From faf0a9d3b4098636f7dd2713add71c49733c3d8d Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Tue, 25 Jan 2022 15:50:10 +0100
Subject: [PATCH] Change namespace-owner config to use a ClusterRole
---
 class/defaults.yml | 2 +-
 component/generated-rolebindings.jsonnet | 74 ++++++++++---------
 .../ROOT/pages/references/parameters.adoc | 4 +-
 ...10_generate_default_rolebinding_in_ns.yaml | 29 +-------
 .../10_namespace_editor_clusterrole.yaml | 21 ++++++
 5 files changed, 66 insertions(+), 64 deletions(-)
 create mode 100644 tests/golden/defaults/appuio-cloud/appuio-cloud/10_namespace_editor_clusterrole.yaml
diff --git a/class/defaults.yml b/class/defaults.yml
index ac06750..15d4ac8 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -61,7 +61,7 @@ parameters:
 bindingName: admin
 clusterRoleName: admin
- generatedNamespaceOwnerRole:
+ generatedNamespaceOwnerClusterRole:
 name: namespace-owner
 maxNamespaceQuota: 25
diff --git a/component/generated-rolebindings.jsonnet b/component/generated-rolebindings.jsonnet
index 11eb834..0b1c00b 100644
--- a/component/generated-rolebindings.jsonnet
+++ b/component/generated-rolebindings.jsonnet
@@ -1,10 +1,44 @@
 local common = import 'common.libsonnet';
 local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
 local kyverno = import 'lib/kyverno.libsonnet';
 local inv = kap.inventory();
 // The hiera parameters for the component
 local params = inv.parameters.appuio_cloud;
+local roleName =
+ if std.objectHas(params, 'generatedNamespaceOwnerRole') then
+ std.trace(
+ (
+ '\nParameter `generatedNamespaceOwnerRole` is deprecated.\n' + 'Please update your config to use `generatedNamespaceOwnerClusterRole` instead.'
+ ),
+ params.generatedNamespaceOwnerRole.name
+ )
+ else
+ params.generatedNamespaceOwnerClusterRole.name;
+
+local namespaceEditorClusterRole =
+ kube.ClusterRole(roleName) {
+ rules: [
+ {
+ apiGroups: [
+ '',
+ ],
+ resources: [
+ 'namespaces',
+ ],
+ verbs: [
+ 'get',
+ 'watch',
+ 'edit',
+ 'patch',
+ 'delete',
+ ],
+ },
+ ],
+ };
+
 /**
 * This policy will:
 * - Generate a RoleBinding to ClusterRole 'admin' for the organization defined in a label of a namespace.
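Review bot: The `verbs` list of the new `namespaceEditorClusterRole` contains `'edit'`, which is not a Kubernetes RBAC request verb (the API verbs are get, list, watch, create, update, patch, delete, deletecollection); the API server accepts the rule but it matches no request, so the entry grants nothing. It is carried over verbatim from the per-namespace Role removed in the second hunk, so this is not a regression, but moving the rule into a cluster-scoped object is a good moment to make it mean what it says: replace it with `'update',` if modifying the Namespace via `kubectl edit`/`kubectl apply` is intended, or drop it if `patch` is considered sufficient. I would also add a one-line comment above `rules:` stating that the ClusterRole is only ever bound through a namespaced RoleBinding, so these verbs apply to the binding's own Namespace object only; that is the property the commit relies on and it is not obvious from the ClusterRole alone.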
@@ -92,48 +126,19 @@ local generateDefaultRolebindingInNsPolicy = kyverno.ClusterPolicy('default-role
 },
 },
- {
- name: 'namespace-edit-role',
- match: common.MatchOrgNamespaces,
- generate: {
- kind: 'Role',
- synchronize: false,
- name: params.generatedNamespaceOwnerRole.name,
- namespace: '{{request.object.metadata.name}}',
- data: {
- rules: [
- {
- apiGroups: [
- '',
- ],
- resources: [
- 'namespaces',
- ],
- verbs: [
- 'get',
- 'watch',
- 'edit',
- 'patch',
- 'delete',
- ],
- },
- ],
- },
- },
- },
 {
 name: 'namespace-edit-rolebinding',
 match: common.MatchOrgNamespaces,
 generate: {
 kind: 'RoleBinding',
 synchronize: false,
- name: params.generatedNamespaceOwnerRole.name,
+ name: namespaceEditorClusterRole.metadata.name,
 namespace: '{{request.object.metadata.name}}',
 data: {
 roleRef: {
 apiGroup: 'rbac.authorization.k8s.io',
- kind: 'Role',
- name: params.generatedNamespaceOwnerRole.name,
+ kind: 'ClusterRole',
+ name: namespaceEditorClusterRole.metadata.name,
 },
 subjects: [
 {
@@ -150,5 +155,8 @@ local generateDefaultRolebindingInNsPolicy = kyverno.ClusterPolicy('default-role
 // Define outputs below
 {
- '10_generate_default_rolebinding_in_ns': generateDefaultRolebindingInNsPolicy + common.DefaultLabels,
+ '10_namespace_editor_clusterrole':
+ namespaceEditorClusterRole + common.DefaultLabels,
+ '10_generate_default_rolebinding_in_ns':
+ generateDefaultRolebindingInNsPolicy + common.DefaultLabels,
 }
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index 2c259b7..2737d43 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
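Review bot: The switch of `roleRef.kind` to `ClusterRole` in the `namespace-edit-rolebinding` rule only affects namespaces created after the policy is updated, because the rule is `synchronize: false`; namespaces that already exist keep a RoleBinding pointing at the per-namespace `Role`, and removing the `namespace-edit-role` rule does not, as far as I can tell, remove the Roles it generated earlier. Those leftover namespaced Roles stay editable by holders of the `admin` binding in that namespace, whereas the new ClusterRole is not, so the two populations of namespaces end up with differently managed permissions until the old objects are cleaned up. I would record this above the rule, e.g. `// synchronize: false — existing namespaces keep their previously generated Role + RoleBinding; see migration notes`, and mention the one-off cleanup in the component docs. The enclosing `generateDefaultRolebindingInNsPolicy` definition starts before this hunk.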
@@ -128,13 +128,13 @@ default:: `organization-admin`
 The `metadata.name` of the `RoleBinding` that gets generated in the new `Namespace` created by the user. The role binding is only created upon Namespace creation, it doesn't get synchronized.
-== `generatedNamespaceOwnerRole.name`
+== `generatedNamespaceOwnerClusterRole.name`
 [horizontal]
 type:: string
 default:: `namespace-owner`
-The `Role` and `RoleBinding` name for the role that allows users to edit the new `Namespace`
+The `ClusterRole` and `RoleBinding` name for the cluster role that allows users to edit the new `Namespace`
 == `generatedResourceQuota`
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/10_generate_default_rolebinding_in_ns.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/10_generate_default_rolebinding_in_ns.yaml
index 9d1c53b..90e5499 100644
--- a/tests/golden/defaults/appuio-cloud/appuio-cloud/10_generate_default_rolebinding_in_ns.yaml
+++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/10_generate_default_rolebinding_in_ns.yaml
@@ -55,38 +55,11 @@ spec:
 \n \"kind\": \"Group\"\n \"name\": \"{{organization}}\"\n- \"op\"\ : \"remove\"\n \"path\": \"/metadata/labels/appuio.io~1uninitialized\""
 name: patch-uninitialized-default-rolebinding
- - generate:
- data:
- rules:
- - apiGroups:
- - ''
- resources:
- - namespaces
- verbs:
- - get
- - watch
- - edit
- - patch
- - delete
- kind: Role
- name: namespace-owner
- namespace: '{{request.object.metadata.name}}'
- synchronize: false
- match:
- all:
- - resources:
- kinds:
- - Namespace
- selector:
- matchExpressions:
- - key: appuio.io/organization
- operator: Exists
- name: namespace-edit-role
 - generate:
 data:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: Role
+ kind: ClusterRole
 name: namespace-owner
 subjects:
 - kind: Group
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/10_namespace_editor_clusterrole.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/10_namespace_editor_clusterrole.yaml
new file mode 100644
index 0000000..a83fa29
--- /dev/null
+++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/10_namespace_editor_clusterrole.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations: {}
+ labels:
+ app.kubernetes.io/component: appuio-cloud
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/name: appuio-cloud
+ name: namespace-owner
+ name: namespace-owner
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - watch
+ - edit
+ - patch
+ - delete