From 40dcaf115d549016110bfa79c30cfc536945bd81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Fri, 8 Dec 2023 15:15:13 -0500
Subject: [PATCH] Make Secure RBAC configurable

This patch adds a new field to the BarbicanAPI spec to configure "Consistent and Secure RBAC" [1]. The API configuration template was modified to use the value in this field instead of being hard-coded to always be on.

Jira: OSPRH-2129

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
---
 api/bases/barbican.openstack.org_barbicanapis.yaml | 5 +++++
 api/bases/barbican.openstack.org_barbicans.yaml | 5 +++++
 api/v1beta1/barbicanapi_types.go | 5 +++++
 api/v1beta1/common_types.go | 3 ++-
 .../bases/barbican.openstack.org_barbicanapis.yaml | 5 +++++
 .../crd/bases/barbican.openstack.org_barbicans.yaml | 5 +++++
 controllers/barbican_controller.go | 13 +++++++------
 controllers/barbicanapi_controller.go | 13 +++++++------
 templates/barbican/config/00-default.conf | 4 ++--
 9 files changed, 43 insertions(+), 15 deletions(-)

diff --git a/api/bases/barbican.openstack.org_barbicanapis.yaml b/api/bases/barbican.openstack.org_barbicanapis.yaml
index 699ca96..4069a53 100644
--- a/api/bases/barbican.openstack.org_barbicanapis.yaml
+++ b/api/bases/barbican.openstack.org_barbicanapis.yaml
@@ -99,6 +99,11 @@ spec: files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enableSecureRBAC: + default: true + description: EnableSecureRBAC - Enable Consistent and Secure RBAC + policies + type: boolean networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
diff --git a/api/bases/barbican.openstack.org_barbicans.yaml b/api/bases/barbican.openstack.org_barbicans.yaml
index d67a273..4d105ee 100644
--- a/api/bases/barbican.openstack.org_barbicans.yaml
+++ b/api/bases/barbican.openstack.org_barbicans.yaml
@@ -67,6 +67,11 @@ spec: add additional files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enableSecureRBAC: + default: true + description: EnableSecureRBAC - Enable Consistent and Secure RBAC + policies + type: boolean networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
diff --git a/api/v1beta1/barbicanapi_types.go b/api/v1beta1/barbicanapi_types.go
index 6471e58..545f331 100644
--- a/api/v1beta1/barbicanapi_types.go
+++ b/api/v1beta1/barbicanapi_types.go
@@ -27,6 +27,11 @@ type BarbicanAPITemplate struct {
 // Common input parameters for the Barbican API service
 BarbicanComponentTemplate `json:",inline"`
 
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default=true
+ // EnableSecureRBAC - Enable Consistent and Secure RBAC policies
+ EnableSecureRBAC bool `json:"enableSecureRBAC"`
+
 // Override, provides the ability to override the generated manifest of several child resources.
 Override APIOverrideSpec `json:"override,omitempty"`
 }
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
index 001bbec..877d8da 100644
--- a/api/v1beta1/common_types.go
+++ b/api/v1beta1/common_types.go
@@ -5,6 +5,7 @@ import (
 )
 
 // BarbicanTemplate defines common Spec elements for all Barbican components
+// including the top level CR
 type BarbicanTemplate struct {
 
 // +kubebuilder:validation:Optional
@@ -61,7 +62,7 @@ type BarbicanTemplate struct {
 ServiceAccount string `json:"serviceAccount"`
 }
 
-// BarbicanComponentTemplate - Variables used by every component of Barbican
+// BarbicanComponentTemplate - Variables used by every sub-component of Barbican
 // (e.g. API, Worker, Listener)
 type BarbicanComponentTemplate struct {
 
diff --git a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml
index 699ca96..4069a53 100644
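Review bot: The zero value of the new `EnableSecureRBAC` field is `false`, which in the 00-default.conf hunk of this same patch turns off both `enforce_scope` and `enforce_new_defaults`; because the field has no `omitempty`, any Go caller that builds a `BarbicanAPITemplate` without setting it serializes `enableSecureRBAC: false` explicitly and the CRD default of `true` never applies, so the enforcing state can be lost silently rather than through a deliberate opt-out. If that matters for this API, declaring the field as a `*bool` with `omitempty` (dereferenced with a `true` fallback in the two controllers) leaves an unset value to the API-server default. Independently, the doc comment should state what the flag controls and the cost of disabling it, e.g. `// EnableSecureRBAC - Enable Consistent and Secure RBAC policies (sets enforce_scope and enforce_new_defaults in [oslo_policy]); false reverts to the legacy, more permissive policy defaults.`. The enclosing `BarbicanAPITemplate` struct starts before this hunk.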
--- a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml
+++ b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml
@@ -99,6 +99,11 @@ spec: files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enableSecureRBAC: + default: true + description: EnableSecureRBAC - Enable Consistent and Secure RBAC + policies + type: boolean networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
diff --git a/config/crd/bases/barbican.openstack.org_barbicans.yaml b/config/crd/bases/barbican.openstack.org_barbicans.yaml
index d67a273..4d105ee 100644
--- a/config/crd/bases/barbican.openstack.org_barbicans.yaml
+++ b/config/crd/bases/barbican.openstack.org_barbicans.yaml
@@ -67,6 +67,11 @@ spec: add additional files. Those get added to the service config dir in /etc/ . TODO: -> implement' type: object + enableSecureRBAC: + default: true + description: EnableSecureRBAC - Enable Consistent and Secure RBAC + policies + type: boolean networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
diff --git a/controllers/barbican_controller.go b/controllers/barbican_controller.go
index 7a7da67..13c14b4 100644
--- a/controllers/barbican_controller.go
+++ b/controllers/barbican_controller.go
@@ -539,12 +539,13 @@ func (r *BarbicanReconciler) generateServiceConfig(
 instance.Status.DatabaseHostname,
 barbican.DatabaseName,
 ),
- "KeystoneAuthURL": keystoneInternalURL,
- "ServicePassword": string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]),
- "ServiceUser": instance.Spec.ServiceUser,
- "ServiceURL": "TODO",
- "TransportURL": string(transportURLSecret.Data["transport_url"]),
- "LogFile": fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
+ "KeystoneAuthURL": keystoneInternalURL,
+ "ServicePassword": string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]),
+ "ServiceUser": instance.Spec.ServiceUser,
+ "ServiceURL": "TODO",
+ "TransportURL": string(transportURLSecret.Data["transport_url"]),
+ "LogFile": fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
+ "enableSecureRBAC": instance.Spec.BarbicanAPI.EnableSecureRBAC,
 }
 
 return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false)
diff --git a/controllers/barbicanapi_controller.go b/controllers/barbicanapi_controller.go
index 2a08804..fc97a67 100644
--- a/controllers/barbicanapi_controller.go
+++ b/controllers/barbicanapi_controller.go
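Review bot: The new key `"enableSecureRBAC"` breaks the naming convention of the surrounding template parameters, where every other key is PascalCase (`"KeystoneAuthURL"`, `"LogFile"`); the same applies to the barbicanapi_controller.go hunk and to the two `{{ .enableSecureRBAC }}` references in 00-default.conf. Renaming it to `"EnableSecureRBAC"` in both controllers and the template keeps the map consistent with the Go field it mirrors. It would also help operators to see when enforcement has been relaxed: emitting an info-level log line through the reconciler's logger when the value is false (the instance name as a key/value pair) makes a permissive policy configuration visible in controller logs rather than only inside the rendered config. generateServiceConfig starts and ends outside this hunk.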
@@ -279,12 +279,13 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs(
 instance.Spec.DatabaseHostname,
 barbican.DatabaseName,
 ),
- "KeystoneAuthURL": keystoneInternalURL,
- "ServicePassword": string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]),
- "ServiceUser": instance.Spec.ServiceUser,
- "ServiceURL": "https://barbican.openstack.svc:9311",
- "TransportURL": string(transportURLSecret.Data["transport_url"]),
- "LogFile": fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
+ "KeystoneAuthURL": keystoneInternalURL,
+ "ServicePassword": string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]),
+ "ServiceUser": instance.Spec.ServiceUser,
+ "ServiceURL": "https://barbican.openstack.svc:9311",
+ "TransportURL": string(transportURLSecret.Data["transport_url"]),
+ "LogFile": fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
+ "enableSecureRBAC": instance.Spec.EnableSecureRBAC,
 }
 
 return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false)
diff --git a/templates/barbican/config/00-default.conf b/templates/barbican/config/00-default.conf
index ec21131..16d8cd2 100644
--- a/templates/barbican/config/00-default.conf
+++ b/templates/barbican/config/00-default.conf
@@ -28,8 +28,8 @@ topic = barbican_notifications
 driver=messagingv2
 
 [oslo_policy]
-enforce_scope = true
-enforce_new_defaults = true
+enforce_scope = {{ .enableSecureRBAC }}
+enforce_new_defaults = {{ .enableSecureRBAC }}
 
 [queue]
 enable = true
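Review bot: `{{ .enableSecureRBAC }}` has no fallback when the key is missing from the template data: if templateParameters is a `map[string]interface{}` (as the literals in the controller hunks suggest) and a caller does not set the key, text/template renders `<no value>` here unless the renderer behind GenerateConfigsGeneric runs with `missingkey=error`, and oslo.config would then reject the non-boolean value; with a Go bool in the map it renders `true`/`false`, which is fine. Both controllers in this patch do set the key, so this is latent rather than active, but it is worth confirming how that renderer treats missing keys, since a render-time failure is the preferable outcome over a silently permissive policy section. A one-line `# Both options follow spec.enableSecureRBAC; false restores the legacy policy defaults.` above `enforce_scope` would also document the coupling in the generated file.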