Merge pull request #162 from wallrj/161-pilot-privileges

Automatic merge from submit-queue.

Pilot service account and RBAC policy

* Add a service account for Pilots
* and a corresponding RBAC policy which allows pilots to update their pilot resources.

Fixes: #161
**Release note**:
```release-note
NONE
```

Author: jetstack-ci-bot

hack/e2e.sh

@@ -207,12 +207,6 @@ function test_cassandracluster() {
 
     kubectl create namespace "${namespace}"
 
-    # XXX Temporary work around until cassandra controller manages RBAC
-    kubectl create --namespace "${namespace}" \
-            rolebinding "${namespace}-binding" \
-            --clusterrole=cluster-admin \
-            --serviceaccount="${namespace}:default"
-
     if ! kubectl get \
          --namespace "${namespace}" \
          CassandraClusters; then

pkg/controllers/cassandra/cassandra.go

@@ -24,8 +24,12 @@ import (
 	"github.com/jetstack/navigator/pkg/controllers"
 	"github.com/jetstack/navigator/pkg/controllers/cassandra/nodepool"
 	"github.com/jetstack/navigator/pkg/controllers/cassandra/pilot"
+	"github.com/jetstack/navigator/pkg/controllers/cassandra/role"
+	"github.com/jetstack/navigator/pkg/controllers/cassandra/rolebinding"
 	servicecql "github.com/jetstack/navigator/pkg/controllers/cassandra/service/cql"
 	serviceseedprovider "github.com/jetstack/navigator/pkg/controllers/cassandra/service/seedprovider"
+	"github.com/jetstack/navigator/pkg/controllers/cassandra/serviceaccount"
+	rbacinformers "k8s.io/client-go/informers/rbac/v1beta1"
 )
 
 // NewCassandra returns a new CassandraController that can be used
@@ -35,16 +39,19 @@ import (
 // It accepts a list of informers that are then used to monitor the state of the
 // target cluster.
 type CassandraController struct {
-	control                 ControlInterface
-	cassLister              listersv1alpha1.CassandraClusterLister
-	statefulSetLister       appslisters.StatefulSetLister
-	cassListerSynced        cache.InformerSynced
-	serviceListerSynced     cache.InformerSynced
-	statefulSetListerSynced cache.InformerSynced
-	pilotsListerSynced      cache.InformerSynced
-	podsListerSynced        cache.InformerSynced
-	queue                   workqueue.RateLimitingInterface
-	recorder                record.EventRecorder
+	control                     ControlInterface
+	cassLister                  listersv1alpha1.CassandraClusterLister
+	statefulSetLister           appslisters.StatefulSetLister
+	cassListerSynced            cache.InformerSynced
+	serviceListerSynced         cache.InformerSynced
+	statefulSetListerSynced     cache.InformerSynced
+	pilotsListerSynced          cache.InformerSynced
+	podsListerSynced            cache.InformerSynced
+	serviceAccountsListerSynced cache.InformerSynced
+	rolesListerSynced           cache.InformerSynced
+	roleBindingsListerSynced    cache.InformerSynced
+	queue                       workqueue.RateLimitingInterface
+	recorder                    record.EventRecorder
 }
 
 func NewCassandra(
@@ -55,6 +62,9 @@ func NewCassandra(
 	statefulSets appsinformers.StatefulSetInformer,
 	pilots navigatorinformers.PilotInformer,
 	pods coreinformers.PodInformer,
+	serviceAccounts coreinformers.ServiceAccountInformer,
+	roles rbacinformers.RoleInformer,
+	roleBindings rbacinformers.RoleBindingInformer,
 	recorder record.EventRecorder,
 ) *CassandraController {
 	queue := workqueue.NewNamedRateLimitingQueue(
@@ -82,6 +92,9 @@ func NewCassandra(
 	cc.statefulSetListerSynced = statefulSets.Informer().HasSynced
 	cc.pilotsListerSynced = pilots.Informer().HasSynced
 	cc.podsListerSynced = pods.Informer().HasSynced
+	cc.serviceAccountsListerSynced = serviceAccounts.Informer().HasSynced
+	cc.rolesListerSynced = roles.Informer().HasSynced
+	cc.roleBindingsListerSynced = roleBindings.Informer().HasSynced
 	cc.control = NewControl(
 		serviceseedprovider.NewControl(
 			kubeClient,
@@ -105,6 +118,21 @@ func NewCassandra(
 			statefulSets.Lister(),
 			recorder,
 		),
+		serviceaccount.NewControl(
+			kubeClient,
+			serviceAccounts.Lister(),
+			recorder,
+		),
+		role.NewControl(
+			kubeClient,
+			roles.Lister(),
+			recorder,
+		),
+		rolebinding.NewControl(
+			kubeClient,
+			roleBindings.Lister(),
+			recorder,
+		),
 		recorder,
 	)
 	cc.recorder = recorder
@@ -274,6 +302,9 @@ func CassandraControllerFromContext(ctx *controllers.Context) *CassandraControll
 		ctx.KubeSharedInformerFactory.Apps().V1beta1().StatefulSets(),
 		ctx.SharedInformerFactory.Navigator().V1alpha1().Pilots(),
 		ctx.KubeSharedInformerFactory.Core().V1().Pods(),
+		ctx.KubeSharedInformerFactory.Core().V1().ServiceAccounts(),
+		ctx.KubeSharedInformerFactory.Rbac().V1beta1().Roles(),
+		ctx.KubeSharedInformerFactory.Rbac().V1beta1().RoleBindings(),
 		ctx.Recorder,
 	)
 }

