Add: Additional permissions allowed via the Config object

Signed-off-by: Stephen Cuppett <[email protected]>

Makefile

@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.0.1
+VERSION ?= 0.0.2
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")

README.md

@@ -571,6 +571,44 @@ the controller will attempt to discover credentials using the SDK, but then fall
 permissions identified from above.
 The resulting secret will be used.
 
+###### Additional Permissions
+
+You can add permissions to the credentials minted by OpenShift via the Config object:
+
+```yaml
+apiVersion: services.k8s.aws.cuppett.dev/v1alpha1
+kind: Config
+metadata:
+  name: default
+  namespace: aws-cloudformation-operator-system
+spec:
+  tags:
+    cluster: prod1  
+  additionalPermissions:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+      - action:
+        - 's3:CreateBucket'
+        - 's3:ListBuckets'
+        effect: Allow
+        resource: '*'
+      ## Allowing all S3 actions against buckets owned by this cluster tag
+      - action:
+        - 's3:*'
+        effect: Allow
+        policyCondition:
+          StringEquals:
+            'aws:ResourceTag/cluster': prod1
+        resource: '*'
+```
+
+> NOTE: You *only* need supply additional permissions here. The default permissions will always be included in the `CredentialsRequest`.
+
+This is the easy way to allow the operator to create/manage resources in various services.
+However, it should be more desirable to limit the operator to CloudFormation and iam:PassRole (default).
+Using only PassRole enables you to set up OPA rules ensuring `Stack` objects in namespaces always specify `roleArn` in their objects and match any desired assignment conventions you may have.
+
 #### Using kustomize & make to deploy
 
 Deploy and start the CloudFormation operator in your cluster by using the provided manifests and Makefile:

apis/services.k8s.aws/v1alpha1/config_types.go

@@ -26,6 +26,7 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 )
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
@@ -37,6 +38,10 @@ type ConfigSpec struct {
 	// +kubebuilder:validation:Optional
 	// +optional
 	Tags map[string]string `json:"tags,omitempty"`
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:pruning:PreserveUnknownFields
+	// +optional
+	AdditionalPermissions *runtime.RawExtension `json:"additionalPermissions,omitempty"`
 }
 
 // ConfigStatus defines the observed state of Config

bundle.Dockerfile

@@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=aws-cloudformation-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=alpha
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.15.0+git
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.14.0+git
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
 

bundle/manifests/aws-cloudformation-operator.clusterserviceversion.yaml

@@ -53,9 +53,9 @@ metadata:
       ]
     capabilities: Basic Install
     operatorframework.io/suggested-namespace: aws-cloudformation-operator
-    operators.operatorframework.io/builder: operator-sdk-v1.15.0+git
+    operators.operatorframework.io/builder: operator-sdk-v1.14.0+git
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
-  name: aws-cloudformation-operator.v0.0.1
+  name: aws-cloudformation-operator.v0.0.2
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -115,6 +115,8 @@ spec:
           - create
           - get
           - list
+          - patch
+          - update
           - watch
         - apiGroups:
           - cloudformation.services.k8s.aws.cuppett.dev
@@ -201,6 +203,24 @@ spec:
                 control-plane: controller-manager
             spec:
               containers:
+              - args:
+                - --secure-listen-address=0.0.0.0:8443
+                - --upstream=http://127.0.0.1:8080/
+                - --logtostderr=true
+                - --v=0
+                image: quay.io/cuppett/kube-rbac-proxy:v0.11.0
+                name: kube-rbac-proxy
+                ports:
+                - containerPort: 8443
+                  name: https
+                  protocol: TCP
+                resources:
+                  limits:
+                    cpu: 500m
+                    memory: 128Mi
+                  requests:
+                    cpu: 5m
+                    memory: 64Mi
               - args:
                 - --health-probe-bind-address=:8081
                 - --metrics-bind-address=127.0.0.1:8080
@@ -220,7 +240,7 @@ spec:
                   valueFrom:
                     fieldRef:
                       fieldPath: metadata.annotations['olm.targetNamespaces']
-                image: quay.io/cuppett/aws-cloudformation-operator:v0.0.1
+                image: quay.io/cuppett/aws-cloudformation-operator:v0.0.2
                 livenessProbe:
                   httpGet:
                     path: /healthz
@@ -244,24 +264,6 @@ spec:
                     memory: 100Mi
                 securityContext:
                   allowPrivilegeEscalation: false
-              - args:
-                - --secure-listen-address=0.0.0.0:8443
-                - --upstream=http://127.0.0.1:8080/
-                - --logtostderr=true
-                - --v=0
-                image: quay.io/cuppett/kube-rbac-proxy:v0.11.0
-                name: kube-rbac-proxy
-                ports:
-                - containerPort: 8443
-                  name: https
-                  protocol: TCP
-                resources:
-                  limits:
-                    cpu: 500m
-                    memory: 128Mi
-                  requests:
-                    cpu: 5m
-                    memory: 64Mi
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: aws-cloudformation-operator-controller-manager
@@ -327,7 +329,8 @@ spec:
   provider:
     name: Stephen Cuppett
     url: https://github.com/cuppett
-  version: 0.0.1
+  replaces: aws-cloudformation-operator.v0.0.1
+  version: 0.0.2
   webhookdefinitions:
   - admissionReviewVersions:
     - v1

