Roles (#262)

* feat: add role and clusterrole to chart

Signed-off-by: Engin Diri <[email protected]>

* feat: add role and clusterrole to chart

Signed-off-by: Engin Diri <[email protected]>

---------

Signed-off-by: Engin Diri <[email protected]>

charts/node-red/Chart.yaml

@@ -9,7 +9,7 @@ icon: https://nodered.org/about/resources/media/node-red-icon-2.png
 
 type: application
 
-version: 0.24.4
+version: 0.25.0
 appVersion: 3.0.2
 
 keywords:
@@ -29,7 +29,7 @@ maintainers:
 annotations:
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/changes: |
-    - add missing quotes to create valid yaml
+    - add role and clusterrole to chart
   artifacthub.io/images: |
     - name: node-red
       image: docker.io/nodered/node-red:3.0.2

charts/node-red/README.md

@@ -1,6 +1,6 @@
 # node-red ⚙
 
-![Version: 0.24.4](https://img.shields.io/badge/Version-0.24.4-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 3.0.2](https://img.shields.io/badge/AppVersion-3.0.2-informational?style=for-the-badge)
+![Version: 0.25.0](https://img.shields.io/badge/Version-0.25.0-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 3.0.2](https://img.shields.io/badge/AppVersion-3.0.2-informational?style=for-the-badge)
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/node-red&style=for-the-badge)](https://artifacthub.io/packages/search?repo=node-red)
 [![SIT](https://img.shields.io/badge/SIT-awesome-blueviolet.svg?style=for-the-badge)](https://jobs.schwarz)
@@ -16,7 +16,7 @@ A Helm chart for Node-Red, a low-code programming for event-driven applications
 To install the chart using the OCI artifact, run:
 
 ```bash
-helm install node-red oci://ghcr.io/schwarzit/charts/node-red --version 0.24.4
+helm install node-red oci://ghcr.io/schwarzit/charts/node-red --version 0.25.0
 ```
 
 ## Usage
@@ -32,7 +32,7 @@ helm repo update
 To install the chart with the release name node-red run:
 
 ```bash
-helm install node-red node-red/node-red --version 0.24.4
+helm install node-red node-red/node-red --version 0.25.0
 ```
 
 After a few seconds, node-red should be running.
@@ -61,6 +61,9 @@ The command removes all the Kubernetes components associated with the chart and
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | The affinity constraint |
+| clusterRoleRules.enabled | bool | `false` | Enable custom rules for the application controller's ClusterRole resource default: false |
+| clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource default: [] |
+| createClusterRole | bool | `false` | Create a ClusterRole resource for the node-red pod. default: false |
 | deploymentAnnotations | object | `{}` | Deployment annotations |
 | deploymentStrategy | string | `""` | Specifies the strategy used to replace old Pods by new ones, default: `RollingUpdate` |
 | env | list | `[]` | node-red env, see more environment variables in the [node-red documentation](https://nodered.org/docs/getting-started/docker) |

charts/node-red/scripts/flow_refresh.py

@@ -10,21 +10,25 @@
 import re
 
 # SET VARIABLES FROM CONTAINER ENVIRONMENT
-SLEEP_TIME_SIDECAR = 5 if os.getenv("SLEEP_TIME_SIDECAR") is None else int(re.sub("[A-z]", "", os.getenv("SLEEP_TIME_SIDECAR")))
+SLEEP_TIME_SIDECAR = 5 if os.getenv("SLEEP_TIME_SIDECAR") is None else int(
+    re.sub("[A-z]", "", os.getenv("SLEEP_TIME_SIDECAR")))
 USERNAME = os.getenv("USERNAME")
 PASSWORD = os.getenv("PASSWORD")
 URL = os.getenv("URL")
 # REQUEST CONNECTION PARAMETERS
 FLOW_REQ_RETRY_TOTAL = 20 if os.getenv("REQ_RETRY_TOTAL") is None else int(os.getenv("REQ_RETRY_TOTAL"))
 FLOW_REQ_RETRY_CONNECT = 30 if os.getenv("REQ_RETRY_CONNECT") is None else int(os.getenv("REQ_RETRY_CONNECT"))
 FLOW_REQ_RETRY_READ = 15 if os.getenv("REQ_RETRY_READ") is None else int(os.getenv("REQ_RETRY_READ"))
-FLOW_REQ_RETRY_BACKOFF_FACTOR = 1.1 if os.getenv("REQ_RETRY_BACKOFF_FACTOR") is None else float(os.getenv("REQ_RETRY_BACKOFF_FACTOR"))
+FLOW_REQ_RETRY_BACKOFF_FACTOR = 1.1 if os.getenv("REQ_RETRY_BACKOFF_FACTOR") is None else float(
+    os.getenv("REQ_RETRY_BACKOFF_FACTOR"))
 FLOW_REQ_TIMEOUT = 60 if os.getenv("REQ_TIMEOUT") is None else float(os.getenv("REQ_TIMEOUT"))
 FLOW_REQ_TLS_VERIFY = False if os.getenv("REQ_SKIP_TLS_VERIFY") == "true" else None
 
