From c12998bcc9ee5fa8cee45ecf3d7e256f43ff0789 Mon Sep 17 00:00:00 2001
From: "james.newman@snyk.io"
Date: Wed, 13 Oct 2021 14:20:54 +0100
Subject: [PATCH 1/6] add optional value to watchAllNamespaces. Default value is false to maintain backward compatability
---
 values.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/values.yaml b/values.yaml
index 3d199ba..03ca852 100644
--- a/values.yaml
+++ b/values.yaml
@@ -35,6 +35,10 @@ syncWorkspace:
 # to the release namespace
 k8WatchNamespace: null
+ # If true watchAllNamespaces will configure the operator to watch for workspace
+ # changes across all kubernetes namespaces.
+ watchAllNamespaces: false
+
 # terraformVersion describes the version of Terraform to use for each workspace.
 # If this is not set then it will default to the latest version of Terraform
 # compiled with the operator.
From c8d3b554c24dd0fe00ed2e2ed22dd461d2f730cf Mon Sep 17 00:00:00 2001
From: "james.newman@snyk.io"
Date: Wed, 13 Oct 2021 14:42:28 +0100
Subject: [PATCH 2/6] RoleBinding logic
Updated logic around RoleBinding vs ClusterRoleBinding based on watchAllNamespaces value
---
 templates/sync-workspace-rolebinding.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/templates/sync-workspace-rolebinding.yaml b/templates/sync-workspace-rolebinding.yaml
index d811b31..eaaa7dc 100644
--- a/templates/sync-workspace-rolebinding.yaml
+++ b/templates/sync-workspace-rolebinding.yaml
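Review bot: The comment on the new `watchAllNamespaces` key describes what the operator watches but not what it costs in privilege: the later patches in this series render a ClusterRole and ClusterRoleBinding for the sync-workspace service account when it is true, and the deployment template drops `--k8s-watch-namespace`, so `k8WatchNamespace` is silently ignored. Since the role covers Secrets according to the README text added in patch 6, a chart user reading values.yaml should see that trade-off right here. Suggested replacement comment: `# If true, the operator watches Workspaces in every namespace. The chart then creates a ClusterRole and ClusterRoleBinding (cluster-wide access to everything the role lists, including Secrets) and k8WatchNamespace is ignored. Leave false unless cluster-wide access is intended.`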
@@ -1,8 +1,12 @@
 {{- $syncEnabled := (or (and (ne (.Values.syncWorkspace.enabled | toString) "-") .Values.syncWorkspace.enabled) (and (eq (.Values.syncWorkspace.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if $syncEnabled }}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if not .Values.syncWorkspace.watchAllNamespaces }}
 {{- $kind := (ternary "Role" "ClusterRole" (or (empty .Values.syncWorkspace.k8WatchNamespace) (eq (.Values.syncWorkspace.k8WatchNamespace | toString) .Release.Namespace))) }}
 kind: {{ ternary "RoleBinding" "ClusterRoleBinding" (eq $kind "Role") }}
+{{- else }}
+kind: ClusterRoleBinding
+{{- end }}
 metadata:
 name: {{ template "terraform.fullname" . }}-sync-workspace
 labels:
From 7207a9b3f7c9b8533cd7df848e35541e273e18a8 Mon Sep 17 00:00:00 2001
From: "james.newman@snyk.io"
Date: Wed, 13 Oct 2021 15:23:10 +0100
Subject: [PATCH 3/6] updated role determination logic
---
 templates/_helpers.tpl | 10 ++++++++++
 templates/sync-workspace-deployment.yaml | 2 ++
 templates/sync-workspace-rolebinding.yaml | 9 ++-------
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 4ae0f90..16f31e3 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -59,3 +59,13 @@ Inject extra environment vars in the format key:value, if populated
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Comments
+*/}}
+{{- define "terraform.getRole" -}}
+{{- if .Values.syncWorkspace.watchAllNamespaces -}}
+{{- "ClusterRole" -}}
+{{- else -}}
+{{- (ternary "Role" "ClusterRole" (or (empty .Values.syncWorkspace.k8WatchNamespace) (eq (.Values.syncWorkspace.k8WatchNamespace | toString) .Release.Namespace))) -}}
+{{- end -}}
diff --git a/templates/sync-workspace-deployment.yaml b/templates/sync-workspace-deployment.yaml
index 73557a2..8fe0cea 100644
--- a/templates/sync-workspace-deployment.yaml
+++ b/templates/sync-workspace-deployment.yaml
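Review bot: `terraform.getRole` returns ClusterRole not only when `watchAllNamespaces` is true but, through the carried-over `ternary`, whenever `k8WatchNamespace` names any namespace other than the release namespace, so watching a single other namespace already grants the service account cluster-wide rights on everything the role lists. Now that this decision lives in one helper, its `{{/* */}}` header is the place to state that, and it is worth considering a namespaced Role and RoleBinding created in the target namespace for the single-namespace case, keeping ClusterRole for the all-namespaces path only. Suggested header text: `Return "Role" when the operator only watches the release namespace and "ClusterRole" when it watches all namespaces or a different one; ClusterRole grants the listed rules cluster-wide.`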
@@ -66,7 +66,9 @@ spec:
 - /bin/terraform-k8s
 args:
 - --enable-leader-election
+ {{- if not .Values.syncWorkspaces.watchAllNamespaces}}
 - --k8s-watch-namespace={{ default .Release.Namespace .Values.syncWorkspace.k8WatchNamespace}}
+ {{- end }}
 {{- if .Values.syncWorkspace.logLevel }}
 - --zap-log-level={{ .Values.syncWorkspace.logLevel }}
 {{- end }}
diff --git a/templates/sync-workspace-rolebinding.yaml b/templates/sync-workspace-rolebinding.yaml
index eaaa7dc..35deb6a 100644
--- a/templates/sync-workspace-rolebinding.yaml
+++ b/templates/sync-workspace-rolebinding.yaml
@@ -1,12 +1,7 @@
 {{- $syncEnabled := (or (and (ne (.Values.syncWorkspace.enabled | toString) "-") .Values.syncWorkspace.enabled) (and (eq (.Values.syncWorkspace.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if $syncEnabled }}
 apiVersion: rbac.authorization.k8s.io/v1
-{{- if not .Values.syncWorkspace.watchAllNamespaces }}
-{{- $kind := (ternary "Role" "ClusterRole" (or (empty .Values.syncWorkspace.k8WatchNamespace) (eq (.Values.syncWorkspace.k8WatchNamespace | toString) .Release.Namespace))) }}
-kind: {{ ternary "RoleBinding" "ClusterRoleBinding" (eq $kind "Role") }}
-{{- else }}
-kind: ClusterRoleBinding
-{{- end }}
+kind: {{ template "terraform.getRole" . }}Binding
 metadata:
 name: {{ template "terraform.fullname" . }}-sync-workspace
 labels:
@@ -19,7 +14,7 @@ subjects:
 name: {{ template "terraform.fullname" . }}-sync-workspace
 namespace: {{ .Release.Namespace }}
 roleRef:
- kind: {{ $kind }}
+ kind: {{ template "terraform.getRole" . }}
 name: {{ template "terraform.fullname" . }}-sync-workspace
 apiGroup: rbac.authorization.k8s.io
 {{- end }}
From a7f76de177f42d78e8918f456857f7e6387ef0f1 Mon Sep 17 00:00:00 2001
From: Lorenzo Orifici
Date: Wed, 13 Oct 2021 15:28:31 +0100
Subject: [PATCH 4/6] Added helper role function call to the role yaml
---
 templates/_helpers.tpl | 2 +-
 templates/sync-workspace-role.yaml | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
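Review bot: Nothing rejects `watchAllNamespaces: true` combined with a non-empty `k8WatchNamespace`: the added `{{- if not ... }}` just drops `--k8s-watch-namespace`, and `terraform.getRole` in the same patch returns ClusterRole for the same condition, so a user who sets both silently gets cluster-wide scope instead of the namespace they named. A guard at the top of this deployment template (or inside the helper) would turn the conflict into a render-time error: `{{- if and .Values.syncWorkspace.watchAllNamespaces .Values.syncWorkspace.k8WatchNamespace }}` / `{{- fail "syncWorkspace.watchAllNamespaces and syncWorkspace.k8WatchNamespace are mutually exclusive" }}` / `{{- end }}`. The same applies to the patch 5 rewrite of this hunk, which only corrects the `syncWorkspaces` key typo. The container spec these args belong to starts and ends outside the hunk.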
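Review bot: The new `kind:` line renders a cluster-scoped ClusterRoleBinding whenever the helper returns ClusterRole, yet `metadata.name` on the context line below stays `{{ template "terraform.fullname" . }}-sync-workspace`, which is presumably derived from the release name and therefore only unique within a namespace; two releases with the same name in different namespaces would now collide on one ClusterRoleBinding (and on the ClusterRole the role template in patch 4 emits under the same name). That was already reachable via `k8WatchNamespace`, but `watchAllNamespaces` makes it the normal path, so the cluster-scoped name should carry `.Release.Namespace`, e.g. `name: {{ template "terraform.fullname" . }}-{{ .Release.Namespace }}-sync-workspace` when the kind is ClusterRole, with `roleRef.name` in the second hunk and the Role template changed the same way. As a smaller style point the helper is invoked twice; `{{- $role := include "terraform.getRole" . }}` once at the top followed by `{{ $role }}Binding` and `{{ $role }}` reads better. The `{{- if $syncEnabled }}` block opened in the first hunk is closed in the second, so the whole template is visible here.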
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 16f31e3..fe22f15 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -61,7 +61,7 @@ Inject extra environment vars in the format key:value, if populated
 {{- end -}}
 {{/*
-Comments
+Define the kind of Role to use
 */}}
 {{- define "terraform.getRole" -}}
 {{- if .Values.syncWorkspace.watchAllNamespaces -}}
diff --git a/templates/sync-workspace-role.yaml b/templates/sync-workspace-role.yaml
index 76e58b4..34d8f50 100644
--- a/templates/sync-workspace-role.yaml
+++ b/templates/sync-workspace-role.yaml
@@ -1,8 +1,7 @@
 {{- $syncEnabled := (or (and (ne (.Values.syncWorkspace.enabled | toString) "-") .Values.syncWorkspace.enabled) (and (eq (.Values.syncWorkspace.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if $syncEnabled }}
 apiVersion: rbac.authorization.k8s.io/v1
-{{- $kind := (ternary "Role" "ClusterRole" (or (empty .Values.syncWorkspace.k8WatchNamespace) (eq (.Values.syncWorkspace.k8WatchNamespace | toString) .Release.Namespace))) }}
-kind: {{ $kind }}
+kind: {{ template "terraform.getRole" . }}
 metadata:
 name: {{ template "terraform.fullname" . }}-sync-workspace
 labels:
From 8d20a4af6726fcf0700b9676c5b9d1bda96b0e20 Mon Sep 17 00:00:00 2001
From: Lorenzo Orifici
Date: Wed, 13 Oct 2021 15:51:46 +0100
Subject: [PATCH 5/6] Bugfixes
---
 templates/_helpers.tpl | 1 +
 templates/sync-workspace-deployment.yaml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index fe22f15..a0778e9 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -69,3 +69,4 @@ Define the kind of Role to use
 {{- else -}}
 {{- (ternary "Role" "ClusterRole" (or (empty .Values.syncWorkspace.k8WatchNamespace) (eq (.Values.syncWorkspace.k8WatchNamespace | toString) .Release.Namespace))) -}}
 {{- end -}}
+{{- end -}}
diff --git a/templates/sync-workspace-deployment.yaml b/templates/sync-workspace-deployment.yaml
index 8fe0cea..70892cf 100644
--- a/templates/sync-workspace-deployment.yaml
+++ b/templates/sync-workspace-deployment.yaml
@@ -66,7 +66,7 @@ spec:
 - /bin/terraform-k8s
 args:
 - --enable-leader-election
- {{- if not .Values.syncWorkspaces.watchAllNamespaces}}
+ {{- if not .Values.syncWorkspace.watchAllNamespaces }}
 - --k8s-watch-namespace={{ default .Release.Namespace .Values.syncWorkspace.k8WatchNamespace}}
 {{- end }}
 {{- if .Values.syncWorkspace.logLevel }}
From d6ed7648efb5137ad9334e2a0496a9ff7d172928 Mon Sep 17 00:00:00 2001
From: Lorenzo Orifici
Date: Wed, 13 Oct 2021 15:52:57 +0100
Subject: [PATCH 6/6] README docs update
---
 README.md | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/README.md b/README.md
index 893cb97..d1fb07e 100644
--- a/README.md
+++ b/README.md
@@ -96,3 +96,53 @@ $ kubectl delete crd workspaces.app.terraform.io
 ```
 If the CRD is not updated correctly, you will not be able to create a Workspace Custom Resource.
+
+
+
+### Helm Chart
+
+The Helm chart consists of several components. The Kubernetes configurations associated with the Helm chart are located under `crds/` and `templates/`.
+
+#### Custom Resource Definition
+
+Helm starts by deploying the Custom Resource Definition for the Workspace. Custom Resource Definitions extend the Kubernetes API. It looks for definitions in the `crds/` of the chart.
+
+The Custom Resource Definition under `crds/app.terraform.io_workspaces_crd.yaml` defines that the Workspace Custom Resource schema.
+
+#### Role-Based Access Control
+
+In order to scope the operator to a namespace, Helm assigns a role and service account to the namespace. The role has access to Pods, Secrets, Services, and ConfigMaps. This configuration is located in `templates/`.
+
+#### Namespace Scope
+
+To ensure the operator does not have access to secrets or resource beyond the namespace, the Helm chart scopes the operator's deployment to a namespace.
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: terraform-k8s
+spec:
+ # some sections omitted for clarity
+ template:
+ metadata:
+ labels:
+ name: terraform-k8s
+ spec:
+ serviceAccountName: terraform-k8s
+ containers:
+ - name: terraform-k8s
+ command:
+ - /bin/terraform-k8s
+ - "--k8s-watch-namespace=$(POD_NAMESPACE)"
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+```
+
+When deploying, if you want to explicitly watch all namespaces,
+then you'll need to set `watchAllNamespaces: true`. Otherwise,
+the default behaviour will be to watch the Release namespace or
+the namespace provided in the `k8WatchNamespace` value.