pkg/controllers/cassandra/cluster_control.go

@@ -5,8 +5,11 @@ import (
 	v1alpha1 "github.com/jetstack/navigator/pkg/apis/navigator/v1alpha1"
 	"github.com/jetstack/navigator/pkg/controllers/cassandra/nodepool"
 	"github.com/jetstack/navigator/pkg/controllers/cassandra/pilot"
+	"github.com/jetstack/navigator/pkg/controllers/cassandra/role"
+	"github.com/jetstack/navigator/pkg/controllers/cassandra/rolebinding"
 	servicecql "github.com/jetstack/navigator/pkg/controllers/cassandra/service/cql"
 	serviceseedprovider "github.com/jetstack/navigator/pkg/controllers/cassandra/service/seedprovider"
+	"github.com/jetstack/navigator/pkg/controllers/cassandra/serviceaccount"
 	apiv1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/tools/record"
 )
@@ -17,6 +20,8 @@ const (
 	SuccessSync = "SuccessSync"
 
 	MessageErrorSyncServiceAccount = "Error syncing service account: %s"
+	MessageErrorSyncRole           = "Error syncing role: %s"
+	MessageErrorSyncRoleBinding    = "Error syncing role binding: %s"
 	MessageErrorSyncConfigMap      = "Error syncing config map: %s"
 	MessageErrorSyncService        = "Error syncing service: %s"
 	MessageErrorSyncNodePools      = "Error syncing node pools: %s"
@@ -35,6 +40,9 @@ type defaultCassandraClusterControl struct {
 	cqlServiceControl          servicecql.Interface
 	nodepoolControl            nodepool.Interface
 	pilotControl               pilot.Interface
+	serviceAccountControl      serviceaccount.Interface
+	roleControl                role.Interface
+	roleBindingControl         rolebinding.Interface
 	recorder                   record.EventRecorder
 }
 
@@ -43,13 +51,19 @@ func NewControl(
 	cqlServiceControl servicecql.Interface,
 	nodepoolControl nodepool.Interface,
 	pilotControl pilot.Interface,
+	serviceAccountControl serviceaccount.Interface,
+	roleControl role.Interface,
+	roleBindingControl rolebinding.Interface,
 	recorder record.EventRecorder,
 ) ControlInterface {
 	return &defaultCassandraClusterControl{
 		seedProviderServiceControl: seedProviderServiceControl,
 		cqlServiceControl:          cqlServiceControl,
 		nodepoolControl:            nodepoolControl,
 		pilotControl:               pilotControl,
+		serviceAccountControl:      serviceAccountControl,
+		roleControl:                roleControl,
+		roleBindingControl:         roleBindingControl,
 		recorder:                   recorder,
 	}
 }
@@ -100,6 +114,39 @@ func (e *defaultCassandraClusterControl) Sync(c *v1alpha1.CassandraCluster) erro
 		)
 		return err
 	}
+	err = e.serviceAccountControl.Sync(c)
+	if err != nil {
+		e.recorder.Eventf(
+			c,
+			apiv1.EventTypeWarning,
+			ErrorSync,
+			MessageErrorSyncServiceAccount,
+			err,
+		)
+		return err
+	}
+	err = e.roleControl.Sync(c)
+	if err != nil {
+		e.recorder.Eventf(
+			c,
+			apiv1.EventTypeWarning,
+			ErrorSync,
+			MessageErrorSyncRole,
+			err,
+		)
+		return err
+	}
+	err = e.roleBindingControl.Sync(c)
+	if err != nil {
+		e.recorder.Eventf(
+			c,
+			apiv1.EventTypeWarning,
+			ErrorSync,
+			MessageErrorSyncRoleBinding,
+			err,
+		)
+		return err
+	}
 	e.recorder.Event(
 		c,
 		apiv1.EventTypeNormal,

