build: generate a separate NFS CSI RBAC manifest

Because the NFS CSI driver is optional and rarely deployed, make RBAC for this driver an optional example that is generated by the helm chart. Signed-off-by: Blaine Gardner <[email protected]>
Albe83 · Apr 12, 2022 · bca2f12 · bca2f12
1 parent 5470d9c
commit bca2f12
Show file tree

Hide file tree

Showing 7 changed files with 159 additions and 62 deletions.
diff --git a/Makefile b/Makefile
@@ -194,6 +194,7 @@ crds: $(CONTROLLER_GEN) $(YQ)
 gen-rbac: $(HELM) $(YQ) ## generate RBAC from Helm charts
 	@# output only stdout to the file; stderr for debugging should keep going to stderr
 	HELM=$(HELM) ./build/rbac/gen-common.sh
+	HELM=$(HELM) ./build/rbac/gen-nfs-rbac.sh
 
 .PHONY: all build.common
 .PHONY: build build.all install test check vet fmt codegen mod.check clean distclean prune

diff --git a/build/rbac/gen-nfs-rbac.sh b/build/rbac/gen-nfs-rbac.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -xeEuo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+pushd "$SCRIPT_DIR" &>/dev/stderr
+
+NFS_RBAC_YAML_FILE="$SCRIPT_DIR/../../deploy/examples/csi/nfs/rbac.yaml"
+
+tmpdir="$(mktemp -d)"
+WITHOUT_FILE="${tmpdir}"/without-nfs.yaml # intermediate file of yaml that doesn't include NFS RBAC
+WITH_FILE="${tmpdir}"/with-nfs.yaml # intermediate file of yaml that includes previous plus NFS RBAC
+
+./get-helm-rbac.sh > "$WITHOUT_FILE"
+
+export ADDITIONAL_HELM_CLI_OPTIONS="--set csi.nfs.enabled=true"
+./get-helm-rbac.sh > "$WITH_FILE"
+
+rm -f "$NFS_RBAC_YAML_FILE"
+cat nfs-rbac.yaml.header >> "$NFS_RBAC_YAML_FILE"
+./keep-added.sh "$WITHOUT_FILE" "$WITH_FILE" >> "$NFS_RBAC_YAML_FILE"
+
+rm -rf "$tmpdir"
+popd &>/dev/stderr
diff --git a/build/rbac/get-helm-rbac.sh b/build/rbac/get-helm-rbac.sh
@@ -12,21 +12,28 @@ fi
 # Empty string means DO include PSP resources. Any other value means do NOT include PSP resources.
 : "${DO_NOT_INCLUDE_POD_SECURITY_POLICY_RESOURCES:=""}"
 
+# Supply additional CLI options to the helm command used for generating RBAC.
+# e.g., '--set key=value'
+: "${ADDITIONAL_HELM_CLI_OPTIONS:=""}"
+
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 pushd "$SCRIPT_DIR" &>/dev/stderr
 
 options=(
   --namespace rook-ceph
   --set crds.enabled=false
   --set csi.csiAddons.enabled=true
-  --set csi.nfs.enabled=true
 )
 if [[ -z "${DO_NOT_INCLUDE_POD_SECURITY_POLICY_RESOURCES}" ]]; then
   options+=(--set pspEnable=true)
 else
   options+=(--set pspEnable=false)
 fi
 
+for option in ${ADDITIONAL_HELM_CLI_OPTIONS}; do
+  options+=("$option")
+done
+
 echo "generating Helm template with options: ${options[*]}" &>/dev/stderr
 
 ${HELM} template ../../deploy/charts/rook-ceph "${options[@]}" | ./keep-rbac-yaml.sh

