Added basic RBAC

Depends-On: https://review.opendev.org/721365
Depends-On: https://review.opendev.org/721369
Change-Id: Id7a01e39d9cd2bbecdb77bd5285b98e92eecf7c2

.zuul.yaml

@@ -0,0 +1,29 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- job:
+    name: rbac-helm-functional
+    parent: apply-helm-charts
+    run: playbooks/functional.yaml
+
+- project:
+    check:
+      jobs:
+        - chart-testing-lint
+        - rbac-helm-functional
+    gate:
+      jobs:
+        - chart-testing-lint
+        - rbac-helm-functional

charts/rbac/Chart.yaml

@@ -0,0 +1,21 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+name: rbac
+description: RBAC for Kubernetes cluster
+version: 0.0.0
+appVersion: 0.0.0
+home: https://opendev.org/vexxhost/rbac-helm

charts/rbac/templates/clusterrole-members.yaml

@@ -0,0 +1,36 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: rbac-members
+rules:
+# List and get nodes
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list"]
+# List all get applications
+- apiGroups: ["apps"]
+  resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
+  verbs: ["get", "list"]
+# List and get pods
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list"]
+# View logs for pods
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get", "list"]

charts/rbac/templates/clusterrolebinding-admins.yaml

@@ -0,0 +1,29 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rbac-admins
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+{{- range .Values.admins }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: {{ . }}
+{{- end }}

charts/rbac/templates/clusterrolebinding-members.yaml

@@ -0,0 +1,29 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rbac-members
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rbac-members
+subjects:
+{{- range .Values.members }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: {{ . }}
+{{- end }}

charts/rbac/test-values.yaml

@@ -0,0 +1,18 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+admins: []
+members:
+- system:serviceaccount:default:test-member

charts/rbac/values.yaml

@@ -0,0 +1,17 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+admins: []
+members: []

playbooks/functional.yaml

@@ -0,0 +1,50 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: all
+  roles:
+    - name: helm-template
+      helm_release_name: rbac
+      helm_chart: charts/rbac
+      helm_wait_for_pods: false
+      helm_values_file: charts/rbac/test-values.yaml
+  tasks:
+    - import_tasks: tasks/setup-test-context.yaml
+
+    # List and get nodes
+    - name: Ensure listing nodes works
+      shell: kubectl --context=test get nodes
+    - name: Ensure getting a node works
+      shell: kubectl --context=test get $(kubectl get nodes -oname | head -1)
+
+    # List and get applications
+    - name: Ensure listing applications works
+      shell: kubectl --context=test get {{ item }}
+      loop:
+        - daemonsets
+        - deployments
+        - replicasets
+        - statefulsets
+    # TODO: Get applications
+
+    # List and get pods
+    - name: Ensure listing pods works
+      shell: kubectl --context=test -n kube-system get pods
+    - name: Ensure getting a pod works
+      shell: kubectl --context=test -n kube-system get $(kubectl -n kube-system get pods -oname | head -1)
+
+    # View logs for pods
+    - name: Ensure getting logs for a pod works
+      shell: kubectl --context=test -n kube-system logs $(kubectl -n kube-system get pods -oname | head -1)

playbooks/tasks/setup-test-context.yaml

@@ -0,0 +1,37 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create ServiceAccount
+  shell: |
+    cat <<EOF | kubectl apply -f-
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: test-member
+    EOF
+
+- name: Get secret name
+  shell: kubectl get sa/test-member -ojsonpath='{.secrets[0].name}'
+  register: _kubectl_get_sa
+
+- name: Get account token
+  shell: kubectl get secret/{{ _kubectl_get_sa.stdout }} -ojsonpath='{.data.token}' | base64 --decode
+  register: _token
+
+- name: Create credentials
+  shell: kubectl config set-credentials test-member --token={{ _token.stdout }}
+
+- name: Create test context
+  shell: kubectl config set-context test --cluster=minikube --user=test-member