Merge pull request #117 from projectsyn/fix/olm-bgp-control-plane-rbac

Create RBAC to grant the OLM operator read-only access to Secrets in `kube-system`
projectsyn · Jun 20, 2024 · 2600c62 · 2600c62
2 parents bc2a6c6 + 76af66a
commit 2600c62
Show file tree

Hide file tree

Showing 4 changed files with 110 additions and 12 deletions.
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -15,6 +15,14 @@ parameters:
       "False": true
 
     cilium_helm_values:
+      bgpControlPlane:
+        secretNamespace:
+          # Ensure that Cilium's BGP control plane is configured to look for
+          # peering secrets in the same namespace where Cilium is installed.
+          # Without this, it's not possible to enable the BGP control plane
+          # when installing Cilium with OLM without patching the OLM RBAC.
+          # See also https://github.com/projectsyn/component-cilium/pull/117.
+          name: ${cilium:_namespace}
       cni:
         binPath: /var/lib/cni/bin
         confPath: /var/run/multus/cni/net.d

diff --git a/component/olm.jsonnet b/component/olm.jsonnet
@@ -63,21 +63,22 @@ local olmFiles = std.foldl(
   }
 );
 
+local metadata_name_map = {
+  opensource: {
+    CiliumConfig: 'cilium',
+    Deployment: 'cilium-olm',
+    OlmRole: 'cilium-olm',
+  },
+  enterprise: {
+    CiliumConfig: 'cilium-enterprise',
+    Deployment: 'cilium-ee-olm',
+    OlmRole: 'cilium-ee-olm',
+  },
+};
+
 local patchManifests = function(file, has_csv)
   local hasK8sHost = std.objectHas(helm.cilium_values, 'k8sServiceHost');
   local hasK8sPort = std.objectHas(helm.cilium_values, 'k8sServicePort');
-  local metadata_name_map = {
-    opensource: {
-      CiliumConfig: 'cilium',
-      Deployment: 'cilium-olm',
-      OlmRole: 'cilium-olm',
-    },
-    enterprise: {
-      CiliumConfig: 'cilium-enterprise',
-      Deployment: 'cilium-ee-olm',
-      OlmRole: 'cilium-ee-olm',
-    },
-  };
   local deploymentPatch = {
     spec+: {
       template+: {
@@ -211,13 +212,65 @@ local patchManifests = function(file, has_csv)
   else
     file;
 
+local olm_version =
+  local ver = params.olm.full_version;
+  local verparts = std.split(ver, '.');
+  local parseOrError(val, typ) =
+    local parsed = std.parseJson(val);
+    if std.isNumber(parsed) then
+      parsed
+    else
+      error
+        'Failed to parse %s version "%s" as number' % [
+          typ,
+          val,
+        ];
+  {
+    major: parseOrError(verparts[0], 'major'),
+    minor: parseOrError(verparts[1], 'minor'),
+  };
+
+local kubeSystemSecretRO = [
+  kube.Role(metadata_name_map[params.release].OlmRole) {
+    metadata+: {
+      namespace: 'kube-system',
+    },
+    rules: [
+      {
+        apiGroups: [ '' ],
+        resources: [ 'secrets' ],
+        verbs: [ 'get', 'list', 'watch' ],
+      },
+    ],
+  },
+  kube.RoleBinding(metadata_name_map[params.release].OlmRole) {
+    metadata+: {
+      namespace: 'kube-system',
+    },
+    roleRef: {
+      apiGroup: 'rbac.authorization.k8s.io',
+      kind: 'Role',
+      name: metadata_name_map[params.release].OlmRole,
+    },
+    subjects: [
+      {
+        kind: 'ServiceAccount',
+        namespace: 'cilium',
+        name: metadata_name_map[params.release].OlmRole,
+      },
+    ],
+  },
+];
+
+
 std.foldl(
   function(files, file) files { [std.strReplace(file.filename, '.yaml', '')]: file.contents },
   std.filter(
     function(obj) obj != null,
     std.map(function(obj) patchManifests(obj, olmFiles.has_csv), olmFiles.files),
   ),
   {
+    [if olm_version.minor <= 14 then '98_fixup_bgp_controlpane_rbac']: kubeSystemSecretRO,
     '99_cleanup': (import 'cleanup.libsonnet'),
   }
 )
diff --git a/tests/golden/olm-opensource/cilium/cilium/olm/98_fixup_bgp_controlpane_rbac.yaml b/tests/golden/olm-opensource/cilium/cilium/olm/98_fixup_bgp_controlpane_rbac.yaml
@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations: {}
+  labels:
+    name: cilium-olm
+  name: cilium-olm
+  namespace: kube-system
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: cilium-olm
+  name: cilium-olm
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-olm
+subjects:
+  - kind: ServiceAccount
+    name: cilium-olm
+    namespace: cilium
diff --git a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-07-cilium-ciliumconfig.yaml
@@ -4,6 +4,9 @@ metadata:
   name: cilium
   namespace: cilium
 spec:
+  bgpControlPlane:
+    secretNamespace:
+      name: cilium
   bpf:
     masquerade: false
   cni: