Merge branch 'master' into kubesaw170_restart

kubesaw · Sep 18, 2024 · 4cd8e26 · 4cd8e26
2 parents ad5348e + a120896
commit 4cd8e26
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 49 deletions.
diff --git a/README.adoc b/README.adoc
@@ -246,24 +246,26 @@ To add a -crtadmin user for a particular component in member cluster, update the
 For an admin of the component that needs to manually approve operator updates:
 ```yaml
 users:
-- name: <your-name>-crtadmin
+- name: <your-name>-maintainer
   id:
   - <sso-identities>
   member:
     roleBindings:
     - namespace: <namespace-name>
       roles:
-      - approve-operator-update
+      - view-secrets
       clusterRoles:
-      - admin
+      - <edit/admin>
+      - some-extra-permissions
     clusterRoleBindings:
       clusterRoles:
-      - list-operators-group
+      - some-extra-cluster-scope-permissions
 ```
+NOTE: The creation of the ClusterRoles is not managed via ksctl, you need to make sure that they are created in the cluster.
 
 For a maintainer of the component with limited permissions:
 ```yaml
-- name: <your-name>-crtadmin
+- name: <your-name>-maintainer
   id:
   - <sso-identities>
   member:
@@ -275,7 +277,7 @@ For a maintainer of the component with limited permissions:
 
 If you need any permissions also in a namespace in host cluster (to be used mainly by KubeSaw maintainers), then include the host section in the user's definition as well:
 ```yaml
-- name: <your-name>-crtadmin
+- name: <your-name>-maintainer
   id:
   - <sso-identities>
   host:

diff --git a/pkg/cmd/generate/permissions.go b/pkg/cmd/generate/permissions.go
@@ -171,7 +171,7 @@ func ensureServiceAccount(saNamespace string) newSubjectFunc {
 
 // ensureUserIdentityAndGroups ensures that all - User, Identity, IdentityMapping, and Group manifests - exist
 func ensureUserIdentityAndGroups(IDs []string, groups []string) newSubjectFunc {
-	return func(ctx *clusterContext, cache objectsCache, subjectBaseName, targetNamespace string, labels map[string]string) (rbacv1.Subject, error) {
+	return func(ctx *clusterContext, cache objectsCache, subjectBaseName, _ string, labels map[string]string) (rbacv1.Subject, error) {
 		// create user
 		user := &userv1.User{
 			ObjectMeta: metav1.ObjectMeta{

diff --git a/pkg/cmd/generate/permissions_test.go b/pkg/cmd/generate/permissions_test.go
@@ -135,7 +135,7 @@ func TestEnsureUserAndIdentity(t *testing.T) {
 		cache := objectsCache{}
 
 		// when
-		subject, err := ensureUserIdentityAndGroups([]string{"12345", "abc:19944:FZZ"}, []string{"crtadmins", "cooladmins"})(ctx, cache, "john-crtadmin", commontest.HostOperatorNs, labels)
+		subject, err := ensureUserIdentityAndGroups([]string{"12345", "abc:19944:FZZ"}, []string{"crtadmins", "cooladmins"})(ctx, cache, "john-crtadmin", "not-used", labels)
 
 		// then
 		require.NoError(t, err)
@@ -156,7 +156,7 @@ func TestEnsureUserAndIdentity(t *testing.T) {
 		cache := objectsCache{}
 
 		// when
-		subject, err := ensureUserIdentityAndGroups([]string{"12345", "abc:19944:FZZ"}, []string{})(ctx, cache, "john-crtadmin", commontest.HostOperatorNs, labels)
+		subject, err := ensureUserIdentityAndGroups([]string{"12345", "abc:19944:FZZ"}, []string{})(ctx, cache, "john-crtadmin", "not-used", labels)
 
 		// then
 		require.NoError(t, err)
@@ -175,7 +175,7 @@ func TestEnsureUserAndIdentity(t *testing.T) {
 		cache := objectsCache{}
 
 		// when
-		_, err := ensureUserIdentityAndGroups([]string{"12345"}, []string{})(ctx, cache, "john-crtadmin", commontest.HostOperatorNs, labels)
+		_, err := ensureUserIdentityAndGroups([]string{"12345"}, []string{})(ctx, cache, "john-crtadmin", "not-used", labels)
 
 		// then
 		require.NoError(t, err)

diff --git a/resources/roles/member.yaml b/resources/roles/member.yaml
@@ -4,25 +4,6 @@ metadata:
   name: member-roles
 objects:
 
-- kind: Role
-  apiVersion: rbac.authorization.k8s.io/v1
-  metadata:
-    name: approve-operator-update
-    labels:
-      provider: ksctl
-  rules:
-  - apiGroups:
-    - operators.coreos.com
-    resources:
-    - "installplans"
-    verbs:
-    - "get"
-    - "list"
-    - "create"
-    - "patch"
-    - "update"
-    - "delete"
-
 - kind: Role
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
@@ -73,20 +54,3 @@ objects:
     - "create"
     - "update"
     - "patch"
-
-- kind: Role
-  apiVersion: rbac.authorization.k8s.io/v1
-  metadata:
-    name: edit-csv
-    labels:
-      provider: ksctl
-  rules:
-  - apiGroups:
-    - operators.coreos.com
-    resources:
-    - "clusterserviceversions"
-    verbs:
-    - "get"
-    - "list"
-    - "patch"
-    - "update"
diff --git a/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml b/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml
@@ -143,13 +143,12 @@ users:
   member:
     roleBindings:
     - namespace: some-component
-      roles:
-      - approve-operator-update
       clusterRoles:
       - edit
+      - approve-operator-update # needs to be created separately
     clusterRoleBindings:
       clusterRoles:
-      - list-operators-group
+      - list-operators-group # needs to be created separately
 
 - name: other-component-viewer
   id: