Remove clusterrole creation, move ldap to permissionables

DiamondLightSource · Jun 4, 2024 · c6b4009 · c6b4009
1 parent 1d507c7
commit c6b4009
Show file tree

Hide file tree

Showing 11 changed files with 86 additions and 209 deletions.
diff --git a/charts/sessionspaces/templates/clusterrole-argo-workflows.yaml b/charts/sessionspaces/templates/clusterrole-argo-workflows.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-workflows
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "patch"]
+- apiGroups: [""]
+  resources: ["pods/logs"]
+  verbs: ["get", "watch"]
+- apiGroups: [""]
+  resources: ["pods/exec"]
+  verbs: ["create"]
+- apiGroups: ["argoproj.io"]
+  resources: [
+    "workflowtaskresults",
+    ]
+  verbs: ["create","patch"] 
+- apiGroups: ["argoproj.io"]
+  resources: [
+    "workflowtasksets",
+    "workflowartifactgctasks",
+    ]
+  verbs: ["list", "watch"] 
+- apiGroups: ["argoproj.io"]
+  resources: [
+    "workflowtasksets/status",
+    "workflowartifactgctasks/status",
+    ]
+  verbs: ["patch"] 
diff --git a/charts/sessionspaces/templates/clusterrole-visit-member.yaml b/charts/sessionspaces/templates/clusterrole-visit-member.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: visit-member
+rules:
+- apiGroups: ["argoproj.io"]
+  resources: [
+    "eventsources",
+    "sensors",
+    "workflows",
+    "workfloweventbindings",
+    "workflowtemplates",
+    "clusterworkflowtemplates",
+    "cronworkflows",
+    "workflowtaskresults",
+    ]
+  verbs: ["get", "watch", "list"] 
+- apiGroups: ["argoproj.io"]
+  resources: ["workflows"]
+  verbs: ["create"]
diff --git a/charts/sessionspaces/templates/clusterrole.yaml b/charts/sessionspaces/templates/clusterrole.yaml
@@ -4,37 +4,10 @@ kind: ClusterRole
 metadata:
   name: {{ include "sessionspaces.serviceAccountName" . }}
 rules:
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "watch", "patch"] 
 - apiGroups: [""]
   resources: ["namespaces"]
   verbs: ["create", "delete", "get", "list"]
-- apiGroups: [""]
-  resources: ["pods/exec"]
-  verbs: ["create"]
-- apiGroups: [""]
-  resources: ["pods/logs"]
-  verbs: ["get", "watch"]
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["clusterroles"]
-  verbs: ["create", "patch"]
 - apiGroups: [""]
   resources: ["configmaps"]
   verbs: ["create", "patch"]
-- apiGroups: ["argoproj.io"]
-  resources: [
-    "workflowartifactgctasks",
-    "workflowartifactgctasks/status",
-    "workflowtaskresults",
-    "workflowtasksets",
-    "workflowtasksets/status",
-    "clusterworkflowtemplates",
-    "cronworkflows",
-    "eventsources",
-    "sensors",
-    "workfloweventbindings",
-    "workflows",
-    "workflowtemplates"
-  ]
-  verbs: ["get", "list", "watch", "patch", "create"]
+{{- end }}
diff --git a/charts/sessionspaces/templates/clusterrolebinding.yaml b/charts/sessionspaces/templates/clusterrolebinding.yaml
@@ -12,3 +12,4 @@ roleRef:
   kind: ClusterRole
   name: {{ include "sessionspaces.fullname" . }}
   apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/sessionspaces/src/main.rs b/sessionspaces/src/main.rs
@@ -10,10 +10,7 @@ mod resources;
 
 use crate::{
     permissionables::{Session, SubjectSession},
-    resources::{
-        create_argo_workflows_role, create_configmap, create_namespace, create_visit_member_role,
-        delete_namespace,
-    },
+    resources::{create_configmap, create_namespace, delete_namespace},
 };
 use clap::Parser;
 use sqlx::{mysql::MySqlPoolOptions, MySqlPool};
@@ -54,13 +51,6 @@ async fn main() {
         .unwrap();
 
     let k8s_client = kube::Client::try_default().await.unwrap();
-    info!("Creating argo-workflows Role");
-    create_argo_workflows_role(k8s_client.clone())
-        .await
-        .unwrap();
-    info!("Creating visit-member Role");
-    create_visit_member_role(k8s_client.clone()).await.unwrap();
-
     let mut current_sessions = SessionSpaces::default();
     let mut request_at = Instant::now();
     loop {

