stashed · tamalsaha · May 7, 2019 · Apr 29, 2019 · May 3, 2019 · May 6, 2019
diff --git a/chart/stash/templates/apiregistration.yaml b/chart/stash/templates/apiregistration.yaml
@@ -66,7 +66,6 @@ data:
   tls.key: {{ b64enc $cert.Key }}
 ---
 {{- end }}
-{{ if .Values.rbac.create }}
 # to read the config for terminating authentication
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -99,4 +98,3 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "stash.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{ end }}
diff --git a/chart/stash/templates/cluster-role-binding.yaml b/chart/stash/templates/cluster-role-binding.yaml
@@ -1,4 +1,3 @@
-{{ if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -13,4 +12,3 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "stash.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{ end }}
diff --git a/chart/stash/templates/cluster-role.yaml b/chart/stash/templates/cluster-role.yaml
@@ -1,4 +1,3 @@
-{{ if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -86,4 +85,3 @@ rules:
   - roles
   - rolebindings
   verbs: ["get", "create", "delete", "patch"]
-{{ end }}
diff --git a/chart/stash/templates/deployment.yaml b/chart/stash/templates/deployment.yaml
@@ -44,7 +44,6 @@ spec:
         args:
         - run
         - --v={{ .Values.logLevel }}
-        - --rbac={{ .Values.rbac.create }}
         - --docker-registry={{ .Values.operator.registry }}
         - --secure-port=8443
         - --audit-log-path=-

diff --git a/chart/stash/templates/user-roles.yaml b/chart/stash/templates/user-roles.yaml
@@ -1,4 +1,3 @@
-{{ if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -45,4 +44,3 @@ rules:
   resources:
   - snapshots
   verbs: ["get", "list"]
-{{ end }}
diff --git a/chart/stash/values.yaml b/chart/stash/values.yaml
@@ -53,11 +53,6 @@ tolerations: {}
 ##
 affinity: {}
 
-## Install Default RBAC roles and bindings
-rbac:
-  # Specifies whether RBAC resources should be created
-  create: true
-
 serviceAccount:
   # Specifies whether a ServiceAccount should be created
   create: true

diff --git a/hack/deploy/operator.yaml b/hack/deploy/operator.yaml
@@ -26,7 +26,6 @@ spec:
         args:
         - run
         - --v=3
-        - --rbac=${STASH_ENABLE_RBAC}
         - --docker-registry=${STASH_DOCKER_REGISTRY}
         - --secure-port=8443
         - --audit-log-path=-

diff --git a/hack/deploy/stash.sh b/hack/deploy/stash.sh
@@ -108,7 +108,6 @@ onessl_found || {
 export STASH_NAMESPACE=kube-system
 export STASH_SERVICE_ACCOUNT=stash-operator
 export STASH_SERVICE_NAME=stash-operator
-export STASH_ENABLE_RBAC=true
 export STASH_RUN_ON_MASTER=0
 export STASH_ENABLE_VALIDATING_WEBHOOK=false
 export STASH_ENABLE_MUTATING_WEBHOOK=false
@@ -160,7 +159,6 @@ show_help() {
   echo "options:"
   echo "-h, --help                             show brief help"
   echo "-n, --namespace=NAMESPACE              specify namespace (default: kube-system)"
-  echo "    --rbac                             create RBAC roles and bindings (default: true)"
   echo "    --docker-registry                  docker registry used to pull stash images (default: appscode)"
   echo "    --image-pull-secret                name of secret used to pull stash operator images"
   echo "    --run-on-master                    run stash operator on master"
@@ -254,14 +252,6 @@ while test $# -gt 0; do
       fi
       shift
       ;;
-    --rbac*)
-      val=$(echo $1 | sed -e 's/^[^=]*=//g')
-      if [ "$val" = "false" ]; then
-        export STASH_SERVICE_ACCOUNT=default
-        export STASH_ENABLE_RBAC=false
-      fi
-      shift
-      ;;
     --run-on-master)
       export STASH_RUN_ON_MASTER=1
       shift
@@ -429,11 +419,9 @@ export TLS_SERVING_KEY=$(cat server.key | $ONESSL base64)
 
 ${SCRIPT_LOCATION}hack/deploy/operator.yaml | $ONESSL envsubst | kubectl apply -f -
 