diff --git a/build/rbac/keep-added.sh b/build/rbac/keep-added.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -eEuo pipefail
+
+DROP_FILE="$1"
+KEEP_FILE="$2"
+
+# WRITES TO STDOUT
+# DEBUGS TO STDERR
+
+: ${YQ:=yq}
+
+if [[ "$($YQ --version)" != "yq (https://github.com/mikefarah/yq/) version 4."* ]]; then
+  echo "yq must be version 4.x"
+  exit 1
+fi
+
+#
+# Create a file for each resource present in the drop set
+#
+drop_dir="$(mktemp -d)"
+pushd "${drop_dir}" &>/dev/stderr
+
+$YQ eval --split-exp '.kind + " " + .metadata.name + " "' "$DROP_FILE" # split into files by <kind> <name> .yaml
+# outputting the filenames with spaces after kind and name keeps the same sorting from before
+
+popd &>/dev/stderr
+
+#
+# Create a file for each resource present in the keep set
+#
+keep_dir="$(mktemp -d)"
+pushd "${keep_dir}" &>/dev/stderr
+
+$YQ eval --split-exp '.kind + " " + .metadata.name + " "' "$KEEP_FILE" # split into files by <kind> <name> .yaml
+# outputting the filenames with spaces after kind and name keeps the same sorting from before
+
+popd &>/dev/stderr
+
+#
+# In the keep set, remove every file that also exists in the drop set
+#
+pushd "${drop_dir}" &>/dev/stderr
+
+find . -type f -name '*.yml' -exec rm "${keep_dir}"/{} \;
+
+popd &>/dev/stderr
+
+#
+# Combine the kept files back into one yaml
+#
+RBAC_FILES=()
+while read -r line; do
+  RBAC_FILES+=("$line")
+done < <(find "${keep_dir}"/. -type f -name '*.yml' | sort)
+
+# use keep-rbac-yaml.sh at the end to strip out only the RBAC, and sort and format it as we want
+$YQ eval-all '.' "${RBAC_FILES[@]}" | ./keep-rbac-yaml.sh
+
+rm -rf "${drop_dir}"
+rm -rf "${keep_dir}"
diff --git a/build/rbac/nfs-rbac.yaml.header b/build/rbac/nfs-rbac.yaml.header
@@ -0,0 +1,3 @@
+####################################################################################################
+# These RBAC resources are required to allow Rook to run the NFS export CSI driver components.
+####################################################################################################
diff --git a/deploy/examples/common.yaml b/deploy/examples/common.yaml
@@ -13,36 +13,6 @@ metadata:
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: ceph-nfs-external-provisioner-runner
-rules:
-  - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "create", "delete"]
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["storageclasses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["csinodes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get"]
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-nodeplugin
 rules:
@@ -604,19 +574,6 @@ rules:
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: ceph-nfs-csi-provisioner-role
-subjects:
-  - kind: ServiceAccount
-    name: rook-csi-nfs-provisioner-sa
-    namespace: rook-ceph # namespace:operator
-roleRef:
-  kind: ClusterRole
-  name: ceph-nfs-external-provisioner-runner
-  apiGroup: rbac.authorization.k8s.io
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-nodeplugin
 subjects:
@@ -1405,24 +1362,6 @@ metadata:
 # imagePullSecrets:
 #   - name: my-registry-secret
 ---
-# Service account for the NFS CSI driver
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: rook-csi-nfs-plugin-sa
-  namespace: rook-ceph # namespace:operator
-# imagePullSecrets:
-#   - name: my-registry-secret
----
-# Service account for the NFS CSI provisioner
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: rook-csi-nfs-provisioner-sa
-  namespace: rook-ceph # namespace:operator
-# imagePullSecrets:
-#   - name: my-registry-secret
----
 # Service account for the RBD CSI driver
 apiVersion: v1
 kind: ServiceAccount

diff --git a/deploy/examples/csi/nfs/rbac.yaml b/deploy/examples/csi/nfs/rbac.yaml
@@ -0,0 +1,64 @@
+####################################################################################################
+# These RBAC resources are required to allow Rook to run the NFS export CSI driver components.
+####################################################################################################
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ceph-nfs-external-provisioner-runner
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ceph-nfs-csi-provisioner-role
+subjects:
+  - kind: ServiceAccount
+    name: rook-csi-nfs-provisioner-sa
+    namespace: rook-ceph # namespace:operator
+roleRef:
+  kind: ClusterRole
+  name: ceph-nfs-external-provisioner-runner
+  apiGroup: rbac.authorization.k8s.io
+---
+# Service account for the NFS CSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rook-csi-nfs-plugin-sa
+  namespace: rook-ceph # namespace:operator
+# imagePullSecrets:
+#   - name: my-registry-secret
+---
+# Service account for the NFS CSI provisioner
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rook-csi-nfs-provisioner-sa
+  namespace: rook-ceph # namespace:operator
+# imagePullSecrets:
+#   - name: my-registry-secret