diff --git a/Makefile b/Makefile
index d1c61ff2bee6..9638aff252a5 100644
--- a/Makefile
+++ b/Makefile
@@ -194,6 +194,7 @@ crds: $(CONTROLLER_GEN) $(YQ) gen-rbac: $(HELM) $(YQ) ## generate RBAC from Helm charts @# output only stdout to the file; stderr for debugging should keep going to stderr HELM=$(HELM) ./build/rbac/gen-common.sh + HELM=$(HELM) ./build/rbac/gen-nfs-rbac.sh .PHONY: all build.common .PHONY: build build.all install test check vet fmt codegen mod.check clean distclean prune
diff --git a/build/rbac/gen-nfs-rbac.sh b/build/rbac/gen-nfs-rbac.sh
new file mode 100755
index 000000000000..4d1c55e4c82a
--- /dev/null
+++ b/build/rbac/gen-nfs-rbac.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -xeEuo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+pushd "$SCRIPT_DIR" &>/dev/stderr
+
+NFS_RBAC_YAML_FILE="$SCRIPT_DIR/../../deploy/examples/csi/nfs/rbac.yaml"
+
+tmpdir="$(mktemp -d)"
+WITHOUT_FILE="${tmpdir}"/without-nfs.yaml # intermediate file of yaml that doesn't include NFS RBAC
+WITH_FILE="${tmpdir}"/with-nfs.yaml # intermediate file of yaml that includes previous plus NFS RBAC
+
+./get-helm-rbac.sh > "$WITHOUT_FILE"
+
+export ADDITIONAL_HELM_CLI_OPTIONS="--set csi.nfs.enabled=true"
+./get-helm-rbac.sh > "$WITH_FILE"
+
+rm -f "$NFS_RBAC_YAML_FILE"
+cat nfs-rbac.yaml.header >> "$NFS_RBAC_YAML_FILE"
+./keep-added.sh "$WITHOUT_FILE" "$WITH_FILE" >> "$NFS_RBAC_YAML_FILE"
+
+rm -rf "$tmpdir"
+popd &>/dev/stderr
diff --git a/build/rbac/get-helm-rbac.sh b/build/rbac/get-helm-rbac.sh
index af758072f665..82286217d3f1 100755
--- a/build/rbac/get-helm-rbac.sh
+++ b/build/rbac/get-helm-rbac.sh
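Review bot: The directory created by `tmpdir="$(mktemp -d)"` in gen-nfs-rbac.sh is only removed on the success path; with `set -e` any failure in `get-helm-rbac.sh` or `keep-added.sh` exits before the trailing `rm -rf "$tmpdir"` runs and leaks it. Registering `trap 'rm -rf "$tmpdir"' EXIT` immediately after the `mktemp` line covers both paths and makes the final `rm -rf` redundant. Separately, `rm -f "$NFS_RBAC_YAML_FILE"` followed by two `>>` appends means a failure inside `keep-added.sh` leaves a header-only `rbac.yaml` in the tree that looks complete; assembling the output under `"$tmpdir"` and moving it into place with `mv -f` only after both commands succeed avoids that. The `-x` in `set -xeEuo pipefail` is also inconsistent with `keep-added.sh`, which uses `-eEuo`; if tracing is intended here a one-line comment saying why would help.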
@@ -12,6 +12,10 @@ fi # Empty string means DO include PSP resources. Any other value means do NOT include PSP resources. : "${DO_NOT_INCLUDE_POD_SECURITY_POLICY_RESOURCES:=""}" +# Supply additional CLI options to the helm command used for generating RBAC. +# e.g., '--set key=value' +: "${ADDITIONAL_HELM_CLI_OPTIONS:=""}" + SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" pushd "$SCRIPT_DIR" &>/dev/stderr @@ -19,7 +23,6 @@ options=( --namespace rook-ceph --set crds.enabled=false --set csi.csiAddons.enabled=true - --set csi.nfs.enabled=true ) if [[ -z "${DO_NOT_INCLUDE_POD_SECURITY_POLICY_RESOURCES}" ]]; then options+=(--set pspEnable=true) @@ -27,6 +30,10 @@ else options+=(--set pspEnable=false) fi +for option in ${ADDITIONAL_HELM_CLI_OPTIONS}; do + options+=("$option") +done + echo "generating Helm template with options: ${options[*]}" &>/dev/stderr ${HELM} template ../../deploy/charts/rook-ceph "${options[@]}" | ./keep-rbac-yaml.sh diff --git a/build/rbac/keep-added.sh b/build/rbac/keep-added.sh new file mode 100755 index 000000000000..13ff3669aaff --- /dev/null +++ b/build/rbac/keep-added.sh 
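Review bot: `for option in ${ADDITIONAL_HELM_CLI_OPTIONS}; do` in the third hunk expands the variable unquoted, so every word is also subject to pathname expansion and no single option value can contain whitespace; a `--set` value holding a `*` or a space is mangled before it reaches helm. The whitespace-split contract is fine for the `--set key=value` use the comment documents, but globbing should be off while the loop runs: `set -f` on the line before the `for` and `set +f` after the `done`. The comment added in the first hunk could state the contract explicitly, e.g. `# Whitespace-separated; an individual option value cannot contain spaces.` The rest of the file, including where `${HELM}` is set, is outside these hunks.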
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -eEuo pipefail
+
+DROP_FILE="$1"
+KEEP_FILE="$2"
+
+# WRITES TO STDOUT
+# DEBUGS TO STDERR
+
+: ${YQ:=yq}
+
+if [[ "$($YQ --version)" != "yq (https://github.com/mikefarah/yq/) version 4."* ]]; then
+ echo "yq must be version 4.x"
+ exit 1
+fi
+
+#
+# Create a file for each resource present in the drop set
+#
+drop_dir="$(mktemp -d)"
+pushd "${drop_dir}" &>/dev/stderr
+
+$YQ eval --split-exp '.kind + " " + .metadata.name + " "' "$DROP_FILE" # split into files by .yaml
+# outputting the filenames with spaces after kind and name keeps the same sorting from before
+
+popd &>/dev/stderr
+
+#
+# Create a file for each resource present in the keep set
+#
+keep_dir="$(mktemp -d)"
+pushd "${keep_dir}" &>/dev/stderr
+
+$YQ eval --split-exp '.kind + " " + .metadata.name + " "' "$KEEP_FILE" # split into files by .yaml
+# outputting the filenames with spaces after kind and name keeps the same sorting from before
+
+popd &>/dev/stderr
+
+#
+# In the keep set, remove every file that also exists in the drop set
+#
+pushd "${drop_dir}" &>/dev/stderr
+
+find . -type f -name '*.yml' -exec rm "${keep_dir}"/{} \;
+
+popd &>/dev/stderr
+
+#
+# Combine the kept files back into one yaml
+#
+RBAC_FILES=()
+while read -r line; do
+ RBAC_FILES+=("$line")
+done < <(find "${keep_dir}"/. -type f -name '*.yml' | sort)
+
+# use keep-rbac-yaml.sh at the end to strip out only the RBAC, and sort and format it as we want
+$YQ eval-all '.' "${RBAC_FILES[@]}" | ./keep-rbac-yaml.sh
+
+rm -rf "${drop_dir}"
+rm -rf "${keep_dir}"
diff --git a/build/rbac/nfs-rbac.yaml.header b/build/rbac/nfs-rbac.yaml.header
new file mode 100644
index 000000000000..618c53cfff04
--- /dev/null
+++ b/build/rbac/nfs-rbac.yaml.header
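Review bot: `find . -type f -name '*.yml' -exec rm "${keep_dir}"/{} \;` calls `rm` without `-f`, so a resource that exists in the drop set but not in the keep set makes `rm` fail, `find` exit non-zero, and the script abort under `set -e`; `rm -f` matches the intended semantics of removing overlap and ignoring the rest. The version check's `echo "yq must be version 4.x"` writes to stdout, which the header declares is the data stream and which gen-nfs-rbac.sh appends straight into rbac.yaml, so it belongs on stderr: `echo "yq must be version 4.x" >&2`. The two `mktemp -d` directories are likewise only removed on the success path; creating both up front and registering `trap 'rm -rf "${drop_dir}" "${keep_dir}"' EXIT` covers failures as well. The unquoted `: ${YQ:=yq}` also differs from the `: "${...:=""}"` form used in get-helm-rbac.sh.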
@@ -0,0 +1,3 @@
+####################################################################################################
+# These RBAC resources are required to allow Rook to run the NFS export CSI driver components.
+####################################################################################################
diff --git a/deploy/examples/common.yaml b/deploy/examples/common.yaml
index 62a5d1bb00a2..9f1f7691a1b4 100644
--- a/deploy/examples/common.yaml
+++ b/deploy/examples/common.yaml
@@ -13,36 +13,6 @@ metadata:
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ceph-nfs-external-provisioner-runner
-rules:
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["get", "list", "watch", "create", "update", "patch"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["csinodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "list", "watch", "create", "update", "patch"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get"]
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: cephfs-csi-nodeplugin
 rules:
@@ -604,19 +574,6 @@ rules:
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ceph-nfs-csi-provisioner-role
-subjects:
- - kind: ServiceAccount
- name: rook-csi-nfs-provisioner-sa
- namespace: rook-ceph # namespace:operator
-roleRef:
- kind: ClusterRole
- name: ceph-nfs-external-provisioner-runner
- apiGroup: rbac.authorization.k8s.io
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: cephfs-csi-nodeplugin
 subjects:
@@ -1405,24 +1362,6 @@ metadata:
 # imagePullSecrets:
 # - name: my-registry-secret
 ---
-# Service account for the NFS CSI driver
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: rook-csi-nfs-plugin-sa
- namespace: rook-ceph # namespace:operator
-# imagePullSecrets:
-# - name: my-registry-secret
----
-# Service account for the NFS CSI provisioner
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: rook-csi-nfs-provisioner-sa
- namespace: rook-ceph # namespace:operator
-# imagePullSecrets:
-# - name: my-registry-secret
----
 # Service account for the RBD CSI driver
 apiVersion: v1
 kind: ServiceAccount
diff --git a/deploy/examples/csi/nfs/rbac.yaml b/deploy/examples/csi/nfs/rbac.yaml
new file mode 100644
index 000000000000..8a98ae6741ce
--- /dev/null
+++ b/deploy/examples/csi/nfs/rbac.yaml
@@ -0,0 +1,64 @@
+####################################################################################################
+# These RBAC resources are required to allow Rook to run the NFS export CSI driver components.
+####################################################################################################
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ceph-nfs-external-provisioner-runner
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ceph-nfs-csi-provisioner-role
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-nfs-provisioner-sa
+ namespace: rook-ceph # namespace:operator
+roleRef:
+ kind: ClusterRole
+ name: ceph-nfs-external-provisioner-runner
+ apiGroup: rbac.authorization.k8s.io
+---
+# Service account for the NFS CSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-csi-nfs-plugin-sa
+ namespace: rook-ceph # namespace:operator
+# imagePullSecrets:
+# - name: my-registry-secret
+---
+# Service account for the NFS CSI provisioner
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-csi-nfs-provisioner-sa
+ namespace: rook-ceph # namespace:operator
+# imagePullSecrets:
+# - name: my-registry-secret