diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 2ff5ad4bf..9060b4dc5 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -21,16 +21,26 @@ che-operator Development Guide: https://github.com/eclipse-che/che-operator/#dev - steps to reproduce --> +1. Prepare a patch file if needed: ```bash -cat > /tmp/patch.yaml < +cat > /tmp/cr-patch.yaml < \ - --che-operator-image \ - --che-operator-cr-patch-yaml /tmp/patch.yaml +```bash +./build/scripts/minikube-tests/test-operator-from-sources.sh --cr-patch-yaml /tmp/cr-patch.yaml ``` ### PR Checklist diff --git a/api/v2/checluster_types.go b/api/v2/checluster_types.go index 9f7545e0a..252e2899e 100644 --- a/api/v2/checluster_types.go +++ b/api/v2/checluster_types.go @@ -524,6 +524,28 @@ type Auth struct { // +optional // +kubebuilder:default:={configLabels: {app: che, component: che-gateway-config}} Gateway Gateway `json:"gateway,omitempty"` + // Advance authorization settings. Determines which users and groups are allowed to access Che. + // User is allowed to access Che if he/she is either in the `allowUsers` list or is member of group from `allowGroups` list + // and not in neither the `denyUsers` list nor is member of group from `denyGroups` list. + // If `allowUsers` and `allowGroups` are empty, then all users are allowed to access Che. + // if `denyUsers` and `denyGroups` are empty, then no users are denied to access Che. + // +optional + AdvancedAuthorization *AdvancedAuthorization `json:"advancedAuthorization,omitempty"` +} + +type AdvancedAuthorization struct { + // List of users allowed to access Che. + // +optional + AllowUsers []string `json:"allowUsers,omitempty"` + // List of groups allowed to access Che (currently supported in OpenShift only). + // +optional + AllowGroups []string `json:"allowGroups,omitempty"` + // List of users denied to access Che. + // +optional + DenyUsers []string `json:"denyUsers,omitempty"` + // List of groups denied to access Che (currently supported in OpenShift only). + // +optional + DenyGroups []string `json:"denyGroups,omitempty"` } // Gateway settings. diff --git a/api/v2/zz_generated.deepcopy.go b/api/v2/zz_generated.deepcopy.go index 55b08c205..981740202 100644 --- a/api/v2/zz_generated.deepcopy.go +++ b/api/v2/zz_generated.deepcopy.go @@ -24,6 +24,41 @@ import ( "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AdvancedAuthorization) DeepCopyInto(out *AdvancedAuthorization) { + *out = *in + if in.AllowUsers != nil { + in, out := &in.AllowUsers, &out.AllowUsers + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowGroups != nil { + in, out := &in.AllowGroups, &out.AllowGroups + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DenyUsers != nil { + in, out := &in.DenyUsers, &out.DenyUsers + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DenyGroups != nil { + in, out := &in.DenyGroups, &out.DenyGroups + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdvancedAuthorization. +func (in *AdvancedAuthorization) DeepCopy() *AdvancedAuthorization { + if in == nil { + return nil + } + out := new(AdvancedAuthorization) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Auth) DeepCopyInto(out *Auth) { *out = *in @@ -38,6 +73,11 @@ func (in *Auth) DeepCopyInto(out *Auth) { **out = **in } in.Gateway.DeepCopyInto(&out.Gateway) + if in.AdvancedAuthorization != nil { + in, out := &in.AdvancedAuthorization, &out.AdvancedAuthorization + *out = new(AdvancedAuthorization) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Auth. diff --git a/build/scripts/minikube-tests/test-operator-from-sources.sh b/build/scripts/minikube-tests/test-operator-from-sources.sh new file mode 100755 index 000000000..8072233bf --- /dev/null +++ b/build/scripts/minikube-tests/test-operator-from-sources.sh @@ -0,0 +1,64 @@ +#!