Created
January 24, 2022 20:36
-
-
Save zonggen/afd36a046c367485c8063dbef92ac248 to your computer and use it in GitHub Desktop.
Verify RBAC Restriction With Namespace Scoped CRD `ProjectHelmChartRepository`
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
oc delete secret/htpasswd-consoledeveloper-basic-sec1 -n openshift-config | |
oc delete role/helm-crd-role | |
oc delete rolebinding/consoledeveloper-basic-role | |
oc delete user/consoledeveloper-basic | |
# In addition, make sure to manually clean up the testing CR |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: helm.openshift.io/v1beta1 | |
kind: ProjectHelmChartRepository | |
metadata: | |
name: azure-sample-repo | |
spec: | |
name: azure-sample-repo | |
connectionConfig: | |
url: https://raw.githubusercontent.com/Azure-Samples/helm-charts/master/docs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: apiextensions.k8s.io/v1 | |
kind: CustomResourceDefinition | |
metadata: | |
annotations: | |
api-approved.openshift.io: https://github.com/openshift/api/pull/1084 | |
include.release.openshift.io/ibm-cloud-managed: "true" | |
include.release.openshift.io/self-managed-high-availability: "true" | |
include.release.openshift.io/single-node-developer: "true" | |
name: projecthelmchartrepositories.helm.openshift.io | |
spec: | |
group: helm.openshift.io | |
names: | |
kind: ProjectHelmChartRepository | |
listKind: ProjectHelmChartRepositoryList | |
plural: projecthelmchartrepositories | |
singular: projecthelmchartrepository | |
scope: Namespaced | |
versions: | |
- name: v1beta1 | |
served: true | |
storage: true | |
subresources: | |
status: {} | |
schema: | |
openAPIV3Schema: | |
description: "ProjectHelmChartRepository holds namespace-wide configuration for proxied Helm chart repository \n Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer)." | |
type: object | |
required: | |
- spec | |
properties: | |
apiVersion: | |
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
type: string | |
kind: | |
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
type: string | |
metadata: | |
type: object | |
spec: | |
description: spec holds user settable values for configuration | |
type: object | |
properties: | |
connectionConfig: | |
description: Required configuration for connecting to the chart repo | |
type: object | |
properties: | |
ca: | |
description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca-bundle.crt" is used to locate the data. If empty, the default system roots are used. The namespace for this config map is openshift-config. | |
type: object | |
required: | |
- name | |
properties: | |
name: | |
description: name is the metadata.name of the referenced config map | |
type: string | |
tlsClientConfig: | |
description: tlsClientConfig is an optional reference to a secret by name that contains the PEM-encoded TLS client certificate and private key to present when connecting to the server. The key "tls.crt" is used to locate the client certificate. The key "tls.key" is used to locate the private key. The namespace for this secret is openshift-config. | |
type: object | |
required: | |
- name | |
properties: | |
name: | |
description: name is the metadata.name of the referenced secret | |
type: string | |
url: | |
description: Chart repository URL | |
type: string | |
maxLength: 2048 | |
pattern: ^https?:\/\/ | |
description: | |
description: Optional human readable repository description, it can be used by UI for displaying purposes | |
type: string | |
maxLength: 2048 | |
minLength: 1 | |
disabled: | |
description: If set to true, disable the repo usage in the cluster/namespace | |
type: boolean | |
name: | |
description: Optional associated human readable repository name, it can be used by UI for displaying purposes | |
type: string | |
maxLength: 100 | |
minLength: 1 | |
status: | |
description: Observed status of the repository within the namespace.. | |
type: object | |
properties: | |
conditions: | |
description: conditions is a list of conditions and their statuses | |
type: array | |
items: | |
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" | |
type: object | |
required: | |
- lastTransitionTime | |
- message | |
- reason | |
- status | |
- type | |
properties: | |
lastTransitionTime: | |
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. | |
type: string | |
format: date-time | |
message: | |
description: message is a human readable message indicating details about the transition. This may be an empty string. | |
type: string | |
maxLength: 32768 | |
observedGeneration: | |
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. | |
type: integer | |
format: int64 | |
minimum: 0 | |
reason: | |
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | |
type: string | |
maxLength: 1024 | |
minLength: 1 | |
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ | |
status: | |
description: status of the condition, one of True, False, Unknown. | |
type: string | |
enum: | |
- "True" | |
- "False" | |
- Unknown | |
type: | |
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) | |
type: string | |
maxLength: 316 | |
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
HTPASSWD_FILE="./htpass" | |
USERNAME="consoledeveloper-basic" | |
USERPASS="developer" | |
HTPASSWD_SECRET="htpasswd-consoledeveloper-basic-sec1" | |
OC_USERS_LIST="$(oc get users)" | |
if echo "${OC_USERS_LIST}" | grep -q "${USERNAME}"; then | |
echo -e "\n\033[0;32m \xE2\x9C\x94 User consoledeveloper-basic already exists \033[0m\n" | |
exit; | |
fi | |
htpasswd -cb $HTPASSWD_FILE $USERNAME $USERPASS | |
oc get secret $HTPASSWD_SECRET -n openshift-config &> /dev/null | |
oc create secret generic ${HTPASSWD_SECRET} --from-file=htpasswd=${HTPASSWD_FILE} -n openshift-config | |
oc apply -f - <<EOF | |
apiVersion: config.openshift.io/v1 | |
kind: OAuth | |
metadata: | |
name: cluster | |
spec: | |
identityProviders: | |
- name: consoledeveloper-basic | |
challenge: true | |
login: true | |
mappingMethod: claim | |
type: HTPasswd | |
htpasswd: | |
fileData: | |
name: ${HTPASSWD_SECRET} | |
EOF | |
sleep 10s | |
oc create rolebinding ${USERNAME}-role --role=helm-crd-role --user=${USERNAME} -n default | |
sleep 15s | |
echo -e "\n\e[1;35m User consoledeveloper-basic created with the password developer. Type the below\e[0m \n" | |
echo -e "\n\e[1;32m oc login -u\e[3m \e[1;36mconsoledeveloper-basic\e[0m \e[1;32m-p\e[3m \e[1;36mdeveloper\e[0m \n" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kind: Role | |
apiVersion: rbac.authorization.k8s.io/v1 | |
metadata: | |
name: helm-crd-role | |
namespace: default | |
annotations: | |
include.release.openshift.io/ibm-cloud-managed: "true" | |
include.release.openshift.io/self-managed-high-availability: "true" | |
include.release.openshift.io/single-node-developer: "true" | |
rules: | |
# TODO: delete is needed for ownerRefs on older clusters | |
# should remove in the future. | |
- apiGroups: | |
- helm.openshift.io | |
resources: | |
- projecthelmchartrepositories | |
verbs: | |
- get | |
- list | |
- watch | |
- create | |
- update | |
- delete |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment