fixup! fix: Add contribution documenation to project

Signed-off-by: Mateus Oliveira <[email protected]>
migtools · Apr 11, 2024 · 2c38ca8 · 2c38ca8
1 parent 99e20c9
commit 2c38ca8
Show file tree

Hide file tree

Showing 9 changed files with 335 additions and 91 deletions.
diff --git a/README.md b/README.md
@@ -17,23 +17,36 @@ This open source controller adds the non admin feature to [OADP operator](https:
 ### Prerequisites
 - oc
 - Access to a OpenShift cluster
-- [OADP operator](https://github.com/openshift/oadp-operator) installed in the cluster
+- [OADP operator](https://github.com/openshift/oadp-operator) version `1.4+` installed in the cluster
 
 > **NOTE:** Before OADP operator version 1.4.0 is released, you need to [install OADP operator from source](docs/CONTRIBUTING.md#install-from-source) to use NAC.
 
 ### Using NAC
 
 To use NAC functionality:
 - **as admin user**:
-    - create non admin user (to create a non admin user to test NAC, check [non admin user documentation](docs/non_admin_user.md)) and its namespace
+    - create non admin user and its namespace, and apply required permissions to it (to create a non admin user to test NAC, you can check [non admin user documentation](docs/non_admin_user.md))
     - create/update DPA and configure non admin feature as needed, setting it to enabled
 - **as non admin user**:
     - create sample application
 
-        For example, use one of the sample applications available in `hack/samples/apps/` folder, by running `oc apply -f ./hack/samples/apps/<name>`. If the template contains `-csi` suffix, it is meant for CSI or DataMover backup/restore; otherwise, it is meant for a filesystem (Restic or Kopia) backup/restore.
+        For example, use one of the sample applications available in `hack/samples/apps/` folder, by running
+        ```sh
+        oc process -f ./hack/samples/apps/<name> \
+            -p NAMESPACE=<non-admin-user-namespace> \
+            | oc create -f -
+        ```
+
+        Check the application was successful deployed by accessing its route.
     - create NonAdminBackup
 
-        For example, if you used one of the sample applications available in `samples/` folder, create an appropriate NonAdminBackup.
+        For example, use one of the sample NonAdminBackup available in `hack/samples/backups/` folder, by running
+        ```sh
+        oc process -f ./hack/samples/backups/<type> \
+            -p NAMESPACE=<non-admin-user-namespace> \
+            | oc create -f -
+        ```
+        <!-- TODO how to track status -->
     - TODO NonAdminRestore
 
 ## Contributing

diff --git a/cmd/main.go b/cmd/main.go
@@ -20,6 +20,7 @@ package main
 import (
 	"crypto/tls"
 	"flag"
+	"fmt"
 	"os"
 
 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
@@ -36,6 +37,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	nacv1alpha1 "github.com/migtools/oadp-non-admin/api/v1alpha1"
+	"github.com/migtools/oadp-non-admin/internal/common/constant"
 	"github.com/migtools/oadp-non-admin/internal/controller"
 )
 
@@ -96,6 +98,11 @@ func main() {
 		TLSOpts: tlsOpts,
 	})
 
+	if len(constant.OadpNamespace) == 0 {
+		setupLog.Error(fmt.Errorf("%v environment variable is empty", constant.NamespaceEnvVar), "environment variable must be set")
+		os.Exit(1)
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{

diff --git a/config/default/manager_oadp_patch.yaml b/config/default/manager_oadp_patch.yaml
@@ -17,6 +17,11 @@ spec:
         readinessProbe:
         resources:
         securityContext:
+        env:
+          - name: WATCH_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
       restartPolicy: Always
       securityContext:
       terminationGracePeriodSeconds:
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
@@ -28,8 +28,6 @@ cd oadp-operator
 NON_ADMIN_CONTROLLER_PATH=$NAC_PATH NON_ADMIN_CONTROLLER_IMG=$DEV_IMG make update-non-admin-manifests deploy-olm
 ```
 
-> **TODO:** If `OADP_TEST_NAMESPACE` is set to a value different than `openshift-adp`, you also need to change the value here https://github.com/migtools/oadp-non-admin/blob/master/internal/controller/nonadminbackup_controller.go#L51
-
 To create a non admin user to test NAC, check [non admin user documentation](non_admin_user.md).
 
 To uninstall the previously installed OADP operator in your cluster, run

diff --git a/docs/non_admin_user.md b/docs/non_admin_user.md
@@ -4,87 +4,67 @@ Check your cloud provider documentation for more detailed information.
 
 ## AWS
 
-**Create sample identity file:**
-```sh
-# Using user nacuser with sample pass
-$ htpasswd -c -B -b ./users_file.htpasswd nacuser Mypassw0rd
-```
+### Authentication
 
-**Create secret from the previously created htpasswd file in OpenShift**
-```sh
-$ oc create secret generic htpass-secret --from-file=htpasswd=./users_file.htpasswd -n openshift-config
-```
+Choose one of the authentication method sections to follow.
 
-**Create OAuth file**
-```sh
-$ cat > oauth-nacuser.yaml <<EOF
-apiVersion: config.openshift.io/v1
-kind: OAuth
-metadata:
-  name: cluster
-spec:
-  identityProviders:
-  - name: oadp_nac_test_provider
-    mappingMethod: claim
-    type: HTPasswd
-    htpasswd:
-      fileData:
-        name: htpass-secret
-EOF
-```
-**Apply the OAuth file to the cluster:**
-```sh
-$ oc apply -f oauth-nacuser.yaml
-```
+#### OAuth
 
-### Assigning NAC permissions to a user
+- Create sample identity file
+  ```sh
+  htpasswd -c -B -b ./non_admin_user.htpasswd <non-admin-user> <password>
+  ```
+- Create secret from the previously created identity file in your cluster
+  ```sh
+  oc create secret generic non-admin-user --from-file=htpasswd=./non_admin_user.htpasswd -n openshift-config
+  ```
+- Add new entry to `spec.identityProviders` field from OAuth cluster (`oc get OAuth cluster`)
+  ```yaml
+  ...
+  spec:
+    identityProviders:
+    - name: # non-admin-user
+      mappingMethod: claim
+      type: HTPasswd
+      htpasswd:
+        fileData:
+          name: # non-admin-user
+  ```
+- [Apply permissions to your non admin user](#permissions)
 
-Ensure you have appropriate Cluster Role available in your cluster:
-```shell
-$ oc apply -f config/rbac/nonadminbackup_editor_role.yaml
-```
+## Permissions
 
-**Create Role Binding for our test user within oadp-nac-system namespace:**
-**NOTE:** There could be also a ClusterRoleBinding for the nacuser or one of the groups
-to which nacuser belongs to easy administrative tasks and allow use of NAC for wider audience. Please see next paragraph.
-```sh
-$ cat > nacuser-rolebinding.yaml <<EOF
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: nacuser-nonadminbackup
-  namespace: oadp-nac-system
-subjects:
-- kind: User
-  name: nacuser
-roleRef:
-  kind: ClusterRole
-  name: nonadminbackup-editor-role
-  apiGroup: rbac.authorization.k8s.io
-EOF
-```
-**Apply the Role Binding file to the cluster:**
-```sh
-$ oc apply -f nacuser-rolebinding.yaml
-```
+- Create non admin user namespace
+  ```sh
+  oc create namespace <non-admin-user-namespace>
+  ```
+- Ensure non admin user have appropriate permissions in its namespace, i.e., non admin user have editor roles for the following objects
+  - `nonadminbackups.nac.oadp.openshift.io`
 
-**Alternatively Create Cluster Role Binding for our test user:**
-```sh
-$ cat > nacuser-clusterrolebinding.yaml <<EOF
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: nacuser-nonadminbackup-cluster
-subjects:
-- kind: User
-  name: nacuser
-roleRef:
-  kind: ClusterRole
-  name: nonadminbackup-editor-role
-  apiGroup: rbac.authorization.k8s.io
-EOF
-```
-**Apply the Cluster Role Binding file to the cluster:**
-```sh
-$ oc apply -f nacuser-clusterrolebinding.yaml
-```
+  For example
+  ```yaml
+    # config/rbac/nonadminbackup_editor_role.yaml
+    - apiGroups:
+        - nac.oadp.openshift.io
+      resources:
+        - nonadminbackups
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+    - apiGroups:
+        - nac.oadp.openshift.io
+      resources:
+        - nonadminbackups/status
+      verbs:
+        - get
+  ```
+  For example, make non admin user have `admin` ClusterRole permissions on its namespace
+  ```sh
+  oc create rolebinding <non-admin-user>-namespace-admin --clusterrole=admin --user=<non-admin-user> --namespace=<non-admin-user-namespace>
+  ```
+  <!-- TODO  check what restrictions non admin user permissions must have, for example can not create project or velero/oadp objects -->