From 04b6dd8d8de52d43d7e21534d7105d678304f5ba Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Wed, 20 Dec 2023 10:42:09 +0100
Subject: [PATCH] OZG-4453 add service account and service roles

---
 .../rbac/elasticsearch_edit_role.yaml         |  3 +-
 .../rbac/elasticsearch_edit_rolebinding.yaml  | 13 ++++++
 .../rbac/elasticsearch_view_role.yaml         |  3 +-
 .../rbac/elasticsearch_view_rolebinding.yaml  | 13 ++++++
 .../helm/templates/rbac/serviceaccount.yaml   | 28 +++++++++++++
 .../rbac/elasticsearch_edit_role_test.yaml    |  7 +---
 .../elasticsearch_edit_rolebinding_test.yaml  | 41 +++++++++++++++++++
 .../rbac/elasticsearch_view_role_test.yaml    |  7 +---
 .../elasticsearch_view_rolebinding_test.yaml  | 41 +++++++++++++++++++
 .../test/helm/rbac/serviceaccount_test.yaml   | 41 +++++++++++++++++++
 10 files changed, 181 insertions(+), 16 deletions(-)
 create mode 100644 ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_edit_rolebinding.yaml
 create mode 100644 ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_view_rolebinding.yaml
 create mode 100644 ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/serviceaccount.yaml
 create mode 100644 ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_edit_rolebinding_test.yaml
 create mode 100644 ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_view_rolebinding_test.yaml
 create mode 100644 ozgcloud-elasticsearch-operator/src/test/helm/rbac/serviceaccount_test.yaml

diff --git a/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_edit_role.yaml b/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_edit_role.yaml
index 8c47d52..10db7d0 100644
--- a/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_edit_role.yaml
+++ b/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_edit_role.yaml
@@ -1,14 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: elasticsearch-edit-role
+  name: ozgcloud-elasticsearch-operator-edit-role
   labels:
     app.kubernetes.io/name: clusterrole
     app.kubernetes.io/instance: elasticsearch-edit-role
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: ozgcloud-operator
     app.kubernetes.io/part-of: ozgcloud-operator
-    app.kubernetes.io/managed-by: kustomize
 rules:
 - apiGroups:
   - api.ozgcloud-stack.de
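Review bot: The `app.kubernetes.io/instance` label three lines below the renamed `name` still reads `elasticsearch-edit-role`, so the label no longer identifies the resource it sits on; it should follow the rename, `app.kubernetes.io/instance: ozgcloud-elasticsearch-operator-edit-role`. The same stale label is left in the view-role hunk of elasticsearch_view_role.yaml (`elasticsearch-view-role`). The matching label assertions in the two *_role_test.yaml suites are outside the visible hunks and would need the same update. The `rules:` block of this ClusterRole continues past the end of the hunk.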
diff --git a/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_edit_rolebinding.yaml b/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_edit_rolebinding.yaml
new file mode 100644
index 0000000..856aa63
--- /dev/null
+++ b/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_edit_rolebinding.yaml
@@ -0,0 +1,13 @@
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ozgcloud-elasticsearch-operator-edit-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: ozgcloud-elasticsearch-operator-serviceaccount
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: ozgcloud-elasticsearch-operator-edit-role
+  apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
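Review bot: Both new ClusterRoleBindings (this one and elasticsearch_view_rolebinding.yaml) give `ozgcloud-elasticsearch-operator-serviceaccount` cluster-wide rights under a hard-coded, release-independent name, so a second release of this chart in the same cluster would contend for the same cluster-scoped object; consider deriving the name from the release, e.g. `name: {{ .Release.Name }}-edit-role-binding`, or documenting that only one instance per cluster is supported. If the edit ClusterRole is a superset of the view ClusterRole, binding both to the same subject is redundant and the view binding could be dropped to keep the granted set minimal — worth confirming against the rules, which are not in this diff. For consistency with the ClusterRole templates the binding also carries none of the `app.kubernetes.io/*` labels, and the templated value would be safer quoted, `namespace: {{ .Release.Namespace | quote }}`.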
diff --git a/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_view_role.yaml b/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_view_role.yaml
index 04d9878..be09c64 100644
--- a/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_view_role.yaml
+++ b/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_view_role.yaml
@@ -1,14 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: elasticsearch-view-role
+  name: ozgcloud-elasticsearch-operator-view-role
   labels:
     app.kubernetes.io/name: clusterrole
     app.kubernetes.io/instance: elasticsearch-view-role
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: ozgcloud-operator
     app.kubernetes.io/part-of: ozgcloud-operator
-    app.kubernetes.io/managed-by: kustomize
 rules:
 - apiGroups:
   - api.ozgcloud-stack.de
diff --git a/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_view_rolebinding.yaml b/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_view_rolebinding.yaml
new file mode 100644
index 0000000..150d750
--- /dev/null
+++ b/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/elasticsearch_view_rolebinding.yaml
@@ -0,0 +1,13 @@
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ozgcloud-elasticsearch-operator-view-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: ozgcloud-elasticsearch-operator-serviceaccount
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: ozgcloud-elasticsearch-operator-view-role
+  apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/serviceaccount.yaml b/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/serviceaccount.yaml
new file mode 100644
index 0000000..a144149
--- /dev/null
+++ b/ozgcloud-elasticsearch-operator/src/main/helm/templates/rbac/serviceaccount.yaml
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2023 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ozgcloud-elasticsearch-operator-serviceaccount
+  namespace: {{ .Release.Namespace }}
\ No newline at end of file
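Review bot: Nothing in this patch attaches the new ServiceAccount to the operator's workload — the diffstat touches only rbac templates and tests — so unless the Deployment template already sets `serviceAccountName: ozgcloud-elasticsearch-operator-serviceaccount`, the operator pods keep running as the namespace `default` account and the two ClusterRoleBindings grant them nothing; worth verifying before merge. Like the bindings, the ServiceAccount has none of the `app.kubernetes.io/*` labels the ClusterRoles use, and the templated value would be safer quoted, `namespace: {{ .Release.Namespace | quote }}`. The file also ends without a trailing newline.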
diff --git a/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_edit_role_test.yaml b/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_edit_role_test.yaml
index 6b3bcc3..f1f673e 100644
--- a/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_edit_role_test.yaml
+++ b/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_edit_role_test.yaml
@@ -16,7 +16,7 @@ tests:
     asserts:
       - equal:
           path: metadata.name
-          value: elasticsearch-edit-role
+          value: ozgcloud-elasticsearch-operator-edit-role
   - it: should have metadata labels name
     asserts: 
       - equal:
@@ -42,11 +42,6 @@ tests:
       - equal:
           path: metadata.labels.[app.kubernetes.io/part-of]
           value: ozgcloud-operator
-  - it: should have metadata labels managed-by
-    asserts: 
-      - equal:
-          path: metadata.labels.[app.kubernetes.io/managed-by]
-          value: kustomize
 
   - it: should have rules for ozgcloudelasticsearches resource
     asserts:
diff --git a/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_edit_rolebinding_test.yaml b/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_edit_rolebinding_test.yaml
new file mode 100644
index 0000000..3f81f9c
--- /dev/null
+++ b/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_edit_rolebinding_test.yaml
@@ -0,0 +1,41 @@
+
+
+suite: elasticsearch_view_rolebinding test
+release:
+  namespace: sh-helm-test
+templates:
+  - templates/rbac/elasticsearch_view_rolebinding.yaml
+tests:
+  - it: should have apiVersion
+    asserts: 
+      - equal:
+          path: apiVersion
+          value: rbac.authorization.k8s.io/v1
+  - it: should have isKind of
+    asserts:
+      - isKind:
+          of: ClusterRoleBinding
+
+  - it: should have metadata name
+    asserts:
+      - equal:
+          path: metadata.name
+          value: ozgcloud-elasticsearch-operator-view-role-binding
+
+  - it: should have subjects
+    asserts:
+      - equal:
+          path: subjects
+          value:
+            - kind: ServiceAccount
+              name: ozgcloud-elasticsearch-operator-serviceaccount
+              namespace: sh-helm-test
+
+  - it: should have roleRef
+    asserts:
+      - equal:
+          path: roleRef
+          value:
+            kind: ClusterRole
+            name: ozgcloud-elasticsearch-operator-view-role
+            apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
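Review bot: The file is named elasticsearch_edit_rolebinding_test.yaml but its body tests the view binding — `suite: elasticsearch_view_rolebinding test`, `templates/rbac/elasticsearch_view_rolebinding.yaml` and the `...-view-role-binding` / `...-view-role` expectations — while elasticsearch_view_rolebinding_test.yaml holds the edit variant; the two bodies are swapped and should be exchanged so each file exercises the template it is named after. Both suites also open with two blank lines and lack the EUPL header that serviceaccount_test.yaml carries.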
diff --git a/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_view_role_test.yaml b/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_view_role_test.yaml
index d584880..b82cdab 100644
--- a/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_view_role_test.yaml
+++ b/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_view_role_test.yaml
@@ -16,7 +16,7 @@ tests:
     asserts:
       - equal:
           path: metadata.name
-          value: elasticsearch-view-role
+          value: ozgcloud-elasticsearch-operator-view-role
   - it: should have metadata labels name
     asserts: 
       - equal:
@@ -42,11 +42,6 @@ tests:
       - equal:
           path: metadata.labels.[app.kubernetes.io/part-of]
           value: ozgcloud-operator
-  - it: should have metadata labels managed-by
-    asserts: 
-      - equal:
-          path: metadata.labels.[app.kubernetes.io/managed-by]
-          value: kustomize
 
   - it: should have rules for ozgcloudelasticsearches resource
     asserts:
diff --git a/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_view_rolebinding_test.yaml b/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_view_rolebinding_test.yaml
new file mode 100644
index 0000000..cb9d61a
--- /dev/null
+++ b/ozgcloud-elasticsearch-operator/src/test/helm/rbac/elasticsearch_view_rolebinding_test.yaml
@@ -0,0 +1,41 @@
+
+
+suite: elasticsearch_edit_rolebinding test
+release:
+  namespace: sh-helm-test
+templates:
+  - templates/rbac/elasticsearch_edit_rolebinding.yaml
+tests:
+  - it: should have apiVersion
+    asserts: 
+      - equal:
+          path: apiVersion
+          value: rbac.authorization.k8s.io/v1
+  - it: should have isKind of
+    asserts:
+      - isKind:
+          of: ClusterRoleBinding
+
+  - it: should have metadata name
+    asserts:
+      - equal:
+          path: metadata.name
+          value: ozgcloud-elasticsearch-operator-edit-role-binding
+
+  - it: should have subjects
+    asserts:
+      - equal:
+          path: subjects
+          value:
+            - kind: ServiceAccount
+              name: ozgcloud-elasticsearch-operator-serviceaccount
+              namespace: sh-helm-test
+
+  - it: should have roleRef
+    asserts:
+      - equal:
+          path: roleRef
+          value:
+            kind: ClusterRole
+            name: ozgcloud-elasticsearch-operator-edit-role
+            apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/ozgcloud-elasticsearch-operator/src/test/helm/rbac/serviceaccount_test.yaml b/ozgcloud-elasticsearch-operator/src/test/helm/rbac/serviceaccount_test.yaml
new file mode 100644
index 0000000..ee12d82
--- /dev/null
+++ b/ozgcloud-elasticsearch-operator/src/test/helm/rbac/serviceaccount_test.yaml
@@ -0,0 +1,41 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: ServiceAccount test
+release:
+  name: ozgcloud-elasticsearch-operator
+  namespace: test-namespace
+templates:
+  - templates/rbac/serviceaccount.yaml
+tests:
+  - it: test metadata
+    asserts:
+      - isKind:
+          of: ServiceAccount
+      - equal:
+          path: metadata.name
+          value: ozgcloud-elasticsearch-operator-serviceaccount
+      - equal:
+          path: metadata.namespace
+          value: test-namespace
\ No newline at end of file
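Review bot: The single case `it: test metadata` bundles the kind, name and namespace assertions and departs from the `should have ...` naming the sibling rbac suites use, so a failure here does not say which property broke; splitting it into `it: should have isKind of`, `it: should have metadata name` and `it: should have metadata namespace` would match the other suites. The `release:` fixture here uses `namespace: test-namespace` while the rolebinding suites use `sh-helm-test`; harmless, but one fixture convention across the rbac tests would be easier to maintain.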
-- 
GitLab