-EXTRA_NODE_MODULES = None if os.path.isfile('/data/extra-node-modules.json') is False else json.load((open('/data/extra-node-modules.json', "r")))
+EXTRA_NODE_MODULES = None if os.path.isfile('/data/extra-node-modules.json') is False else json.load(
+    (open('/data/extra-node-modules.json', "r")))
 script_errors = {}
 
+
 def main():
     print("----START PYTHON SIDECAR SCRIPT----")
     print("node-red node module install and flow refresh api call via k8s-sidecar")
@@ -42,37 +46,55 @@ def main():
     r.mount("http://", HTTPAdapter(max_retries=retries))
     r.mount("https://", HTTPAdapter(max_retries=retries))
 
-    # GET NODE RED BEARER TOKEN
-    print("----TOKEN----")
-    payload_token = {
-        "client_id": "node-red-admin",
-        "grant_type": "password",
-        "scope": "*",
-        "username": USERNAME,
-        "password": PASSWORD,
-    }
-    r_token = r.post(
-        "%s" % URL + "/auth/token",
-        data=payload_token,
-        timeout=FLOW_REQ_TIMEOUT,
-        verify=FLOW_REQ_TLS_VERIFY,
+    # Make the request
+    authenticationScheme = r.get(
+        "%s" % URL + "/auth/login",
     )
-    if r_token.status_code == requests.codes.ok:
-        print(f"node-red bearer token successfully created - {r_token.status_code}")
-        token = json.loads(r_token.text)["access_token"]
+
+    try:
+        data = authenticationScheme.json()
+    except json.JSONDecodeError:
+        print("Received non-JSON response.")
+        sys.exit(1)
+
+    # Check if the data is an empty object
+    if data == {}:
+        print("Empty authentication scheme response.")
+        token = None
     else:
-        print(f"could not create bearer token.... {r_token.status_code}")
-        sys.exit(r_token.status_code)
+        # GET NODE RED BEARER TOKEN
+        print("----TOKEN----")
+        payload_token = {
+            "client_id": "node-red-admin",
+            "grant_type": "password",
+            "scope": "*",
+            "username": USERNAME,
+            "password": PASSWORD,
+        }
+        r_token = r.post(
+            "%s" % URL + "/auth/token",
+            data=payload_token,
+            timeout=FLOW_REQ_TIMEOUT,
+            verify=FLOW_REQ_TLS_VERIFY,
+        )
+        if r_token.status_code == requests.codes.ok:
+            print(f"node-red bearer token successfully created - {r_token.status_code}")
+            token = json.loads(r_token.text)["access_token"]
+        else:
+            print(f"could not create bearer token.... {r_token.status_code}")
+            sys.exit(r_token.status_code)
 
     # NODE MODULE INSTALL VIA HELM SIDECAR EXTRA NODE MODULES CONFIG MAP
     print("----INSTALL EXTRA NODE MODULES----")
     if EXTRA_NODE_MODULES is not None:
         print(f"found extra node modules in configmap - {EXTRA_NODE_MODULES}")
         # GET ISNTALLED NODE MODULES
         headers_node_module = {
-            "Authorization": "Bearer" + " " + token,
             "Accept": "application/json",
         }
+        if token:
+            # If token has a value, add Authorization to headers
+            headers_node_module["Authorization"] = "Bearer" + " " + token
         r_node_modules = r.get(
             "%s" % URL + "/nodes",
             headers=headers_node_module,
@@ -88,9 +110,11 @@ def main():
             if module not in modules_installed:
                 payload_node_module = '{"module": "' + module + '"}'
                 headers_node_module = {
-                    "Authorization": "Bearer" + " " + token,
                     "Content-type": "application/json",
                 }
+                if token:
+                    # If token has a value, add Authorization to headers
+                    headers_node_module["Authorization"] = "Bearer" + " " + token
                 # INSTALL NODE MODULES FROM ITERATION
                 r_node_modules = r.post(
                     "%s" % URL + "/nodes",
@@ -115,11 +139,13 @@ def main():
     print("----RELOAD FLOWS----")
     payload_flow_refresh = '{"flows": [{"type": "tab"}]}'
     headers_flow_refresh = {
-        "Authorization": "Bearer" + " " + token,
         "content-type": "application/json; charset=utf-8",
         "Node-RED-Deployment-Type": "reload",
         "Node-RED-API-Version": "v2",
     }
+    if token:
+        # If token has a value, add Authorization to headers
+        headers_flow_refresh["Authorization"] = "Bearer" + " " + token
 
     r_flow_refresh = r.post(
         "%s" % URL + "/flows",
@@ -140,10 +166,11 @@ def main():
     print("----SCRIPT EXIT----")
     if script_errors:
         print(json.dumps(script_errors, indent=4))
-        sys.exit("script error")
+        sys.exit("script errors found...")
     else:
-        print("yeah right")
+        print("no script errors found...")
         sys.exit(0)
 
