diff --git a/.github/workflows/console-backend-rbac-chart.yaml b/.github/workflows/console-backend-rbac-chart.yaml
new file mode 100644
index 000000000..48c54cd50
--- /dev/null
+++ b/.github/workflows/console-backend-rbac-chart.yaml
@@ -0,0 +1,72 @@
+name: Build and push chart console-backend-rbac
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - charts/console-backend-rbac/**
+ - .github/workflows/console-backend-rbac-chart.yaml
+
+permissions:
+ contents: read
+
+env:
+ NAME: console-backend-rbac
+ IMAGE_REPOSITORY: oci://europe-north1-docker.pkg.dev/nais-io/nais
+
+jobs:
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - uses: jdx/mise-action@v4
+ - run: helm lint --strict charts/console-backend-rbac
+
+ build_push:
+ needs:
+ - lint
+ permissions:
+ contents: read
+ id-token: write
+ if: github.triggering_actor != 'dependabot[bot]'
+ name: Build and push
+ runs-on: ubuntu-latest
+ outputs:
+ version: ${{ steps.version.outputs.version }}
+ steps:
+ - uses: actions/checkout@v6
+ - uses: jdx/mise-action@v4
+ - name: Generate version
+ id: version
+ run: echo "version=$(TZ='Europe/Oslo' date +'%Y-%m-%d-%H%M%S')-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@v3
+ with:
+ workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: gh-api@nais-io.iam.gserviceaccount.com
+ token_format: access_token
+ - name: Login to Google Artifact Registry
+ run: echo "${{ steps.auth.outputs.access_token }}" | helm registry login europe-north1-docker.pkg.dev --username oauth2accesstoken --password-stdin
+ - name: Build Chart
+ run: |-
+ sed -i "s/^version: .*/version: ${{ steps.version.outputs.version }}/g" charts/console-backend-rbac/Chart.yaml
+ cat charts/console-backend-rbac/Chart.yaml
+ helm package charts/console-backend-rbac
+ - name: Push Chart
+ run: helm push ${{ env.NAME }}*.tgz ${{ env.IMAGE_REPOSITORY }}
+
+ rollout:
+ needs:
+ - lint
+ - build_push
+ runs-on: fasit-deploy
+ if: github.ref == 'refs/heads/main'
+ permissions:
+ id-token: write
+ steps:
+ - uses: nais/fasit-deploy@v2 # ratchet:exclude
+ with:
+ chart: ${{ env.IMAGE_REPOSITORY }}/${{ env.NAME }}
+ version: ${{ needs.build_push.outputs.version }}
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index f919cd94e..65e92240f 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -36,7 +36,7 @@ jobs:
 with:
 key: lint
 restore-keys: test
- - run: helm lint --strict ./charts
+ - run: helm lint --strict ./charts/*
 - run: mise run check:staticcheck
 - run: mise run check:vulncheck
 - name: Check code format and run code generators
@@ -74,9 +74,9 @@ jobs:
 push: true
 - name: Build Chart
 run: |-
- sed -i "s/^version: .*/version: ${{ steps.build-push-sign.outputs.version }}/g" charts/Chart.yaml
- cat charts/Chart.yaml
- helm package charts
+ sed -i "s/^version: .*/version: ${{ steps.build-push-sign.outputs.version }}/g" charts/nais-api/Chart.yaml
+ cat charts/nais-api/Chart.yaml
+ helm package charts/nais-api
 - name: Push Chart
 run: |-
 helm push ${{ env.NAME }}*.tgz ${{ env.IMAGE_REPOSITORY }}
diff --git a/.mise-tasks/check/helm-lint b/.mise-tasks/check/helm-lint
index c27c40b32..a56d5123b 100755
--- a/.mise-tasks/check/helm-lint
+++ b/.mise-tasks/check/helm-lint
@@ -3,4 +3,4 @@ set -e
-helm lint --strict ./charts
+helm lint --strict ./charts/*
diff --git a/charts/console-backend-rbac/.helmignore b/charts/console-backend-rbac/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/console-backend-rbac/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/console-backend-rbac/Chart.yaml b/charts/console-backend-rbac/Chart.yaml
new file mode 100644
index 000000000..df7e20b5d
--- /dev/null
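Review bot: The third-party actions in the new workflow (`actions/checkout@v6`, `jdx/mise-action@v4`, `google-github-actions/auth@v3`) are referenced by mutable major tags, yet the `build_push` job holds `id-token: write` and exchanges it for a Google access token that can push to the chart registry, so a re-tagged or compromised action would run with that token. The `# ratchet:exclude` marker on `nais/fasit-deploy@v2` suggests ratchet is used in this repo and the SHA pinning may happen in a later pass; if not, pin these to commit SHAs, e.g. `- uses: actions/checkout@<sha> # v6`. Separately, nothing here signs the pushed chart or attaches provenance, whereas `main.yaml` references a `build-push-sign` step for the nais-api chart, which presumably does; matching that here would let `rollout` verify what it deploys rather than trusting whatever is at that tag. A `concurrency:` group on the workflow would also stop two quick pushes to main from racing between `helm push` and rollout.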
+++ b/charts/console-backend-rbac/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: console-backend-rbac
+description: ClusterRole and ClusterRoleBinding for console-backend
+type: application
+version: 0.1.1
+sources:
+ - https://github.com/nais/api/tree/main/charts/console-backend-rbac
diff --git a/charts/console-backend-rbac/Feature.yaml b/charts/console-backend-rbac/Feature.yaml
new file mode 100644
index 000000000..1896e6f7d
--- /dev/null
+++ b/charts/console-backend-rbac/Feature.yaml
@@ -0,0 +1,8 @@
+environmentKinds:
+ - tenant
+ - onprem
+values:
+ managementProjectID:
+ displayName: Management Project ID
+ computed:
+ template: "{{ .Management.project_id }}"
diff --git a/charts/console-backend-rbac/templates/rbac.yaml b/charts/console-backend-rbac/templates/rbac.yaml
new file mode 100644
index 000000000..36d734bf2
--- /dev/null
+++ b/charts/console-backend-rbac/templates/rbac.yaml
@@ -0,0 +1,292 @@
+{{- if eq .Values.fasit.env.kind "tenant" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: "{{ .Release.Name }}"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ - configmaps
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - "apps"
+ resources:
+ - replicasets
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ - serviceaccounts
+ verbs:
+ - impersonate
+ - apiGroups:
+ - sql.cnrm.cloud.google.com
+ resources:
+ - sqlinstances
+ - sqldatabases
+ verbs:
+ - list
+ - watch
+ # These (and most other resources) are already granted through the GKE IAM roles (roles/container.viewer)
+ - apiGroups:
+ - aiven.io
+ resources:
+ - opensearches
+ - valkeys
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - create
+ # Elevation: nais-api must hold the permissions it grants to users
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ - pods/portforward
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - pods/ephemeralcontainers
+ verbs:
+ - patch
+ - apiGroups:
+ - "nais.io"
+ resources:
+ - valkeys
+ - opensearches
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - "aiven.nais.io"
+ resources:
+ - aivenapplications
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: "{{ .Release.Name }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "{{ .Release.Name }}"
+subjects:
+ - kind: User
+ name: "console-backend@{{ .Values.managementProjectID }}.iam.gserviceaccount.com"
+ - kind: User
+ name: "nais-api@{{ .Values.managementProjectID }}.iam.gserviceaccount.com"
+{{- end }}
+
+{{- if eq .Values.fasit.env.kind "onprem" }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: console-backend
+ namespace: nais-system
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nais-api
+ namespace: nais-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: "{{ .Release.Name }}"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - configmaps
+ - pods
+ - pods/log
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - "apps"
+ resources:
+ - replicasets
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - "batch"
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "kafka.nais.io"
+ resources:
+ - topics
+ - streams
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "nais.io"
+ resources:
+ - naisjobs
+ - applications
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ - serviceaccounts
+ verbs:
+ - impersonate
+ - apiGroups:
+ - unleash.nais.io
+ resources:
+ - remoteunleashes
+ verbs:
+ - "*"
+ - apiGroups:
+ - "networking.k8s.io"
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "google.nais.io"
+ resources:
+ - bigquerydatasets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "events.k8s.io"
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "data.nais.io"
+ resources:
+ - postgres
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}
+subjects:
+ - kind: ServiceAccount
+ name: console-backend
+ namespace: nais-system
+ - kind: ServiceAccount
+ name: nais-api
+ namespace: nais-system
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: console-backend
+ namespace: nais-system
+ annotations:
+ "kubernetes.io/service-account.name": console-backend
+type: kubernetes.io/service-account-token
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: nais-api
+ namespace: nais-system
+ annotations:
+ "kubernetes.io/service-account.name": nais-api
+type: kubernetes.io/service-account-token
+{{- end }}
diff --git a/charts/console-backend-rbac/values.yaml b/charts/console-backend-rbac/values.yaml
new file mode 100644
index 000000000..30b57aa27
--- /dev/null
+++ b/charts/console-backend-rbac/values.yaml
@@ -0,0 +1,5 @@
+fasit:
+ env:
+ kind: ""
+
+managementProjectID: ""
diff --git a/charts/Chart.yaml b/charts/nais-api/Chart.yaml
similarity index 65%
rename from charts/Chart.yaml
rename to charts/nais-api/Chart.yaml
index 7707b162a..e1c47930e 100644
--- a/charts/Chart.yaml
+++ b/charts/nais-api/Chart.yaml
@@ -4,4 +4,4 @@ description: The all mighty Nais API
 type: application
 version: 1.0.0
 sources:
- - https://github.com/nais/api/tree/main/charts
+ - https://github.com/nais/api/tree/main/charts/nais-api
diff --git a/charts/Feature.yaml b/charts/nais-api/Feature.yaml
similarity index 100%
rename from charts/Feature.yaml
rename to charts/nais-api/Feature.yaml
diff --git a/charts/templates/deployment.yaml b/charts/nais-api/templates/deployment.yaml
similarity index 100%
rename from charts/templates/deployment.yaml
rename to charts/nais-api/templates/deployment.yaml
diff --git a/charts/templates/fqdnnetpol.yaml b/charts/nais-api/templates/fqdnnetpol.yaml
similarity index 100%
rename from charts/templates/fqdnnetpol.yaml
rename to charts/nais-api/templates/fqdnnetpol.yaml
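Review bot: In the onprem branch the two ServiceAccount documents are not separated — `namespace: nais-system` for console-backend is followed directly by `apiVersion: v1` / `kind: ServiceAccount` for nais-api with no `---` in between (the hunk's 292-line count confirms the separator is absent), so they parse as one mapping with duplicate keys; depending on the YAML loader that is either a render error or last-key-wins, in which case the console-backend ServiceAccount is never created while its ClusterRoleBinding subject and `kubernetes.io/service-account-token` Secret still reference it. Insert `---` between the two ServiceAccount documents. Beyond that defect, both ClusterRoles grant `impersonate` on users, groups and serviceaccounts cluster-wide with no `resourceNames`, which allows impersonating the `system:masters` group and is therefore equivalent to cluster-admin regardless of how tightly the remaining rules are scoped; if the API only needs to impersonate end users, restrict the groups it may impersonate via `resourceNames`, or add a comment next to the rule stating why the unrestricted grant is required, as was done for the secrets rule. The onprem branch also mints non-expiring `service-account-token` Secrets for both accounts; if the consumer can obtain a projected or TokenRequest token instead, prefer that, since these long-lived tokens sit in a namespace readable by the cluster-wide `secrets` get/list the same role grants.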
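Review bot: The empty-string default for `managementProjectID` means a tenant render with the value unset produces the ClusterRoleBinding subject `console-backend@.iam.gserviceaccount.com` instead of failing — the binding is harmless, but the real identity silently gets no access and nothing flags it. Since Feature.yaml computes this value from the management project, a blank default only masks misconfiguration; either drop the default or guard the template references with `{{ required "managementProjectID must be set" .Values.managementProjectID }}` so `helm template`/`helm lint` fails when it is missing. The same applies to `fasit.env.kind`: when it is empty neither branch of rbac.yaml renders, and the chart installs nothing without warning, which presumably is never the intended outcome.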
diff --git a/charts/templates/ingress.yaml b/charts/nais-api/templates/ingress.yaml
similarity index 100%
rename from charts/templates/ingress.yaml
rename to charts/nais-api/templates/ingress.yaml
diff --git a/charts/templates/lease-role.yaml b/charts/nais-api/templates/lease-role.yaml
similarity index 100%
rename from charts/templates/lease-role.yaml
rename to charts/nais-api/templates/lease-role.yaml
diff --git a/charts/templates/lease-rolebinding.yaml b/charts/nais-api/templates/lease-rolebinding.yaml
similarity index 100%
rename from charts/templates/lease-rolebinding.yaml
rename to charts/nais-api/templates/lease-rolebinding.yaml
diff --git a/charts/templates/networkpolicy.yaml b/charts/nais-api/templates/networkpolicy.yaml
similarity index 100%
rename from charts/templates/networkpolicy.yaml
rename to charts/nais-api/templates/networkpolicy.yaml
diff --git a/charts/templates/podmonitor.yaml b/charts/nais-api/templates/podmonitor.yaml
similarity index 100%
rename from charts/templates/podmonitor.yaml
rename to charts/nais-api/templates/podmonitor.yaml
diff --git a/charts/templates/prometheusrule.yaml b/charts/nais-api/templates/prometheusrule.yaml
similarity index 100%
rename from charts/templates/prometheusrule.yaml
rename to charts/nais-api/templates/prometheusrule.yaml
diff --git a/charts/templates/secret.yaml b/charts/nais-api/templates/secret.yaml
similarity index 100%
rename from charts/templates/secret.yaml
rename to charts/nais-api/templates/secret.yaml
diff --git a/charts/templates/service.yaml b/charts/nais-api/templates/service.yaml
similarity index 100%
rename from charts/templates/service.yaml
rename to charts/nais-api/templates/service.yaml
diff --git a/charts/templates/serviceaccount.yaml b/charts/nais-api/templates/serviceaccount.yaml
similarity index 100%
rename from charts/templates/serviceaccount.yaml
rename to charts/nais-api/templates/serviceaccount.yaml
diff --git a/charts/templates/unleash-clusterrole.yaml b/charts/nais-api/templates/unleash-clusterrole.yaml
similarity index 100%
rename from charts/templates/unleash-clusterrole.yaml
rename to charts/nais-api/templates/unleash-clusterrole.yaml
diff --git a/charts/templates/unleash-clusterrolebinding.yaml b/charts/nais-api/templates/unleash-clusterrolebinding.yaml
similarity index 100%
rename from charts/templates/unleash-clusterrolebinding.yaml
rename to charts/nais-api/templates/unleash-clusterrolebinding.yaml
diff --git a/charts/values.yaml b/charts/nais-api/values.yaml
similarity index 100%
rename from charts/values.yaml
rename to charts/nais-api/values.yaml