Merge pull request #129 from jacobweinstock/rbac

Standardize RBAC across all services; Update all service versions:

## Description

<!--- Please describe what this PR is going to change -->
All services can have either Role/RoleBinding or ClusterRole/ClusterRoleBinding RBAC objects. The default is Role/RoleBinding. All Tinkerbell services use controller-runtime for Kubernetes interactions. In controller-runtime, if Role/RoleBinding is used, then a Kubernetes namespace is required. If ClusterRole/ClusterRoleBinding is used, then no namespace should be specified. Each service has been updated to toggle its corresponding CLI flag for setting the namespace based on the RBAC type.

This also updates all service versions in the stack. This is needed as some of the services didn't have single namespaces properly.

## Why is this needed

<!--- Link to issue you have raised -->

Fixes: #120
Fixes: #117 

## How Has This Been Tested?
<!--- Please describe in detail how you tested your changes. -->
<!--- Include details of your testing environment, and the tests you ran to -->
<!--- see how your change affects other areas of the code, etc. -->


## How are existing users impacted? What migration steps/scripts do we need?

<!--- Fixes a bug, unblocks installation, removes a component of the stack etc -->
<!--- Requires a DB migration script, etc. -->


## Checklist:

I have:

- [ ] updated the documentation and/or roadmap (if required)
- [ ] added unit or e2e tests
- [ ] provided instructions on how to upgrade

tinkerbell/hegel/Chart.yaml

@@ -1,6 +1,7 @@
 apiVersion: v2
 name: hegel
 description: An instance metadata service
+icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.6
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.12.0"
+appVersion: "0.13.0"

tinkerbell/hegel/templates/deployment.yaml

@@ -32,6 +32,9 @@ spec:
         - args:
           - --backend=kubernetes
           - --http-addr=:{{ .Values.deployment.port }}
+          {{- if eq .Values.rbac.type "Role"}}
+          - --kubernetes-namespace={{ .Release.Namespace }}
+          {{- end }}
           {{- range .Values.args }}
           - {{ . }}
           {{- end }}

tinkerbell/hegel/templates/role.yaml

@@ -1,26 +1,13 @@
 {{- if .Values.deploy }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: {{ .Values.rbac.type }}
 metadata:
-  name: {{ .Values.roleName }}
+  name: {{ .Values.rbac.name }}
+  {{- if eq .Values.rbac.type "Role"  }}
   namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
 rules:
-  - apiGroups:
-      - tinkerbell.org
-    resources:
-      - hardware
-      - hardware/status
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - tinkerbell.org
-    resources:
-      - workflows
-      - workflows/status
-    verbs:
-      - get
-      - list
-      - watch
+  - apiGroups: ["tinkerbell.org"]
+    resources: ["hardware", "hardware/status"]
+    verbs: ["get", "watch", "list"]
 {{- end }}

tinkerbell/hegel/templates/rolebinding.yaml

@@ -1,13 +1,15 @@
 {{- if .Values.deploy }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: {{ printf "%sBinding" .Values.rbac.type }}
 metadata:
-  name: {{ .Values.roleBindingName }}
+  name: {{ .Values.rbac.bindingName }}
+  {{- if eq .Values.rbac.type "Role"  }}
   namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .Values.roleName }}
+  kind: {{ .Values.rbac.type }}
+  name: {{ .Values.rbac.name }}
 subjects:
   - kind: ServiceAccount
     name: {{ .Values.name }}

