diff --git a/cost-analyzer/templates/_helpers.tpl b/cost-analyzer/templates/_helpers.tpl
index 43a9f05b9..bf7b82c98 100755
--- a/cost-analyzer/templates/_helpers.tpl
+++ b/cost-analyzer/templates/_helpers.tpl
@@ -161,7 +161,7 @@ will result in failure. Users are asked to select one of the two presently-avail
 RBAC exclusivity check: make sure either RBAC or RBAC Teams is enabled, not both
 */}}
 {{- define "rbacCheck" -}}
- {{- if or (and ((.Values.saml).rbac).teamsEnabled ((.Values.saml).rbac).enabled) (and ((.Values.oidc).rbac).teamsEnabled ((.Values.oidc).rbac).enabled) -}}
+ {{- if and (or ((.Values.saml).rbac).enabled ((.Values.oidc).rbac).enabled) (.Values.rbacTeams).enabled -}}
 {{- fail "\nSimple RBAC and RBAC Teams are mutually exclusive. Please specify only one." -}}
 {{- end -}}
 {{- end -}}
@@ -1014,10 +1014,14 @@ Begin Kubecost 2.0 templates
 {{- end }}
 {{- end }}
 {{- end }}
- {{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }}
+ {{- if eq (include "rbacTeamsEnabled" .) "true" }}
 - name: kubecost-rbac-secret
 mountPath: /var/configs/kubecost-rbac-secret
 {{- end }}
+ {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }}
+ - name: kubecost-rbac-teams-config
+ mountPath: /var/configs/rbac-teams-configs
+ {{- end }}
 {{- if .Values.global.integrations.postgres.enabled }}
 - name: postgres-creds
 mountPath: /var/configs/integrations/postgres-creds
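Review bot: The new rbacCheck condition no longer reads `saml.rbac.teamsEnabled` or `oidc.rbac.teamsEnabled`, and no other hunk in this diff does either, so a values file carried over from the previous chart still renders cleanly but with Teams RBAC, its Secret and its env vars silently gone. Because this is an authorization control, that downgrade should fail the render rather than pass it: add a guard next to the exclusivity check, `{{- if or ((.Values.saml).rbac).teamsEnabled ((.Values.oidc).rbac).teamsEnabled -}}` / `{{- fail "\n*.rbac.teamsEnabled has been replaced by rbacTeams.enabled." -}}` / `{{- end -}}`. The comment above the define still describes the check as "either RBAC or RBAC Teams", which remains accurate, but a sentence noting that the legacy keys are rejected would make the migration visible to the next reader.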
@@ -1166,11 +1170,21 @@ Begin Kubecost 2.0 templates
 value: "true"
 - name: OIDC_SKIP_ONLINE_VALIDATION
 value: {{ (quote .Values.oidc.skipOnlineTokenValidation) | default (quote false) }}
- {{- if .Values.oidc.rbac.teamsEnabled }}
+ {{- end}}
+ {{- if eq (include "rbacTeamsEnabled" .) "true" }}
+ {{- if .Values.oidc.enabled }}
 - name: OIDC_RBAC_TEAMS_ENABLED
 value: "true"
 {{- end }}
- {{- end}}
+ {{- if .Values.saml.enabled }}
+ - name: SAML_RBAC_TEAMS_ENABLED
+ value: "true"
+ {{- end }}
+ {{- end }}
+ {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }}
+ - name: RBAC_TEAMS_HELM_CONFIG_PATH
+ value: "/var/configs/rbac-teams-configs/rbac-teams-configs.json"
+ {{- end }}
 {{- if .Values.kubecostAggregator }}
 {{- if .Values.kubecostAggregator.collections }}
 {{- if (((.Values.kubecostAggregator).collections).cache) }}
@@ -1215,10 +1229,6 @@ Begin Kubecost 2.0 templates
 - name: SAML_RBAC_ENABLED
 value: "true"
 {{- end }}
- {{- if .Values.saml.rbac.teamsEnabled }}
- - name: SAML_RBAC_TEAMS_ENABLED
- value: "true"
- {{- end }}
 {{- if and .Values.saml.encryptionCertSecret .Values.saml.decryptionKeySecret }}
 - name: SAML_RESPONSE_ENCRYPTED
 value: "true"
@@ -1367,7 +1377,7 @@ SSO enabled flag for nginx configmap
 To use the Kubecost built-in Teams UI RBAC< you must enable SSO and RBAC and not specify any groups.
 Groups is only used when using external RBAC.
 */}}
-{{- define "rbacTeamsEnabled" -}}
+{{- define "rbacTeamsLegacyEnabled" -}}
 {{- if or (.Values.saml).enabled (.Values.oidc).enabled -}}
 {{- if or ((.Values.saml).rbac).enabled ((.Values.oidc).rbac).enabled -}}
 {{- if not (or (.Values.saml).groups (.Values.oidc).groups) -}}
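Review bot: Inside the new `rbacTeamsEnabled` block the inner checks use the unguarded `.Values.oidc.enabled` and `.Values.saml.enabled`, while the helper that gates them uses the nil-safe `(.Values.oidc).enabled` form; the helper only guarantees that one of the two providers is configured, so a values override that nulls out the other map would make this template error on a nil map instead of rendering nothing. Use the same guarded form here, `{{- if (.Values.oidc).enabled }}` and `{{- if (.Values.saml).enabled }}`; the cost-analyzer deployment hunk at `@@ -1018,10 +1014,16 @@` has the identical pattern. Separately, the `RBAC_TEAMS_HELM_CONFIG_PATH` value is a literal that must agree with the `mountPath` in the preceding hunk and with the ConfigMap key in the new template, three places that can drift independently; a small named template returning the path would keep them in step. The enclosing env list starts and ends outside this hunk.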
@@ -1383,6 +1393,38 @@ Groups is only used when using external RBAC. {{- end -}} {{- end -}} +{{/* +RBAC teams enabled requires that it be explicitly enabled in addition to SAML or OIDC being enabled +and legacy RBAC being disabled. +*/}} +{{- define "rbacTeamsEnabled" -}} + {{- if or (.Values.saml).enabled (.Values.oidc).enabled -}} + {{- if and (not ((.Values.saml).rbac).enabled) (not ((.Values.oidc).rbac).enabled) -}} + {{- if (.Values.rbacTeams).enabled -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end }} + +{{- define "rbacTeamsConfigEnabled" -}} + {{- if eq (include "rbacTeamsEnabled" .) "true" -}} + {{- if (.Values.rbacTeams).teamsConfig -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end }} + {{- else -}} + {{- printf "false" -}} + {{- end }} +{{- end }} + {{/* Backups configured flag for nginx configmap */}} diff --git a/cost-analyzer/templates/aggregator-statefulset.yaml b/cost-analyzer/templates/aggregator-statefulset.yaml index 655279ab6..6c72fb85b 100644 --- a/cost-analyzer/templates/aggregator-statefulset.yaml +++ b/cost-analyzer/templates/aggregator-statefulset.yaml @@ -145,11 +145,6 @@ spec: configMap: name: {{ template "cost-analyzer.fullname" . }}-saml {{- end }} - {{- if .Values.saml.rbac.teamsEnabled }} - - name: kubecost-rbac-secret - secret: - secretName: kubecost-rbac-secret - {{- end }} {{- end }} {{- end }} {{- if .Values.oidc }} 
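Review bot: `rbacTeamsEnabled` prints "false" when `rbacTeams.enabled` is set but neither `saml.enabled` nor `oidc.enabled` is, so a chart that explicitly asks for Teams RBAC renders with no RBAC Secret, no `*_RBAC_TEAMS_ENABLED` env var and no error; for an authorization feature that should be a render failure, e.g. in `rbacCheck`: `{{- if and (.Values.rbacTeams).enabled (not (or (.Values.saml).enabled (.Values.oidc).enabled)) -}}` / `{{- fail "\nrbacTeams.enabled requires saml.enabled or oidc.enabled." -}}` / `{{- end -}}`. `rbacTeamsConfigEnabled` also lacks the comment block its sibling has; something like `{{/* True only when Teams RBAC is enabled and rbacTeams.teamsConfig is non-empty; gates the kubecost-rbac-teams-config ConfigMap, its volume and its mount. */}}` would document what it gates. The helper also only tests that `teamsConfig` is truthy, so an empty map or list is treated as "no config" rather than as a mistake; if an empty policy is not a valid state, say so in the comment.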
@@ -167,12 +162,17 @@ spec:
 secret:
 secretName: {{ .Values.oidc.existingCustomSecret.name }}
 {{- end }}
- {{- if .Values.oidc.rbac.teamsEnabled }}
+ {{- end }}
+ {{- end }}
+ {{- if eq (include "rbacTeamsEnabled" .) "true" }}
 - name: kubecost-rbac-secret
 secret:
 secretName: kubecost-rbac-secret
 {{- end }}
- {{- end }}
+ {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }}
+ - name: kubecost-rbac-teams-config
+ configMap:
+ name: kubecost-rbac-teams-config
 {{- end }}
 {{- if .Values.global.integrations.postgres.enabled }}
 - name: postgres-creds
diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml
index 123ef791d..a155a3e52 100644
--- a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml
+++ b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml
@@ -248,11 +248,6 @@ spec:
 configMap:
 name: {{ template "cost-analyzer.fullname" . }}-saml
 {{- end }}
- {{- if .Values.saml.rbac.teamsEnabled }}
- - name: kubecost-rbac-secret
- secret:
- secretName: kubecost-rbac-secret
- {{- end }}
 {{- end }}
 {{- end }}
 {{- if .Values.oidc }}
@@ -270,12 +265,17 @@ spec:
 secret:
 secretName: {{ .Values.oidc.existingCustomSecret.name }}
 {{- end }}
- {{- if .Values.oidc.rbac.teamsEnabled }}
+ {{- end }}
+ {{- end }}
+ {{- if eq (include "rbacTeamsEnabled" .) "true" }}
 - name: kubecost-rbac-secret
 secret:
 secretName: kubecost-rbac-secret
 {{- end }}
- {{- end }}
+ {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }}
+ - name: kubecost-rbac-teams-config
+ configMap:
+ name: kubecost-rbac-teams-config
 {{- end }}
 {{- if .Values.extraVolumes }}
 # Extra volume(s)
@@ -699,7 +699,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
- {{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }}
+ {{- if eq (include "rbacTeamsEnabled" .) "true" }}
 - name: kubecost-rbac-secret
 mountPath: /var/configs/kubecost-rbac-secret
 {{- end }}
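Review bot: The cost-analyzer deployment now declares the `kubecost-rbac-teams-config` volume (hunk `@@ -270,12 +265,17 @@`) but its volumeMounts hunk `@@ -699,7 +699,7 @@` only adds the rbac-secret mount, and `RBAC_TEAMS_HELM_CONFIG_PATH` is added to the aggregator env only; unless the mount lives outside these hunks, the deployment carries an unmounted volume while the aggregator gets both the mount and the path variable. Either add the matching mount under the same guard, `{{- if eq (include "rbacTeamsConfigEnabled" .) "true" }}` / `- name: kubecost-rbac-teams-config` / `mountPath: /var/configs/rbac-teams-configs`, or drop the volume from this template. The rbac-secret and rbac-teams-config volume blocks in the aggregator and deployment templates are now identical copies; a shared named template would keep the two from drifting, which matters for a volume that carries authorization material.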
@@ -746,8 +746,8 @@ spec:
 value: {{ .Values.assetReportConfigmapName }}
 {{- end }}
 {{- if .Values.cloudCostReportConfigmapName }}
- - name: CLOUD_COST_REPORT_CONFIGMAP_NAME
- value: {{ .Values.cloudCostReportConfigmapName }}
+ - name: CLOUD_COST_REPORT_CONFIGMAP_NAME
+ value: {{ .Values.cloudCostReportConfigmapName }}
 {{- end }}
 {{- if .Values.savedReportConfigmapName }}
 - name: SAVED_REPORT_CONFIGMAP_NAME
@@ -977,10 +977,6 @@ spec:
 value: "true"
 - name: OIDC_SKIP_ONLINE_VALIDATION
 value: {{ (quote .Values.oidc.skipOnlineTokenValidation) | default (quote false) }}
- {{- if .Values.oidc.rbac.teamsEnabled }}
- - name: OIDC_RBAC_TEAMS_ENABLED
- value: "true"
- {{- end }}
 {{- end }}
 {{- if .Values.saml }}
 {{- if .Values.saml.enabled }}
@@ -1018,10 +1014,16 @@ spec:
 - name: SAML_RESPONSE_ENCRYPTED
 value: "true"
 {{- end}}
- {{- if .Values.saml.rbac.teamsEnabled }}
- - name: SAML_RBAC_TEAMS_ENABLED
+ {{- end }}
+ {{- end }}
+ {{- if eq (include "rbacTeamsEnabled" .) "true" }}
+ {{- if .Values.oidc.enabled }}
+ - name: OIDC_RBAC_TEAMS_ENABLED
 value: "true"
 {{- end }}
+ {{- if .Values.saml.enabled }}
+ - name: SAML_RBAC_TEAMS_ENABLED
+ value: "true"
 {{- end }}
 {{- end }}
 {{- if and (.Values.prometheus.server.global.external_labels.cluster_id) (not .Values.prometheus.server.clusterIDConfigmap) }}
diff --git a/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml b/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml
index 9390da726..fc19c3e93 100755
--- a/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml
+++ b/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml
@@ -1531,7 +1531,7 @@ data:
 return 200 '\n
 {
 "ssoConfigured": "{{ template "ssoEnabled" . }}",
- "rbacTeamsEnabled": "{{ template "rbacTeamsEnabled" . }}",
+ "rbacTeamsEnabled": "{{ template "rbacTeamsLegacyEnabled" . }}",
 "dataBackupConfigured": "{{ template "dataBackupConfigured" . }}",
 "costEventsAuditEnabled": "{{ template "costEventsAuditEnabled" . }}",
 "frontendDeployMethod": "{{ template "frontend.deployMethod" . }}",
diff --git a/cost-analyzer/templates/kubecost-rbac-secret-template.yaml b/cost-analyzer/templates/kubecost-rbac-secret-template.yaml
index a19ff318f..4f2116035 100644
--- a/cost-analyzer/templates/kubecost-rbac-secret-template.yaml
+++ b/cost-analyzer/templates/kubecost-rbac-secret-template.yaml
@@ -1,6 +1,4 @@
-{{- if or .Values.oidc.enabled .Values.saml.enabled }}
-{{- if and (not .Values.oidc.rbac.enabled) (not .Values.saml.rbac.enabled) }}
-{{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }}
+{{- if eq (include "rbacTeamsEnabled" .) "true" }}
 apiVersion: v1
 kind: Secret
 type: Opaque
@@ -18,5 +16,3 @@ stringData:
 {{ .Values.saml.authSecret | default (randAlphaNum 32 | quote) }}
 {{- end }}
 {{- end }}
-{{- end }}
-{{- end }}
diff --git a/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml b/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml
new file mode 100644
index 000000000..1a8922c3a
--- /dev/null
+++ b/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml
@@ -0,0 +1,11 @@
+{{- if eq (include "rbacTeamsConfigEnabled" .) "true" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "kubecost-rbac-teams-config"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "cost-analyzer.commonLabels" . | nindent 4 }}
+data:
+ rbac-teams-configs.json: '{{ toJson .Values.rbacTeams.teamsConfig }}'
+{{- end }}
\ No newline at end of file
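Review bot: The nginx JSON key keeps the name `"rbacTeamsEnabled"` but now renders `rbacTeamsLegacyEnabled`, so the frontend is told about the legacy Teams UI path only and never learns that the new `rbacTeams.enabled` mode is on. If that is intentional, a comment on the line such as `{{/* frontend flag reflects the legacy Teams UI RBAC path only; rbacTeams.enabled is not surfaced here */}}` would stop the next reader from treating the mismatch as a bug; otherwise the value should come from the new helper. The enclosing `return 200` block starts and ends outside the hunk.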
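Review bot: In the new ConfigMap template, `rbac-teams-configs.json: '{{ toJson .Values.rbacTeams.teamsConfig }}'` wraps the JSON in a hand-written YAML single-quoted scalar, so any `'` inside a team or group name in `rbacTeams.teamsConfig` terminates the scalar and yields an invalid or restructured manifest; since this document is the authorization policy the backend loads, ordinary values should not be able to produce a malformed render. Let the template do the quoting instead, `rbac-teams-configs.json: {{ toJson .Values.rbacTeams.teamsConfig | quote }}`, which escapes embedded quotes and backslashes. The ConfigMap name is a fixed `"kubecost-rbac-teams-config"` rather than derived from `cost-analyzer.fullname`, consistent with the existing `kubecost-rbac-secret` but meaning two releases in one namespace would contend for the same object; the file also ends without a trailing newline.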