From 8c2869ca47e8101b6c6a6263c7a89b21f81bea3d Mon Sep 17 00:00:00 2001
From: Brandon Dunne
Date: Mon, 25 Sep 2023 18:13:06 -0400
Subject: [PATCH] Add RBAC for the workflow worker
---
 .../v1alpha1/helpers/miq-components/rbac.go | 82 +++++++++++++++++++
 .../controller/manageiq_controller.go | 23 ++++++
 2 files changed, 105 insertions(+)
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/rbac.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/rbac.go
index 74e88a70d..9c43be380 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/rbac.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/rbac.go
@@ -5,6 +5,7 @@ import (
 miqv1alpha1 "github.com/ManageIQ/manageiq-pods/manageiq-operator/api/v1alpha1"
 corev1 "k8s.io/api/core/v1"
+ rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -52,3 +53,84 @@ func DefaultServiceAccount(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*c
 return sa, f
 }
+
+func WorkflowRole(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*rbacv1.Role, controllerutil.MutateFn) {
+ role := &rbacv1.Role{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "manageiq-workflow",
+ Namespace: cr.ObjectMeta.Namespace,
+ },
+ }
+
+ f := func() error {
+ if err := controllerutil.SetControllerReference(cr, role, scheme); err != nil {
+ return err
+ }
+
+ role.Rules = []rbacv1.PolicyRule{
+ rbacv1.PolicyRule{
+ APIGroups: []string{""},
+ Resources: []string{"pods", "secrets"},
+ Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+ },
+ }
+
+ return nil
+ }
+
+ return role, f
+}
+
+func WorkflowRoleBinding(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*rbacv1.RoleBinding, controllerutil.MutateFn) {
+ rb := &rbacv1.RoleBinding{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "manageiq-workflow",
+ Namespace: cr.ObjectMeta.Namespace,
+ },
+ }
+
+ f := func() error {
+ if err := controllerutil.SetControllerReference(cr, rb, scheme); err != nil {
+ return err
+ }
+
+ rb.RoleRef = rbacv1.RoleRef{
+ Kind: "Role",
+ Name: "manageiq-workflow",
+ APIGroup: "rbac.authorization.k8s.io",
+ }
+ rb.Subjects = []rbacv1.Subject{
+ rbacv1.Subject{
+ Kind: "ServiceAccount",
+ Name: "manageiq-workflow",
+ },
+ }
+
+ return nil
+ }
+
+ return rb, f
+}
+
+func WorkflowServiceAccount(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*corev1.ServiceAccount, controllerutil.MutateFn) {
+ sa := &corev1.ServiceAccount{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "manageiq-workflow",
+ Namespace: cr.ObjectMeta.Namespace,
+ },
+ }
+
+ f := func() error {
+ if err := controllerutil.SetControllerReference(cr, sa, scheme); err != nil {
+ return err
+ }
+
+ if cr.Spec.ImagePullSecret != "" {
+ addSAPullSecret(sa, cr.Spec.ImagePullSecret)
+ }
+
+ return nil
+ }
+
+ return sa, f
+}
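Review bot: The `rbacv1.Subject` built in `WorkflowRoleBinding` has no `Namespace`, and the API server's RBAC validation requires a namespace on a ServiceAccount subject, so the binding would be rejected on create; add `Namespace: cr.ObjectMeta.Namespace,` next to `Name: "manageiq-workflow",` in the subject. The single rule in `WorkflowRole` hands the workflow pods create/delete/get/list/patch/update/watch on every Secret and Pod in the namespace, which is the same namespace that holds the application's own credentials; if the worker only needs particular secrets, narrow the grant with `ResourceNames`, and otherwise a comment above `role.Rules` stating why the full verb set on `secrets` and `pods` is required would help the next reviewer judge it. The literal `"manageiq-workflow"` appears five times across the three functions and the `RoleRef`; a single `const workflowName = "manageiq-workflow"` would keep the Role, RoleBinding, subject and ServiceAccount names from drifting apart. The element types `rbacv1.PolicyRule{` and `rbacv1.Subject{` inside the slice literals are redundant and `gofmt -s` removes them. The hunk opens on the tail of `DefaultServiceAccount`, whose start is outside the hunk.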
diff --git a/manageiq-operator/internal/controller/manageiq_controller.go b/manageiq-operator/internal/controller/manageiq_controller.go
index f860cfc9d..e45defa0e 100644
--- a/manageiq-operator/internal/controller/manageiq_controller.go
+++ b/manageiq-operator/internal/controller/manageiq_controller.go
@@ -149,11 +149,13 @@ func (r *ManageIQReconciler) Reconcile(ctx context.Context, request ctrl.Request
 if e := r.manageApplicationResources(miqInstance); e != nil {
 return reconcile.Result{}, e
 }
+ logger.Info("Reconciling the CR status...")
 if err := r.updateManageIQStatus(miqInstance); err != nil {
 reqLogger.Error(err, "Failed setting ManageIQ status")
 return reconcile.Result{}, err
 }
+ logger.Info("Reconcile complete.")
 return reconcile.Result{}, nil
 }
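Review bot: The two added lines log through `logger` while the existing line between them logs through `reqLogger`, so one reconcile pass now writes to two different loggers. If `logger` is the package-level logger (it is used the same way in `manageApplicationResources`, which suggests so), these lines lack whatever request fields `reqLogger` carries, and the "Reconciling the CR status..." and "Reconcile complete." entries cannot be correlated with the request they belong to; `reqLogger.Info("Reconciling the CR status...")` and `reqLogger.Info("Reconcile complete.")` would keep them together. The body of `Reconcile` starts above the hunk.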
@@ -832,5 +834,26 @@ func (r *ManageIQReconciler) manageApplicationResources(cr *miqv1alpha1.ManageIQ
 logger.Info("ConfigMap has been reconciled", "component", "application remote console", "result", result)
 }
+ role, mutateFunc := miqtool.WorkflowRole(cr, r.Scheme)
+ if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, role, mutateFunc); err != nil {
+ return err
+ } else if result != controllerutil.OperationResultNone {
+ logger.Info("Role has been reconciled", "component", "workflow", "result", result)
+ }
+
+ roleBinding, mutateFunc := miqtool.WorkflowRoleBinding(cr, r.Scheme)
+ if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, roleBinding, mutateFunc); err != nil {
+ return err
+ } else if result != controllerutil.OperationResultNone {
+ logger.Info("RoleBinding has been reconciled", "component", "workflow", "result", result)
+ }
+
+ serviceAccount, mutateFunc := miqtool.WorkflowServiceAccount(cr, r.Scheme)
+ if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, serviceAccount, mutateFunc); err != nil {
+ return err
+ } else if result != controllerutil.OperationResultNone {
+ logger.Info("ServiceAccount has been reconciled", "component", "workflow", "result", result)
+ }
+
 return nil
 }
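Review bot: Creating a Role and RoleBinding from the reconciler means the operator's own RBAC must allow `roles` and `rolebindings` in `rbac.authorization.k8s.io`, and because the API server blocks privilege escalation the operator also has to already hold every permission `WorkflowRole` grants (all seven verbs on `pods` and `secrets` in the namespace) or be granted the `escalate` and `bind` verbs; this patch does not touch the operator's deployment manifests, so confirm they cover this, otherwise the `CreateOrUpdate` for `role` fails at runtime and the whole `manageApplicationResources` call returns an error. A smaller point: the Role and RoleBinding are reconciled before the ServiceAccount they bind; the API accepts a binding to a not-yet-existing account, but creating `serviceAccount` first reads more naturally and avoids leaving a dangling binding if a later step fails. `manageApplicationResources` starts above the hunk.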