tinkerbell/hegel/values.schema.json

@@ -0,0 +1,142 @@
+{
+    "$schema": "http://json-schema.org/draft-04/schema#",
+    "type": "object",
+    "properties": {
+      "deploy": {
+        "type": "boolean"
+      },
+      "name": {
+        "type": "string"
+      },
+      "image": {
+        "type": "string"
+      },
+      "imagePullPolicy": {
+        "type": "string"
+      },
+      "replicas": {
+        "type": "integer"
+      },
+      "service": {
+        "type": "object",
+        "properties": {
+          "port": {
+            "type": "integer"
+          }
+        },
+        "required": [
+          "port"
+        ]
+      },
+      "deployment": {
+        "type": "object",
+        "properties": {
+          "port": {
+            "type": "integer"
+          },
+          "portName": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "port",
+          "portName"
+        ]
+      },
+      "resources": {
+        "type": "object",
+        "properties": {
+          "limits": {
+            "type": "object",
+            "properties": {
+              "cpu": {
+                "type": "string"
+              },
+              "memory": {
+                "type": "string"
+              }
+            },
+            "required": [
+              "cpu",
+              "memory"
+            ]
+          },
+          "requests": {
+            "type": "object",
+            "properties": {
+              "cpu": {
+                "type": "string"
+              },
+              "memory": {
+                "type": "string"
+              }
+            },
+            "required": [
+              "cpu",
+              "memory"
+            ]
+          }
+        },
+        "required": [
+          "limits",
+          "requests"
+        ]
+      },
+      "rbac": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "enum": ["Role", "ClusterRole"]
+          },
+          "name": {
+            "type": "string"
+          },
+          "bindingName": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "type",
+          "name",
+          "bindingName"
+        ]
+      },
+      "nodeSelector": {
+        "type": "object"
+      },
+      "trustedProxies": {
+        "type": "array",
+        "items": {}
+      },
+      "singleNodeClusterConfig": {
+        "type": "object",
+        "properties": {
+          "controlPlaneTolerationsEnabled": {
+            "type": "boolean"
+          },
+          "nodeAffinityWeight": {
+            "type": "integer"
+          }
+        },
+        "required": [
+          "controlPlaneTolerationsEnabled",
+          "nodeAffinityWeight"
+        ]
+      }
+    },
+    "required": [
+      "deploy",
+      "name",
+      "image",
+      "imagePullPolicy",
+      "replicas",
+      "service",
+      "deployment",
+      "resources",
+      "rbac",
+      "nodeSelector",
+      "trustedProxies",
+      "singleNodeClusterConfig"
+    ]
+  }

tinkerbell/hegel/values.yaml

@@ -1,6 +1,6 @@
 deploy: true
 name: hegel
-image: quay.io/tinkerbell/hegel:v0.12.0
+image: quay.io/tinkerbell/hegel:v0.13.0
 imagePullPolicy: IfNotPresent
 replicas: 1
 service:
@@ -15,8 +15,10 @@ resources:
   requests:
     cpu: 10m
     memory: 64Mi
-roleName: hegel-role
-roleBindingName: hegel-rolebinding
+rbac:
+  type: Role # or ClusterRole
+  name: hegel-role # or hegel-cluster-role
+  bindingName: hegel-rolebinding # or hegel-cluster-rolebinding
 nodeSelector: {}
 
 # Trusted proxies defines a list of IP or CIDR ranges that are allowed to set the X-Forwarded-For

tinkerbell/rufio/Chart.yaml

@@ -1,6 +1,7 @@
 apiVersion: v2
 name: rufio
-description: A Helm chart for Kubernetes
+description: Rufio handles BMC interactions for Tinkerbell
+icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.10
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.3.3"
+appVersion: "0.4.1"

tinkerbell/rufio/templates/deployment.yaml

@@ -41,6 +41,9 @@ spec:
         - /manager
         args:
         - --leader-elect
+        {{- if eq .Values.rbac.type "Role" }}
+        - -kube-namespace={{ .Release.Namespace }}
+        {{- end }}
         {{- range .Values.additionalArgs }}
         - {{ . }}
         {{- end }}

tinkerbell/rufio/templates/cluster-role-binding.yaml → tinkerbell/rufio/templates/role-binding.yaml

@@ -1,12 +1,15 @@
 {{- if .Values.deploy }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ printf "%sBinding" .Values.rbac.type }}
 metadata:
-  name: {{ .Values.managerRoleBindingName }}
+  name: {{ .Values.rbac.bindingName }}
+  {{- if eq .Values.rbac.type "Role"  }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ .Values.managerRoleName }}
+  kind: {{ .Values.rbac.type }}
+  name: {{ .Values.rbac.name }}
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.serviceAccountName }}