controllerutil.MutateFn) {
+	sa := &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "manageiq-automation",
+			Namespace: cr.ObjectMeta.Namespace,
+		},
+	}
+
+	f := func() error {
+		if err := controllerutil.SetControllerReference(cr, sa, scheme); err != nil {
+			return err
+		}
+
+		if cr.Spec.ImagePullSecret != "" {
+			addSAPullSecret(sa, cr.Spec.ImagePullSecret)
+		}
+
+		return nil
+	}
+
+	return sa, f
+}
diff --git a/manageiq-operator/internal/controller/manageiq_controller.go b/manageiq-operator/internal/controller/manageiq_controller.go
@@ -143,11 +143,13 @@ func (r *ManageIQReconciler) Reconcile(ctx context.Context, request ctrl.Request
 	if e := r.manageApplicationResources(miqInstance); e != nil {
 		return reconcile.Result{}, e
 	}
+	logger.Info("Reconciling the CR status...")
 	if err := r.updateManageIQStatus(miqInstance); err != nil {
 		reqLogger.Error(err, "Failed setting ManageIQ status")
 		return reconcile.Result{}, err
 	}
 
+	logger.Info("Reconcile complete.")
 	return reconcile.Result{}, nil
 }
 
@@ -826,5 +828,26 @@ func (r *ManageIQReconciler) manageApplicationResources(cr *miqv1alpha1.ManageIQ
 		logger.Info("ConfigMap has been reconciled", "component", "application remote console", "result", result)
 	}
 
+	role, mutateFunc := miqtool.AutomationRole(cr, r.Scheme)
+	if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, role, mutateFunc); err != nil {
+		return err
+	} else if result != controllerutil.OperationResultNone {
+		logger.Info("Role has been reconciled", "component", "automation", "result", result)
+	}
+
+	roleBinding, mutateFunc := miqtool.AutomationRoleBinding(cr, r.Scheme)
+	if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, roleBinding, mutateFunc); err != nil {
+		return err
+	} else if result != controllerutil.OperationResultNone {
+		logger.Info("RoleBinding has been reconciled", "component", "automation", "result", result)
+	}
+
+	serviceAccount, mutateFunc := miqtool.AutomationServiceAccount(cr, r.Scheme)
+	if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, serviceAccount, mutateFunc); err != nil {
+		return err
+	} else if result != controllerutil.OperationResultNone {
+		logger.Info("ServiceAccount has been reconciled", "component", "automation", "result", result)
+	}
+
 	return nil
 }