diff --git a/sessionspaces/src/permissionables/ldap.rs b/sessionspaces/src/permissionables/ldap.rs
@@ -0,0 +1,27 @@
+use ldap3::{LdapConnAsync, Scope, SearchEntry};
+use tracing::info;
+
+pub async fn ldap_search(namespace: String) -> Result<String, Box<dyn std::error::Error>> {
+    let (conn, mut ldap) = LdapConnAsync::new("ldap://ldap.diamond.ac.uk").await?;
+    ldap3::drive!(conn);
+    let common_name = namespace.replace("-", "_");
+    let filter = format!("(&(objectClass=posixgroup)(cn={common_name}))",);
+    let (rs, _res) = ldap
+        .search(
+            "ou=Group,dc=diamond,dc=ac,dc=uk",
+            Scope::Subtree,
+            &filter,
+            vec!["gidnumber"],
+        )
+        .await
+        .unwrap()
+        .success()
+        .unwrap();
+    for entry in rs {
+        if let Some(res) = SearchEntry::construct(entry).attrs.get("gidNumber") {
+            return Ok(res.concat());
+        }
+    }
+    info!("gidNumber not found for session {}", common_name);
+    Err("gidNumber not found".into())
+}
diff --git a/sessionspaces/src/permissionables/mod.rs b/sessionspaces/src/permissionables/mod.rs
@@ -1,6 +1,8 @@
+/// gidNumber for sessions
+mod ldap;
 /// Beamline sessions
 mod session;
 /// Associations between subjects and sessions
 mod subject_session;
 
-pub use self::{session::Session, subject_session::SubjectSession};
+pub use self::{ldap::ldap_search, session::Session, subject_session::SubjectSession};
diff --git a/sessionspaces/src/resources/config_maps.rs b/sessionspaces/src/resources/config_maps.rs
@@ -1,42 +1,14 @@
+use crate::permissionables::ldap_search;
 use k8s_openapi::api::core::v1::ConfigMap;
 use kube::{
     api::{ObjectMeta, Patch, PatchParams},
     Api, Client,
 };
-use ldap3::{LdapConnAsync, Scope, SearchEntry};
-use std::{
-    collections::{BTreeMap, BTreeSet},
-    error::Error,
-};
+use std::collections::{BTreeMap, BTreeSet};
 use tracing::{info, instrument};
 
 const POLICY_CONFIG: &str = "policy-config";
 
-pub async fn ldap_search(namespace: String) -> Result<String, Box<dyn Error>> {
-    let (conn, mut ldap) = LdapConnAsync::new("ldap://ldap.diamond.ac.uk").await?;
-    ldap3::drive!(conn);
-    let common_name = namespace.replace("-", "_");
-    let filter = format!("(&(objectClass=posixgroup)(cn={common_name}))",);
-    let (rs, _res) = ldap
-        .search(
-            "ou=Group,dc=diamond,dc=ac,dc=uk",
-            Scope::Subtree,
-            &filter,
-            vec!["gidnumber"],
-        )
-        .await
-        .unwrap()
-        .success()
-        .unwrap();
-    for entry in rs {
-        if let Some(res) = SearchEntry::construct(entry).attrs.get("gidNumber") {
-            return Ok(res.concat());
-        }
-    }
-    info!("gidNumber not found for session {}", common_name);
-    Err("gidNumber not found".into())
-}
-
 #[instrument(skip(k8s_client))]
 pub async fn create_configmap(
     namespace: String,

diff --git a/sessionspaces/src/resources/member_sa.rs b/sessionspaces/src/resources/member_sa.rs
diff --git a/sessionspaces/src/resources/mod.rs b/sessionspaces/src/resources/mod.rs
@@ -1,15 +1,9 @@
 /// The config map for kyverno policy
 mod config_maps;
-/// The visit-member ServiceAccount and corresponding Role
-mod member_sa;
 /// The Namespace for a beamline session
 mod namespace;
-/// The argo-workflows ServiceAccount and corresponding Role
-mod workflows_sa;
 
 pub use self::{
     config_maps::create_configmap,
-    member_sa::create_visit_member_role,
     namespace::{create_namespace, delete_namespace},
-    workflows_sa::create_argo_workflows_role,
 };
diff --git a/sessionspaces/src/resources/workflows_sa.rs b/sessionspaces/src/resources/workflows_sa.rs