/usr/bin/env bash +# +# Copyright (c) 2019-2023 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +set -e + +OPERATOR_REPO=$(dirname "$(dirname "$(dirname "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")")")") +source "${OPERATOR_REPO}/build/scripts/minikube-tests/common.sh" + +init() { + unset CR_PATCH_YAML + + while [[ "$#" -gt 0 ]]; do + case $1 in + '--help'|'-h') usage; exit;; + '--cr-patch-yaml') CR_PATCH_YAML=$2; shift 1;; + esac + shift 1 + done +} + +usage () { + echo "Deploy Eclipse Che from sources" + echo + echo "Usage:" + echo -e "\t$0 [--cr-patch-yaml ]" + echo + echo "OPTIONS:" + echo -e "\t--cr-patch-yaml CheCluster CR patch yaml file" + echo + echo "Example:" + echo -e "\t$0" +} + +runTest() { + buildAndCopyCheOperatorImageToMinikube + yq -riSY '.spec.template.spec.containers[0].image = "'${OPERATOR_IMAGE}'"' "${CURRENT_OPERATOR_VERSION_TEMPLATE_PATH}/che-operator/kubernetes/operator.yaml" + yq -riSY '.spec.template.spec.containers[0].imagePullPolicy = "IfNotPresent"' "${CURRENT_OPERATOR_VERSION_TEMPLATE_PATH}/che-operator/kubernetes/operator.yaml" + + if [[ -n "${CR_PATCH_YAML}" ]]; then + chectl server:deploy --batch --platform minikube \ + --templates "${CURRENT_OPERATOR_VERSION_TEMPLATE_PATH}" \ + --che-operator-cr-patch-yaml "${CR_PATCH_YAML}" + else + chectl server:deploy --batch --platform minikube \ + --templates "${CURRENT_OPERATOR_VERSION_TEMPLATE_PATH}" + fi +} + +pushd ${OPERATOR_REPO} >/dev/null +initDefaults +init "$@" +initTemplates +runTest +popd >/dev/null diff --git a/build/scripts/olm/test-catalog-from-sources.sh b/build/scripts/olm/test-catalog-from-sources.sh index c7727e824..997aaa12b 100755 --- a/build/scripts/olm/test-catalog-from-sources.sh +++ b/build/scripts/olm/test-catalog-from-sources.sh @@ -34,11 +34,13 @@ unset CATALOG_IMAGE init() { unset VERBOSE + unset CR_PATCH_YAML while [[ "$#" -gt 0 ]]; do case $1 in '--help'|'-h') usage; exit;; '--verbose'|'-v') VERBOSE=1;; + '--cr-patch-yaml') CR_PATCH_YAML=$2; shift 1;; esac shift 1 done @@ -53,10 +55,11 @@ usage () { echo "Deploy Eclipse Che from sources" echo echo "Usage:" - echo -e "\t$0 [--verbose]" + echo -e "\t$0 [--verbose] [--cr-patch-yaml ]" echo echo "OPTIONS:" echo -e "\t-v,--verbose Verbose mode" + echo -e "\t--cr-patch-yaml CheCluster CR patch yaml file" echo echo "Example:" echo -e "\t$0" @@ -163,8 +166,12 @@ run() { VERBOSE=${VERBOSE} make wait-pod-running NAMESPACE="${NAMESPACE}" SELECTOR="app.kubernetes.io/component=che-operator" - if [[ $(oc get checluster -n eclipse-che --no-headers | wc -l) == 0 ]]; then + if [[ $(oc get checluster -n "${NAMESPACE}" --no-headers | wc -l) == 0 ]]; then getCheClusterCRFromInstalledCSV | oc apply -n "${NAMESPACE}" -f - + if [[ -n ${CR_PATCH_YAML} ]]; then + patch=$(yq -r "." "${CR_PATCH_YAML}" | tr -d "\n" ) + oc patch checluster eclipse-che -n "${NAMESPACE}" --type='merge' -p "${patch}" + fi fi make wait-eclipseche-version VERSION="$(getCheVersionFromInstalledCSV)" NAMESPACE="${NAMESPACE}" VERBOSE=${VERBOSE} } diff --git a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml index c54528640..d712a7676 100644 --- a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml @@ -77,7 +77,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/eclipse-che/che-operator support: Eclipse Foundation - name: eclipse-che.v7.78.0-817.next + name: eclipse-che.v7.78.0-826.next namespace: placeholder spec: apiservicedefinitions: {} @@ -527,6 +527,12 @@ spec: verbs: - list - delete + - apiGroups: + - user.openshift.io + resources: + - groups + verbs: + - get - apiGroups: - user.openshift.io resources: @@ -1234,7 +1240,7 @@ spec: minKubeVersion: 1.19.0 provider: name: Eclipse Foundation - version: 7.78.0-817.next + version: 7.78.0-826.next webhookdefinitions: - admissionReviewVersions: - v1 diff --git a/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml b/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml index c8e1e6ba5..9896fc0ad 100644 --- a/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml +++ b/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml @@ -7917,6 +7917,40 @@ spec: component: che-gateway-config description: Authentication settings. properties: + advancedAuthorization: + description: Advance authorization settings. Determines + which users and groups are allowed to access Che. User + is allowed to access Che if