bundle/manifests/cloudformation.services.k8s.aws.cuppett.dev_stacks.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.7.0
+    controller-gen.kubebuilder.io/version: v0.8.0
   creationTimestamp: null
   name: stacks.cloudformation.services.k8s.aws.cuppett.dev
 spec:

bundle/manifests/services.k8s.aws.cuppett.dev_configs.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.7.0
+    controller-gen.kubebuilder.io/version: v0.8.0
   creationTimestamp: null
   name: configs.services.k8s.aws.cuppett.dev
 spec:
@@ -34,6 +34,9 @@ spec:
           spec:
             description: ConfigSpec defines the desired state of Config
             properties:
+              additionalPermissions:
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
               region:
                 type: string
               tags:

bundle/metadata/annotations.yaml

@@ -5,7 +5,7 @@ annotations:
   operators.operatorframework.io.bundle.metadata.v1: metadata/
   operators.operatorframework.io.bundle.package.v1: aws-cloudformation-operator
   operators.operatorframework.io.bundle.channels.v1: alpha
-  operators.operatorframework.io.metrics.builder: operator-sdk-v1.15.0+git
+  operators.operatorframework.io.metrics.builder: operator-sdk-v1.14.0+git
   operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
   operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3
 

config/crd/bases/services.k8s.aws.cuppett.dev_configs.yaml

@@ -35,6 +35,9 @@ spec:
           spec:
             description: ConfigSpec defines the desired state of Config
             properties:
+              additionalPermissions:
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
               region:
                 type: string
               tags:

config/manager/kustomization.yaml

@@ -13,4 +13,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/cuppett/aws-cloudformation-operator
-  newTag: v0.0.1
+  newTag: v0.0.2

config/manifests/bases/aws-cloudformation-operator.clusterserviceversion.yaml

@@ -5,7 +5,7 @@ metadata:
     alm-examples: '[]'
     capabilities: Basic Install
     operatorframework.io/suggested-namespace: aws-cloudformation-operator
-  name: aws-cloudformation-operator.v0.0.1
+  name: aws-cloudformation-operator.v0.0.2
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -56,4 +56,5 @@ spec:
   provider:
     name: Stephen Cuppett
     url: https://github.com/cuppett
-  version: 0.0.1
+  replaces: aws-cloudformation-operator.v0.0.1
+  version: 0.0.2

config/manifests/kustomization.yaml

@@ -18,21 +18,21 @@ patchesJson6902:
     namespace: system
   patch: |-
     - op: remove
-      path: /spec/template/spec/containers/0/env/5
+      path: /spec/template/spec/containers/1/env/5
     - op: remove
-      path: /spec/template/spec/containers/0/env/4
+      path: /spec/template/spec/containers/1/env/4
     - op: remove
-      path: /spec/template/spec/containers/0/env/3
+      path: /spec/template/spec/containers/1/env/3
     - op: remove
-      path: /spec/template/spec/containers/0/env/2
+      path: /spec/template/spec/containers/1/env/2
     - op: remove
-      path: /spec/template/spec/containers/0/env/1
+      path: /spec/template/spec/containers/1/env/1
     - op: remove
-      path: /spec/template/spec/containers/0/env/0
+      path: /spec/template/spec/containers/1/env/0
     # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs.
     # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment.
     - op: remove
-      path: /spec/template/spec/containers/0/volumeMounts/0
+      path: /spec/template/spec/containers/1/volumeMounts/0
     # Remove the "cert" volume, since OLM will create and mount a set of certs.
     # Update the indices in this path if adding or removing volumes in the manager's Deployment.
     - op: remove

config/rbac/role.yaml

@@ -40,6 +40,8 @@ rules:
   - create
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
   - cloudformation.services.k8s.aws.cuppett.dev

controllers/cloudformation.services.k8s.aws/stack_controller.go

@@ -31,6 +31,7 @@ import (
 	"github.com/cuppett/aws-cloudformation-operator/apis/cloudformation.services.k8s.aws/v1alpha1"
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"strings"
 
@@ -88,7 +89,7 @@ type StackLoop struct {
 // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *StackReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	loop := &StackLoop{ctx, req, &v1alpha1.Stack{}, nil,
-		r.Log.WithValues("Request.Namespace", req.Namespace, "Request.Name", req.Name)}
+		log.FromContext(ctx).WithValues("Request.Namespace", req.Namespace, "Request.Name", req.Name)}
 
 	// Fetch the Stack instance
 	err := r.Client.Get(loop.ctx, loop.req.NamespacedName, loop.instance)