From 0cddc5180138c03e1ded55c6ac7bcbe9043e82aa Mon Sep 17 00:00:00 2001 
From: Kjeld Schouten Date: Sat, 27 Apr 2024 19:27:34 +0200 Subject: [PATCH] feat(common): add support for RBAC nonResourceURLs (#794) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **Description** Some applications do need this. **โš™๏ธ Type of change** - [x] โš™๏ธ Feature/App addition - [ ] ๐Ÿช› Bugfix - [ ] โš ๏ธ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] ๐Ÿ”ƒ Refactor of current code **๐Ÿงช How Has This Been Tested?** **๐Ÿ“ƒ Notes:** **โœ”๏ธ Checklist:** - [ ] โš–๏ธ My code follows the style guidelines of this project - [ ] ๐Ÿ‘€ I have performed a self-review of my own code - [ ] #๏ธโƒฃ I have commented my code, particularly in hard-to-understand areas - [ ] ๐Ÿ“„ I have made corresponding changes to the documentation - [ ] โš ๏ธ My changes generate no new warnings - [ ] ๐Ÿงช I have added tests to this description that prove my fix is effective or that my feature works - [ ] โฌ†๏ธ I increased versions for any altered app according to semantic versioning - [ ] I made sure the title starts with `feat(chart-name):`, `fix(chart-name):` or `chore(chart-name):` **โž• App addition** If this PR is an app addition please make sure you have done the following. - [ ] ๐Ÿ–ผ๏ธ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --------- Co-authored-by: Stavros kois --- .github/workflows/common.release.yaml | 2 +- .github/workflows/common_library_tests.yaml | 14 +++--- library/common-test/tests/rbac/data_test.yaml | 6 ++- .../tests/rbac/validation_test.yaml | 49 +++++++++++++++++++ library/common/Chart.yaml | 2 +- library/common/templates/lib/rbac/_rules.tpl | 16 ++++++ 6 files changed, 78 insertions(+), 11 deletions(-) 
diff --git a/.github/workflows/common.release.yaml b/.github/workflows/common.release.yaml index 60796452..a8dc2d76 100644 --- a/.github/workflows/common.release.yaml +++ b/.github/workflows/common.release.yaml @@ -30,7 +30,7 @@ jobs: - name: Install Helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4 with: - version: v3.14.1 + version: v3.14.4 # Optional step if GPG signing is used - name: Prepare GPG key diff --git a/.github/workflows/common_library_tests.yaml b/.github/workflows/common_library_tests.yaml index 766122af..bb495f68 100644 --- a/.github/workflows/common_library_tests.yaml +++ b/.github/workflows/common_library_tests.yaml @@ -24,7 +24,7 @@ jobs: helm-version: - v3.11.3 - v3.12.3 - - v3.14.1 + - v3.14.4 steps: - name: Checkout uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 @@ -62,7 +62,7 @@ jobs: fail-fast: false matrix: helm-version: - - v3.14.1 + - v3.14.4 steps: - name: Checkout uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 @@ -112,7 +112,7 @@ jobs: helm-version: - v3.11.3 - v3.12.3 - - v3.14.1 + - v3.14.4 values: - basic-values.yaml - configmap-values.yaml @@ -202,8 +202,6 @@ jobs: tar -xvzf kail_${KAIL_VERSION}_linux_amd64.tar.gz chmod +x kail - - - name: Add Dependencies run: | if [[ "${{ matrix.values }}" =~ (ingress|metrics|cnpg).*-values.yaml ]]; then @@ -257,7 +255,7 @@ jobs: # # We run tests on Helm version of latest SCALE release # helm-version: # - v3.12.3 -# - v3.14.0 +# - v3.14.4 # values: # - basic-values.yaml # - configmap-values.yaml @@ -321,7 +319,7 @@ jobs: # # We run tests on Helm version of latest SCALE release # helm-version: # - v3.12.3 -# - v3.14.0 +# - v3.14.4 # values: # - ingress-values.yaml # - metrics-values.yaml @@ -377,7 +375,7 @@ jobs: # # We run tests on Helm version of latest SCALE release # helm-version: # - v3.12.3 -# - v3.14.0 +# - v3.14.4 # values: # - vpn-gluetun-values.yaml # - vpn-tailscale-values.yaml 
diff --git a/library/common-test/tests/rbac/data_test.yaml b/library/common-test/tests/rbac/data_test.yaml index 289fb4f7..5484b3e6 100644 --- a/library/common-test/tests/rbac/data_test.yaml +++ b/library/common-test/tests/rbac/data_test.yaml @@ -13,6 +13,7 @@ tests: some_kind: some-kind some_name: some-name some_api_group: rbac.authorization.k8s.io + some_non_resource_url: /health serviceAccount: my-sa: enabled: true @@ -39,6 +40,8 @@ tests: - "{{ .Values.some_name }}" verbs: - "{{ .Values.some_verb }}" + nonResourceURLs: + - "{{ .Values.some_non_resource_url }}" subjects: - kind: a-kind name: a-name @@ -46,7 +49,6 @@ tests: - kind: "{{ .Values.some_kind }}" name: "{{ .Values.some_name }}" apiGroup: "{{ .Values.some_api_group }}" - asserts: - documentIndex: &roleDoc 2 isKind: @@ -73,6 +75,8 @@ tests: - some-name verbs: - list + nonResourceURLs: + - /health - documentIndex: &roleBinding 3 isKind: of: RoleBinding diff --git a/library/common-test/tests/rbac/validation_test.yaml b/library/common-test/tests/rbac/validation_test.yaml index f256e2e8..bf54997b 100644 --- a/library/common-test/tests/rbac/validation_test.yaml +++ b/library/common-test/tests/rbac/validation_test.yaml @@ -141,6 +141,36 @@ tests: - failedTemplate: errorMessage: RBAC - Expected non-empty [rbac.rules.verbs] + - it: should fail without apiGroups in rules in rbac + set: + rbac: + my-rbac: + enabled: true + primary: true + rules: + - resources: + - pods + - verbs: + - get + asserts: + - failedTemplate: + errorMessage: RBAC - Expected non-empty [rbac.rules.apiGroups] + + - it: should fail without apiGroups in rules in rbac + set: + rbac: + my-rbac: + enabled: true + primary: true + rules: + - resources: + - "pods" + - verbs: + - get + asserts: + - failedTemplate: + errorMessage: RBAC - Expected non-empty [rbac.rules.apiGroups] + - it: should fail with empty entry in resources in rules in rbac set: rbac: 
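Review bot: The two new cases in validation_test.yaml carry the same `it:` string, `should fail without apiGroups in rules in rbac`, and differ only in `pods` versus `"pods"`, which the YAML loader reads as the same value, so the second case adds no coverage and its report line cannot be told apart from the first; drop it or rename it to what it actually exercises. The `rules:` fixture in both cases also appears to split `resources` and `verbs` into two list items (`- resources:` / `- verbs:`), so the rule under test is one with resources and no verbs followed by a second rule with verbs and nothing else, whereas the later nonResourceURLs case writes `resources:` and `verbs:` as sibling keys of one rule; the apiGroups cases should use the same single-item shape. The _rules.tpl hunk in this commit now also fails on a missing `resources`, and unless that case already exists elsewhere in this file (not visible here) it has no test; a case mirroring the apiGroups one with `errorMessage: RBAC - Expected non-empty [rbac.rules.resources]` would pin it.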
@@ -159,6 +189,25 @@ tests: - failedTemplate: errorMessage: RBAC - Expected non-empty entry in [rbac.rules.resources] + - it: should fail with empty entry in nonResourceURLs in rules in rbac + set: + rbac: + my-rbac: + enabled: true + primary: true + rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + nonResourceURLs: + - "" + asserts: + - failedTemplate: + errorMessage: RBAC - Expected non-empty entry in [rbac.rules.nonResourceURLs] + - it: should fail with empty entry in verbs in rules in rbac set: rbac: diff --git a/library/common/Chart.yaml b/library/common/Chart.yaml index 14414720..6aca6562 100644 --- a/library/common/Chart.yaml +++ b/library/common/Chart.yaml @@ -15,7 +15,7 @@ maintainers: name: common sources: null type: library -version: 20.4.0 +version: 20.4.1 annotations: artifacthub.io/category: "integration-delivery" artifacthub.io/license: "BUSL-1.1" diff --git a/library/common/templates/lib/rbac/_rules.tpl b/library/common/templates/lib/rbac/_rules.tpl index 9b330388..54813d15 100644 --- a/library/common/templates/lib/rbac/_rules.tpl +++ b/library/common/templates/lib/rbac/_rules.tpl @@ -14,6 +14,12 @@ objectData: The object data to be used to render the RBAC. {{- end -}} {{- range $objectData.rules -}} + {{- if not .apiGroups -}} + {{- fail "RBAC - Expected non-empty [rbac.rules.apiGroups]" -}} + {{- end -}} + {{- if not .resources -}} + {{- fail "RBAC - Expected non-empty [rbac.rules.resources]" -}} + {{- end -}} {{- if not .verbs -}} {{- fail "RBAC - Expected non-empty [rbac.rules.verbs]" -}} {{- end -}} 
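Review bot: The new mandatory `apiGroups` and `resources` checks at the top of the `range $objectData.rules` loop conflict with the `nonResourceURLs` support added in the next hunk: Kubernetes validates a PolicyRule so that `nonResourceURLs` may not be combined with `apiGroups`, `resources` or `resourceNames` (and is only accepted on a ClusterRole, not on a namespaced Role), so every rule that uses the new key is forced into a shape the API server rejects. The data_test.yaml fixture in this commit asserts exactly that combined shape (`resources: - some-name` next to `nonResourceURLs: - /health`) and the new validation case on this line does the same, so the unit tests pass while the rendered object would fail to apply. The checks should branch on the rule form: a rule with `nonResourceURLs` must carry no `apiGroups`/`resources`, otherwise both are required as written. The `range` body continues outside the hunk, so whether the `apiGroups:`/`resources:` emission later in the loop is already conditional is not visible here; if it is unconditional it needs the same guard, and the Role/ClusterRole distinction would have to be enforced where `$objectData` is built.

```gotmpl
{{- range $objectData.rules -}}
  {{- /* nonResourceURLs rules are a separate form: apiGroups/resources are not allowed on them */}}
  {{- if .nonResourceURLs -}}
    {{- if or .apiGroups .resources -}}
      {{- fail "RBAC - [rbac.rules.nonResourceURLs] cannot be combined with [rbac.rules.apiGroups] or [rbac.rules.resources]" -}}
    {{- end -}}
  {{- else -}}
    {{- if not .apiGroups -}}
      {{- fail "RBAC - Expected non-empty [rbac.rules.apiGroups]" -}}
    {{- end -}}
    {{- if not .resources -}}
      {{- fail "RBAC - Expected non-empty [rbac.rules.resources]" -}}
    {{- end -}}
  {{- end -}}
  {{- /* … unchanged: verbs check and the rest of the loop body … */}}
```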
@@ -41,6 +47,16 @@ objectData: The object data to be used to render the RBAC. - {{ tpl . $rootCtx | quote }} {{- end -}} {{- end -}} + {{- /* nonResourceURLs */}} + {{- if .nonResourceURLs }} + nonResourceURLs: + {{- range .nonResourceURLs }} + {{- if not . -}} + {{- fail "RBAC - Expected non-empty entry in [rbac.rules.nonResourceURLs]" -}} + {{- end }} + - {{ tpl . $rootCtx | quote }} + {{- end -}} + {{- end -}} {{- /* verbs */}} verbs: {{- range .verbs -}}