fix(kgo): fix RBAC policy rules (#1148)

Kong · Oct 17, 2024 · 571b6b4 · 571b6b4
1 parent f499e19
commit 571b6b4
Show file tree

Hide file tree

Showing 4 changed files with 623 additions and 609 deletions.
diff --git a/charts/gateway-operator/CHANGELOG.md b/charts/gateway-operator/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## 0.2.3
+
+### Fixes
+
+- Fixed manager's policy rules
+  [#1148](https://github.com/Kong/charts/pull/1148)
+
 ## 0.2.2
 
 ### Changes

diff --git a/charts/gateway-operator/Chart.yaml b/charts/gateway-operator/Chart.yaml
@@ -8,7 +8,7 @@ maintainers:
 name: gateway-operator
 sources:
   - https://github.com/Kong/charts/tree/main/charts/gateway-operator
-version: 0.2.2
+version: 0.2.3
 appVersion: "1.3"
 annotations:
   artifacthub.io/prerelease: "false"

diff --git a/charts/gateway-operator/scripts/update-rbac-resources.sh b/charts/gateway-operator/scripts/update-rbac-resources.sh
@@ -1,44 +1,23 @@
 #!/usr/bin/env bash
-# ------------------------------------------------------------------------------
-# 
-# cd kong/gateway-operator/config 
-# kustomize build rbac > /tmp/rbac-resources.yaml
-# sed -i 's/namespace: kong-system/namespace: {{ template "kong.namespace" . }}/g' /tmp/rbac-resources.yaml
-# sed -i 's/name: controller-manager$/name: {{ template "kong.serviceAccountName" . }}/g' /tmp/rbac-resources.yaml
-# sed -i 's/name: gateway-operator-manager-role/name: {{ template "kong.fullname" . }}-manager-role/g' /tmp/rbac-resources.yaml
-# sed -i 's/name: controller-manager-metrics-service/name: {{ template "kong.fullname" . }}-metrics-service/g' /tmp/rbac-resources.yaml
-# Then copy the contents of this file except for the Service Account resource using the following command
-# (head -n 11 PATH_OF_YOUR_CHARTS_REPO/charts/gateway-operator/templates/rbac-resources.yaml && tail -n +6 /tmp/rbac-resources.yaml) > /tmp/new-rbac-resources.yaml
-# mv /tmp/new-rbac-resources.yaml YOUR-PATH-OF-CHARTS/charts/gateway-operator/templates/rbac-resources.yaml
-# ------------------------------------------------------------------------------
-
-# this script will receive two arguments:
+
+# This script generates RBAC resource templates based on KGO and KGO EE manifests.
+# It accepts the following arguments:
 # $1: the path to the kgo repository
-# $2: the path to the kong/charts repository
+# $2: the path to the kgo ee repository
+# $3: the path to the kong/charts repository
 
 set -euo pipefail
 
-if [ "$#" -ne 2 ]; then
-  echo "Error: You must provide exactly two arguments."
-  exit 1
-fi
+ARGS_N=3
 
-KGO_REPO_PATH=$1
-CHARTS_REPO_PATH=$2
-
-# check if the kgo repository path is empty
-if [ -z "$KGO_REPO_PATH" ]
-then
-  echo "The path to the kgo repository is required"
+if [ "$#" -ne ${ARGS_N} ]; then
+  echo "Error: You must provide exactly ${ARGS_N} arguments."
   exit 1
 fi
 
-# check if the kong/charts repository path is empty
-if [ -z "$CHARTS_REPO_PATH" ]
-then
-  echo "The path to the kong/charts repository is required"
-  exit 1
-fi
+KGO_REPO_PATH="${1}"
+KGOEE_REPO_PATH="${2}"
+CHARTS_REPO_PATH="${3}"
 
 SED=sed
 if [[ $(uname -s) == "Darwin" ]]; then
@@ -50,33 +29,53 @@ if [[ $(uname -s) == "Darwin" ]]; then
   fi
 fi
 
-# create a function named update_rbac_resources
+function require_var_dir() {
+  if [[ -z "${!1}" ]]
+  then
+    echo "\$${1} is required"
+    exit 1
+  fi
+
+  if [[ ! -d "${!1}" ]]
+  then
+    echo "\$${1} (current value: ${!1}) needs to be a directory"
+    exit 1
+  fi
+}
+
 function update_rbac_resources {
+  local TMPFILE=$(mktemp).yaml
+
   # build the kustomize resources
-  kustomize build $KGO_REPO_PATH/config/rbac > /tmp/rbac-resources.yaml
+  kustomize build $KGOEE_REPO_PATH/config/rbac > "${TMPFILE}"
+  echo "---" >> "${TMPFILE}"
+  kustomize build $KGO_REPO_PATH/config/rbac/base >> "${TMPFILE}"
+
+  # copy the contents of the file except for the Service Account resource
+  yq --inplace e ". | select(.kind != \"ServiceAccount\")" "${TMPFILE}"
 
   # replace the namespace
-  ${SED} -i 's/namespace: kong-system/namespace: {{ template "kong.namespace" . }}/g' /tmp/rbac-resources.yaml
+  ${SED} -i 's/namespace: kong-system/namespace: {{ template "kong.namespace" . }}/g' "${TMPFILE}"
 
   # replace the service account name
-  ${SED} -i 's/name: controller-manager$/name: {{ template "kong.serviceAccountName" . }}/g' /tmp/rbac-resources.yaml
+  ${SED} -i 's/name: controller-manager$/name: {{ template "kong.serviceAccountName" . }}/g' "${TMPFILE}"
 
   # replace the role name
-  ${SED} -i 's/name: gateway-operator-manager-role/name: {{ template "kong.fullname" . }}-manager-role/g' /tmp/rbac-resources.yaml
+  ${SED} -i 's/name: gateway-operator-manager-role/name: {{ template "kong.fullname" . }}-manager-role/g' "${TMPFILE}"
 
   # replace the metrics service name
-  ${SED} -i 's/name: controller-manager-metrics-service/name: {{ template "kong.fullname" . }}-metrics-service/g' /tmp/rbac-resources.yaml
+  ${SED} -i 's/name: controller-manager-metrics-service/name: {{ template "kong.fullname" . }}-metrics-service/g' "${TMPFILE}"
 
   # replace the name of the resources
-  ${SED} -i '/name: {{\|name: https/!s/name: /name: {{ template "kong.fullname" . }}-/g' /tmp/rbac-resources.yaml
-
-  # copy the contents of the file except for the Service Account resource
-  (head -n 4 $CHARTS_REPO_PATH/charts/gateway-operator/templates/rbac-resources.yaml && tail -n +6 /tmp/rbac-resources.yaml) > /tmp/new-rbac-resources.yaml
+  ${SED} -i '/name: {{\|name: https/!s/name: /name: {{ template "kong.fullname" . }}-/g' "${TMPFILE}"
 
   # move the new file to the charts directory
-  mv /tmp/new-rbac-resources.yaml $CHARTS_REPO_PATH/charts/gateway-operator/templates/rbac-resources.yaml
+  mv "${TMPFILE}" $CHARTS_REPO_PATH/charts/gateway-operator/templates/rbac-resources.yaml
 }
 
+require_var_dir KGOEE_REPO_PATH
+require_var_dir KGO_REPO_PATH
+require_var_dir CHARTS_REPO_PATH
 # call the update_rbac_resources function
 update_rbac_resources