pkg/controllers/cassandra/nodepool/resource.go

@@ -47,6 +47,7 @@ func StatefulSetForCluster(
 					Labels: nodePoolLabels,
 				},
 				Spec: apiv1.PodSpec{
+					ServiceAccountName: util.ServiceAccountName(cluster),
 					Volumes: []apiv1.Volume{
 						apiv1.Volume{
 							Name: sharedVolumeName,

pkg/controllers/cassandra/role/control.go

@@ -0,0 +1,90 @@
+package role
+
+import (
+	"github.com/jetstack/navigator/pkg/apis/navigator"
+	"github.com/jetstack/navigator/pkg/apis/navigator/v1alpha1"
+	"github.com/jetstack/navigator/pkg/controllers/cassandra/util"
+	rbacv1 "k8s.io/api/rbac/v1beta1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	rbaclisters "k8s.io/client-go/listers/rbac/v1beta1"
+
+	"k8s.io/client-go/tools/record"
+)
+
+type Interface interface {
+	Sync(*v1alpha1.CassandraCluster) error
+}
+
+type control struct {
+	kubeClient kubernetes.Interface
+	roleLister rbaclisters.RoleLister
+	recorder   record.EventRecorder
+}
+
+var _ Interface = &control{}
+
+func NewControl(
+	kubeClient kubernetes.Interface,
+	roleLister rbaclisters.RoleLister,
+	recorder record.EventRecorder,
+) *control {
+	return &control{
+		kubeClient: kubeClient,
+		roleLister: roleLister,
+		recorder:   recorder,
+	}
+}
+
+func (c *control) Sync(cluster *v1alpha1.CassandraCluster) error {
+	newRole := RoleForCluster(cluster)
+	client := c.kubeClient.RbacV1beta1().Roles(newRole.Namespace)
+	_, err := c.roleLister.
+		Roles(newRole.Namespace).
+		Get(newRole.Name)
+	if k8sErrors.IsNotFound(err) {
+		_, err = client.Create(newRole)
+	}
+	return err
+}
+
+func RoleForCluster(cluster *v1alpha1.CassandraCluster) *rbacv1.Role {
+	return &rbacv1.Role{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      util.PilotRBACRoleName(cluster),
+			Namespace: cluster.Namespace,
+			OwnerReferences: []metav1.OwnerReference{
+				util.NewControllerRef(cluster),
+			},
+			Labels: util.ClusterLabels(cluster),
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Verbs:     []string{"create", "update", "patch"},
+				Resources: []string{"events"},
+			},
+			{
+				APIGroups: []string{""},
+				Verbs:     []string{"create", "update", "patch", "get", "list", "watch"},
+				Resources: []string{"configmaps"},
+			},
+			{
+				APIGroups: []string{navigator.GroupName},
+				Verbs:     []string{"get", "list", "watch"},
+				Resources: []string{
+					"pilots",
+					"cassandraclusters",
+				},
+			},
+			{
+				APIGroups: []string{navigator.GroupName},
+				Verbs:     []string{"update", "patch"},
+				Resources: []string{
+					"pilots/status",
+				},
+			},
+		},
+	}
+}

pkg/controllers/cassandra/role/control_test.go

@@ -0,0 +1,40 @@
+package role_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/jetstack/navigator/pkg/controllers/cassandra/role"
+	casstesting "github.com/jetstack/navigator/pkg/controllers/cassandra/testing"
+)
+
+func TestRoleSync(t *testing.T) {
+	t.Run(
+		"role missing",
+		func(t *testing.T) {
+			f := casstesting.NewFixture(t)
+			f.Run()
+			f.AssertRolesLength(1)
+		},
+	)
+	t.Run(
+		"role exists",
+		func(t *testing.T) {
+			f := casstesting.NewFixture(t)
+			existingRole := role.RoleForCluster(f.Cluster)
+			f.AddObjectK(existingRole)
+			f.Run()
+			f.AssertRolesLength(1)
+		},
+	)
+	t.Run(
+		"sync fails",
+		func(t *testing.T) {
+			f := casstesting.NewFixture(t)
+			f.RoleControl = &casstesting.FakeControl{
+				SyncError: fmt.Errorf("simulated sync error"),
+			}
+			f.RunExpectError()
+		},
+	)
+}