Consolidate RBAC for supply chains (#9)

* Consolidate RBAC for supply chains

* Update tests

* Consolidate RBAC for GitOps

Author: ThomasVitale

.github/workflows/release.yml

@@ -18,6 +18,6 @@ jobs:
       registry-server: ghcr.io
       registry-username: ${{ github.actor }}
       image: ${{ github.repository }}
-      version: 0.2.1
+      version: 0.3.0
     secrets:
       pull-request-token: ${{ secrets.GH_ORG_PAT }}

.github/workflows/test.yml

@@ -14,7 +14,7 @@ jobs:
     name: Integration Tests
     strategy:
       matrix:
-        k8s_version: [v1.25, v1.26, v1.27]
+        k8s_version: [v1.26, v1.27, v1.28]
     permissions:
       contents: read
     uses: kadras-io/github-reusable-workflows/.github/workflows/carvel-package-test-integration.yml@main

Makefile

@@ -1,4 +1,4 @@
-K8S_VERSION=v1.27
+K8S_VERSION=v1.28
 
 # Build package configuration
 build: package

README.md

@@ -12,7 +12,7 @@ A Carvel package for provisioning and configuring workspaces (namespaces or virt
 
 ### Prerequisites
 
-* Kubernetes 1.25+
+* Kubernetes 1.26+
 * Carvel [`kctrl`](https://carvel.dev/kapp-controller/docs/latest/install/#installing-kapp-controller-cli-kctrl) CLI.
 * Carvel [kapp-controller](https://carvel.dev/kapp-controller) deployed in your Kubernetes cluster. You can install it with Carvel [`kapp`](https://carvel.dev/kapp/docs/latest/install) (recommended choice) or `kubectl`.
 
@@ -107,7 +107,7 @@ The Workspace Provisioner package has the following configurable properties.
 | Config | Default | Description |
 |-------|-------------------|-------------|
 | `namespaces` | `[]` | Configuration for the namespaces the platform will provision and manage. |
-| `service_account` | `default` | The `ServiceAccount` to be configured with credentials and roles in each workspace. |
+| `service_account` | `supply-chain` | The `ServiceAccount` to be configured with credentials and roles in each workspace. |
 | `oci_registry.secret.name` | `""` | The name of the Secret holding the credentials to access the OCI registry. |
 | `oci_registry.secret.namespace` | `""` | The namespace of the Secret holding the credentials to access the OCI registry. |
 | `cosign.secret.name` | `""` | The name of the Secret holding the Cosign key pair. |

package/config/setup-namespaces.yml

@@ -126,7 +126,7 @@ metadata:
 spec:
   fromNamespace: #@ data.values.git.secret.namespace
 
-#! RBAC
+#! Supply Chains RBAC
 
 ---
 apiVersion: v1
@@ -152,14 +152,14 @@ imagePullSecrets:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: default-workload
+  name: supply-chain-workload
   namespace: #@ namespace.name
   annotations:
     kapp.k14s.io/create-strategy: fallback-on-update
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: workload
+  name: supply-chain-workload
 subjects:
   - kind: ServiceAccount
     name: #@ data.values.service_account
@@ -168,16 +168,39 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: default-deliverable
+  name: supply-chain-deliverable
   namespace: #@ namespace.name
   annotations:
     kapp.k14s.io/create-strategy: fallback-on-update
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: deliverable
+  name: supply-chain-deliverable
 subjects:
   - kind: ServiceAccount
     name: #@ data.values.service_account
 
+#! GitOps RBAC
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitops-reconciler
+  namespace: #@ namespace.name
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gitops-reconciler
+  namespace: #@ namespace.name
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: gitops-reconciler
+
 #@ end

package/config/values-schema.yml

@@ -7,7 +7,7 @@ namespaces:
   - name: ""
 
 #@schema/desc "The `ServiceAccount` to be configured with credentials and roles in each workspace."
-service_account: default
+service_account: supply-chain
 
 #@schema/desc "Settings for the OCI registry that the workspace will use."
 oci_registry:

test/integration/default/01-assert.yaml

@@ -53,12 +53,12 @@ metadata:
     tekton.dev/git-0: https://github.com
     kapp.k14s.io/create-strategy: fallback-on-update
 
-#! RBAC
+#! Supply Chains RBAC
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: default
+  name: supply-chain
   namespace: test-default
   annotations:
     kapp.k14s.io/create-strategy: fallback-on-update
@@ -74,30 +74,52 @@ imagePullSecrets:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: default-workload
+  name: supply-chain-workload
   namespace: test-default
   annotations:
     kapp.k14s.io/create-strategy: fallback-on-update
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: workload
+  name: supply-chain-workload
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: supply-chain
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: default-deliverable
+  name: supply-chain-deliverable
   namespace: test-default
   annotations:
     kapp.k14s.io/create-strategy: fallback-on-update
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: deliverable
+  name: supply-chain-deliverable
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: supply-chain
+
+#! GitOps RBAC
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitops-reconciler
+  namespace: test-default
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gitops-reconciler
+  namespace: test-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: gitops-reconciler

test/setup/kind/v1.25/kind-config.yml renamed to test/setup/kind/v1.28/kind-config.yml

@@ -3,6 +3,6 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 - role: control-plane
-  image: kindest/node:v1.25.11
+  image: kindest/node:v1.28.0
 - role: worker
-  image: kindest/node:v1.25.11
+  image: kindest/node:v1.28.0