From bca2f128abc6ff8ec6bf39b94b4fbbb10effdef2 Mon Sep 17 00:00:00 2001
From: Blaine Gardner
Date: Tue, 12 Apr 2022 15:20:42 -0600
Subject: [PATCH] build: generate a separate NFS CSI RBAC manifest

Because the NFS CSI driver is optional and rarely deployed, make RBAC for this driver an optional example that is generated by the helm chart.

Signed-off-by: Blaine Gardner
---
 Makefile | 1 +
 build/rbac/gen-nfs-rbac.sh | 23 +++++++++++
 build/rbac/get-helm-rbac.sh | 9 ++++-
 build/rbac/keep-added.sh | 60 +++++++++++++++++++++++++++++
 build/rbac/nfs-rbac.yaml.header | 3 ++
 deploy/examples/common.yaml | 61 -----------------------------
 deploy/examples/csi/nfs/rbac.yaml | 64 +++++++++++++++++++++++++++++++
 7 files changed, 159 insertions(+), 62 deletions(-)
 create mode 100755 build/rbac/gen-nfs-rbac.sh
 create mode 100755 build/rbac/keep-added.sh
 create mode 100644 build/rbac/nfs-rbac.yaml.header
 create mode 100644 deploy/examples/csi/nfs/rbac.yaml
diff --git a/Makefile b/Makefile
index d1c61ff2bee6..9638aff252a5 100644
--- a/Makefile
+++ b/Makefile
@@ -194,6 +194,7 @@ crds: $(CONTROLLER_GEN) $(YQ)
 gen-rbac: $(HELM) $(YQ) ## generate RBAC from Helm charts
 @# output only stdout to the file; stderr for debugging should keep going to stderr
 HELM=$(HELM) ./build/rbac/gen-common.sh
+ HELM=$(HELM) ./build/rbac/gen-nfs-rbac.sh
 .PHONY: all build.common
 .PHONY: build build.all install test check vet fmt codegen mod.check clean distclean prune
diff --git a/build/rbac/gen-nfs-rbac.sh b/build/rbac/gen-nfs-rbac.sh
new file mode 100755
index 000000000000..4d1c55e4c82a
--- /dev/null
+++ b/build/rbac/gen-nfs-rbac.sh
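Review bot: The new recipe line passes `HELM=$(HELM)` but not `YQ=$(YQ)`, although `gen-rbac` lists `$(YQ)` as a prerequisite and the script chain it starts falls back to whatever `yq` is on PATH (keep-added.sh in this patch defaults with `: ${YQ:=yq}`). If `$(YQ)` is a pinned binary the build downloads, the yq version check in keep-added.sh then passes or fails depending on the developer's PATH rather than on the prerequisite; `HELM=$(HELM) YQ=$(YQ) ./build/rbac/gen-nfs-rbac.sh` would make the dependency effective, and the existing gen-common.sh line likely has the same gap. Whether `$(YQ)` expands to a path or just a tool name is not visible in this hunk.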
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -xeEuo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+pushd "$SCRIPT_DIR" &>/dev/stderr
+
+NFS_RBAC_YAML_FILE="$SCRIPT_DIR/../../deploy/examples/csi/nfs/rbac.yaml"
+
+tmpdir="$(mktemp -d)"
+WITHOUT_FILE="${tmpdir}"/without-nfs.yaml # intermediate file of yaml that doesn't include NFS RBAC
+WITH_FILE="${tmpdir}"/with-nfs.yaml # intermediate file of yaml that includes previous plus NFS RBAC
+
+./get-helm-rbac.sh > "$WITHOUT_FILE"
+
+export ADDITIONAL_HELM_CLI_OPTIONS="--set csi.nfs.enabled=true"
+./get-helm-rbac.sh > "$WITH_FILE"
+
+rm -f "$NFS_RBAC_YAML_FILE"
+cat nfs-rbac.yaml.header >> "$NFS_RBAC_YAML_FILE"
+./keep-added.sh "$WITHOUT_FILE" "$WITH_FILE" >> "$NFS_RBAC_YAML_FILE"
+
+rm -rf "$tmpdir"
+popd &>/dev/stderr
diff --git a/build/rbac/get-helm-rbac.sh b/build/rbac/get-helm-rbac.sh
index af758072f665..82286217d3f1 100755
--- a/build/rbac/get-helm-rbac.sh
+++ b/build/rbac/get-helm-rbac.sh
@@ -12,6 +12,10 @@ fi
 # Empty string means DO include PSP resources. Any other value means do NOT include PSP resources.
 : "${DO_NOT_INCLUDE_POD_SECURITY_POLICY_RESOURCES:=""}"
+# Supply additional CLI options to the helm command used for generating RBAC.
+# e.g., '--set key=value'
+: "${ADDITIONAL_HELM_CLI_OPTIONS:=""}"
+
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 pushd "$SCRIPT_DIR" &>/dev/stderr
@@ -19,7 +23,6 @@ options=(
 --namespace rook-ceph
 --set crds.enabled=false
 --set csi.csiAddons.enabled=true
- --set csi.nfs.enabled=true
 )
 if [[ -z "${DO_NOT_INCLUDE_POD_SECURITY_POLICY_RESOURCES}" ]]; then
 options+=(--set pspEnable=true)
@@ -27,6 +30,10 @@ else
 options+=(--set pspEnable=false)
 fi
+for option in ${ADDITIONAL_HELM_CLI_OPTIONS}; do
+ options+=("$option")
+done
+
 echo "generating Helm template with options: ${options[*]}" &>/dev/stderr
 ${HELM} template ../../deploy/charts/rook-ceph "${options[@]}" | ./keep-rbac-yaml.sh
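Review bot: If `./keep-added.sh` (or either `get-helm-rbac.sh` call) fails, `set -e` ends the script after `rm -f "$NFS_RBAC_YAML_FILE"` has already run, so deploy/examples/csi/nfs/rbac.yaml is left missing or holding only the header, and `$tmpdir` is never removed because `rm -rf "$tmpdir"` is only reached on success. Assemble the result inside the temp dir and move it into place only when everything succeeded, with cleanup on a trap: `trap 'rm -rf "$tmpdir"' EXIT` right after `mktemp -d`, then `{ cat nfs-rbac.yaml.header; ./keep-added.sh "$WITHOUT_FILE" "$WITH_FILE"; } > "$tmpdir/rbac.yaml"` and `mv -f "$tmpdir/rbac.yaml" "$NFS_RBAC_YAML_FILE"`. The `rm -f` and the two `>>` lines then go away.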
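Review bot: The `for option in ${ADDITIONAL_HELM_CLI_OPTIONS}` loop in the third hunk depends on unquoted word splitting, so a value containing whitespace (for example `--set key=a b`) cannot be passed, and because the script has `pushd`-ed into build/rbac, a `*` or `?` inside a value is glob-expanded against that directory before helm sees it. The only caller in this patch passes `--set csi.nfs.enabled=true`, so documenting the contract is enough for now: extend the comment added in the first hunk with `# Space-separated; individual values must not contain whitespace or glob characters.` If richer values are ever needed, wrap the loop in `set -f` / `set +f` or switch to an array variable instead.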
diff --git a/build/rbac/keep-added.sh b/build/rbac/keep-added.sh
new file mode 100755
index 000000000000..13ff3669aaff
--- /dev/null
+++ b/build/rbac/keep-added.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -eEuo pipefail
+
+DROP_FILE="$1"
+KEEP_FILE="$2"
+
+# WRITES TO STDOUT
+# DEBUGS TO STDERR
+
+: ${YQ:=yq}
+
+if [[ "$($YQ --version)" != "yq (https://github.com/mikefarah/yq/) version 4."* ]]; then
+ echo "yq must be version 4.x"
+ exit 1
+fi
+
+#
+# Create a file for each resource present in the drop set
+#
+drop_dir="$(mktemp -d)"
+pushd "${drop_dir}" &>/dev/stderr
+
+$YQ eval --split-exp '.kind + " " + .metadata.name + " "' "$DROP_FILE" # split into files by .yaml
+# outputting the filenames with spaces after kind and name keeps the same sorting from before
+
+popd &>/dev/stderr
+
+#
+# Create a file for each resource present in the keep set
+#
+keep_dir="$(mktemp -d)"
+pushd "${keep_dir}" &>/dev/stderr
+
+$YQ eval --split-exp '.kind + " " + .metadata.name + " "' "$KEEP_FILE" # split into files by .yaml
+# outputting the filenames with spaces after kind and name keeps the same sorting from before
+
+popd &>/dev/stderr
+
+#
+# In the keep set, remove every file that also exists in the drop set
+#
+pushd "${drop_dir}" &>/dev/stderr
+
+find . -type f -name '*.yml' -exec rm "${keep_dir}"/{} \;
+
+popd &>/dev/stderr
+
+#
+# Combine the kept files back into one yaml
+#
+RBAC_FILES=()
+while read -r line; do
+ RBAC_FILES+=("$line")
+done < <(find "${keep_dir}"/. -type f -name '*.yml' | sort)
+
+# use keep-rbac-yaml.sh at the end to strip out only the RBAC, and sort and format it as we want
+$YQ eval-all '.' "${RBAC_FILES[@]}" | ./keep-rbac-yaml.sh
+
+rm -rf "${drop_dir}"
+rm -rf "${keep_dir}"
diff --git a/build/rbac/nfs-rbac.yaml.header b/build/rbac/nfs-rbac.yaml.header
new file mode 100644
index 000000000000..618c53cfff04
--- /dev/null
+++ b/build/rbac/nfs-rbac.yaml.header
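Review bot: `./keep-rbac-yaml.sh` on the `$YQ eval-all` line is resolved against the caller's working directory rather than the script's own, so the script only works when invoked from build/rbac (gen-nfs-rbac.sh happens to `pushd` there); get-helm-rbac.sh in this same patch computes `SCRIPT_DIR` for exactly this reason, and `"$(dirname "${BASH_SOURCE[0]}")/keep-rbac-yaml.sh"` would remove the dependence on cwd. The version-check message is written to stdout, which the header declares to be the data stream, so it should read `echo "yq must be version 4.x" >&2`. Resources are matched by file name (`.kind + " " + .metadata.name`) only, so a resource present in both inputs whose rules change when NFS is enabled is dropped rather than kept; a top-of-file comment such as `# Keeps resources present in KEEP_FILE but absent (by kind+name) from DROP_FILE; resources modified in place are not captured.` would make that limitation explicit to the next person extending it. Neither temp dir is removed when `$YQ` fails under `set -e`; an `EXIT` trap would cover that.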
@@ -0,0 +1,3 @@
+####################################################################################################
+# These RBAC resources are required to allow Rook to run the NFS export CSI driver components.
+####################################################################################################
diff --git a/deploy/examples/common.yaml b/deploy/examples/common.yaml
index 62a5d1bb00a2..9f1f7691a1b4 100644
--- a/deploy/examples/common.yaml
+++ b/deploy/examples/common.yaml
@@ -13,36 +13,6 @@ metadata:
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ceph-nfs-external-provisioner-runner
-rules:
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["get", "list", "watch", "create", "update", "patch"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["csinodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "list", "watch", "create", "update", "patch"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get"]
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: cephfs-csi-nodeplugin
 rules:
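Review bot: The banner that gen-nfs-rbac.sh prepends to deploy/examples/csi/nfs/rbac.yaml explains what the resources are for but not that the file is generated, so someone adjusting the example will edit it by hand and lose the change on the next `make gen-rbac`. Add a line inside the banner such as `# Generated by 'make gen-rbac' (build/rbac/gen-nfs-rbac.sh) from the rook-ceph Helm chart; do not edit by hand.` Since this patch removes these resources from common.yaml, it is also worth stating that the file is applied in addition to common.yaml when the NFS CSI driver is enabled.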
@@ -604,19 +574,6 @@ rules:
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ceph-nfs-csi-provisioner-role
-subjects:
- - kind: ServiceAccount
- name: rook-csi-nfs-provisioner-sa
- namespace: rook-ceph # namespace:operator
-roleRef:
- kind: ClusterRole
- name: ceph-nfs-external-provisioner-runner
- apiGroup: rbac.authorization.k8s.io
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: cephfs-csi-nodeplugin
 subjects:
@@ -1405,24 +1362,6 @@ metadata:
 # imagePullSecrets:
 # - name: my-registry-secret
 ---
-# Service account for the NFS CSI driver
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: rook-csi-nfs-plugin-sa
- namespace: rook-ceph # namespace:operator
-# imagePullSecrets:
-# - name: my-registry-secret
----
-# Service account for the NFS CSI provisioner
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: rook-csi-nfs-provisioner-sa
- namespace: rook-ceph # namespace:operator
-# imagePullSecrets:
-# - name: my-registry-secret
----
 # Service account for the RBD CSI driver
 apiVersion: v1
 kind: ServiceAccount
diff --git a/deploy/examples/csi/nfs/rbac.yaml b/deploy/examples/csi/nfs/rbac.yaml
new file mode 100644
index 000000000000..8a98ae6741ce
--- /dev/null
+++ b/deploy/examples/csi/nfs/rbac.yaml
@@ -0,0 +1,64 @@
+####################################################################################################
+# These RBAC resources are required to allow Rook to run the NFS export CSI driver components.
+####################################################################################################
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ceph-nfs-external-provisioner-runner
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ceph-nfs-csi-provisioner-role
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-nfs-provisioner-sa
+ namespace: rook-ceph # namespace:operator
+roleRef:
+ kind: ClusterRole
+ name: ceph-nfs-external-provisioner-runner
+ apiGroup: rbac.authorization.k8s.io
+---
+# Service account for the NFS CSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-csi-nfs-plugin-sa
+ namespace: rook-ceph # namespace:operator
+# imagePullSecrets:
+# - name: my-registry-secret
+---
+# Service account for the NFS CSI provisioner
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-csi-nfs-provisioner-sa
+ namespace: rook-ceph # namespace:operator
+# imagePullSecrets:
+# - name: my-registry-secret