Add correct permissions for monitoring service and make its creation …

…optional (#42) * fix monitoring errors and make creation optional * fix role * fix typos * implement changes Co-authored-by: Henning <[email protected]>
mittwald · Jul 28, 2021 · fc4e64e · fc4e64e
1 parent cfd61d1
commit fc4e64e
Show file tree

Hide file tree

Showing 8 changed files with 147 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -11,6 +11,16 @@ install: ## Install all resources (RBAC and Operator)
 	@echo ....... Applying Operator .......
 	kubectl apply -f deploy/operator.yaml -n ${NAMESPACE}
 
+.PHONY: installwithmonitoring
+installwithmonitoring: ## Install all resources (RBAC and Operator) with monitoring role
+	@echo ....... Applying Rules and Service Account .......
+	kubectl apply -f deploy/role_with_service_permissions.yaml -n ${NAMESPACE}
+	kubectl apply -f deploy/role_binding.yaml  -n ${NAMESPACE}
+	kubectl apply -f deploy/service_account.yaml  -n ${NAMESPACE}
+	@echo ....... Applying Operator .......
+	kubectl apply -f deploy/operator.yaml -n ${NAMESPACE}
+
+
 .PHONY: uninstall
 uninstall: ## Uninstall all that all performed in the $ make install
 	@echo ....... Uninstalling .......
@@ -21,6 +31,16 @@ uninstall: ## Uninstall all that all performed in the $ make install
 	@echo ....... Deleting Operator .......
 	kubectl delete -f deploy/operator.yaml -n ${NAMESPACE}
 
+.PHONY: uninstallwithmonitoring
+uninstallwithmonitoring: ## Uninstall all that all performed in the $ make installwithmonitoring
+	@echo ....... Uninstalling .......
+	@echo ....... Deleting Rules and Service Account .......
+	kubectl delete -f deploy/role_with_service_permissions.yaml -n ${NAMESPACE}
+	kubectl delete -f deploy/role_binding.yaml -n ${NAMESPACE}
+	kubectl delete -f deploy/service_account.yaml -n ${NAMESPACE}
+	@echo ....... Deleting Operator .......
+	kubectl delete -f deploy/operator.yaml -n ${NAMESPACE}
+
 .PHONY: test
 test: kind
 	@echo go test

diff --git a/README.md b/README.md
@@ -19,6 +19,8 @@ You might want to take a look a the [values.yaml](deploy/helm-chart/kubernetes-s
 
 - `watchNamespace` defines, which namespaces should be watched for secret objects.
 
+- `useMetricsService` toggles whether the operator should provide a service for metrics monitoring by Prometheus. If this is set to true, the operator will start with additional permissions, namely `get` permissions for `replicasets` and `deployments` in the apiGroup `apps`, as well as `create` permissions for `services` and create the needed services during startup.
+
   To watch a single namespace, set it to the desired namespace name.
 Multiple namespaces are supported and can be set as a comma-separated list: `ns1,ns2`.
 

diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -65,6 +65,7 @@ func main() {
 	pflag.String("secret-length", "40", "Secret length")
 	pflag.Int("ssh-key-length", 2048, "Default length of SSH Keys")
 	pflag.String("secret-encoding", "base64", "Encoding for secrets")
+	pflag.Bool("use-metrics-service", false, "Whether or not to use metrics service")
 	pflag.Parse()
 
 	// Import flags into viper and bind them to env vars
@@ -177,8 +178,10 @@ func main() {
 		os.Exit(1)
 	}
 
-	// Add the Metrics Service
-	addMetrics(ctx, cfg)
+	if viper.GetBool("use-metrics-service") {
+		// Add the Metrics Service
+		addMetrics(ctx, cfg)
+	}
 
 	log.Info("Starting the Cmd.")
 

diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/deployment.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/deployment.yaml
@@ -56,6 +56,8 @@ spec:
               value: {{ .Values.regenerateInsecure | quote }}
             - name: SECRET_LENGTH
               value: {{ .Values.secretLength | quote }}
+            - name: USE_METRICS_SERVICE
+              value: {{ .Values.useMetricsService | quote }}
           resources:
       {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/role.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/role.yaml
@@ -1,4 +1,61 @@
 {{- if .Values.rbac.create -}}
+{{- if .Values.useMetricsService -}}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  labels:
+  {{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
+rules:
+  # leader election
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+  - apiGroups:
+      - "apps"
+    resources:
+      - deployments
+      - replicasets
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - delete
+      - get
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - "get"
+      - "create"
+  {{- if and .Values.rbac.create (not .Values.rbac.clusterRole) }}
+  # Permissions to access secrets in this namespace if no cluster role is created.
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+  {{- end -}}
+{{- else -}}
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -42,3 +99,4 @@ rules:
       - update
   {{- end -}}
 {{- end -}}
+{{- end -}}
diff --git a/deploy/helm-chart/kubernetes-secret-generator/values.yaml b/deploy/helm-chart/kubernetes-secret-generator/values.yaml
@@ -55,6 +55,8 @@ secretLength: 40
 # Accessing secrets in namespaces other than the deployed one requires permissions via a cluster role (on by default)
 watchNamespace: ""
 
+useMetricsService: false
+
 # RBAC parameteres
 # https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 rbac:
@@ -64,3 +66,4 @@ rbac:
   # Set to false to restrict access to the deployed namespace only.
   # ClusterRole is deployed by Default
   clusterRole: true
+
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -50,3 +50,5 @@ spec:
               value: "true"
             - name: SECRET_LENGTH
               value: "40"
+            - name: USE_METRICS_SERVICE
+              value: "false"
diff --git a/deploy/role_with_service_permissions.yaml b/deploy/role_with_service_permissions.yaml
@@ -0,0 +1,55 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-secret-generator
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+  - apiGroups:
+      - "apps"
+    resources:
+      - deployments
+      - replicasets
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - delete
+      - get
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - "get"
+      - "create"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-secret-generator
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - update