feat: add complete ui-operator addon with RBAC

fix: remove trailing whitespace in manifests.sls for ui-operator addon

fix: remove trailing whitespace in rbac.sls for ui-operator addon

refactor: update RBAC configuration for ui-operator addon to streamline permissions and remove unnecessary rules

feat: add service account to ui-operator deployment for enhanced security

feat: include namespace in ui-operator init.sls for improved deployment structure

Author: hervedombya

buildchain/buildchain/salt_tree.py

@@ -450,6 +450,7 @@ def _download_ui_operator_crds() -> str:
         ),
         context={"CRDs": _download_ui_operator_crds()},
     ),
+    Path("salt/metalk8s/addons/ui-operator/deployed/rbac.sls"),
     Path("salt/metalk8s/addons/ui-operator/post-upgrade.sls"),
     Path("salt/metalk8s/addons/solutions/deployed/configmap.sls"),
     Path("salt/metalk8s/addons/solutions/deployed/init.sls"),

salt/metalk8s/addons/ui-operator/deployed/init.sls

@@ -1,4 +1,5 @@
 include:
+  - .namespace
   - .manifests
 
 Wait for the UI Operator to be Ready:

salt/metalk8s/addons/ui-operator/deployed/manifests.sls

@@ -27,6 +27,7 @@ Deploy UI Operator:
               labels:
                 app.kubernetes.io/name: ui-operator
             spec:
+              serviceAccountName: ui-operator
               containers:
               - name: ui-operator
                 image: {{ ui_operator_image }}

salt/metalk8s/addons/ui-operator/deployed/rbac.sls

@@ -0,0 +1,68 @@
+#! metalk8s_kubernetes
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ui-operator
+  namespace: metalk8s-ui
+  labels:
+    app.kubernetes.io/name: ui-operator
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/part-of: metalk8s
+    heritage: metalk8s
+automountServiceAccountToken: true
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ui-operator
+  labels:
+    app.kubernetes.io/name: ui-operator
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/part-of: metalk8s
+    heritage: metalk8s
+rules:
+- apiGroups: [""]
+  resources: ["configmaps", "services"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: ["ui.scality.com"]
+  resources: ["scalityuicomponentexposers", "scalityuicomponents", "scalityuis"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: ["ui.scality.com"]
+  resources: ["scalityuicomponentexposers/finalizers", "scalityuicomponents/finalizers", "scalityuis/finalizers"]
+  verbs: ["update"]
+- apiGroups: ["ui.scality.com"]
+  resources: ["scalityuicomponentexposers/status", "scalityuicomponents/status", "scalityuis/status"]
+  verbs: ["get", "patch", "update"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ui-operator
+  labels:
+    app.kubernetes.io/name: ui-operator
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/part-of: metalk8s
+    heritage: metalk8s
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ui-operator
+subjects:
+- kind: ServiceAccount
+  name: ui-operator
+  namespace: metalk8s-ui