Feature/add sso roles

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.5.0
+version: 1.6.0

packages/apps/tenant/templates/keycloakgroups.yaml

@@ -0,0 +1,49 @@
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-view
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-view
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+
+---
+
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-use
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-use
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+
+---
+
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-admin
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+
+---
+
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-super-admin
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm

packages/apps/tenant/templates/tenant.yaml

@@ -88,3 +88,143 @@ roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}
   apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-view
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: ["apps.cozystack.io"]
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources: ["helmreleases"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods", "pods/log"]
+    verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-view
+  namespace: {{ include "tenant.name" . }}
+subjects:
+  - kind: Group
+    name: {{ include "tenant.name" . }}-view
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-view
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-use
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: ["apps.cozystack.io"]
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources: ["helmreleases"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods", "pods/log"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["get", "list"]
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"]
+    verbs: ["get", "list"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-use
+  namespace: {{ include "tenant.name" . }}
+subjects:
+  - kind: Group
+    name: {{ include "tenant.name" . }}-use
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-use
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources: ["helmreleases"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/log", "pods"]
+    verbs: ["get", "list", "watch", "delete"]
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["get", "list"]
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"]
+    verbs: ["get", "list"]
+  - apiGroups: ["apps.cozystack.io"]
+    resources: ["buckets", "clickhouses", "ferretdb", "foos", "httpcaches", "kafkas", "kuberneteses", "mysqls", "natses", "postgreses", "rabbitmqs", "redises", "seaweedfses", "tcpbalancers", "virtualmachines", "vmdisks", "vminstances"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: {{ include "tenant.name" . }}
+subjects:
+  - kind: Group
+    name: {{ include "tenant.name" . }}-admin
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources: ["helmreleases"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/log", "pods"]
+    verbs: ["get", "list", "watch", "delete"]
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["get", "list"]
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"]
+    verbs: ["get", "list"]
+  - apiGroups: ["apps.cozystack.io"]
+    resources: ["*"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+subjects:
+  - kind: Group
+    name: {{ include "tenant.name" . }}-super-admin
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io

packages/apps/versions_map

@@ -86,7 +86,8 @@ tenant 1.2.0 15478a88
 tenant 1.3.0 ceefae03
 tenant 1.3.1 c56e5769
 tenant 1.4.0 94c688f7
-tenant 1.5.0 HEAD
+tenant 1.5.0 48128743
+tenant 1.6.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823

packages/core/platform/bundles/distro-full.yaml

@@ -188,3 +188,10 @@ releases:
   namespace: cozy-keycloak
   optional: true
   dependsOn: [keycloak]
+
+- name: keycloak-configure
+  releaseName: keycloak-configure
+  chart: cozy-keycloak-configure
+  namespace: cozy-keycloak
+  optional: true
+  dependsOn: [keycloak-operator]

packages/core/platform/bundles/distro-hosted.yaml

@@ -138,3 +138,10 @@ releases:
   namespace: cozy-keycloak
   optional: true
   dependsOn: [keycloak]
+
+- name: keycloak-configure
+  releaseName: keycloak-configure
+  chart: cozy-keycloak-configure
+  namespace: cozy-keycloak
+  optional: true
+  dependsOn: [keycloak-operator]

packages/core/platform/bundles/paas-full.yaml

@@ -261,3 +261,9 @@ releases:
   chart: cozy-keycloak-operator
   namespace: cozy-keycloak
   dependsOn: [keycloak]
+
+- name: keycloak-configure
+  releaseName: keycloak-configure
+  chart: cozy-keycloak-configure
+  namespace: cozy-keycloak
+  dependsOn: [keycloak-operator]

packages/core/platform/bundles/paas-hosted.yaml

@@ -157,3 +157,9 @@ releases:
   chart: cozy-keycloak-operator
   namespace: cozy-keycloak
   dependsOn: [keycloak]
+
+- name: keycloak-configure
+  releaseName: keycloak-configure
+  chart: cozy-keycloak-configure
+  namespace: cozy-keycloak
+  dependsOn: [keycloak-operator]

packages/system/keycloak-configure/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-keycloak-configure
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/keycloak-operator/templates/configure-kk.yaml → packages/system/keycloak-configure/templates/configure-kk.yaml

@@ -3,25 +3,25 @@
 {{- $apiServerAdress := index $cozyConfig.data "api-server-adress" }}
 {{- $k8sClient := randAlphaNum 32 -}}
 
-apiVersion: v1.edp.epam.com/v1
-kind: Keycloak
+apiVersion: v1.edp.epam.com/v1alpha1
+kind: ClusterKeycloak
 metadata:
   name: keycloak-cozy
+  namespace: {{ .Release.Namespace }}
 spec:
   secret: keycloak-credentials
   url: https://keycloak.{{ $host }}
 
 ---
 
-apiVersion: v1.edp.epam.com/v1
-kind: KeycloakRealm
+apiVersion: v1.edp.epam.com/v1alpha1
+kind: ClusterKeycloakRealm
 metadata:
   name: keycloakrealm-cozy
+  namespace: {{ .Release.Namespace }}
 spec:
  realmName: cozy
- keycloakRef:
-   name: keycloak-cozy
-   kind: Keycloak
+ clusterKeycloakRef: keycloak-cozy
 
 ---
 
@@ -33,7 +33,7 @@ spec:
   name: groups
   realmRef:
     name: keycloakrealm-cozy
-    kind: KeycloakRealm
+    kind: ClusterKeycloakRealm
   description: "Group Membership"
   protocol: openid-connect
   protocolMappers:
@@ -68,7 +68,7 @@ spec:
     enabled: true
   realmRef:
     name: keycloakrealm-cozy
-    kind: KeycloakRealm
+    kind: ClusterKeycloakRealm
   secret: $k8s-client:client-secret-key
   advancedProtocolMappers: true
   authorizationServicesEnabled: true

packages/system/keycloak-operator/values.yaml

@@ -0,0 +1,2 @@
+keycloak-operator:
+  clusterReconciliationEnabled: true