Merge pull request #8878 from BlaineEXE/initial-generate-rbac-from-helm

build: start tracking rbac generated from helm chart

.github/workflows/build.yml

@@ -54,6 +54,25 @@ jobs:
       working-directory: /Users/runner/go/src/github.com/rook/rook
       run: tests/scripts/validate_modified_files.sh crd
 
+    # needed for gen-rbac
+    - name: Setup python
+      uses: actions/setup-python@v2
+      with:
+        python-version: "3.9"
+
+    - name: Install pip dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install ruamel.yaml==0.17.16
+
+    - name: run gen-rbac
+      working-directory: /Users/runner/go/src/github.com/rook/rook
+      run: GOPATH=$(go env GOPATH) make gen-rbac
+
+    - name: validate gen-rbac
+      working-directory: /Users/runner/go/src/github.com/rook/rook
+      run: tests/scripts/validate_modified_files.sh gen-rbac
+
     - name: setup tmate session for debugging
       if: failure()
       uses: mxschmitt/action-tmate@v3

.github/workflows/rbac-gen.yaml

@@ -0,0 +1,51 @@
+name: Generate RBAC from Helm charts
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - master
+      - release-*
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+defaults:
+  run:
+    # reference: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell
+    shell: bash --noprofile --norc -eo pipefail -x {0}
+
+jobs:
+  gen-rbac:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/setup-go@v2
+      with:
+        go-version: 1.16
+
+    - name: checkout
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+
+    - name: copy working directory to GOPATH
+      run: sudo mkdir -p /home/runner/go/src/github.com && sudo cp -a /home/runner/work/rook /home/runner/go/src/github.com/
+
+    - name: Setup python
+      uses: actions/setup-python@v2
+      with:
+        python-version: "3.9"
+
+    - name: Install pip dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install ruamel.yaml==0.17.16
+
+    - name: run gen-rbac
+      working-directory: /home/runner/go/src/github.com/rook/rook
+      run: GOPATH=$(go env GOPATH) make gen-rbac
+
+    - name: validate gen-rbac
+      working-directory: /home/runner/go/src/github.com/rook/rook
+      run: tests/scripts/validate_modified_files.sh gen-rbac

Makefile

@@ -13,6 +13,7 @@
 # limitations under the License.
 
 include build/makelib/common.mk
+include build/makelib/helm.mk
 
 .PHONY: all
 all: build
@@ -177,6 +178,9 @@ crds: $(CONTROLLER_GEN) $(YQ)
 	@echo Updating CRD manifests
 	@build/crds/build-crds.sh $(CONTROLLER_GEN) $(YQ)
 
+gen-rbac: $(HELM) ## generate RBAC from Helm charts
+	HELM=$(HELM) ./build/rbac/get-helm-rbac.sh
+
 .PHONY: all build.common cross.build.parallel
 .PHONY: build build.all install test check vet fmt codegen mod.check clean distclean prune
 

build/rbac/get-helm-rbac.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -eEuox pipefail
+
+: ${HELM:=helm}
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+pushd "$SCRIPT_DIR"
+
+${HELM} dependency update ../../cluster/charts/rook-ceph
+${HELM} template ../../cluster/charts/rook-ceph \
+                  --namespace rook-ceph \
+                  --set crds.enabled=false | ./keep-rbac-yaml.py > rbac.yaml
+
+popd

build/rbac/keep-rbac-yaml.py

@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+
+# Read any number of YAML documents from stdin, and output RBAC-related documents to stdout sorted
+# by Kubernetes Kind then Name.
+
+import sys
+
+# ruamel.yaml is a small fork from the python standard yaml library that preserves comments
+import ruamel.yaml
+
+# All the Kubernetes Kinds that we want to keep as RBAC
+rbac_kinds = [
+    "PodSecurityPolicy",
+    "ServiceAccount",
+    "ClusterRole",
+    "ClusterRoleBinding",
+    "Role",
+    "RoleBinding",
+]
+
+# Log to stderr
+def log(*values):
+    print(*values, file=sys.stderr, flush=True)
+
+# Return <Kind>/<name> for a Kubernetes resource from a yaml doc
+def kind_and_name(doc):
+    return doc["kind"] + "/" + doc["metadata"]["name"]
+
+
+# Set up and configure the yaml parser/dumper
+yaml=ruamel.yaml.YAML()
+# output lists in the form that is indented from the parent like below
+# parent:
+#   - list
+#   - items
+yaml.indent(sequence=4, offset=2)
+
+all_docs = yaml.load_all(sys.stdin.read())
+
+kept_docs = []
+docs_processed = 0
+for doc in all_docs:
+    docs_processed += 1
+    kind = doc["kind"]
+    if kind not in rbac_kinds:
+        # we don't want non-RBAC resources
+        log("discarding doc:", kind_and_name(doc))
+        continue
+    log("keeping doc:", kind_and_name(doc))
+
+    # helm adds '# Source: <file>' comments to the top of each yaml doc. Strip these.
+    if doc.ca is not None and doc.ca.comment is not None:
+        comments = doc.ca.comment[1]
+        for comment in comments:
+            if comment.value.startswith("# Source: ") and comment.value.endswith(".yaml\n"):
+                log("  dropping comment:", comment.value.strip())
+                comments.remove(comment)
+
+    # helm-managed resources have a "chart" label, but we remove those for rendered RBAC
+    if "labels" in doc["metadata"] and "chart" in doc["metadata"]["labels"]:
+        log("  dropping 'chart' label")
+        del doc["metadata"]["labels"]["chart"]
+
+    kept_docs.append(doc)
+
+
+kept_docs.sort(key=kind_and_name)
+
+# Log to stderr the overall list of docs kept and a summary
+for doc in kept_docs:
+    log(kind_and_name(doc))
+log("docs processed:", docs_processed)
+log("docs kept     :", len(kept_docs))
+
+
+# Dump to stdout (this should be the only time this script writes to stdout)
+yaml.dump_all(kept_docs, sys.stdout)