From 59d4c5c133b13ea453ca95d7d3f59fc3c1954731 Mon Sep 17 00:00:00 2001
From: Floppy Disk
Date: Fri, 29 Nov 2024 19:12:37 +0300
Subject: [PATCH] fix roles for dashboard
---
packages/apps/tenant/templates/tenant.yaml | 105 +++++++++++-------
.../templates/configure-kk.yaml | 4 +-
2 files changed, 68 insertions(+), 41 deletions(-)
diff --git a/packages/apps/tenant/templates/tenant.yaml b/packages/apps/tenant/templates/tenant.yaml
index ad95c4378..c425c1740 100644
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -43,6 +43,9 @@ subjects: - kind: ServiceAccount name: tenant-root namespace: tenant-root +- kind: Group + name: tenant-root-super-admin + apiGroup: rbac.authorization.k8s.io {{- end }} {{- if hasPrefix "tenant-" .Release.Namespace }} {{- $parts := splitList "-" .Release.Namespace }}
@@ -51,12 +54,18 @@ subjects: - kind: ServiceAccount name: {{ join "-" (slice $parts 0 (add $i 1)) }} namespace: {{ join "-" (slice $parts 0 (add $i 1)) }} +- kind: Group + name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin + apiGroup: rbac.authorization.k8s.io {{- end }} {{- end }} {{- end }} - kind: ServiceAccount name: {{ include "tenant.name" . }} namespace: {{ include "tenant.name" . }} +- kind: Group + name: {{ include "tenant.name" . }}-super-admin + apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: {{ include "tenant.name" . }}
@@ -84,6 +93,9 @@ subjects: - kind: ServiceAccount name: {{ include "tenant.name" . }} namespace: {{ include "tenant.name" . }} +- kind: Group + name: {{ include "tenant.name" . }}-super-admin + apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: {{ include "tenant.name" . }}
@@ -95,6 +107,9 @@ metadata: name: {{ include "tenant.name" . }}-view namespace: {{ include "tenant.name" . }} rules: + - apiGroups: [rbac.authorization.k8s.io] + resources: [roles] + verbs: [get] - apiGroups: ["apps.cozystack.io"] resources: ["*"] verbs: ["get", "list", "watch"] 
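Review bot: The rule added at the top of the `-view` role's `rules:` in this hunk (and the identical rules added to `-use` in `@@ -125,6 +145,9 @@` and to `-admin` in `@@ -161,12 +184,15 @@`) is written with bare flow scalars, `[rbac.authorization.k8s.io]`, `[roles]`, `[get]`, while every other rule in these roles quotes its strings; `- apiGroups: ["rbac.authorization.k8s.io"]`, `resources: ["roles"]`, `verbs: ["get"]` would keep the file uniform and is the habit that protects number- or boolean-looking values from being re-typed. The reason a tenant member needs `get` on Role objects is not stated anywhere in the file; presumably it is for the dashboard named in the commit title, so a one-line comment above the rule such as `# lets the dashboard read the caller's Role to discover its permissions` (adjusted to the real reason) would save the next reader from guessing.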
@@ -102,8 +117,13 @@ rules: resources: ["helmreleases"] verbs: ["get", "list", "watch"] - apiGroups: [""] - resources: ["pods", "pods/log"] + resources: ["*"] verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + + --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1
@@ -125,6 +145,9 @@ metadata: name: {{ include "tenant.name" . }}-use namespace: {{ include "tenant.name" . }} rules: + - apiGroups: [rbac.authorization.k8s.io] + resources: [roles] + verbs: [get] - apiGroups: ["apps.cozystack.io"] resources: ["*"] verbs: ["get", "list", "watch"]
@@ -132,11 +155,11 @@ rules: resources: ["helmreleases"] verbs: ["get", "list", "watch"] - apiGroups: [""] - resources: ["pods", "pods/log"] + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] verbs: ["get", "list", "watch"] - - apiGroups: ["kubevirt.io"] - resources: ["virtualmachines"] - verbs: ["get", "list"] - apiGroups: ["subresources.kubevirt.io"] resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"] verbs: ["get", "list"]
@@ -161,12 +184,15 @@ metadata: name: {{ include "tenant.name" . }}-admin namespace: {{ include "tenant.name" . }} rules: - - apiGroups: ["helm.toolkit.fluxcd.io"] - resources: ["helmreleases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [rbac.authorization.k8s.io] + resources: [roles] + verbs: [get] - apiGroups: [""] - resources: ["pods/log", "pods"] + resources: ["*"] verbs: ["get", "list", "watch", "delete"] + - apiGroups: ["helm.toolkit.fluxcd.io"] + resources: ["helmreleases"] + verbs: ["get", "list", "watch"] - apiGroups: ["kubevirt.io"] resources: ["virtualmachines"] verbs: ["get", "list"] 
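Review bot: Replacing `resources: ["pods", "pods/log"]` with `resources: ["*"]` in the core API group gives the `-view` role `get`/`list`/`watch` on every core resource of the tenant namespace, and that set includes `secrets`, `serviceaccounts` and `configmaps`, so anyone bound to the view role can now read every Secret in the namespace. Kubernetes RBAC has no exclusion syntax, so the intended resources should be enumerated instead, e.g. `resources: ["pods", "pods/log", "services", "persistentvolumeclaims", "events"]`, extended with whatever the dashboard actually lists. The same wildcard is introduced for `-use` in `@@ -132,11 +155,11 @@` and for `-admin` in `@@ -161,12 +184,15 @@`, where the verb list also carries `delete`, so a tenant admin could delete any Secret or ServiceAccount in the namespace, including ones not created by the tenant. Separately, the two empty `+` lines before the `---` leave a double blank line that yamllint's `empty-lines` rule will flag; one is enough.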
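Review bot: In `@@ -132,11 +155,11 @@` the `-use` role drops its `kubevirt.io` / `virtualmachines` `get`,`list` rule but keeps the `subresources.kubevirt.io` rule for `virtualmachineinstances/console` and `virtualmachineinstances/vnc`, so a user can still attach to a VM's console or VNC stream while no longer being able to read the VirtualMachine object itself through that group. If VM reads are now meant to come through `apps.cozystack.io` (the rule above it grants `["*"]` there), that is fine but not obvious; a comment on the surviving rule such as `# VM objects are read through apps.cozystack.io; only the console/vnc streams need the kubevirt subresource` would record the intent.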
@@ -178,53 +204,52 @@ rules: verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- -kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: {{ include "tenant.name" . }}-admin - namespace: {{ include "tenant.name" . }} + namespace: cozy-public +rules: +- apiGroups: ["source.toolkit.fluxcd.io"] + resources: ["helmrepositories"] + verbs: ["get", "list"] +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - helmcharts + verbs: + - get + - list +- apiGroups: ["source.toolkit.fluxcd.io"] + resources: ["helmcharts"] + verbs: ["*"] + resourceNames: ["bucket", "clickhouse", "ferretdb", "foo", "httpcache", "kafka", "kubernetes", "mysql", "nats", "postgres", "rabbitmq", "redis", "seaweedfs", "tcpbalancer", "virtualmachine", "vmdisk", "vminstance"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "tenant.name" . }}-admin + namespace: cozy-public subjects: - - kind: Group - name: {{ include "tenant.name" . }}-admin - apiGroup: rbac.authorization.k8s.io +- kind: Group + name: {{ include "tenant.name" . }}-admin + apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: {{ include "tenant.name" . }}-admin apiGroup: rbac.authorization.k8s.io --- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "tenant.name" . }}-super-admin - namespace: {{ include "tenant.name" . 
}} -rules: - - apiGroups: ["helm.toolkit.fluxcd.io"] - resources: ["helmreleases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["pods/log", "pods"] - verbs: ["get", "list", "watch", "delete"] - - apiGroups: ["kubevirt.io"] - resources: ["virtualmachines"] - verbs: ["get", "list"] - - apiGroups: ["subresources.kubevirt.io"] - resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"] - verbs: ["get", "list"] - - apiGroups: ["apps.cozystack.io"] - resources: ["*"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - ---- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ include "tenant.name" . }}-super-admin + name: {{ include "tenant.name" . }}-admin namespace: {{ include "tenant.name" . }} subjects: - kind: Group - name: {{ include "tenant.name" . }}-super-admin + name: {{ include "tenant.name" . }}-admin apiGroup: rbac.authorization.k8s.io roleRef: kind: Role - name: {{ include "tenant.name" . }}-super-admin + name: {{ include "tenant.name" . }}-admin apiGroup: rbac.authorization.k8s.io
diff --git a/packages/system/keycloak-configure/templates/configure-kk.yaml b/packages/system/keycloak-configure/templates/configure-kk.yaml
index 6b17f8278..b55306972 100644
--- a/packages/system/keycloak-configure/templates/configure-kk.yaml
+++ b/packages/system/keycloak-configure/templates/configure-kk.yaml
@@ -237,5 +237,7 @@ stringData: - get-token - --oidc-issuer-url=https://keycloak.{{ $host }}/realms/cozy - --oidc-client-id=kubernetes - - --oidc-client-secret={{ $k8sClient | quote }} + - --oidc-client-secret={{ $k8sClient }} + - --skip-open-browser + - --grant-type=password command: kubectl
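Review bot: The new Role in `namespace: cozy-public` grants `verbs: ["*"]` on `helmcharts` to each tenant's `-admin` group, and its `resourceNames` list contains `"foo"`, which looks like a leftover placeholder; since this Role and RoleBinding are rendered once per tenant into the same shared namespace, every tenant admin ends up with write access to the same HelmChart objects, so an edit by one tenant would be felt by whichever other tenants' HelmReleases resolve those charts (the HelmReleases are not visible here, so treat that as something to confirm). The Kubernetes RBAC documentation also notes that `create` and `deletecollection` cannot be restricted by `resourceNames`, so `["*"]` should be replaced by the verbs actually intended, e.g. `verbs: ["get", "list", "watch", "update", "patch"]`, at which point the separate `get`/`list` rule on `helmcharts` just above it is redundant. Style-wise the rules mix flow style (`["source.toolkit.fluxcd.io"]`) and block style (`- source.toolkit.fluxcd.io`), and this Role uses flush `- apiGroups` while the tenant-namespace Roles use indented `  - apiGroups`; one form should be used file-wide. The hunk opens on the tail of the previous Role's rules, whose start is outside the hunk.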
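Review bot: Dropping `| quote` removes the literal double quotes that were ending up inside the argument, but `--oidc-client-secret={{ $k8sClient }}` is now a plain YAML scalar in the rendered kubeconfig, so a client secret containing ` #`, `: ` or a leading YAML indicator would change how the line parses or silently truncate the value; quoting the whole item after formatting it, `- {{ printf "--oidc-client-secret=%s" $k8sClient | quote }}`, keeps the argument intact for any secret value. `--grant-type=password` selects the resource-owner password grant, which only works if the Keycloak `kubernetes` client has direct access grants enabled (not visible in this hunk) and which sends the user's password straight to the token endpoint instead of going through the browser flow that `--skip-open-browser` disables; a comment above the two flags stating why the non-interactive flow is required here, and that the client must allow it, would keep a later reader from re-enabling the browser flow by accident. The enclosing `stringData` kubeconfig starts outside the hunk.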