he/she is either in the `allowUsers` + list or is member of group from `allowGroups` list and + not in neither the `denyUsers` list nor is member of group + from `denyGroups` list. If `allowUsers` and `allowGroups` + are empty, then all users are allowed to access Che. if + `denyUsers` and `denyGroups` are empty, then no users + are denied to access Che. + properties: + allowGroups: + description: List of groups allowed to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + allowUsers: + description: List of users allowed to access Che. + items: + type: string + type: array + denyGroups: + description: List of groups denied to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + denyUsers: + description: List of users denied to access Che. + items: + type: string + type: array + type: object gateway: default: configLabels: diff --git a/config/crd/bases/org.eclipse.che_checlusters.yaml b/config/crd/bases/org.eclipse.che_checlusters.yaml index 432e0ef5d..890ea4dcc 100644 --- a/config/crd/bases/org.eclipse.che_checlusters.yaml +++ b/config/crd/bases/org.eclipse.che_checlusters.yaml @@ -7709,6 +7709,40 @@ spec: component: che-gateway-config description: Authentication settings. properties: + advancedAuthorization: + description: Advance authorization settings. Determines which + users and groups are allowed to access Che. User is allowed + to access Che if he/she is either in the `allowUsers` list + or is member of group from `allowGroups` list and not in + neither the `denyUsers` list nor is member of group from + `denyGroups` list. If `allowUsers` and `allowGroups` are + empty, then all users are allowed to access Che. if `denyUsers` + and `denyGroups` are empty, then no users are denied to + access Che. + properties: + allowGroups: + description: List of groups allowed to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + allowUsers: + description: List of users allowed to access Che. + items: + type: string + type: array + denyGroups: + description: List of groups denied to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + denyUsers: + description: List of users denied to access Che. + items: + type: string + type: array + type: object gateway: default: configLabels: diff --git a/config/rbac/cluster_role.yaml b/config/rbac/cluster_role.yaml index dc1505060..49b1305d5 100644 --- a/config/rbac/cluster_role.yaml +++ b/config/rbac/cluster_role.yaml @@ -64,6 +64,12 @@ rules: verbs: - list - delete + - apiGroups: + - user.openshift.io + resources: + - groups + verbs: + - get - apiGroups: - user.openshift.io resources: diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml index bbde5e297..e340636b9 100644 --- a/deploy/deployment/kubernetes/combined.yaml +++ b/deploy/deployment/kubernetes/combined.yaml @@ -7728,6 +7728,40 @@ spec: component: che-gateway-config description: Authentication settings. properties: + advancedAuthorization: + description: Advance authorization settings. Determines which + users and groups are allowed to access Che. User is allowed + to access Che if he/she is either in the `allowUsers` list + or is member of group from `allowGroups` list and not in + neither the `denyUsers` list nor is member of group from + `denyGroups` list. If `allowUsers` and `allowGroups` are + empty, then all users are allowed to access Che. if `denyUsers` + and `denyGroups` are empty, then no users are denied to + access Che. + properties: + allowGroups: + description: List of groups allowed to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + allowUsers: + description: List of users allowed to access Che. + items: + type: string + type: array + denyGroups: + description: List of groups denied to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + denyUsers: + description: List of users denied to access Che. + items: + type: string + type: array + type: object gateway: default: configLabels: @@ -8432,6 +8466,12 @@ rules: verbs: - list - delete +- apiGroups: + - user.openshift.io + resources: + - groups + verbs: + - get - apiGroups: - user.openshift.io resources: diff --git