feat: add complete ui-operator addon with RBAC

Author: hervedombya

buildchain/buildchain/salt_tree.py

@@ -412,6 +412,7 @@ def task(self) -> types.TaskDict:
     Path("salt/metalk8s/addons/ui-operator/deployed/init.sls"),
     Path("salt/metalk8s/addons/ui-operator/deployed/manifests.sls"),
     Path("salt/metalk8s/addons/ui-operator/deployed/namespace.sls"),
+    Path("salt/metalk8s/addons/ui-operator/deployed/rbac.sls"),
     Path("salt/metalk8s/addons/ui-operator/post-upgrade.sls"),
     Path("salt/metalk8s/addons/solutions/deployed/configmap.sls"),
     Path("salt/metalk8s/addons/solutions/deployed/init.sls"),

salt/metalk8s/addons/ui-operator/deployed/init.sls

@@ -1,4 +1,5 @@
 include:
+  - .rbac
   - .manifests
 
 Wait for the UI Operator to be Ready:

salt/metalk8s/addons/ui-operator/deployed/manifests.sls

@@ -30,6 +30,7 @@ Deploy UI Operator:
               labels:
                 app.kubernetes.io/name: ui-operator
             spec:
+              serviceAccountName: ui-operator
               containers:
               - name: ui-operator
                 image: {{ ui_operator_image }}
@@ -64,4 +65,5 @@ Deploy UI Operator:
                 runAsNonRoot: true
               terminationGracePeriodSeconds: 10
     - require:
-      - sls: metalk8s.addons.ui-operator.deployed.namespace 
+      - sls: metalk8s.addons.ui-operator.deployed.namespace
+      - sls: metalk8s.addons.ui-operator.deployed.rbac 

salt/metalk8s/addons/ui-operator/deployed/rbac.sls

@@ -0,0 +1,73 @@
+#! metalk8s_kubernetes
+
+# ServiceAccount for ui-operator
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ui-operator
+  namespace: metalk8s-ui
+  labels:
+    app.kubernetes.io/name: ui-operator
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/part-of: metalk8s
+    heritage: metalk8s
+automountServiceAccountToken: true
+
+---
+# ClusterRole for ui-operator
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ui-operator
+  labels:
+    app.kubernetes.io/name: ui-operator
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/part-of: metalk8s
+    heritage: metalk8s
+rules:
+# Core API permissions
+- apiGroups: [""]
+  resources: ["configmaps", "secrets", "services", "endpoints"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+# Apps API permissions
+- apiGroups: ["apps"]
+  resources: ["deployments", "replicasets"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Extensions for UI-specific resources
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Custom resources for UI operator
+- apiGroups: ["ui.scality.com"]
+  resources: ["*"]
+  verbs: ["*"]
+# Leader election
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+---
+# ClusterRoleBinding for ui-operator
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ui-operator
+  labels:
+    app.kubernetes.io/name: ui-operator
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/part-of: metalk8s
+    heritage: metalk8s
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ui-operator
+subjects:
+- kind: ServiceAccount
+  name: ui-operator
+  namespace: metalk8s-ui