From 260a271859e525cad9293ee11f197d01dc795b1a Mon Sep 17 00:00:00 2001
From: Ryan Richard <richardry@vmware.com>
Date: Fri, 17 Jul 2020 14:42:02 -0700
Subject: [PATCH] Add RBAC for autoregistration

- Also fix mistakes in the deployment.yaml
- Also hardcode the ownerRef kind and version because otherwise we get an error

Signed-off-by: Monis Khan <mok@vmware.com>
---
 deploy/deployment.yaml                        | 45 +++++++++-------
 deploy/rbac.yaml                              | 51 +++++++++++++++++++
 internal/autoregistration/autoregistration.go |  4 +-
 3 files changed, 79 insertions(+), 21 deletions(-)
 create mode 100644 deploy/rbac.yaml

diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index 4a0e087f..71713551 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -9,6 +9,12 @@ metadata:
     name: #@ data.values.namespace
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: #@ data.values.app_name + "-service-account"
+  namespace: #@ data.values.namespace
+---
+apiVersion: v1
 kind: ConfigMap
 metadata:
   name: #@ data.values.app_name + "-config"
@@ -39,6 +45,7 @@ spec:
       labels:
         app: #@ data.values.app_name
     spec:
+      serviceAccountName: #@ data.values.app_name + "-service-account"
       containers:
         - name: placeholder-name
           #@ if data.values.image_digest:
@@ -48,25 +55,25 @@ spec:
           #@ end
           imagePullPolicy: IfNotPresent
           command:
-          - ./app
-          - --config=/etc/config/placeholder-config.yaml
-          - --downward-api-path=/etc/podinfo
+            - ./app
+          args:
+            - --config=/etc/config/placeholder-config.yaml
+            - --downward-api-path=/etc/podinfo
           volumeMounts:
-          - name: config-volume
-            mountPath: /etc/config
+            - name: config-volume
+              mountPath: /etc/config
+            - name: podinfo
+              mountPath: /etc/podinfo
       volumes:
-      - name: config-volume
-        configMap:
-          name: #@ data.values.app_name + "-config"
+        - name: config-volume
+          configMap:
+            name: #@ data.values.app_name + "-config"
         - name: podinfo
-          mountPath: /etc/podinfo
-  volumes:
-    - name: podinfo
-      downwardAPI:
-        items:
-          - path: "labels"
-            fieldRef:
-              fieldPath: metadata.labels
-          - path: "namespace"
-            fieldRef:
-              fieldPath: metadata.namespace
+          downwardAPI:
+            items:
+              - path: "labels"
+                fieldRef:
+                  fieldPath: metadata.labels
+              - path: "namespace"
+                fieldRef:
+                  fieldPath: metadata.namespace
diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
new file mode 100644
index 00000000..dda81a1b
--- /dev/null
+++ b/deploy/rbac.yaml
@@ -0,0 +1,51 @@
+#@ load("@ytt:data", "data")
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
+rules:
+  - apiGroups: [""]
+    resources: [namespaces]
+    verbs: [get, list, watch]
+  - apiGroups: [apiregistration.k8s.io]
+    resources: [apiservices]
+    verbs: [create, get, list, patch, update, watch]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ data.values.app_name + "-aggregated-api-server-cluster-role-binding"
+subjects:
+  - kind: ServiceAccount
+    name: #@ data.values.app_name + "-service-account"
+    namespace: #@ data.values.namespace
+roleRef:
+  kind: ClusterRole
+  name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: #@ data.values.app_name + "-aggregated-api-server-role"
+  namespace: #@ data.values.namespace
+rules:
+  - apiGroups: [""]
+    resources: [services]
+    verbs: [create, get, list, patch, update, watch]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ data.values.app_name + "-aggregated-api-server-role-binding"
+  namespace: #@ data.values.namespace
+subjects:
+  - kind: ServiceAccount
+    name: #@ data.values.app_name + "-service-account"
+    namespace: #@ data.values.namespace
+roleRef:
+  kind: Role
+  name: #@ data.values.app_name + "-aggregated-api-server-role"
+  apiGroup: rbac.authorization.k8s.io
diff --git a/internal/autoregistration/autoregistration.go b/internal/autoregistration/autoregistration.go
index e5098e50..a7a36f03 100644
--- a/internal/autoregistration/autoregistration.go
+++ b/internal/autoregistration/autoregistration.go
@@ -64,8 +64,8 @@ func Setup(ctx context.Context, options SetupOptions) error {
 		Port:      &svc.Spec.Ports[0].Port,
 	}
 	apiSvc.ObjectMeta.OwnerReferences = []metav1.OwnerReference{{
-		APIVersion: ns.APIVersion,
-		Kind:       ns.Kind,
+		APIVersion: "v1",        // TODO why did we need to hardcode this to avoid errors? was ns.APIVersion
+		Kind:       "Namespace", // TODO why did we need to hardcode this to avoid errors? was ns.Kind
 		UID:        ns.UID,
 		Name:       ns.Name,
 	}}