From 4b98aea0e210f1ec2c5978d0373184bf86f27ed9 Mon Sep 17 00:00:00 2001 From: Sean Holcomb Date: Tue, 7 Jan 2025 15:16:51 -0800 Subject: [PATCH 1/2] Add configmap mounting for RBAC teams Signed-off-by: Sean Holcomb --- cost-analyzer/templates/_helpers.tpl | 16 ++++++++++++++++ .../templates/aggregator-statefulset.yaml | 5 +++++ .../cost-analyzer-deployment-template.yaml | 5 +++++ .../kubecost-rbac-teams-configmap-template.yaml | 11 +++++++++++ 4 files changed, 37 insertions(+) create mode 100644 cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml diff --git a/cost-analyzer/templates/_helpers.tpl b/cost-analyzer/templates/_helpers.tpl index 43a9f05b9..088262838 100755 --- a/cost-analyzer/templates/_helpers.tpl +++ b/cost-analyzer/templates/_helpers.tpl @@ -1018,6 +1018,10 @@ Begin Kubecost 2.0 templates - name: kubecost-rbac-secret mountPath: /var/configs/kubecost-rbac-secret {{- end }} + {{- if eq (include "rbacTeamsConfig" .) "true" }} + - name: kubecost-rbac-teams-config + mountPath: /var/configs/rbac-teams-configs + {{- end }} {{- if .Values.global.integrations.postgres.enabled }} - name: postgres-creds mountPath: /var/configs/integrations/postgres-creds @@ -1171,6 +1175,10 @@ Begin Kubecost 2.0 templates value: "true" {{- end }} {{- end}} + {{- if eq (include "rbacTeamsConfig" .) "true" }} + - name: RBAC_TEAMS_HELM_CONFIG_PATH + value: "/var/configs/rbac-teams-configs/rbac-teams-configs.json" + {{- end }} {{- if .Values.kubecostAggregator }} {{- if .Values.kubecostAggregator.collections }} {{- if (((.Values.kubecostAggregator).collections).cache) }} @@ -1383,6 +1391,14 @@ Groups is only used when using external RBAC. {{- end -}} {{- end -}} +{{- define "rbacTeamsConfig" -}} + {{- if (.Values.rbac).teamsConfig -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end }} +{{- end }} + {{/* Backups configured flag for nginx configmap */}} 
diff --git a/cost-analyzer/templates/aggregator-statefulset.yaml b/cost-analyzer/templates/aggregator-statefulset.yaml index 655279ab6..0c6656aaf 100644 --- a/cost-analyzer/templates/aggregator-statefulset.yaml +++ b/cost-analyzer/templates/aggregator-statefulset.yaml @@ -174,6 +174,11 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if eq (include "rbacTeamsConfig" .) "true" }} + - name: kubecost-rbac-teams-config + configMap: + name: kubecost-rbac-teams-config + {{- end }} {{- if .Values.global.integrations.postgres.enabled }} - name: postgres-creds secret: diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index 123ef791d..52c1a4148 100644 --- a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml @@ -277,6 +277,11 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if eq (include "rbacTeamsConfig" .) "true" }} + - name: kubecost-rbac-teams-config + configMap: + name: kubecost-rbac-teams-config + {{- end }} {{- if .Values.extraVolumes }} # Extra volume(s) {{- toYaml .Values.extraVolumes | nindent 8 }} diff --git a/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml b/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml new file mode 100644 index 000000000..df1931a4a --- /dev/null +++ b/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml @@ -0,0 +1,11 @@ +{{- if eq (include "rbacTeamsConfig" .) "true" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "kubecost-rbac-teams-config" + namespace: {{ .Release.Namespace }} + labels: + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} +data: + rbac-teams-configs.json: '{{ toJson .Values.rbac.teamsConfig }}' +{{- end }} \ No newline at end of file From 71deaf4a6ad74adf029d2d6ddb2b530eb9a67a29 Mon Sep 17 00:00:00 2001 
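Review bot: In the new kubecost-rbac-teams-configmap-template.yaml the rendered JSON is wrapped in a YAML single-quoted scalar, `rbac-teams-configs.json: '{{ toJson .Values.rbac.teamsConfig }}'`, so a `'` anywhere in a team, group or user name in the values (toJson does not escape it) terminates the scalar early and the chart fails to render. Letting Sprig do the escaping, `rbac-teams-configs.json: {{ toJson .Values.rbac.teamsConfig | quote }}`, yields a double-quoted scalar whose `\"` escapes YAML decodes back into the original JSON; a `|-` block scalar filled with `nindent` is the other safe form. The second patch's hunk in the same file (@@ -7,5 +7,5 @@) only switches the values path to `.Values.rbacTeams.teamsConfig` and keeps the single quotes, so the same change applies there. The new file also ends without a trailing newline.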
From: Sean Holcomb Date: Wed, 8 Jan 2025 14:05:05 -0800 Subject: [PATCH 2/2] Unify variables and redefine values structure Signed-off-by: Sean Holcomb --- cost-analyzer/templates/_helpers.tpl | 60 +++++++++++++------ .../templates/aggregator-statefulset.yaml | 13 ++-- .../cost-analyzer-deployment-template.yaml | 33 +++++----- ...analyzer-frontend-config-map-template.yaml | 2 +- .../kubecost-rbac-secret-template.yaml | 6 +- ...ubecost-rbac-teams-configmap-template.yaml | 4 +- 6 files changed, 66 insertions(+), 52 deletions(-) diff --git a/cost-analyzer/templates/_helpers.tpl b/cost-analyzer/templates/_helpers.tpl index 088262838..bf7b82c98 100755 --- a/cost-analyzer/templates/_helpers.tpl +++ b/cost-analyzer/templates/_helpers.tpl @@ -161,7 +161,7 @@ will result in failure. Users are asked to select one of the two presently-avail RBAC exclusivity check: make sure either RBAC or RBAC Teams is enabled, not both */}} {{- define "rbacCheck" -}} - {{- if or (and ((.Values.saml).rbac).teamsEnabled ((.Values.saml).rbac).enabled) (and ((.Values.oidc).rbac).teamsEnabled ((.Values.oidc).rbac).enabled) -}} + {{- if and (or ((.Values.saml).rbac).enabled ((.Values.oidc).rbac).enabled) (.Values.rbacTeams).enabled -}} {{- fail "\nSimple RBAC and RBAC Teams are mutually exclusive. Please specify only one." -}} {{- end -}} {{- end -}} @@ -1014,11 +1014,11 @@ Begin Kubecost 2.0 templates {{- end }} {{- end }} {{- end }} - {{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} - name: kubecost-rbac-secret mountPath: /var/configs/kubecost-rbac-secret {{- end }} - {{- if eq (include "rbacTeamsConfig" .) "true" }} + {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }} - name: kubecost-rbac-teams-config mountPath: /var/configs/rbac-teams-configs {{- end }} 
@@ -1170,12 +1170,18 @@ Begin Kubecost 2.0 templates value: "true" - name: OIDC_SKIP_ONLINE_VALIDATION value: {{ (quote .Values.oidc.skipOnlineTokenValidation) | default (quote false) }} - {{- if .Values.oidc.rbac.teamsEnabled }} + {{- end}} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} + {{- if .Values.oidc.enabled }} - name: OIDC_RBAC_TEAMS_ENABLED value: "true" {{- end }} - {{- end}} - {{- if eq (include "rbacTeamsConfig" .) "true" }} + {{- if .Values.saml.enabled }} + - name: SAML_RBAC_TEAMS_ENABLED + value: "true" + {{- end }} + {{- end }} + {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }} - name: RBAC_TEAMS_HELM_CONFIG_PATH value: "/var/configs/rbac-teams-configs/rbac-teams-configs.json" {{- end }} @@ -1223,10 +1229,6 @@ Begin Kubecost 2.0 templates - name: SAML_RBAC_ENABLED value: "true" {{- end }} - {{- if .Values.saml.rbac.teamsEnabled }} - - name: SAML_RBAC_TEAMS_ENABLED - value: "true" - {{- end }} {{- if and .Values.saml.encryptionCertSecret .Values.saml.decryptionKeySecret }} - name: SAML_RESPONSE_ENCRYPTED value: "true" @@ -1375,7 +1377,7 @@ SSO enabled flag for nginx configmap To use the Kubecost built-in Teams UI RBAC< you must enable SSO and RBAC and not specify any groups. Groups is only used when using external RBAC. */}} -{{- define "rbacTeamsEnabled" -}} +{{- define "rbacTeamsLegacyEnabled" -}} {{- if or (.Values.saml).enabled (.Values.oidc).enabled -}} {{- if or ((.Values.saml).rbac).enabled ((.Values.oidc).rbac).enabled -}} {{- if not (or (.Values.saml).groups (.Values.oidc).groups) -}} 
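Review bot: The new SSO-specific env block in the @@ -1170 hunk tests `.Values.oidc.enabled` and `.Values.saml.enabled` directly, whereas the `rbacTeamsEnabled` helper it is gated on reads the same keys through the nil-safe `(.Values.oidc).enabled` / `(.Values.saml).enabled` form, and the removed lines show the old checks sat inside the per-provider `{{- if }}` guards that the hunk now closes before the new block. If a values file defines only one of the two SSO blocks, the helper can still return "true" while the unguarded access aborts the render with a nil-pointer error instead of emitting just the relevant variable; this is moot if values.yaml always ships both blocks, which is not visible here. Writing `{{- if (.Values.oidc).enabled }}` and `{{- if (.Values.saml).enabled }}` keeps the two places consistent. The same two lines appear in the cost-analyzer-deployment-template.yaml hunk at @@ -1023,10 +1014,16 @@.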
@@ -1391,12 +1393,36 @@ Groups is only used when using external RBAC. {{- end -}} {{- end -}} -{{- define "rbacTeamsConfig" -}} - {{- if (.Values.rbac).teamsConfig -}} - {{- printf "true" -}} - {{- else -}} - {{- printf "false" -}} - {{- end }} +{{/* +RBAC teams enabled requires that it be explicitly enabled in addition to SAML or OIDC being enabled +and legacy RBAC being disabled. +*/}} +{{- define "rbacTeamsEnabled" -}} + {{- if or (.Values.saml).enabled (.Values.oidc).enabled -}} + {{- if and (not ((.Values.saml).rbac).enabled) (not ((.Values.oidc).rbac).enabled) -}} + {{- if (.Values.rbacTeams).enabled -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end }} + +{{- define "rbacTeamsConfigEnabled" -}} + {{- if eq (include "rbacTeamsEnabled" .) "true" -}} + {{- if (.Values.rbacTeams).teamsConfig -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end }} + {{- else -}} + {{- printf "false" -}} + {{- end }} {{- end }} {{/* diff --git a/cost-analyzer/templates/aggregator-statefulset.yaml b/cost-analyzer/templates/aggregator-statefulset.yaml index 0c6656aaf..6c72fb85b 100644 --- a/cost-analyzer/templates/aggregator-statefulset.yaml +++ b/cost-analyzer/templates/aggregator-statefulset.yaml @@ -145,11 +145,6 @@ spec: configMap: name: {{ template "cost-analyzer.fullname" . }}-saml {{- end }} - {{- if .Values.saml.rbac.teamsEnabled }} - - name: kubecost-rbac-secret - secret: - secretName: kubecost-rbac-secret - {{- end }} {{- end }} {{- end }} {{- if .Values.oidc }} 
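Review bot: `rbacTeamsConfigEnabled` returns "false" whenever `rbacTeamsEnabled` is not "true", so a populated `rbacTeams.teamsConfig` is silently dropped (no ConfigMap, no mount, no `RBAC_TEAMS_HELM_CONFIG_PATH`) when SSO is off, legacy RBAC is on, or `rbacTeams.enabled` is unset, and an operator who sets team restrictions without the enable flag gets no indication that they are not applied. If that combination is never valid, a `fail` alongside the one in `rbacCheck` surfaces it at install time, e.g. `{{- if and (.Values.rbacTeams).teamsConfig (not (.Values.rbacTeams).enabled) -}}` / `{{- fail "rbacTeams.teamsConfig requires rbacTeams.enabled" -}}` / `{{- end -}}`; if it is intentionally tolerated, the define deserves a `{{/* */}}` header like the one added for `rbacTeamsEnabled`, stating that teamsConfig is ignored unless the teams feature is active. On style, the new define mixes `{{- end }}` with `{{- end -}}` while `rbacTeamsEnabled` right-trims every tag; callers compare the output with `eq ... "true"`, so trimming on all branches makes the no-stray-whitespace property obvious to the reader.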
@@ -167,14 +162,14 @@ spec: secret: secretName: {{ .Values.oidc.existingCustomSecret.name }} {{- end }} - {{- if .Values.oidc.rbac.teamsEnabled }} + {{- end }} + {{- end }} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} - name: kubecost-rbac-secret secret: secretName: kubecost-rbac-secret {{- end }} - {{- end }} - {{- end }} - {{- if eq (include "rbacTeamsConfig" .) "true" }} + {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }} - name: kubecost-rbac-teams-config configMap: name: kubecost-rbac-teams-config diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index 52c1a4148..a155a3e52 100644 --- a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml @@ -248,11 +248,6 @@ spec: configMap: name: {{ template "cost-analyzer.fullname" . }}-saml {{- end }} - {{- if .Values.saml.rbac.teamsEnabled }} - - name: kubecost-rbac-secret - secret: - secretName: kubecost-rbac-secret - {{- end }} {{- end }} {{- end }} {{- if .Values.oidc }} @@ -270,14 +265,14 @@ spec: secret: secretName: {{ .Values.oidc.existingCustomSecret.name }} {{- end }} - {{- if .Values.oidc.rbac.teamsEnabled }} + {{- end }} + {{- end }} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} - name: kubecost-rbac-secret secret: secretName: kubecost-rbac-secret {{- end }} - {{- end }} - {{- end }} - {{- if eq (include "rbacTeamsConfig" .) "true" }} + {{- if eq (include "rbacTeamsConfigEnabled" .) "true" }} - name: kubecost-rbac-teams-config configMap: name: kubecost-rbac-teams-config @@ -704,7 +699,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} - name: kubecost-rbac-secret mountPath: /var/configs/kubecost-rbac-secret {{- end }} 
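Review bot: After this hunk the `kubecost-rbac-secret` and `kubecost-rbac-teams-config` volume stanzas are identical in aggregator-statefulset.yaml and in the cost-analyzer-deployment-template.yaml hunk at @@ -270,14 +265,14 @@, gated on the same two helpers, while the matching volumeMounts and env entries already live in a shared block in _helpers.tpl. A named template for the two volumes, included with `nindent` from both manifests, would spare the next change from being applied twice, as this commit had to do. Both hunks also move the `{{- end }}` pair that closes the `{{- if .Values.oidc }}` nesting ahead of the new block; the tag count balances on inspection, but the enclosing `{{- if }}` chain starts outside the hunk, so a `helm template` render of both manifests is the real check.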
@@ -751,8 +746,8 @@ spec: value: {{ .Values.assetReportConfigmapName }} {{- end }} {{- if .Values.cloudCostReportConfigmapName }} - - name: CLOUD_COST_REPORT_CONFIGMAP_NAME - value: {{ .Values.cloudCostReportConfigmapName }} + - name: CLOUD_COST_REPORT_CONFIGMAP_NAME + value: {{ .Values.cloudCostReportConfigmapName }} {{- end }} {{- if .Values.savedReportConfigmapName }} - name: SAVED_REPORT_CONFIGMAP_NAME @@ -982,10 +977,6 @@ spec: value: "true" - name: OIDC_SKIP_ONLINE_VALIDATION value: {{ (quote .Values.oidc.skipOnlineTokenValidation) | default (quote false) }} - {{- if .Values.oidc.rbac.teamsEnabled }} - - name: OIDC_RBAC_TEAMS_ENABLED - value: "true" - {{- end }} {{- end }} {{- if .Values.saml }} {{- if .Values.saml.enabled }} @@ -1023,10 +1014,16 @@ spec: - name: SAML_RESPONSE_ENCRYPTED value: "true" {{- end}} - {{- if .Values.saml.rbac.teamsEnabled }} - - name: SAML_RBAC_TEAMS_ENABLED + {{- end }} + {{- end }} + {{- if eq (include "rbacTeamsEnabled" .) "true" }} + {{- if .Values.oidc.enabled }} + - name: OIDC_RBAC_TEAMS_ENABLED value: "true" {{- end }} + {{- if .Values.saml.enabled }} + - name: SAML_RBAC_TEAMS_ENABLED + value: "true" {{- end }} {{- end }} {{- if and (.Values.prometheus.server.global.external_labels.cluster_id) (not .Values.prometheus.server.clusterIDConfigmap) }} diff --git a/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml b/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml index 9390da726..fc19c3e93 100755 --- a/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml +++ b/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml 
@@ -1531,7 +1531,7 @@ data: return 200 '\n { "ssoConfigured": "{{ template "ssoEnabled" . }}", - "rbacTeamsEnabled": "{{ template "rbacTeamsEnabled" . }}", + "rbacTeamsEnabled": "{{ template "rbacTeamsLegacyEnabled" . }}", "dataBackupConfigured": "{{ template "dataBackupConfigured" . }}", "costEventsAuditEnabled": "{{ template "costEventsAuditEnabled" . }}", "frontendDeployMethod": "{{ template "frontend.deployMethod" . }}", diff --git a/cost-analyzer/templates/kubecost-rbac-secret-template.yaml b/cost-analyzer/templates/kubecost-rbac-secret-template.yaml index a19ff318f..4f2116035 100644 --- a/cost-analyzer/templates/kubecost-rbac-secret-template.yaml +++ b/cost-analyzer/templates/kubecost-rbac-secret-template.yaml @@ -1,6 +1,4 @@ -{{- if or .Values.oidc.enabled .Values.saml.enabled }} -{{- if and (not .Values.oidc.rbac.enabled) (not .Values.saml.rbac.enabled) }} -{{- if or .Values.oidc.rbac.teamsEnabled .Values.saml.rbac.teamsEnabled }} +{{- if eq (include "rbacTeamsEnabled" .) "true" }} apiVersion: v1 kind: Secret type: Opaque @@ -18,5 +16,3 @@ stringData: {{ .Values.saml.authSecret | default (randAlphaNum 32 | quote) }} {{- end }} {{- end }} -{{- end }} -{{- end }} diff --git a/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml b/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml index df1931a4a..1a8922c3a 100644 --- a/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml +++ b/cost-analyzer/templates/kubecost-rbac-teams-configmap-template.yaml @@ -1,4 +1,4 @@ -{{- if eq (include "rbacTeamsConfig" .) "true" }} +{{- if eq (include "rbacTeamsConfigEnabled" .) "true" }} apiVersion: v1 kind: ConfigMap metadata: @@ -7,5 +7,5 @@ metadata: labels: {{- include "cost-analyzer.commonLabels" . | nindent 4 }} data: - rbac-teams-configs.json: '{{ toJson .Values.rbac.teamsConfig }}' + rbac-teams-configs.json: '{{ toJson .Values.rbacTeams.teamsConfig }}' {{- end }} \ No newline at end of file
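Review bot: The frontend config now emits `"rbacTeamsEnabled": "{{ template "rbacTeamsLegacyEnabled" . }}"`, so the JSON key keeps its old name while the helper that is now called `rbacTeamsEnabled` reports the new `rbacTeams.enabled` mechanism; the two conditions are mutually exclusive (one requires legacy RBAC on, the other off), and a reader of either file will assume the key and the same-named helper agree. If the UI is meant to keep seeing the legacy flag, a template comment on that line such as `{{/* legacy Teams-UI flag; rbacTeams.* is not reported here */}}` stops the next maintainer from "fixing" it; if the UI should also learn about the new mechanism, a second key is needed. I cannot tell from the hunk which is intended.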