Implements #33 - Namespaced Support (#34)

Makefile

@@ -71,11 +71,15 @@ build: generate fmt vet ## Build manager binary.
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
-	go run ./main.go -no-leader-elect --config config/manager/controller_manager_config.yaml
+	go run ./main.go -no-leader-elect --config config/manager/bases/controller_manager_config.yaml
 
 .PHONY: rundev
 rundev: manifests generate fmt vet ## Run a controller from your host.
-	go run ./main.go -no-leader-elect --config config/manager/controller_manager_config_dev.yaml
+	go run ./main.go -no-leader-elect --config config/manager/bases/controller_manager_config_dev.yaml
+
+.PHONY: rundev_namespaced
+rundev_namespaced: manifests generate fmt vet ## Run a controller from your host.
+	go run ./main.go -no-leader-elect --config config/manager/bases/controller_manager_config_dev_namespaced.yaml
 
 .PHONY: docker-build-all
 docker-build-all: docker-build docker-build-daemon docker-build-daemon-manager docker-build-onionbalance-manager

README.md

@@ -92,12 +92,14 @@ Full changelog: [CHANGELOG](CHANGELOG.md)
   - Tor instance CRD supporting custom config and Client/Server/Metrics/Control ports
 - **v0.7.x**
   - Onion Service's authorized clients support
+- **v0.8.x**
+  - Namespaced deployments
 
 Roadmap / TODO
 --------------
 
 - Tor daemon management via socket (e.g: config reload)
-- Manage Tor Server fingerpting (ed25519_master_id_secret_key, secret_id_key) and automatic family and nikname management 
+- Manage Tor Server fingerpting (ed25519_master_id_secret_key, secret_id_key) and automatic family and nickname management 
 - Tor relays:
   - Non exit: Bridge, Snowflake, Middle/Guard
   - Exit relay: Tor Exit
@@ -115,9 +117,12 @@ Using helm (recommended):
       --create-namespace --namespace tor-controller \
       tor-controller bugfest/tor-controller
 
-Install tor-controller directly using the manifest:
+For namespaced deployments add `--set namespaced=true` to helm's command when deploying.
+Check [charts/tor-controller/README.md](charts/tor-controller/README.md) for a full set of available options.
 
-    $ kubectl apply -f hack/install.yaml
+Install tor-controller directly using the manifest (cluster-scoped):
+
+    $ kubectl apply -f https://raw.githubusercontent.com/bugfest/tor-controller/master/hack/install.yaml
 
 Resources
 ---------
@@ -599,6 +604,7 @@ Versions
 | 0.1.7              | 0.7.0                  | 0.4.6.10   |
 | 0.1.8              | 0.7.1                  | 0.4.6.10   |
 | 0.1.9              | 0.7.2                  | 0.4.6.10   |
+| 0.1.10             | 0.8.0                  | 0.5.6.10   |
 
 References
 ----------

apis/config/v2/projectconfig_types.go

@@ -47,6 +47,9 @@ type ProjectConfig struct {
 
 	// +optional
 	TorOnionbalanceManager TorOnionbalanceManagerType `json:"torOnionbalanceManager,omitempty"`
+
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
 }
 
 type TorDaemonType struct {

charts/tor-controller/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.9
+version: 0.1.10
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.7.2"
+appVersion: "0.8.0"

charts/tor-controller/README.md

@@ -1,6 +1,6 @@
 # tor-controller
 
-![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.2](https://img.shields.io/badge/AppVersion-0.7.2-informational?style=flat-square)
+![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
 
 Tor hidden services controller for kubernetes
 
@@ -18,6 +18,7 @@ Tor hidden services controller for kubernetes
 | manager.image | object | `{"pullPolicy":"Always","repository":"quay.io/bugfest/tor-daemon-manager","tag":""}` | tor-daemon-manager image, it runs Tor client with manager |
 | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | nameOverride | string | `""` |  |
+| namespaced | bool | `false` | If enabled, permissions are restricted to the target Namespace |
 | nodeSelector | object | `{}` |  |
 | onionbalance.image | object | `{"pullPolicy":"Always","repository":"quay.io/bugfest/tor-onionbalance-manager","tag":""}` | tor-onionbalance-manager image, it runs Tor client |
 | onionbalance.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |

charts/tor-controller/templates/_helpers.tpl

@@ -60,3 +60,25 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Helper to dynamically create cluster-wide or namespaced roles & rolebindings
+*/}}
+{{- define "tor-controller.roleKind" -}}
+{{- if .Values.namespaced }}
+{{- "Role" }}
+{{- else }}
+{{- "ClusterRole" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper to dynamically create cluster-wide or namespaced roles & rolebindings
+*/}}
+{{- define "tor-controller.roleBindingKind" -}}
+{{- if .Values.namespaced }}
+{{- "RoleBinding" }}
+{{- else }}
+{{- "ClusterRoleBinding" }}
+{{- end }}
+{{- end }}

charts/tor-controller/templates/clusterrole.yaml

@@ -1,5 +1,24 @@
+---
+{{- if .Values.namespaced }}
+# Namespaced deployment requires this minimal ClusterRole to read CRD's
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: {{ include "tor-controller.fullname" . }}-manager-crd-role
+rules:
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ include "tor-controller.roleKind" . }}
 metadata:
   creationTimestamp: null
   name: {{ include "tor-controller.fullname" . }}-manager-role
@@ -60,6 +79,7 @@ rules:
       - patch
       - update
       - watch
+{{- if not .Values.namespaced }}
   - apiGroups:
       - apiextensions.k8s.io
     resources:
@@ -68,6 +88,7 @@ rules:
       - get
       - list
       - watch
+{{- end }}
   - apiGroups:
       - apps
     resources:
@@ -195,18 +216,20 @@ rules:
       - patch
       - update
 ---
+{{- if not .Values.namespaced }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ include "tor-controller.roleKind" . }}
 metadata:
   name: {{ include "tor-controller.fullname" . }}-metrics-reader
 rules:
   - nonResourceURLs:
       - /metrics
     verbs:
       - get
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ include "tor-controller.roleKind" . }}
 metadata:
   name: {{ include "tor-controller.fullname" . }}-proxy-role
 rules:

charts/tor-controller/templates/clusterrolebinding.yaml

@@ -1,23 +1,39 @@
+---
+{{- if .Values.namespaced }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "tor-controller.fullname" . }}-manager-rolebinding
+  name: {{ include "tor-controller.fullname" . }}-manager-crd-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
+  name: {{ include "tor-controller.fullname" . }}-manager-crd-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "tor-controller.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ include "tor-controller.roleBindingKind" . }}
+metadata:
+  name: {{ include "tor-controller.fullname" . }}-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ include "tor-controller.roleKind" . }}
   name: {{ include "tor-controller.fullname" . }}-manager-role
 subjects:
   - kind: ServiceAccount
     name: {{ include "tor-controller.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ include "tor-controller.roleBindingKind" . }}
 metadata:
   name: {{ include "tor-controller.fullname" . }}-proxy-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{ include "tor-controller.roleKind" . }}
   name: {{ include "tor-controller.fullname" . }}-proxy-role
 subjects:
   - kind: ServiceAccount

charts/tor-controller/templates/configmap.yaml

@@ -22,3 +22,6 @@ data:
       image: "{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag | default .Chart.AppVersion }}"
     torOnionbalanceManager:
       image: "{{ .Values.onionbalance.image.repository }}:{{ .Values.onionbalance.image.tag | default .Chart.AppVersion }}"
+    {{- if .Values.namespaced }}
+    namespace: {{ .Release.Namespace }}
+    {{- end }}

charts/tor-controller/values.yaml

@@ -2,6 +2,9 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+# -- If enabled, permissions are restricted to the target Namespace
+namespaced: false
+
 # -- Daemonset replica count
 replicaCount: 1
 

config/manager/controller_manager_config_dev.yaml → config/manager/bases/controller_manager_config_dev.yaml