+
 if __name__ == "__main__":
-    main()
+    main()

charts/node-red/templates/certificates.yaml

@@ -5,6 +5,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ $value.certificate.name | default (printf "%s-%d" $name $index) | trunc 63 | trimSuffix "-" }}
+  namespace: {{ .Release.Namespace | quote }}
 spec:
   commonName: {{ index $value.hosts 0 }}
   dnsNames:
@@ -14,4 +15,4 @@ spec:
   secretName: {{ $value.secretName }}
 ---
 {{- end }}
-{{- end }}
+{{- end }}

charts/node-red/templates/clusterrole.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.createClusterRole }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "node-red.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+      {{- include "node-red.labels" . | nindent 4 }}
+rules:
+  {{- if .Values.clusterRoleRules.enabled }}
+    {{- toYaml .Values.clusterRoleRules.rules | nindent 2 }}
+  {{- else }}
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  {{- end }}
+{{- end }}

charts/node-red/templates/clusterrolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.createClusterRole }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "node-red.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "node-red.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "node-red.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "node-red.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/node-red/templates/deployment.yaml

@@ -6,6 +6,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   name: {{ include "node-red.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "node-red.labels" . | nindent 4 }}
 spec:
@@ -69,8 +70,10 @@ spec:
           {{- end }}
           - name: URL
             value: {{ printf "http://%s.%s.svc.cluster.local:%d" (include "node-red.fullname" .) .Release.Namespace (.Values.service.port | int) }}
+          {{ if .Values.sidecar.env.username }}
           - name: USERNAME
-            value: {{ required "please set the username for API refresh call" .Values.sidecar.env.username }}
+            value: {{ .Values.sidecar.env.username }}
+          {{- end }}
           {{- if or .Values.sidecar.env.password .Values.sidecar.env.passwordFromExistingSecret }}
           - name: PASSWORD
           {{- if .Values.sidecar.env.password }}

charts/node-red/templates/ingress.yaml

@@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "node-red.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}

charts/node-red/templates/npmrc-cm.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "node-red.configMapName" . }}
+  namespace: {{ .Release.Namespace | quote }}
 data:
   npmrc: |
 {{- if .Values.npmrc.registry }}

charts/node-red/templates/pvc.yaml

@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ template "node-red.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
   labels:
     app.kubernetes.io/name: {{ include "node-red.name" . }}
     helm.sh/chart: {{ include "node-red.chart" . }}

charts/node-red/templates/role.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "node-red.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+      {{- include "node-red.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+      - services
+    verbs:
+      - get
+      - list
+      - watch

charts/node-red/templates/rolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "node-red.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+      {{- include "node-red.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "node-red.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "node-red.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace | quote }}

charts/node-red/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "node-red.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "node-red.labels" . | nindent 4 }}
 spec:

charts/node-red/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "node-red.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "node-red.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

charts/node-red/templates/servicemonitor.yaml

@@ -5,6 +5,8 @@ metadata:
   name: {{ template "node-red.fullname" . }}
   {{- if .Values.metrics.serviceMonitor.namespace }}
   namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+  {{- else }}
+  namespace: {{ .Release.Namespace | quote }}
   {{- end }}
   labels:
     {{- include "node-red.labels" . | nindent 4 }}
@@ -39,4 +41,4 @@ spec:
   selector:
     matchLabels:
       {{- include "node-red.selectorLabels" . | nindent 6 }}
-{{- end }}
+{{- end }}

charts/node-red/templates/sidecar-cm.yaml

@@ -10,6 +10,7 @@ data:
 kind: ConfigMap
 metadata:
   name: {{ include "node-red.sidecarConfigMapName" . }}
+  namespace: {{ .Release.Namespace | quote }}
   labels:
     {{ .Values.sidecar.env.label}}: {{ .Values.sidecar.env.label_value | quote}}
 {{- end }}

charts/node-red/values.yaml

@@ -232,6 +232,16 @@ extraSidecars: []
 #    image: busybox
 #    command: ["/bin/sh", "-c", "echo hello from sidecar"]
 
+# -- Create a ClusterRole resource for the node-red pod. default: false
+createClusterRole: false
+
+## -- Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
+clusterRoleRules:
+  # -- Enable custom rules for the application controller's ClusterRole resource default: false
+  enabled: false
+  # -- List of custom rules for the application controller's ClusterRole resource default: []
+  rules: []
+
 # Sidecar that collect the configmaps with specified label and stores the included files into the given folder
 sidecar:
   # -- Enable the sidecar