Expand Up @@ -127,7 +127,7 @@ permission:
maxDepth: 1
policyFileReload: true
policies-csv-file: "./rbac/rbac-policy.csv"
conditionalPoliciesFile: "./rbac-conditions/conditional-policies.yaml"
conditionalPoliciesFile: "./rbac/conditional-policies.yaml"
pluginsWithPermission:
- catalog
- permission
122 changes: 0 additions & 122 deletions .ibm/pipelines/value_files/values_showcase-rbac.yaml
Expand Up @@ -604,8 +604,6 @@ upstream:

- name: rbac-policy
mountPath: /opt/app-root/src/rbac
- name: rbac-conditions
mountPath: /opt/app-root/src/rbac-conditions
- mountPath: /opt/app-root/src/postgres-crt.pem
name: postgress-external-db-cluster-cert
subPath: tls.crt
Expand Down Expand Up @@ -658,126 +656,6 @@ upstream:
configMap:
defaultMode: 420
name: rbac-policy
- name: rbac-conditions
emptyDir: {}
initContainers:
# NOTE: Lists will not be merged with the default values file. So need to append all the defaults if you want to add a new item here
# See https://issues.redhat.com/browse/RHDHPLAN-869
- name: install-dynamic-plugins
# -- Image used by the initContainer to install dynamic plugins into the `dynamic-plugins-root` volume mount.
# It could be replaced by a custom image based on this one.
# @default -- `quay.io/rhdh-community/rhdh:latest`
image: '{{ include "backstage.image" . }}'
command:
- sh
- "-c"
- |
cat > /rbac-conditions/conditional-policies.yaml <<EOF
---
result: CONDITIONAL
roleEntityRef: 'role:default/test2-role'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- read
- update
conditions:
rule: IS_ENTITY_OWNER
resourceType: catalog-entity
params:
claims:
- 'group:janus-qe/rhdh-qe-2-team'
- \$currentUser
---
result: CONDITIONAL
roleEntityRef: 'role:default/test2-role'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- delete
conditions:
rule: IS_ENTITY_OWNER
resourceType: catalog-entity
params:
claims:
- \$currentUser
---
result: CONDITIONAL
roleEntityRef: 'role:default/transitive-owner'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- read
conditions:
rule: IS_ENTITY_OWNER
resourceType: catalog-entity
params:
claims:
- \$ownerRefs
---
result: CONDITIONAL
roleEntityRef: 'role:default/owned_resource_reader'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- read
conditions:
rule: IS_ENTITY_OWNER
resourceType: catalog-entity
params:
claims:
- \$currentUser
---
result: CONDITIONAL
roleEntityRef: 'role:default/conditional_denier'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- read
conditions:
rule: HAS_LABEL
resourceType: catalog-entity
params:
label: test-label
EOF

./install-dynamic-plugins.sh /dynamic-plugins-root
env:
- name: NPM_CONFIG_USERCONFIG
value: /opt/app-root/src/.npmrc.dynamic-plugins
- name: MAX_ENTRY_SIZE
value: "30000000"
- name: CATALOG_INDEX_IMAGE
value: "{{ .Values.global.catalogIndex.image.registry }}/{{ .Values.global.catalogIndex.image.repository }}:{{ .Values.global.catalogIndex.image.tag }}"
- name: CATALOG_ENTITIES_EXTRACT_DIR
value: "/extensions"
imagePullPolicy: Always
volumeMounts:
- mountPath: /dynamic-plugins-root
name: dynamic-plugins-root
- mountPath: /opt/app-root/src/dynamic-plugins.yaml
name: dynamic-plugins
readOnly: true
subPath: dynamic-plugins.yaml
- mountPath: /opt/app-root/src/.npmrc.dynamic-plugins
name: dynamic-plugins-npmrc
readOnly: true
subPath: .npmrc
- mountPath: /opt/app-root/src/.config/containers
name: dynamic-plugins-registry-auth
readOnly: true
- mountPath: /opt/app-root/src/.npm/_cacache
name: npmcacache
- name: extensions-catalog
mountPath: /extensions
- name: temp
mountPath: /tmp

- mountPath: /rbac
name: rbac-policy
- mountPath: /rbac-conditions
name: rbac-conditions
workingDir: /opt/app-root/src
installDir: /opt/app-root/src
extraAppConfig:
- configMapRef: app-config-rhdh
67 changes: 67 additions & 0 deletions scripts/rhdh-openshift-setup/resources/rbac-policies.yaml
Expand Up @@ -27,3 +27,70 @@ data:
p, role:default/admin, policy.entity.create, create, allow

g, user:development/guest, role:default/admin
conditional-policies.yaml: |
---
result: CONDITIONAL
roleEntityRef: 'role:default/test2-role'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- read
- update
conditions:
rule: IS_ENTITY_OWNER
resourceType: catalog-entity
params:
claims:
- 'group:janus-qe/rhdh-qe-2-team'
- \$currentUser
---
result: CONDITIONAL
roleEntityRef: 'role:default/test2-role'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- delete
conditions:
rule: IS_ENTITY_OWNER
resourceType: catalog-entity
params:
claims:
- \$currentUser
---
result: CONDITIONAL
roleEntityRef: 'role:default/transitive-owner'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- read
conditions:
rule: IS_ENTITY_OWNER
resourceType: catalog-entity
params:
claims:
- \$ownerRefs
---
result: CONDITIONAL
roleEntityRef: 'role:default/owned_resource_reader'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- read
conditions:
rule: IS_ENTITY_OWNER
resourceType: catalog-entity
params:
claims:
- \$currentUser
---
result: CONDITIONAL
roleEntityRef: 'role:default/conditional_denier'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- read
conditions:
rule: HAS_LABEL
resourceType: catalog-entity
params:
label: test-label
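Review bot: The four claim entries written as `\$currentUser` (three times) and `\$ownerRefs` keep the backslash that the removed `sh -c` heredoc in `.ibm/pipelines/value_files/values_showcase-rbac.yaml` needed to stop the shell from expanding `$`, but this ConfigMap block scalar is never passed through a shell, so the RBAC plugin will now read the literal string `\$currentUser` as the claim. Unless the plugin's loader strips that backslash (I can't confirm from here), the IS_ENTITY_OWNER conditions would never match an entity owner and the affected roles would silently lose the conditional read/update/delete they are meant to get — a fail-closed regression that surfaces only as unexpected denials, not as a load error. Drop the escape on each of the four lines, `- $currentUser` and `- $ownerRefs`, and check the rendered ConfigMap to confirm the values are bare `$...` aliases. A comment above the key, `# read directly by the RBAC plugin as YAML; no shell escaping of $ here`, would keep the next editor from copying the heredoc form back in.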