Merge pull request #492 from mbaldessari/imperative-admin

Add an imperative-admin-sa service account

Author: mbaldessari

clustergroup/templates/imperative/clusterrole.yaml

@@ -1,5 +1,6 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -18,4 +19,19 @@ rules:
     - list
     - watch
 {{- end }}
+{{- end }} {{/* if $.Values.clusterGroup.imperative.serviceAccountCreate */}}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.adminClusterRoleName }}
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+{{- end }} {{/* if $.Values.clusterGroup.imperative.adminServiceAccountCreate */}}
 {{- end }}

clustergroup/templates/imperative/rbac.yaml

@@ -1,10 +1,11 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ $.Values.clusterGroup.imperative.namespace }}-cluster-admin-rolebinding
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-cluster-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -17,7 +18,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ $.Values.clusterGroup.imperative.namespace }}-admin-rolebinding
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-rolebinding
   namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -28,3 +29,19 @@ subjects:
     name: {{ $.Values.clusterGroup.imperative.serviceAccountName }}
     namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 {{- end }}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-admin-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $.Values.clusterGroup.imperative.adminClusterRoleName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }}
+    namespace: {{ $.Values.clusterGroup.imperative.namespace }}
+{{- end }}
+{{- end }}

clustergroup/templates/imperative/serviceaccount.yaml

@@ -1,10 +1,18 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
-{{- if $.Values.clusterGroup.imperative.serviceAccountCreate -}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ $.Values.clusterGroup.imperative.serviceAccountName }}
   namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 {{- end }}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }}
+  namespace: {{ $.Values.clusterGroup.imperative.namespace }}
+{{- end }}
 {{- end }}

clustergroup/values.schema.json

@@ -677,6 +677,15 @@
         },
         "roleYaml": {
           "type": "string"
+        },
+        "adminServiceAccountCreate": {
+          "type": "boolean"
+        },
+        "adminServiceAccountName": {
+          "type": "string"
+        },
+        "adminClusterRoleName": {
+          "type": "string"
         }
       },
       "required": [

clustergroup/values.yaml

@@ -51,6 +51,10 @@ clusterGroup:
     clusterRoleYaml: ""
     roleName: imperative-role
     roleYaml: ""
+    adminServiceAccountCreate: true
+    adminServiceAccountName: imperative-admin-sa
+    adminClusterRoleName: imperative-admin-cluster-role
+
   managedClusterGroups: {}
   namespaces: []
 #  - name: factory

tests/clustergroup-industrial-edge-factory.expected.yaml

@@ -64,6 +64,13 @@ metadata:
   name: imperative-sa
   namespace: imperative
 ---
+# Source: clustergroup/templates/imperative/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: imperative-admin-sa
+  namespace: imperative
+---
 # Source: clustergroup/templates/imperative/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
@@ -116,6 +123,9 @@ data:
         initContainers: []
       imperative:
         activeDeadlineSeconds: 3600
+        adminClusterRoleName: imperative-admin-cluster-role
+        adminServiceAccountCreate: true
+        adminServiceAccountName: imperative-admin-sa
         clusterRoleName: imperative-cluster-role
         clusterRoleYaml: ""
         cronJobName: imperative-cronjob
@@ -264,11 +274,24 @@ rules:
     - list
     - watch
 ---
+# Source: clustergroup/templates/imperative/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: imperative-admin-cluster-role
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+---
 # Source: clustergroup/templates/imperative/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: imperative-cluster-admin-rolebinding
+  name: imperative-cluster-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -278,6 +301,20 @@ subjects:
     name: imperative-sa
     namespace: imperative
 ---
+# Source: clustergroup/templates/imperative/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: imperative-admin-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: imperative-admin-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: imperative-admin-sa
+    namespace: imperative
+---
 # Source: clustergroup/templates/plumbing/argocd-super-role.yaml
 # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
 apiVersion: rbac.authorization.k8s.io/v1
@@ -340,7 +377,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: imperative-admin-rolebinding
+  name: imperative-rolebinding
   namespace: imperative
 roleRef:
   apiGroup: rbac.authorization.k8s.io

tests/clustergroup-industrial-edge-hub.expected.yaml

@@ -109,6 +109,13 @@ metadata:
   name: imperative-sa
   namespace: imperative
 ---
+# Source: clustergroup/templates/imperative/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: imperative-admin-sa
+  namespace: imperative
+---
 # Source: clustergroup/templates/imperative/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
@@ -237,6 +244,9 @@ data:
         initContainers: []
       imperative:
         activeDeadlineSeconds: 3600
+        adminClusterRoleName: imperative-admin-cluster-role
+        adminServiceAccountCreate: true
+        adminServiceAccountName: imperative-admin-sa
         clusterRoleName: imperative-cluster-role
         clusterRoleYaml: ""
         cronJobName: imperative-cronjob
@@ -425,11 +435,24 @@ rules:
     - list
     - watch
 ---
+# Source: clustergroup/templates/imperative/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: imperative-admin-cluster-role
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+---
 # Source: clustergroup/templates/imperative/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: imperative-cluster-admin-rolebinding
+  name: imperative-cluster-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -439,6 +462,20 @@ subjects:
     name: imperative-sa
     namespace: imperative
 ---
+# Source: clustergroup/templates/imperative/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: imperative-admin-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: imperative-admin-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: imperative-admin-sa
+    namespace: imperative
+---
 # Source: clustergroup/templates/plumbing/argocd-super-role.yaml
 # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
 apiVersion: rbac.authorization.k8s.io/v1
@@ -501,7 +538,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: imperative-admin-rolebinding
+  name: imperative-rolebinding
   namespace: imperative
 roleRef:
   apiGroup: rbac.authorization.k8s.io

tests/clustergroup-medical-diagnosis-hub.expected.yaml

@@ -109,6 +109,13 @@ metadata:
   name: imperative-sa
   namespace: imperative
 ---
+# Source: clustergroup/templates/imperative/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: imperative-admin-sa
+  namespace: imperative
+---
 # Source: clustergroup/templates/imperative/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
@@ -220,6 +227,9 @@ data:
         initContainers: []
       imperative:
         activeDeadlineSeconds: 3600
+        adminClusterRoleName: imperative-admin-cluster-role
+        adminServiceAccountCreate: true
+        adminServiceAccountName: imperative-admin-sa
         clusterRoleName: imperative-cluster-role
         clusterRoleYaml: ""
         cronJobName: imperative-cronjob
@@ -352,11 +362,24 @@ rules:
     - list
     - watch
 ---
+# Source: clustergroup/templates/imperative/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: imperative-admin-cluster-role
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+---
 # Source: clustergroup/templates/imperative/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: imperative-cluster-admin-rolebinding
+  name: imperative-cluster-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -366,6 +389,20 @@ subjects:
     name: imperative-sa
     namespace: imperative
 ---
+# Source: clustergroup/templates/imperative/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: imperative-admin-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: imperative-admin-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: imperative-admin-sa
+    namespace: imperative
+---
 # Source: clustergroup/templates/plumbing/argocd-super-role.yaml
 # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
 apiVersion: rbac.authorization.k8s.io/v1
@@ -428,7 +465,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: imperative-admin-rolebinding
+  name: imperative-rolebinding
   namespace: imperative
 roleRef:
   apiGroup: rbac.authorization.k8s.io