a/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml b/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml index cb65dde2d..5ddd32c30 100644 --- a/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml +++ b/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml @@ -64,6 +64,12 @@ rules: verbs: - list - delete +- apiGroups: + - user.openshift.io + resources: + - groups + verbs: + - get - apiGroups: - user.openshift.io resources: diff --git a/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml index 132a7c4ed..9593fdfed 100644 --- a/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml +++ b/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml @@ -7723,6 +7723,40 @@ spec: component: che-gateway-config description: Authentication settings. properties: + advancedAuthorization: + description: Advance authorization settings. Determines which + users and groups are allowed to access Che. User is allowed + to access Che if he/she is either in the `allowUsers` list + or is member of group from `allowGroups` list and not in + neither the `denyUsers` list nor is member of group from + `denyGroups` list. If `allowUsers` and `allowGroups` are + empty, then all users are allowed to access Che. if `denyUsers` + and `denyGroups` are empty, then no users are denied to + access Che. + properties: + allowGroups: + description: List of groups allowed to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + allowUsers: + description: List of users allowed to access Che. + items: + type: string + type: array + denyGroups: + description: List of groups denied to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + denyUsers: + description: List of users denied to access Che. + items: + type: string + type: array + type: object gateway: default: configLabels: diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml index da5100682..874f547b8 100644 --- a/deploy/deployment/openshift/combined.yaml +++ b/deploy/deployment/openshift/combined.yaml @@ -7728,6 +7728,40 @@ spec: component: che-gateway-config description: Authentication settings. properties: + advancedAuthorization: + description: Advance authorization settings. Determines which + users and groups are allowed to access Che. User is allowed + to access Che if he/she is either in the `allowUsers` list + or is member of group from `allowGroups` list and not in + neither the `denyUsers` list nor is member of group from + `denyGroups` list. If `allowUsers` and `allowGroups` are + empty, then all users are allowed to access Che. if `denyUsers` + and `denyGroups` are empty, then no users are denied to + access Che. + properties: + allowGroups: + description: List of groups allowed to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + allowUsers: + description: List of users allowed to access Che. + items: + type: string + type: array + denyGroups: + description: List of groups denied to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + denyUsers: + description: List of users denied to access Che. + items: + type: string + type: array + type: object gateway: default: configLabels: @@ -8432,6 +8466,12 @@ rules: verbs: - list - delete +- apiGroups: + - user.openshift.io + resources: + - groups + verbs: + - get - apiGroups: - user.openshift.io resources: diff --git a/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml b/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml index cb65dde2d..5ddd32c30 100644 --- a/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml +++ b/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml @@ -64,6 +64,12 @@ rules: verbs: - list - delete +- apiGroups: + - user.openshift.io + resources: + - groups + verbs: + - get - apiGroups: - user.openshift.io resources: diff --git a/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml index eedd16afe..a54284384 100644 --- a/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml +++ b/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml @@ -7723,6 +7723,40 @@ spec: component: che-gateway-config description: Authentication settings. properties: + advancedAuthorization: + description: Advance authorization settings. Determines which + users and groups are allowed to access Che. User is allowed + to access Che if he/she is either in the `allowUsers` list + or is member of group from `allowGroups` list and not in + neither the `denyUsers` list nor is member of group from + `denyGroups` list. If `allowUsers` and `allowGroups` are + empty, then all users are allowed to access Che. if `denyUsers` + and `denyGroups` are empty, then no users are denied to + access Che. + properties: + allowGroups: + description: List of groups allowed to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + allowUsers: + description: List of users allowed to access Che. + items: + type: string + type: array + denyGroups: + description: List of groups denied to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + denyUsers: + description: List of users denied to access Che. + items: + type: string + type: array + type: object gateway: default: configLabels: diff --git a/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml index 132a7c4ed..9593fdfed 100644 --- a/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml +++ b/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml @@ -7723,6 +7723,40 @@ spec: component: che-gateway-config description: Authentication settings. properties: + advancedAuthorization: + description: Advance authorization settings. Determines which + users and groups are allowed to access Che. User is allowed + to access Che if he/she is either in the `allowUsers` list + or is member of group from `allowGroups` list and not in + neither the `denyUsers` list nor is member of group from + `denyGroups` list. If `allowUsers` and `allowGroups` are + empty, then all users are allowed to access Che. if `denyUsers` + and `denyGroups` are empty, then no users are denied to + access Che. + properties: + allowGroups: + description: List of groups allowed to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + allowUsers: + description: List of users allowed to access Che. + items: + type: string + type: array + denyGroups: + description: List of groups denied to access Che (currently + supported in OpenShift only). + items: + type: string + type: array + denyUsers: + description: List of users denied to access Che. + items: + type: string + type: array + type: object gateway: default: configLabels: diff --git a/helmcharts/next/templates/che-operator.ClusterRole.yaml b/helmcharts/next/templates/che-operator.ClusterRole.yaml index cb65dde2d..5ddd32c30 100644 --- a/helmcharts/next/templates/che-operator.ClusterRole.yaml +++ b/helmcharts/next/templates/che-operator.ClusterRole.yaml @@ -64,6 +64,12 @@ rules: verbs: - list - delete +- apiGroups: + - user.openshift.io + resources: + - groups + verbs: + - get - apiGroups: - user.openshift.io resources: diff --git a/pkg/deploy/server/rbac.go b/pkg/deploy/server/rbac.go index 97ee46c24..5445557dc 100644 --- a/pkg/deploy/server/rbac.go +++ b/pkg/deploy/server/rbac.go @@ -28,18 +28,18 @@ import ( ) const ( - commonPermissionsTemplateName = "%s-cheworkspaces-clusterrole" - namespacePermissionsTemplateName = "%s-cheworkspaces-namespaces-clusterrole" - devWorkspacePermissionsTemplateName = "%s-cheworkspaces-devworkspace-clusterrole" + userCommonPermissionsTemplateName = "%s-cheworkspaces-clusterrole" + userDevWorkspacePermissionsTemplateName = "%s-cheworkspaces-devworkspace-clusterrole" + cheSASpecificPermissionsTemplateName = "%s-cheworkspaces-namespaces-clusterrole" ) // Create ClusterRole and ClusterRoleBinding for "che" service account. // che-server uses "che" service account for creation RBAC for a user in his namespace. func (s *CheServerReconciler) syncPermissions(ctx *chetypes.DeployContext) (bool, error) { policies := map[string][]rbacv1.PolicyRule{ - fmt.Sprintf(commonPermissionsTemplateName, ctx.CheCluster.Namespace): s.getCommonPolicies(), - fmt.Sprintf(namespacePermissionsTemplateName, ctx.CheCluster.Namespace): s.getNamespaceEditorPolicies(), - fmt.Sprintf(devWorkspacePermissionsTemplateName, ctx.CheCluster.Namespace): s.getDevWorkspacePolicies(), + fmt.Sprintf(userCommonPermissionsTemplateName, ctx.CheCluster.Namespace): s.getUserCommonPolicies(), + fmt.Sprintf(cheSASpecificPermissionsTemplateName, ctx.CheCluster.Namespace): s.getCheSASpecificPolicies(), + fmt.Sprintf(userDevWorkspacePermissionsTemplateName, ctx.CheCluster.Namespace): s.getUserDevWorkspacePolicies(), } for name, policy := range policies { @@ -87,9 +87,9 @@ func (s *CheServerReconciler) syncPermissions(ctx *chetypes.DeployContext) (bool func (s *CheServerReconciler) deletePermissions(ctx *chetypes.DeployContext) bool { names := []string{ - fmt.Sprintf(commonPermissionsTemplateName, ctx.CheCluster.Namespace), - fmt.Sprintf(namespacePermissionsTemplateName, ctx.CheCluster.Namespace), - fmt.Sprintf(devWorkspacePermissionsTemplateName, ctx.CheCluster.Namespace), + fmt.Sprintf(userCommonPermissionsTemplateName, ctx.CheCluster.Namespace), + fmt.Sprintf(cheSASpecificPermissionsTemplateName, ctx.CheCluster.Namespace), + fmt.Sprintf(userDevWorkspacePermissionsTemplateName, ctx.CheCluster.Namespace), } done := true @@ -126,7 +126,7 @@ func (s *CheServerReconciler) deletePermissions(ctx *chetypes.DeployContext) boo return done } -func (s *CheServerReconciler) getDevWorkspacePolicies() []rbacv1.PolicyRule { +func (s *CheServerReconciler) getUserDevWorkspacePolicies() []rbacv1.PolicyRule { k8sPolicies := []rbacv1.PolicyRule{ { APIGroups: []string{"workspace.devfile.io"}, @@ -138,13 +138,28 @@ func (s *CheServerReconciler) getDevWorkspacePolicies() []rbacv1.PolicyRule { return k8sPolicies } -func (s *CheServerReconciler) getNamespaceEditorPolicies() []rbacv1.PolicyRule { +func (s *CheServerReconciler) getCheSASpecificPolicies() []rbacv1.PolicyRule { k8sPolicies := []rbacv1.PolicyRule{ { APIGroups: []string{""}, Resources: []string{"namespaces"}, Verbs: []string{"get", "create", "update", "list"}, }, + { + APIGroups: []string{""}, + Resources: []string{"serviceaccounts"}, + Verbs: []string{"get", "watch", "create"}, + }, + { + APIGroups: []string{"rbac.authorization.k8s.io"}, + Resources: []string{"roles"}, + Verbs: []string{"get", "create", "update"}, + }, + { + APIGroups: []string{"rbac.authorization.k8s.io"}, + Resources: []string{"rolebindings"}, + Verbs: []string{"get", "create", "update", "delete"}, + }, } openshiftPolicies := []rbacv1.PolicyRule{ @@ -158,6 +173,21 @@ func (s *CheServerReconciler) getNamespaceEditorPolicies() []rbacv1.PolicyRule { Resources: []string{"projects"}, Verbs: []string{"get", "list"}, }, + { + APIGroups: []string{"user.openshift.io"}, + Resources: []string{"groups"}, + Verbs: []string{"get"}, + }, + { + APIGroups: []string{"authorization.openshift.io"}, + Resources: []string{"roles"}, + Verbs: []string{"get", "create", "update"}, + }, + { + APIGroups: []string{"authorization.openshift.io"}, + Resources: []string{"rolebindings"}, + Verbs: []string{"get", "create", "update", "delete"}, + }, } if infrastructure.IsOpenShift() { @@ -166,13 +196,8 @@ func (s *CheServerReconciler) getNamespaceEditorPolicies() []rbacv1.PolicyRule { return k8sPolicies } -func (s *CheServerReconciler) getCommonPolicies() []rbacv1.PolicyRule { +func (s *CheServerReconciler) getUserCommonPolicies() []rbacv1.PolicyRule { k8sPolicies := []rbacv1.PolicyRule{ - { - APIGroups: []string{""}, - Resources: []string{"serviceaccounts"}, - Verbs: []string{"get", "watch", "create"}, - }, { APIGroups: []string{""}, Resources: []string{"pods/exec"}, @@ -238,16 +263,6 @@ func (s *CheServerReconciler) getCommonPolicies() []rbacv1.PolicyRule { Resources: []string{"ingresses"}, Verbs: []string{"get", "list", "watch", "create", "delete"}, }, - { - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"roles"}, - Verbs: []string{"get", "create", "update"}, - }, - { - APIGroups: []string{"rbac.authorization.k8s.io"}, - Resources: []string{"rolebindings"}, - Verbs: []string{"get", "create", "update"}, - }, { APIGroups: []string{"metrics.k8s.io"}, Resources: []string{"pods", "nodes"}, @@ -270,16 +285,6 @@ func (s *CheServerReconciler) getCommonPolicies() []rbacv1.PolicyRule { Resources: []string{"routes"}, Verbs: []string{"get", "list", "create", "delete"}, }, - { - APIGroups: []string{"authorization.openshift.io"}, - Resources: []string{"roles"}, - Verbs: []string{"get", "create", "update"}, - }, - { - APIGroups: []string{"authorization.openshift.io"}, - Resources: []string{"rolebindings"}, - Verbs: []string{"get", "create", "update"}, - }, { APIGroups: []string{"project.openshift.io"}, Resources: []string{"projects"}, @@ -293,9 +298,9 @@ func (s *CheServerReconciler) getCommonPolicies() []rbacv1.PolicyRule { return k8sPolicies } -func (s *CheServerReconciler) getUserClusterRoles(ctx *chetypes.DeployContext) []string { +func (s *CheServerReconciler) getDefaultUserClusterRoles(ctx *chetypes.DeployContext) []string { return []string{ - fmt.Sprintf(commonPermissionsTemplateName, ctx.CheCluster.Namespace), - fmt.Sprintf(devWorkspacePermissionsTemplateName, ctx.CheCluster.Namespace), + fmt.Sprintf(userCommonPermissionsTemplateName, ctx.CheCluster.Namespace), + fmt.Sprintf(userDevWorkspacePermissionsTemplateName, ctx.CheCluster.Namespace), } } diff --git a/pkg/deploy/server/rbac_test.go b/pkg/deploy/server/rbac_test.go index d50f5badd..65bddc464 100644 --- a/pkg/deploy/server/rbac_test.go +++ b/pkg/deploy/server/rbac_test.go @@ -68,9 +68,9 @@ func TestSyncPermissions(t *testing.T) { assert.Nil(t, err) names := []string{ - fmt.Sprintf(commonPermissionsTemplateName, ctx.CheCluster.Namespace), - fmt.Sprintf(namespacePermissionsTemplateName, ctx.CheCluster.Namespace), - fmt.Sprintf(devWorkspacePermissionsTemplateName, ctx.CheCluster.Namespace), + fmt.Sprintf(userCommonPermissionsTemplateName, ctx.CheCluster.Namespace), + fmt.Sprintf(cheSASpecificPermissionsTemplateName, ctx.CheCluster.Namespace), + fmt.Sprintf(userDevWorkspacePermissionsTemplateName, ctx.CheCluster.Namespace), } for _, name := range names { diff --git a/pkg/deploy/server/server_configmap.go b/pkg/deploy/server/server_configmap.go index eaf834975..e7145aee8 100644 --- a/pkg/deploy/server/server_configmap.go +++ b/pkg/deploy/server/server_configmap.go @@ -219,6 +219,14 @@ func (s *CheServerReconciler) getCheConfigMapData(ctx *chetypes.DeployContext) ( } err = json.Unmarshal(out, &cheEnv) + // Advanced authorization + if ctx.CheCluster.Spec.Networking.Auth.AdvancedAuthorization != nil { + cheEnv["CHE_INFRA_KUBERNETES_ADVANCED__AUTHORIZATION_ALLOW__USERS"] = strings.Join(ctx.CheCluster.Spec.Networking.Auth.AdvancedAuthorization.AllowUsers, ",") + cheEnv["CHE_INFRA_KUBERNETES_ADVANCED__AUTHORIZATION_ALLOW__GROUPS"] = strings.Join(ctx.CheCluster.Spec.Networking.Auth.AdvancedAuthorization.AllowGroups, ",") + cheEnv["CHE_INFRA_KUBERNETES_ADVANCED__AUTHORIZATION_DENY__USERS"] = strings.Join(ctx.CheCluster.Spec.Networking.Auth.AdvancedAuthorization.DenyUsers, ",") + cheEnv["CHE_INFRA_KUBERNETES_ADVANCED__AUTHORIZATION_DENY__GROUPS"] = strings.Join(ctx.CheCluster.Spec.Networking.Auth.AdvancedAuthorization.DenyGroups, ",") + } + // k8s specific envs if !infrastructure.IsOpenShift() { k8sCheEnv := map[string]string{ @@ -298,7 +306,7 @@ func GetCheConfigMapVersion(deployContext *chetypes.DeployContext) string { } func (s *CheServerReconciler) updateUserClusterRoles(ctx *chetypes.DeployContext, cheEnv map[string]string) { - userClusterRoles := strings.Join(s.getUserClusterRoles(ctx), ", ") + userClusterRoles := strings.Join(s.getDefaultUserClusterRoles(ctx), ", ") for _, role := range strings.Split(cheEnv["CHE_INFRA_KUBERNETES_USER__CLUSTER__ROLES"], ",") { role := strings.TrimSpace(role) diff --git a/pkg/deploy/server/server_reconciler.go b/pkg/deploy/server/server_reconciler.go index c67da4b4d..8ea908c3c 100644 --- a/pkg/deploy/server/server_reconciler.go +++ b/pkg/deploy/server/server_reconciler.go @@ -55,7 +55,7 @@ func (s *CheServerReconciler) Reconcile(ctx *chetypes.DeployContext) (reconcile. } if done, err := s.syncPermissions(ctx); !done { - return reconcile.Result{}, false, err + return reconcile.Result{Requeue: true}, false, err } done, err = s.syncDeployment(ctx)