github-personal/cozystack
1
0
Fork 0
mirror of https://github.com/outbackdingo/cozystack.git synced 2026-01-27 18:18:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add helper function to generate subjects

Browse Source 
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
This commit is contained in:
Timofei Larkin
2025-06-16 19:19:57 +03:00
parent 8eabe30548
commit 028f2e4e8d
2 changed files with 87 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
packages/apps/tenant/charts/cozy-lib Symbolic link
View File

@@ -0,0 +1 @@
../../../library/cozy-lib

86
packages/library/cozy-lib/templates/_rbac.tpl Normal file
View File

@@ -0,0 +1,86 @@
{{- define "cozy-lib.rbac.accessLevelMap" }}
view: 0
use: 1
admin: 2
super-admin: 3
{{- end }}
{{- define "cozy-lib.rbac.accessLevelToInt" }}
{{- $accessMap := include "cozy-lib.rbac.accessLevelMap" "" | fromYaml }}
{{- $accessLevel := dig . -1 $accessMap | int }}
{{- if eq $accessLevel -1 }}
{{- printf "encountered access level of %s, allowed values are %s" . ($accessMap | keys) | fail }}
{{- end }}
{{- $accessLevel }}
{{- end }}
{{- define "cozy-lib.rbac.accessLevelsAtOrAbove" }}
{{- $minLevelInt := include "cozy-lib.rbac.accessLevelToInt" . | int }}
{{- range $k, $v := (include "cozy-lib.rbac.accessLevelMap" "" | fromYaml) }}
{{- if ge (int $v) $minLevelInt }}
- {{ $k }}
{{- end }}
{{- end }}
{{- end }}
{{- define "cozy-lib.rbac.allParentTenantsAndThis" }}
{{- if not (hasPrefix "tenant-" .) }}
{{- printf "'%s' is not a valid tenant identifier" . | fail }}
{{- end }}
{{- $parts := append (splitList "-" .) "" }}
{{- $tenants := list }}
{{- range untilStep 2 (len $parts) 1 }}
{{- $tenants = append $tenants (slice $parts 0 . | join "-") }}
{{- end }}
{{- range $tenants }}
- {{ . }}
{{- end }}
{{- end }}
{{- define "cozy-lib.rbac.groupSubject" -}}
- kind: Group
name: {{ . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- /*
A helper function to get a list of groups that should have access, given a
minimal access level and the tenant. Invoked as:
{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" $) }}
For an example input of (list "use" $) and a .Release.Namespace of
tenant-abc-def it will return:
---
- kind: Group
name: tenant-abc-admin
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: tenant-abc-def-admin
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: tenant-abc-super-admin
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: tenant-abc-def-super-admin
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: tenant-abc-use
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: tenant-abc-def-use
apiGroup: rbac.authorization.k8s.io
in other words, all roles including use and higher and for tenant-abc-def, as
well as all parent, grandparent, etc. tenants.
*/}}
{{- define "cozy-lib.rbac.subjectsForTenantAndAccessLevel" }}
{{- include "cozy-lib.checkInput" . }}
{{- $level := index . 0 }}
{{- $global := index . 1 }}
{{- $levels := include "cozy-lib.rbac.accessLevelsAtOrAbove" $level | fromYamlArray }}
{{- $tenants := include "cozy-lib.rbac.allParentTenantsAndThis" $global.Release.Namespace | fromYamlArray }}
{{- range $l := $levels }}
{{- range $t := $tenants }}
{{- include "cozy-lib.rbac.groupSubject" (printf "%s-%s" $t $l) }}{{ printf "\n" }}
{{- end }}
{{- end}}
{{- end }}