Merge pull request #8878 from BlaineEXE/initial-generate-rbac-from-helm
build: start tracking rbac generated from helm chart
Showing
7 changed files
with
1,409 additions
and
1 deletion.
@@ -0,0 +1,51 @@ | ||
name: Generate RBAC from Helm charts | ||
on: | ||
push: | ||
tags: | ||
- v* | ||
branches: | ||
- master | ||
- release-* | ||
pull_request: | ||
branches: | ||
- master | ||
- release-* | ||
|
||
defaults: | ||
run: | ||
# reference: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell | ||
shell: bash --noprofile --norc -eo pipefail -x {0} | ||
|
||
jobs: | ||
gen-rbac: | ||
runs-on: ubuntu-18.04 | ||
steps: | ||
- uses: actions/setup-go@v2 | ||
with: | ||
go-version: 1.16 | ||
|
||
- name: checkout | ||
uses: actions/checkout@v2 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: copy working directory to GOPATH | ||
run: sudo mkdir -p /home/runner/go/src/github.com && sudo cp -a /home/runner/work/rook /home/runner/go/src/github.com/ | ||
|
||
- name: Setup python | ||
uses: actions/setup-python@v2 | ||
with: | ||
python-version: "3.9" | ||
|
||
- name: Install pip dependencies | ||
run: | | ||
python -m pip install --upgrade pip | ||
pip install ruamel.yaml==0.17.16 | ||
- name: run gen-rbac | ||
working-directory: /home/runner/go/src/github.com/rook/rook | ||
run: GOPATH=$(go env GOPATH) make gen-rbac | ||
|
||
- name: validate gen-rbac | ||
working-directory: /home/runner/go/src/github.com/rook/rook | ||
run: tests/scripts/validate_modified_files.sh gen-rbac |
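Review bot: The three actions (`actions/setup-go@v2`, `actions/checkout@v2`, `actions/setup-python@v2`) are referenced by floating major tags and the workflow declares no `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scope the repository grants and with whatever code those tags resolve to on a given day. This job only reads the tree and fails on unexpected modifications, so it needs nothing beyond read access: add `permissions:` / `  contents: read` at the top level, and pin each `uses:` to a full commit SHA with the tag kept in a trailing comment. `pip install ruamel.yaml==0.17.16` pins the version but not the artifact hash; `pip install --require-hashes -r <file>` would close that gap if the project is willing to keep a small requirements file for this job. The `-x` in the default shell echoes every command into the log, which is harmless here since no secrets appear in this workflow, but worth remembering if any are added later.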
@@ -0,0 +1,14 @@ | ||
#!/usr/bin/env bash | ||
set -eEuox pipefail | ||
|
||
: ${HELM:=helm} | ||
|
||
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" | ||
pushd "$SCRIPT_DIR" | ||
|
||
${HELM} dependency update ../../cluster/charts/rook-ceph | ||
${HELM} template ../../cluster/charts/rook-ceph \ | ||
--namespace rook-ceph \ | ||
--set crds.enabled=false | ./keep-rbac-yaml.py > rbac.yaml | ||
|
||
popd |
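Review bot: `${HELM} template ... | ./keep-rbac-yaml.py > rbac.yaml` truncates rbac.yaml before either command has produced a byte, so a failed helm render or a Python traceback leaves an empty or partial rbac.yaml in the tree, and because `set -eEuo pipefail` aborts the script at that point nothing restores the previous content. Rendering into a temporary file and moving it into place only on success avoids shipping a truncated RBAC manifest: `--set crds.enabled=false | ./keep-rbac-yaml.py > rbac.yaml.tmp` followed by `mv rbac.yaml.tmp rbac.yaml`. `helm dependency update` may contact chart repositories if the rook-ceph chart declares dependencies (not visible here); if it does, the generated RBAC depends on what those repositories serve at run time, so the resolved versions should be pinned via the chart's lock file to keep this output reproducible.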
@@ -0,0 +1,77 @@ | ||
#!/usr/bin/env python3 | ||
|
||
# Read any number of YAML documents from stdin, and output RBAC-related documents to stdout sorted | ||
# by Kubernetes Kind then Name. | ||
|
||
import sys | ||
|
||
# ruamel.yaml is a small fork from the python standard yaml library that preserves comments | ||
import ruamel.yaml | ||
|
||
# All the Kubernetes Kinds that we want to keep as RBAC | ||
rbac_kinds = [ | ||
"PodSecurityPolicy", | ||
"ServiceAccount", | ||
"ClusterRole", | ||
"ClusterRoleBinding", | ||
"Role", | ||
"RoleBinding", | ||
] | ||
|
||
# Log to stderr | ||
def log(*values): | ||
print(*values, file=sys.stderr, flush=True) | ||
|
||
# Return <Kind>/<name> for a Kubernetes resource from a yaml doc | ||
def kind_and_name(doc): | ||
return doc["kind"] + "/" + doc["metadata"]["name"] | ||
|
||
|
||
# Set up and configure the yaml parser/dumper | ||
yaml=ruamel.yaml.YAML() | ||
# output lists in the form that is indented from the parent like below | ||
# parent: | ||
# - list | ||
# - items | ||
yaml.indent(sequence=4, offset=2) | ||
|
||
all_docs = yaml.load_all(sys.stdin.read()) | ||
|
||
kept_docs = [] | ||
docs_processed = 0 | ||
for doc in all_docs: | ||
docs_processed += 1 | ||
kind = doc["kind"] | ||
if kind not in rbac_kinds: | ||
# we don't want non-RBAC resources | ||
log("discarding doc:", kind_and_name(doc)) | ||
continue | ||
log("keeping doc:", kind_and_name(doc)) | ||
|
||
# helm adds '# Source: <file>' comments to the top of each yaml doc. Strip these. | ||
if doc.ca is not None and doc.ca.comment is not None: | ||
comments = doc.ca.comment[1] | ||
for comment in comments: | ||
if comment.value.startswith("# Source: ") and comment.value.endswith(".yaml\n"): | ||
log(" dropping comment:", comment.value.strip()) | ||
comments.remove(comment) | ||
|
||
# helm-managed resources have a "chart" label, but we remove those for rendered RBAC | ||
if "labels" in doc["metadata"] and "chart" in doc["metadata"]["labels"]: | ||
log(" dropping 'chart' label") | ||
del doc["metadata"]["labels"]["chart"] | ||
|
||
kept_docs.append(doc) | ||
|
||
|
||
kept_docs.sort(key=kind_and_name) | ||
|
||
# Log to stderr the overall list of docs kept and a summary | ||
for doc in kept_docs: | ||
log(kind_and_name(doc)) | ||
log("docs processed:", docs_processed) | ||
log("docs kept :", len(kept_docs)) | ||
|
||
|
||
# Dump to stdout (this should be the only time this script writes to stdout) | ||
yaml.dump_all(kept_docs, sys.stdout) |
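Review bot: `comments.remove(comment)` removes from the very list that `for comment in comments` is iterating, so the element following a removed comment is skipped; when two matching `# Source:` comments sit back to back, the second survives into rbac.yaml. Iterating over a copy (`for comment in list(comments):`) fixes that. `doc["kind"]` is also evaluated before checking that the document is non-empty; `helm template` can emit a document for a template that renders to only whitespace or comments, which `load_all` yields as `None`, and that would crash the script with a TypeError instead of being discarded (whether any rook-ceph template does this is not visible here). The rewrite below adds both guards; the rest of the loop body is unchanged.
```python
for doc in all_docs:
    docs_processed += 1
    # helm can emit an empty document for a template that renders to nothing
    if doc is None:
        log("discarding empty doc")
        continue
    kind = doc["kind"]
    # … unchanged: kind filtering and "keeping doc" log …
    if doc.ca is not None and doc.ca.comment is not None:
        comments = doc.ca.comment[1]
        # iterate over a copy: removing from the list being iterated skips the next element
        for comment in list(comments):
            if comment.value.startswith("# Source: ") and comment.value.endswith(".yaml\n"):
                log("  dropping comment:", comment.value.strip())
                comments.remove(comment)
    # … unchanged: 'chart' label removal and kept_docs.append(doc) …
```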