From e16f06f8699f7032e1479648f6907c859edfefd5 Mon Sep 17 00:00:00 2001 From: maler Date: Tue, 20 Apr 2021 19:08:30 +0200 Subject: [PATCH] Adds gitlab2rbac chart and corresponding command in Readme --- README.md | 8 + gitlab2rbac/.helmignore | 23 ++ gitlab2rbac/Chart.yaml | 24 ++ gitlab2rbac/templates/NOTES.txt | 22 ++ gitlab2rbac/templates/_helpers.tpl | 62 ++++ gitlab2rbac/templates/clusterrole.yaml | 11 + gitlab2rbac/templates/clusterrolebinding.yaml | 15 + gitlab2rbac/templates/configmap.yaml | 8 + gitlab2rbac/templates/deployment.yaml | 65 ++++ gitlab2rbac/templates/serviceaccount.yaml | 12 + gitlab2rbac/values.yaml | 292 ++++++++++++++++++ 11 files changed, 542 insertions(+) create mode 100644 gitlab2rbac/.helmignore create mode 100644 gitlab2rbac/Chart.yaml create mode 100644 gitlab2rbac/templates/NOTES.txt create mode 100644 gitlab2rbac/templates/_helpers.tpl create mode 100644 gitlab2rbac/templates/clusterrole.yaml create mode 100644 gitlab2rbac/templates/clusterrolebinding.yaml create mode 100644 gitlab2rbac/templates/configmap.yaml create mode 100644 gitlab2rbac/templates/deployment.yaml create mode 100644 gitlab2rbac/templates/serviceaccount.yaml create mode 100644 gitlab2rbac/values.yaml diff --git a/README.md b/README.md index d03d3cb..e8dae3a 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,14 @@ Before anything else, `gitlab2rbac` requires: * [RBAC enabled on your Kubernetes cluster](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) * [GitLab API with v4 support](https://docs.gitlab.com/ee/api/v3_to_v4.html) +### Deploy with helm + +``` +helm install gitlab2rbac /path/to/chart/gitla2rbac --create-namespace gitlab2rbac --set data.GITLAB_URL=,data.GITLAB_PRIVATE_TOKEN=,data.KUBERNETES_LOAD_INCLUSTER_CONFIG=True +``` + +or + ### Configuration `gitlab2rbac` needs a namespace, cluster roles and cluster role bindings. Create them with: diff --git a/gitlab2rbac/.helmignore b/gitlab2rbac/.helmignore new file mode 100644 index 0000000..0e8a0eb 
--- /dev/null +++ b/gitlab2rbac/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/gitlab2rbac/Chart.yaml b/gitlab2rbac/Chart.yaml new file mode 100644 index 0000000..303d61d --- /dev/null +++ b/gitlab2rbac/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: gitlab2rbac +description: gitlab2rbac ensures that your Kubernetes cluster users have the same permissions than on GitLab. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.2.3" diff --git a/gitlab2rbac/templates/NOTES.txt b/gitlab2rbac/templates/NOTES.txt new file mode 100644 index 0000000..b0a6be8 --- /dev/null 
+++ b/gitlab2rbac/templates/NOTES.txt @@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitlab2rbac.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "gitlab2rbac.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gitlab2rbac.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gitlab2rbac.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/gitlab2rbac/templates/_helpers.tpl b/gitlab2rbac/templates/_helpers.tpl new file mode 100644 index 0000000..4e758a4 --- /dev/null +++ b/gitlab2rbac/templates/_helpers.tpl 
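Review bot: The notes are the generic web-app scaffold and do not describe this chart: with the default `service.type: ClusterIP` the rendered text tells the user to port-forward a pod and "Visit http://127.0.0.1:8080", yet the commit adds no Service template (none appears in the diffstat) and the Chart.yaml description presents gitlab2rbac as a permission-syncing component rather than an HTTP application. The `ingress.enabled` branch also ranges over `.Values.ingress.hosts`, which values.yaml never defines, so enabling the ingress flag alone would make rendering fail at these lines. Consider replacing the whole file with a short release message, e.g. `gitlab2rbac is deployed in namespace {{ .Release.Namespace }}; follow its sync activity with 'kubectl -n {{ .Release.Namespace }} logs deploy/{{ include "gitlab2rbac.fullname" . }}'`.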
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "gitlab2rbac.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gitlab2rbac.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gitlab2rbac.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "gitlab2rbac.labels" -}} +helm.sh/chart: {{ include "gitlab2rbac.chart" . }} +{{ include "gitlab2rbac.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "gitlab2rbac.selectorLabels" -}} +app.kubernetes.io/name: {{ include "gitlab2rbac.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "gitlab2rbac.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "gitlab2rbac.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/gitlab2rbac/templates/clusterrole.yaml b/gitlab2rbac/templates/clusterrole.yaml new file mode 100644 index 0000000..92b563b --- /dev/null +++ b/gitlab2rbac/templates/clusterrole.yaml @@ -0,0 +1,11 @@ +{{- $Values := .Values -}} +{{- range $type := .Values.ClusterRole.type }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ $type.name }} +rules: +{{- toYaml $type.rules | nindent 0 }} + +--- +{{- end }} diff --git a/gitlab2rbac/templates/clusterrolebinding.yaml b/gitlab2rbac/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..460cfba --- /dev/null +++ b/gitlab2rbac/templates/clusterrolebinding.yaml @@ -0,0 +1,15 @@ +{{- $Values := .Values -}} +{{- range $type := .Values.ClusterRoleBinding.type }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ $type.name }} +roleRef: + apiGroup: {{ $type.roleRefapiGroup | default "rbac.authorization.k8s.io"}} + kind: {{ $type.roleRefkind | default "ClusterRole" }} + name: {{ $type.roleRefname | default $type.name }} +subjects: +{{- toYaml $type.subjects | nindent 0 }} + +--- +{{- end }} diff --git a/gitlab2rbac/templates/configmap.yaml b/gitlab2rbac/templates/configmap.yaml new file mode 100644 index 0000000..cdb4572 --- /dev/null +++ b/gitlab2rbac/templates/configmap.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitlab2rbac.fullname" . }} + labels: + {{- include "gitlab2rbac.labels" . | nindent 4 }} +data: + {{- toYaml .Values.data | nindent 2 }} diff --git a/gitlab2rbac/templates/deployment.yaml b/gitlab2rbac/templates/deployment.yaml new file mode 100644 index 0000000..14b2d7a --- /dev/null +++ b/gitlab2rbac/templates/deployment.yaml 
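Review bot: `{{- $Values := .Values -}}` on the first line of clusterrole.yaml is assigned and never read inside the range; the identical unused assignment opens clusterrolebinding.yaml and both lines can be dropped. The generated ClusterRoles also carry no `labels:` block, so unlike the ConfigMap and Deployment they are not tagged with the chart/release labels, which makes ownership of these cluster-scoped objects harder to audit; inside the range the root context has to be referenced as `$`, i.e. `labels:` followed by `{{- include "gitlab2rbac.labels" $ | nindent 4 }}` under `metadata`.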
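Review bot: `subjects:` is emitted verbatim from `$type.subjects`, and the values shipped in this commit hard-code `name: gitlab2rbac` / `namespace: gitlab2rbac` for every ServiceAccount subject, whereas deployment.yaml runs the pod as `{{ include "gitlab2rbac.serviceAccountName" . }}` in `.Release.Namespace`; for any release whose name, namespace or `fullnameOverride` differs, the controller's own ServiceAccount ends up with none of these bindings while an unrelated account keeps them. The template can derive the defaults itself so that values only need to override them, as sketched below; the `roleRef` lines and the trailing `---` / `{{- end }}` stay as they are.
```yaml
# … unchanged: metadata and roleRef …
subjects:
{{- range $type.subjects }}
- kind: {{ .kind }}
  {{- if eq .kind "ServiceAccount" }}
  name: {{ .name | default (include "gitlab2rbac.serviceAccountName" $) }}
  namespace: {{ .namespace | default $.Release.Namespace }}
  {{- else }}
  name: {{ .name }}
  apiGroup: {{ .apiGroup | default "rbac.authorization.k8s.io" }}
  {{- end }}
{{- end }}
# … unchanged: document separator and end of outer range …
```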
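Review bot: Everything under `.Values.data` is rendered into a ConfigMap, and the README hunk in this same commit passes `data.GITLAB_PRIVATE_TOKEN` that way, so the GitLab private token lands in a plaintext ConfigMap readable by any principal with `get` on configmaps in the release namespace — a verb several of the chart's own roles grant. Keep only non-sensitive settings such as `GITLAB_URL` here and render the token into a Secret (a `secret.yaml` template using `stringData:` for the sensitive keys) that the pod consumes through a `secretRef` entry in `envFrom`. Separately, values.yaml defines no `data:` key, so a plain `helm install` without `--set data.*` appears to render `data: null` here; a documented `data: {}` default in values would make the contract explicit.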
@@ -0,0 +1,65 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "gitlab2rbac.fullname" . }} + labels: + {{- include "gitlab2rbac.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "gitlab2rbac.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gitlab2rbac.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gitlab2rbac.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + {{- with .Values.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.envFrom }} + envFrom: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/gitlab2rbac/templates/serviceaccount.yaml b/gitlab2rbac/templates/serviceaccount.yaml new file mode 100644 index 0000000..55baff7 --- /dev/null +++ b/gitlab2rbac/templates/serviceaccount.yaml 
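Review bot: The `ports:` block declares `containerPort: 80` named `http` unconditionally, but nothing in the commit exposes it (no Service template in the diffstat) and the chart description does not present the workload as a web listener, so the declaration is likely scaffold residue; gate it on a value or drop it. The container `securityContext` is rendered from `.Values.securityContext`, which values.yaml leaves as `{}`, so the only setting in effect is the pod-level one and the container gets no hardening of its own; a restrictive default such as `allowPrivilegeEscalation: false` and `capabilities: { drop: [ALL] }` (plus `readOnlyRootFilesystem: true` if the image tolerates it) would be appropriate for a controller that holds a GitLab token and cluster-wide RBAC rights.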
@@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gitlab2rbac.serviceAccountName" . }} + labels: + {{- include "gitlab2rbac.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/gitlab2rbac/values.yaml b/gitlab2rbac/values.yaml new file mode 100644 index 0000000..0a55586 --- /dev/null +++ b/gitlab2rbac/values.yaml 
@@ -0,0 +1,292 @@ +replicaCount: 1 + +image: + repository: numberly/gitlab2rbac + pullPolicy: IfNotPresent + # tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: + runAsUser: 0 # nobody + # runAsUser: 65534 # nobody + +securityContext: {} + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + + +resources: {} + +envFrom: +- configMapRef: + name: gitlab2rbac + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +ClusterRole: + type: + - name: gitlab2rbac:authenticated + rules: + - apiGroups: ["*"] + resources: + - apiservices + - componentstatuses + - namespaces + - nodes + verbs: + - get + - list + - watch + - name: gitlab2rbac:guest + rules: + - apiGroups: ["*"] + resources: + # workload + - cronjobs + - daemonsets + - deployments + - horizontalpodautoscalers + - ingresses + - jobs + - pods + - replicasets + - replicationcontrollers + - services + - statefulsets + - verticalpodautoscalers + # setup + - configmaps + - endpoints + - networkpolicies + - persistentvolumeclaims + - persistentvolumeclaims/status + - serviceaccounts + verbs: + - get + - list + - watch + - name: gitlab2rbac:reporter + rules: + - apiGroups: ["*"] + resources: + # actions + - pods/log + - pods/portforward + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: ["*"] + resources: + # workload + - cronjobs + - daemonsets + - deployments + - events + - horizontalpodautoscalers + - ingresses + - jobs + - pods + - replicasets + - replicationcontrollers + - services + - statefulsets 
+ - verticalpodautoscalers + # setup + - configmaps + - endpoints + - networkpolicies + - persistentvolumeclaims + - persistentvolumeclaims/status + - serviceaccounts + verbs: + - get + - list + - watch + - name: gitlab2rbac:developer + rules: + - apiGroups: ["*"] + resources: + # workload + - cronjobs + - daemonsets + - deployments + - deployments/scale + - horizontalpodautoscalers + - ingresses + - jobs + - pods + - replicasets + - replicationcontrollers + - services + - statefulsets + - verticalpodautoscalers + # actions + - deployments/rollback + - deployments/scale + - pods/attach + - pods/exec + - pods/log + - pods/portforward + - replicasets/scale + - replicationcontrollers/scale + - statefulsets/scale + # setup + - certificates + - configmaps + - endpoints + - networkpolicies + - persistentvolumeclaims + - persistentvolumeclaims/status + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: ["*"] + resources: + # workload + - events + # setup + - limitranges + - resourcequotas + - rolebindings + - roles + verbs: + - get + - list + - watch + - name: gitlab2rbac:maintainer + rules: + - apiGroups: ["*"] + resources: + # workload + - cronjobs + - daemonsets + - deployments + - deployments/scale + - events + - horizontalpodautoscalers + - ingresses + - jobs + - pods + - replicasets + - replicationcontrollers + - services + - statefulsets + - verticalpodautoscalers + # actions + - deployments/rollback + - deployments/scale + - pods/attach + - pods/exec + - pods/log + - pods/portforward + - replicasets/scale + - replicationcontrollers/scale + - statefulsets/scale + # setup + - certificates + - configmaps + - endpoints + - limitranges + - networkpolicies + - persistentvolumeclaims + - persistentvolumeclaims/status + - resourcequotas + - rolebindings + - roles + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - name: gitlab2rbac:admin 
+ rules: + - apiGroups: ['*'] + resources: ['*'] + verbs: ['*'] + - nonResourceURLs: ['*'] + verbs: ['*'] + +ClusterRoleBinding: + type: + - name: gitlab2rbac:authenticated + subjects: + - kind: Group + name: system:authenticated + apiGroup: rbac.authorization.k8s.io + - name: gitlab2rbac:guest + subjects: + - kind: ServiceAccount + name: gitlab2rbac + namespace: gitlab2rbac + - name: gitlab2rbac:reporter + subjects: + - kind: ServiceAccount + name: gitlab2rbac + namespace: gitlab2rbac + - name: gitlab2rbac:developer + subjects: + - kind: ServiceAccount + name: gitlab2rbac + namespace: gitlab2rbac + - name: gitlab2rbac:maintainer + subjects: + - kind: ServiceAccount + name: gitlab2rbac + namespace: gitlab2rbac + - name: gitlab2rbac:admin + subjects: + - kind: ServiceAccount + name: gitlab2rbac + namespace: gitlab2rbac + - name: gitlab2rbac + roleRefname: cluster-admin + subjects: + - kind: ServiceAccount + name: gitlab-admin + namespace: kube-system
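Review bot: `runAsUser: 0 # nobody` under `podSecurityContext` runs the pod as root while its comment says otherwise — uid 0 is root, and 65534 (the commented-out alternative right below it) is nobody; the default should be `runAsUser: 65534` with `runAsNonRoot: true`, and the misleading comment removed. `envFrom` references `configMapRef: name: gitlab2rbac` by literal name, but configmap.yaml names the object `{{ include "gitlab2rbac.fullname" . }}`, so any release not literally named `gitlab2rbac` produces a pod whose container cannot be created for lack of its ConfigMap (a missing ConfigMap is fatal unless `optional: true` is set); reference the chart's fullname from the template instead of from values. The last ClusterRoleBinding grants `cluster-admin` to a `gitlab-admin` ServiceAccount in `kube-system` that no template in this commit creates, and the `gitlab2rbac:authenticated` binding gives the `system:authenticated` group cluster-wide get/list/watch on nodes and namespaces; both deserve an explanatory comment in values, and the cluster-admin grant in particular should be an explicit opt-in rather than part of the default install.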