@@ -16,4 +16,4 @@ torDaemon:
 torDaemonManager:
   image: onions:5000/tor-daemon-manager:latest
 torOnionbalanceManager:
-  image: onions:5000/tor-onionbalance-manager:latest
+  image: onions:5000/tor-onionbalance-manager:latest

config/manager/bases/controller_manager_config_dev_namespaced.yaml

@@ -0,0 +1,20 @@
+apiVersion: config.k8s.torproject.org/v2
+kind: ProjectConfig
+meta:
+  name: tor-controller-config
+health:
+  healthProbeBindAddress: :8081
+metrics:
+  bindAddress: 127.0.0.1:8080
+webhook:
+  port: 9443
+leaderElection:
+  leaderElect: true
+  resourceName: 59806307.k8s.torproject.org
+torDaemon:
+  image: onions:5000/tor-daemon:latest
+torDaemonManager:
+  image: onions:5000/tor-daemon-manager:latest
+torOnionbalanceManager:
+  image: onions:5000/tor-onionbalance-manager:latest
+namespace: default

config/manager/kustomization.yaml

@@ -1,16 +1,16 @@
 resources:
-- manager.yaml
+- bases/manager.yaml
 
 generatorOptions:
   disableNameSuffixHash: true
 
 configMapGenerator:
 - files:
-  - controller_manager_config.yaml
+  - bases/controller_manager_config.yaml
   name: manager-config
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: tor-controller
+  newName: onions:5000/tor-controller
   newTag: latest

docs/DEVELOP.md

@@ -101,6 +101,58 @@ To deploy in a test cluster
     # Update helm chart README
     docker run --rm --volume "$(pwd)/charts:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest
 
+# Namespaced deployment
+
+1. Use controller's SA to impersonate its permissions
+
+```shell
+cat <<EOF | kubectl apply -f - 
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: tor-controller
+  annotations:
+    kubernetes.io/service-account.name: tor-controller
+EOF
+
+# your server name goes here
+server=$(kubectl config view -o jsonpath='{.clusters[0].cluster.server}')
+# the name of the secret containing the service account token goes here
+name=tor-controller
+
+ca=$(kubectl get secret/$name -o jsonpath='{.data.ca\.crt}')
+token=$(kubectl get secret/$name -o jsonpath='{.data.token}' | base64 --decode)
+namespace=$(kubectl get secret/$name -o jsonpath='{.data.namespace}' | base64 --decode)
+mysa=$(mktemp)
+
+echo "
+apiVersion: v1
+kind: Config
+clusters:
+- name: default-cluster
+  cluster:
+    certificate-authority-data: ${ca}
+    server: ${server}
+contexts:
+- name: default-context
+  context:
+    cluster: default-cluster
+    namespace: default
+    user: default-user
+current-context: default-context
+users:
+- name: default-user
+  user:
+    token: ${token}
+" > $mysa
+
+echo using KUBECONFIG=$mysa
+export KUBECONFIG=$mysa
+```
+
+[Steps' source](https://stackoverflow.com/questions/47770676/how-to-create-a-kubectl-config-file-for-serviceaccount)
+
 # Prometheus/Grafana
 
     helm repo add prometheus-community https://prometheus-community.github.io/helm-charts

docs/QEMU.md

@@ -106,7 +106,7 @@ Docs
 
 - qemu docs: https://qemu.readthedocs.io/en/latest/system/invocation.html#hxtool-1
 - alpine downloads: https://alpinelinux.org/downloads/
-- determine bin architecture: https://exceptionshub.com/determine-target-architecture-of-binary-file-in-linux-library-or-executable.html
+- determine bin architecture: https://exceptionshub.com/determine-target-architecture-of-binary-file-in-linux-li  ary-or-executable.html
 - fix blkio cgroup issue: https://www.programmerall.com/article/5933169238/
 - fix alpine repos: https://github.com/alpinelinux/docker-alpine/issues/98
 - fix alpine time: https://wiki.alpinelinux.org/wiki/Alpine_Linux:FAQ#Time_and_timezones

main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"flag"
+	"fmt"
 	"os"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
@@ -92,6 +93,12 @@ func main() {
 		setupLog.Info("Overriding LeaderElection (no-leader-elect)")
 	}
 
+	// Setup namespace if running in namespaced mode
+	if ctrlConfig.Namespace != "" {
+		setupLog.Info(fmt.Sprintf("Namespaced mode. Namespace=%s", ctrlConfig.Namespace))
+		options.Namespace = ctrlConfig.Namespace
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), options)
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")