This is an automated email from the ASF dual-hosted git repository. astefanutti pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit 4e6a2db1614901a65ad1df9858a957b26e0f91d2 Author: Christoph Deppisch <[email protected]> AuthorDate: Fri Jun 3 21:04:59 2022 +0200 Fix #2177: Introduce integration platform viewer role - Integration platforms need to be visible to authenticated users in order to verify operator ids - Add integration platform viewer role in all namespaces that hold at least one integration platform so users can get and list these platform instances - Automatically add the role during kamel CLI installation and in platform trait --- pkg/cmd/install.go | 4 +++ pkg/install/platform.go | 32 +++++++++++++++++++ pkg/platform/platform.go | 13 +++++++- pkg/resources/resources.go | 16 ++++++++++ pkg/trait/platform.go | 14 +++++++++ .../user-global-platform-viewer-role-binding.yaml | 35 +++++++++++++++++++++ .../viewer/user-global-platform-viewer-role.yaml | 36 ++++++++++++++++++++++ 7 files changed, 149 insertions(+), 1 deletion(-) diff --git a/pkg/cmd/install.go b/pkg/cmd/install.go index 368eaeb31..1efba233e 100644 --- a/pkg/cmd/install.go +++ b/pkg/cmd/install.go @@ -485,6 +485,10 @@ func (o *installCmdOptions) install(cobraCmd *cobra.Command, _ []string) error { return err } + if err := install.IntegrationPlatformViewerRole(o.Context, c, namespace); err != nil && !k8serrors.IsAlreadyExists(err) { + return errors.Wrap(err, "Error while installing global IntegrationPlatform viewer role") + } + if o.ExampleSetup { err = install.ExampleOrCollect(o.Context, c, namespace, collection, o.Force) if err != nil { diff --git a/pkg/install/platform.go b/pkg/install/platform.go new file mode 100644 index 000000000..9a087d077 --- /dev/null +++ b/pkg/install/platform.go 
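Review bot: The new call to `install.IntegrationPlatformViewerRole` in `install` has no guard visible in this hunk, so it appears to run on every `kamel install`, while the helper's doc comment describes the role as being for the global namespace. If only global or operator namespaces are meant to expose their IntegrationPlatforms to all authenticated users, the call should sit behind that condition. If every install namespace is intended, say so at the call site, e.g. `// Installed in every namespace that holds an IntegrationPlatform, not only for global installs`. The body of `install` continues outside the hunk, so an outer condition may exist that is not shown here.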
@@ -0,0 +1,32 @@ +/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package install + +import ( + "context" + + "github.com/apache/camel-k/pkg/client" +) + +// IntegrationPlatformViewerRole installs the role that allows any user ro access integrationplatforms in the global namespace. +func IntegrationPlatformViewerRole(ctx context.Context, c client.Client, namespace string) error { + if err := Resource(ctx, c, namespace, true, IdentityResourceCustomizer, "/viewer/user-global-platform-viewer-role.yaml"); err != nil { + return err + } + return Resource(ctx, c, namespace, true, IdentityResourceCustomizer, "/viewer/user-global-platform-viewer-role-binding.yaml") +} diff --git a/pkg/platform/platform.go b/pkg/platform/platform.go index 8d27391e4..8b5f5c9c1 100644 --- a/pkg/platform/platform.go +++ b/pkg/platform/platform.go @@ -21,6 +21,7 @@ import ( "context" v1 "github.com/apache/camel-k/pkg/apis/camel/v1" + "github.com/apache/camel-k/pkg/util/defaults" "github.com/apache/camel-k/pkg/util/kubernetes" k8serrors "k8s.io/apimachinery/pkg/api/errors" k8sclient "sigs.k8s.io/controller-runtime/pkg/client" 
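Review bot: If the first `Resource` call in `IntegrationPlatformViewerRole` returns an AlreadyExists error, the function returns before the RoleBinding is applied. Both callers in this commit treat `k8serrors.IsAlreadyExists` as success, so a namespace holding the Role but not the binding would stay half-configured. Whether `Resource` can return AlreadyExists when called with `true` is not visible here; if it can, tolerate it on the first call only, `if err := Resource(/* role yaml */); err != nil && !k8serrors.IsAlreadyExists(err) { return err }`. The doc comment also has a typo (`ro access`) and says "global namespace" although the function acts on whatever `namespace` it is given. A comment such as `// IntegrationPlatformViewerRole installs the Role and RoleBinding that let all authenticated users read IntegrationPlatforms in the given namespace.` would match the manifests.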
@@ -68,9 +69,19 @@ func getOrFindForResource(ctx context.Context, c k8sclient.Reader, o k8sclient.O
 if selectedPlatform, ok := o.GetAnnotations()[v1.PlatformSelectorAnnotation]; ok {
 return get(ctx, c, o.GetNamespace(), selectedPlatform)
 }
+
+ platformName := defaults.OperatorID()
 if it, ok := o.(*v1.Integration); ok {
- return getOrFind(ctx, c, it.Namespace, it.Status.Platform, active, local)
+ if it.Status.Platform != "" {
+ platformName = it.Status.Platform
+ }
+
+ return getOrFind(ctx, c, it.Namespace, platformName, active, local)
 } else if ik, ok := o.(*v1.IntegrationKit); ok {
+ if ik.Status.Platform != "" {
+ platformName = ik.Status.Platform
+ }
+
 return getOrFind(ctx, c, ik.Namespace, ik.Status.Platform, active, local)
 }
 return find(ctx, c, o.GetNamespace(), active, local)
diff --git a/pkg/resources/resources.go b/pkg/resources/resources.go
index 2b685329a..ef9cad184 100644
--- a/pkg/resources/resources.go
+++ b/pkg/resources/resources.go
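Review bot: In the `*v1.IntegrationKit` branch the new `platformName` is computed but the call below it still passes `ik.Status.Platform`. A kit with an empty status platform therefore never falls back to `defaults.OperatorID()` the way the Integration branch does. The call should read `return getOrFind(ctx, c, ik.Namespace, platformName, active, local)`. `getOrFindForResource` starts outside the hunk, so this is judged from the visible lines only.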
@@ -580,6 +580,20 @@ var assets = func() http.FileSystem { compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xac\x53\x4d\x8f\xdb\x36\x14\xbc\xf3\x57\x0c\xac\x4b\x02\xac\xe5\xb6\xa7\xc2\x3d\xb9\x9b\xdd\x56\x68\x60\x03\x2b\xa7\x41\x8e\xcf\xd4\xb3\xf4\x60\x8a\x4f\x25\xa9\x55\xb6\xbf\xbe\xa0\x2c\x67\x37\xe8\x35\xbc\xf8\x43\xa3\x79\x33\x6f\x86\x05\xd6\x3f\xee\x98\x02\x1f\xc5\xb2\x8f\xdc\x20\x29\x52\xc7\xd8\x0d\x64\x3b\x46\xad\xe7\x34\x51\x60\x3c\xea\xe8\x1b\x4a\xa2\x1e\xef\x76\xf5\xe3\x7b\x8c\xbe\xe1\x00\xf5\x0c\x0d\xe8\x35\xb0\x [...] }, + "/viewer/user-global-platform-viewer-role-binding.yaml": &vfsgen۰CompressedFileInfo{ + name: "user-global-platform-viewer-role-binding.yaml", + modTime: time.Time{}, + uncompressedSize: 1348, + + compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xac\x53\x4d\x8f\xdb\x36\x10\xbd\xf3\x57\x3c\x58\x97\x04\x58\xcb\x6d\x4f\x85\x7b\x72\x36\xbb\xad\xd0\xc0\x06\x2c\xa7\x41\x8e\x63\x6a\x2c\x4d\x97\x22\x59\x92\x5a\xc5\xfd\xf5\x05\xb9\x76\x76\x83\x02\x2d\x02\xac\x6e\x02\x87\xef\x63\xde\x63\x85\xe5\xeb\x7d\xaa\xc2\x07\xd1\x6c\x23\x77\x48\x0e\x69\x60\x6c\x3c\xe9\x81\xd1\xba\x53\x9a\x29\x30\xee\xdd\x64\x3b\x4a\xe2\x2c\xde\x6c\xda\xfb\xb7\x98\x6c\xc7\x01\xce\x32\x5c\xc0\xe8\x [...] + }, + "/viewer/user-global-platform-viewer-role.yaml": &vfsgen۰CompressedFileInfo{ + name: "user-global-platform-viewer-role.yaml", + modTime: time.Time{}, + uncompressedSize: 1287, + + compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xac\x53\xc1\x8e\xdb\x36\x14\xbc\xf3\x2b\x06\xd6\x25\x01\xd6\x72\xdb\x53\xe1\x9e\xdc\xcd\x6e\x2b\x34\xb0\x81\x95\xd3\x20\xc7\x67\xe9\x59\x7a\x58\x8a\x54\x1f\xa9\x55\xb6\x5f\x5f\x90\x96\xbb\x0e\xda\x63\x78\xb1\x05\x8d\xe6\xcd\xbc\x19\x16\x58\x7f\xbf\x63\x0a\x7c\x94\x86\x5d\xe0\x16\xd1\x23\xf6\x8c\xdd\x48\x4d\xcf\xa8\xfd\x39\xce\xa4\x8c\x47\x3f\xb9\x96\xa2\x78\x87\x77\xbb\xfa\xf1\x3d\x26\xd7\xb2\xc2\x3b\x86\x57\x0c\x5e\x [...] 
+ }, "/camel-catalog-1.13.0.yaml": &vfsgen۰CompressedFileInfo{ name: "camel-catalog-1.13.0.yaml", modTime: time.Time{}, @@ -707,6 +721,8 @@ var assets = func() http.FileSystem { fs["/viewer"].(*vfsgen۰DirInfo).entries = []os.FileInfo{ fs["/viewer/user-global-kamelet-viewer-role-binding.yaml"].(os.FileInfo), fs["/viewer/user-global-kamelet-viewer-role.yaml"].(os.FileInfo), + fs["/viewer/user-global-platform-viewer-role-binding.yaml"].(os.FileInfo), + fs["/viewer/user-global-platform-viewer-role.yaml"].(os.FileInfo), } return fs diff --git a/pkg/trait/platform.go b/pkg/trait/platform.go index 263b76add..5ee3759db 100644 --- a/pkg/trait/platform.go +++ b/pkg/trait/platform.go @@ -18,12 +18,16 @@ limitations under the License. package trait import ( + "fmt" + k8serrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/utils/pointer" v1 "github.com/apache/camel-k/pkg/apis/camel/v1" traitv1 "github.com/apache/camel-k/pkg/apis/camel/v1/trait" + "github.com/apache/camel-k/pkg/install" "github.com/apache/camel-k/pkg/platform" + "github.com/apache/camel-k/pkg/util/defaults" "github.com/apache/camel-k/pkg/util/openshift" ) @@ -95,6 +99,10 @@ func (t *platformTrait) getOrCreatePlatform(e *Environment) (*v1.IntegrationPlat if err != nil && k8serrors.IsNotFound(err) { if pointer.BoolDeref(t.CreateDefault, false) { platformName := e.Integration.Status.Platform + if platformName == "" { + platformName = defaults.OperatorID() + } + if platformName == "" { platformName = platform.DefaultPlatformName } 
@@ -119,6 +127,12 @@ func (t *platformTrait) getOrCreatePlatform(e *Environment) (*v1.IntegrationPlat
 }
 pl = &defaultPlatform
 e.Resources.Add(pl)
+
+ // Make sure that IntegrationPlatform installed in operator namespace can be seen by others
+ if err := install.IntegrationPlatformViewerRole(e.Ctx, t.Client, namespace); err != nil && !k8serrors.IsAlreadyExists(err) {
+ t.L.Info(fmt.Sprintf("Cannot install global IntegrationPlatform viewer role in namespace '%s': skipping.", namespace))
+ }
+
 return pl, nil
 }
 }
diff --git a/resources/viewer/user-global-platform-viewer-role-binding.yaml b/resources/viewer/user-global-platform-viewer-role-binding.yaml
new file mode 100644
index 000000000..6d13f8a6b
--- /dev/null
+++ b/resources/viewer/user-global-platform-viewer-role-binding.yaml
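Review bot: The error from `install.IntegrationPlatformViewerRole` is dropped: the log line names the namespace but not `err`, and it is written at Info level. An RBAC denial or API failure during reconciliation would leave no cause in the operator log. Include the error in the message, e.g. `fmt.Sprintf("Cannot install global IntegrationPlatform viewer role in namespace '%s': %v: skipping.", namespace, err)`. The comment says "operator namespace", but where `namespace` is assigned lies outside the hunk, so it is worth confirming that the binding is only ever created there. `getOrCreatePlatform` starts outside the hunk.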
@@ -0,0 +1,35 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+#
+# RoleBinding installed in the operator namespace
+# to allow access to integrationplatforms
+#
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: camel-k-platform-viewer
+ labels:
+ app: "camel-k"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: camel-k-platform-viewer
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:authenticated
diff --git a/resources/viewer/user-global-platform-viewer-role.yaml b/resources/viewer/user-global-platform-viewer-role.yaml
new file mode 100644
index 000000000..d5a1b8e18
--- /dev/null
+++ b/resources/viewer/user-global-platform-viewer-role.yaml
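Review bot: The only subject is the `system:authenticated` group, which in Kubernetes covers every authenticated identity, including service accounts from all namespaces as well as human users. The binding therefore gives all of them read access to the IntegrationPlatforms in this namespace, and the header comment should say so, e.g. `# Grants every authenticated identity in the cluster (users and service accounts) read access to integrationplatforms in this namespace`. What an IntegrationPlatform holds is not shown in this commit. If its spec can carry registry or build settings, confirm that nothing sensitive is stored inline before exposing it this widely.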
@@ -0,0 +1,36 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+#
+# Role installed in the operator namespace
+# to allow access to operator installed integrationplatforms
+#
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: camel-k-platform-viewer
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - "camel.apache.org"
+ resources:
+ - integrationplatforms
+ verbs:
+ - get
+ - list
+ - watch
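Review bot: The rule grants `watch` in addition to `get` and `list`, while the commit message only says users need to get and list platforms to verify operator ids. Drop `- watch` unless a client is known to need it. The header comment says "operator installed integrationplatforms", but the rule has no `resourceNames`, so it covers every IntegrationPlatform in the namespace. The comment would be accurate as `# to allow read access to all integrationplatforms in this namespace`.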
