diff --git a/internal/tools/deploy/deploy.go b/internal/tools/deploy/deploy.go
index fc9da87..ca62f58 100644
--- a/internal/tools/deploy/deploy.go
+++ b/internal/tools/deploy/deploy.go
@@ -49,7 +49,21 @@ func Undeploy(ctx context.Context, kube client.Client, opts UndeployOptions) err
 return err
 }
 gvr := tools.ToGroupVersionResource(gvk)
- rbgen := rbacgen.NewRbacGenerator(opts.DiscoveryClient, pkg, opts.NamespacedName.Name, opts.NamespacedName.Namespace)
+
+ secretns, secretname := "", ""
+ if opts.Spec.Credentials != nil {
+ secretns = opts.Spec.Credentials.PasswordRef.Namespace
+ secretname = opts.Spec.Credentials.PasswordRef.Name
+ }
+
+ rbgen := rbacgen.NewRbacGenerator(
+ opts.DiscoveryClient,
+ pkg,
+ opts.NamespacedName.Name,
+ opts.NamespacedName.Namespace,
+ secretname,
+ secretns,
+ )
 rbMap, err := rbgen.PopulateRBAC(gvr.Resource)
 if err != nil && !errors.Is(err, rbacgen.ErrKindApiVersion) {
 return err
@@ -139,7 +153,21 @@ func Deploy(ctx context.Context, kube client.Client, opts DeployOptions) (err er
 gvr := tools.ToGroupVersionResource(gvk)
- rbgen := rbacgen.NewRbacGenerator(opts.DiscoveryClient, pkg, opts.NamespacedName.Name, opts.NamespacedName.Namespace)
+ secretns, secretname := "", ""
+
+ if opts.Spec.Credentials != nil {
+ secretns = opts.Spec.Credentials.PasswordRef.Namespace
+ secretname = opts.Spec.Credentials.PasswordRef.Name
+ }
+
+ rbgen := rbacgen.NewRbacGenerator(
+ opts.DiscoveryClient,
+ pkg,
+ opts.NamespacedName.Name,
+ opts.NamespacedName.Namespace,
+ secretname,
+ secretns,
+ )
 rbMap, err := rbgen.PopulateRBAC(gvr.Resource)
 if errors.Is(err, rbacgen.ErrKindApiVersion) {
diff --git a/internal/tools/rbacgen/rbacgen.go b/internal/tools/rbacgen/rbacgen.go
index ca86bb2..2e422ff 100644
--- a/internal/tools/rbacgen/rbacgen.go
+++ b/internal/tools/rbacgen/rbacgen.go
@@ -40,6 +40,8 @@ type RbacGenerator struct {
 pkg *chartfs.ChartFS
 deployName string
 deployNamespace string
+ secretNamespace string
+ secretName string
 }
 
 type RBAC struct {
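Review bot: Undeploy derives the secret namespace from the current `opts.Spec.Credentials`, so if the credentials reference was changed after Deploy ran, the Role/RoleBinding that Deploy created in the previously referenced namespace is not in the map this call computes and will presumably be left behind (Undeploy's body continues past the hunk, so the actual cleanup step is not visible here). Either undeploy should also consider the last applied reference (for example one recorded in status or an annotation), or cleanup should select the generated objects by label rather than recompute them from spec. The extraction itself is duplicated verbatim in Deploy; a small helper such as `func credentialSecretRef(spec) (name, ns string)` would keep the two paths from drifting apart.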
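Review bot: When `opts.Spec.Credentials` is set but `PasswordRef.Namespace` is empty, `secretns` stays `""` and the generator's guard (`if r.secretNamespace != "" && r.secretName != ""`) skips the secret Role entirely, while the blanket `secrets` rule that used to cover this case is removed in the same commit — so a reference without an explicit namespace ends up with no secret access at all. If an empty namespace is meant to resolve to the deployment's own namespace (common for Kubernetes secret references, but not visible here), default it before the constructor call: `if secretns == "" { secretns = opts.NamespacedName.Namespace }`; otherwise reject it up front with an error rather than silently dropping the grant. Deploy's body continues past the hunk.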
@@ -50,12 +52,14 @@ type RBAC struct {
 ServiceAccount *corev1.ServiceAccount
 }
 
-func NewRbacGenerator(discovery discovery.DiscoveryInterface, pkg *chartfs.ChartFS, deployName string, deployNamespace string) *RbacGenerator {
+func NewRbacGenerator(discovery discovery.DiscoveryInterface, pkg *chartfs.ChartFS, deployName string, deployNamespace string, secretName string, secretNamespace string) *RbacGenerator {
 return &RbacGenerator{
 discovery: discovery,
 pkg: pkg,
 deployName: deployName,
 deployNamespace: deployNamespace,
+ secretNamespace: secretNamespace,
+ secretName: secretName,
 }
 }
 
@@ -156,11 +160,6 @@ func (r *RbacGenerator) PopulateRBAC(resourceName string) (map[string]RBAC, erro
 Resources: []string{resourceName, fmt.Sprintf("%s/status", resourceName)},
 Verbs: []string{"*"},
 },
- {
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- Verbs: []string{"*"},
- },
 }
 
 rb := rbacMap[r.deployNamespace]
@@ -179,6 +178,29 @@ func (r *RbacGenerator) PopulateRBAC(resourceName string) (map[string]RBAC, erro
 rb.Role.Rules = append(rb.Role.Rules, compositionRules...)
 rbacMap[r.deployNamespace] = rb
 
+ //Secret Namespace RBAC
+ if r.secretNamespace != "" && r.secretName != "" {
+ rb, ok := rbacMap[r.secretNamespace]
+ if !ok {
+ rb = RBAC{}
+ }
+ if rb.Role == nil {
+ rb.Role = ptr(rbactools.InitRole(resourceName, types.NamespacedName{Name: r.deployName, Namespace: r.secretNamespace}))
+ }
+ if rb.RoleBinding == nil {
+ rb.RoleBinding = ptr(rbactools.CreateRoleBinding(
+ types.NamespacedName{Name: r.deployName, Namespace: r.deployNamespace},
+ types.NamespacedName{Name: r.deployName, Namespace: r.secretNamespace}))
+ }
+ rb.Role.Rules = append(rb.Role.Rules, rbacv1.PolicyRule{
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{"get"},
+ ResourceNames: []string{r.secretName},
+ })
+ rbacMap[r.secretNamespace] = rb
+ }
+
 if err != nil {
 return nil, err
 }
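Review bot: `secretName` and `secretNamespace` are two adjacent positional `string` parameters, and the callers in deploy.go build their locals in the opposite order (`secretns, secretname`), which makes a silent swap easy and would quietly grant `get` on the wrong object in the wrong namespace. Passing a single `secretRef types.NamespacedName` (the type this file already uses further down) removes the ambiguity: `func NewRbacGenerator(discovery discovery.DiscoveryInterface, pkg *chartfs.ChartFS, deployName string, deployNamespace string, secretRef types.NamespacedName) *RbacGenerator`. The exported constructor also has no doc comment; a line such as `// NewRbacGenerator builds a generator for deployName/deployNamespace; an empty secret name or namespace disables the per-secret Role.` would record the zero-value contract that PopulateRBAC relies on.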
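Review bot: The Role and RoleBinding created in the secret namespace are both named `r.deployName` (the two `types.NamespacedName{Name: r.deployName, Namespace: r.secretNamespace}` literals), so two deployments with the same name in different namespaces that reference secrets in the same third namespace would produce colliding objects, and whichever is applied last overwrites the other's subject and rules. Qualifying the name with the deploy namespace, e.g. `types.NamespacedName{Name: fmt.Sprintf("%s-%s", r.deployNamespace, r.deployName), Namespace: r.secretNamespace}`, keeps them distinct (the file already imports fmt). Narrowing the old wildcard secrets rule to `get` on one `ResourceNames` entry is the right direction, but `resourceNames` cannot restrict `list`/`watch`, so if the consumer reads the secret through a cached or informer-backed client this grant will not be sufficient — worth confirming it performs a direct get. The new block also runs before the existing `if err != nil` check, so it builds RBAC for a result that is about to be discarded; moving it below that check avoids the wasted work. PopulateRBAC's body starts before the hunk.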