Adds default role-bindings for the admin user (#685)

* Adds default role-bindings for the admin user

- Can be disabled if need be
- Improves the UX a lot, user doesn't have to fiddle with rolebindings
  during setup

* Clean up apparently unused bindings

Author: foot

charts/mccp/templates/rbac/admin_role_bindings.yaml

@@ -0,0 +1,69 @@
+{{- if .Values.rbac.adminUserRoleBindings.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: wego-admin-read-apps
+  namespace: flux-system
+subjects:
+- kind: User
+  name: "wego-admin"
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: gitops-apps-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: wego-admin-read-templates
+  namespace: {{ .Values.config.capi.templates.namespace }}
+subjects:
+- kind: User
+  name: "wego-admin"
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: gitops-templates-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: wego-admin-read-secrets
+  namespace: {{ .Values.config.capi.clusters.namespace }}
+subjects:
+- kind: User
+  name: "wego-admin"
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: gitops-secrets-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: wego-admin-read-identities
+subjects:
+- kind: User
+  name: "wego-admin"
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: gitops-identities-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: wego-admin-read-policies
+subjects:
+- kind: User
+  name: "wego-admin"
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: gitops-policies-reader
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/mccp/values.yaml

@@ -84,6 +84,8 @@ clusterBootstrapController:
 rbac:
   userRoles:
     create: true
+  adminUserRoleBindings:
+    create: true
 
 service:
   type: ClusterIP
@@ -104,4 +106,4 @@ service:
   healthCheckNodePort: 0
 
 cluster-controller:
-  enabled: false
+  enabled: false

test/utils/data/rbac-auth.yaml

@@ -5,9 +5,6 @@ metadata:
   name: read-templates
   namespace: default
 subjects:
-- kind: User
-  name: "wego-admin"
-  apiGroup: rbac.authorization.k8s.io
 - kind: User
   name: "[email protected]"
   apiGroup: rbac.authorization.k8s.io
@@ -22,9 +19,6 @@ metadata:
   name: read-sources
   namespace: flux-system
 subjects:
-- kind: User
-  name: "wego-admin"
-  apiGroup: rbac.authorization.k8s.io
 - kind: User
   name: "[email protected]"
   apiGroup: rbac.authorization.k8s.io
@@ -39,9 +33,6 @@ metadata:
   name: read-apps
   namespace: flux-system
 subjects:
-- kind: User
-  name: "wego-admin"
-  apiGroup: rbac.authorization.k8s.io
 - kind: User
   name: "[email protected]"
   apiGroup: rbac.authorization.k8s.io
@@ -56,9 +47,6 @@ metadata:
   name: read-configmaps
   namespace: flux-system
 subjects:
-- kind: User
-  name: wego-admin
-  apiGroup: rbac.authorization.k8s.io
 - kind: User
   name: "[email protected]"
   apiGroup: rbac.authorization.k8s.io
@@ -73,9 +61,6 @@ kind: ClusterRoleBinding
 metadata:
   name: read-identities
 subjects:
-- kind: User
-  name: "wego-admin"
-  apiGroup: rbac.authorization.k8s.io
 - kind: User
   name: "[email protected]"
   apiGroup: rbac.authorization.k8s.io
@@ -89,9 +74,6 @@ kind: ClusterRoleBinding
 metadata:
   name: read-secrets
 subjects:
-- kind: User
-  name: "wego-admin"
-  apiGroup: rbac.authorization.k8s.io
 - kind: User
   name: "[email protected]"
   apiGroup: rbac.authorization.k8s.io
@@ -105,9 +87,6 @@ kind: ClusterRoleBinding
 metadata:
   name: read-policies
 subjects:
-- kind: User
-  name: "wego-admin"
-  apiGroup: rbac.authorization.k8s.io
 - kind: User
   name: "[email protected]"
   apiGroup: rbac.authorization.k8s.io