-if [ "$STASH_ENABLE_RBAC" = true ]; then
-  ${SCRIPT_LOCATION}hack/deploy/service-account.yaml | $ONESSL envsubst | kubectl apply -f -
-  ${SCRIPT_LOCATION}hack/deploy/rbac-list.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
-  ${SCRIPT_LOCATION}hack/deploy/user-roles.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
-fi
+${SCRIPT_LOCATION}hack/deploy/service-account.yaml | $ONESSL envsubst | kubectl apply -f -
+${SCRIPT_LOCATION}hack/deploy/rbac-list.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
+${SCRIPT_LOCATION}hack/deploy/user-roles.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
 
 if [ "$STASH_RUN_ON_MASTER" -eq 1 ]; then
   kubectl patch deploy stash-operator -n $STASH_NAMESPACE \

diff --git a/hack/dev/run.sh b/hack/dev/run.sh
@@ -125,7 +125,6 @@ if [ "$STASH_E2E_TEST" = false ]; then # don't run operator while run this scrip
     --authentication-skip-lookup \
     --docker-registry="$STASH_DOCKER_REGISTRY" \
     --image-tag="$STASH_IMAGE_TAG" \
-    --rbac=true \
     --enable-status-subresource=true \
     --v=5
 fi

diff --git a/pkg/backup/backup.go b/pkg/backup/backup.go
@@ -155,9 +155,8 @@ func (c *Controller) Backup() error {
 		return err
 	}
 	if errors.IsNotFound(err) {
-		if c.opt.EnableRBAC {
-			job.Spec.Template.Spec.ServiceAccountName = job.Name
-		}
+		job.Spec.Template.Spec.ServiceAccountName = job.Name
+
 		if job, err = c.k8sClient.BatchV1().Jobs(restic.Namespace).Create(job); err != nil {
 			err = fmt.Errorf("failed to get check job, reason: %s", err)
 			ref, rerr := reference.GetReference(scheme.Scheme, repository)
@@ -177,14 +176,12 @@ func (c *Controller) Backup() error {
 		}
 
 		// create service-account and role-binding
-		if c.opt.EnableRBAC {
-			ref, err := reference.GetReference(scheme.Scheme, job)
-			if err != nil {
-				return err
-			}
-			if err = c.ensureCheckRBAC(ref); err != nil {
-				return fmt.Errorf("error ensuring rbac for check job %s, reason: %s", job.Name, err)
-			}
+		ref, err := reference.GetReference(scheme.Scheme, job)
+		if err != nil {
+			return err
+		}
+		if err = c.ensureCheckRBAC(ref); err != nil {
+			return fmt.Errorf("error ensuring rbac for check job %s, reason: %s", job.Name, err)
 		}
 
 		log.Infoln("Created check job:", job.Name)

diff --git a/pkg/cmds/backup.go b/pkg/cmds/backup.go
@@ -34,6 +34,7 @@ func NewCmdBackup() *cobra.Command {
 			ResyncPeriod:   5 * time.Minute,
 			MaxNumRequeues: 5,
 			NumThreads:     1,
+			EnableRBAC:     true,
 		}
 	)
 

diff --git a/pkg/cmds/run_backup.go b/pkg/cmds/run_backup.go
@@ -28,6 +28,7 @@ func NewCmdRunBackup() *cobra.Command {
 			ScratchDir:  restic.DefaultScratchDir,
 			EnableCache: true,
 		},
+		EnableRBAC: true,
 	}
 
 	cmd := &cobra.Command{

diff --git a/pkg/cmds/server/options.go b/pkg/cmds/server/options.go
@@ -43,6 +43,7 @@ func NewExtraOptions() *ExtraOptions {
 		QPS:            100,
 		Burst:          100,
 		ResyncPeriod:   10 * time.Minute,
+		EnableRBAC:     true,
 	}
 }
 

diff --git a/pkg/controller/backup_configuration.go b/pkg/controller/backup_configuration.go
@@ -205,34 +205,33 @@ func (c *StashController) EnsureCronJob(backupConfiguration *api_v1beta1.BackupC
 	// if RBAC is enabled then ensure respective ClusterRole,RoleBinding,ServiceAccount etc.
 	serviceAccountName := "default"
 
-	if c.EnableRBAC {
-		if backupConfiguration.Spec.RuntimeSettings.Pod != nil &&
-			backupConfiguration.Spec.RuntimeSettings.Pod.ServiceAccountName != "" {
-			// ServiceAccount has been specified, so use it.
-			serviceAccountName = backupConfiguration.Spec.RuntimeSettings.Pod.ServiceAccountName
-		} else {
-			// ServiceAccount hasn't been specified. so create new one with same name as BackupConfiguration object.
-			serviceAccountName = meta.Name
+	if backupConfiguration.Spec.RuntimeSettings.Pod != nil &&
+		backupConfiguration.Spec.RuntimeSettings.Pod.ServiceAccountName != "" {
+		// ServiceAccount has been specified, so use it.
+		serviceAccountName = backupConfiguration.Spec.RuntimeSettings.Pod.ServiceAccountName
+	} else {
+		// ServiceAccount hasn't been specified. so create new one with same name as BackupConfiguration object.
+		serviceAccountName = meta.Name
 
-			_, _, err := core_util.CreateOrPatchServiceAccount(c.kubeClient, meta, func(in *core.ServiceAccount) *core.ServiceAccount {
-				core_util.EnsureOwnerReference(&in.ObjectMeta, ref)
-				if in.Labels == nil {
-					in.Labels = map[string]string{}
-				}
-				in.Labels[util.LabelApp] = util.AppLabelStash
-				return in
-			})
-			if err != nil {
-				return err
+		_, _, err := core_util.CreateOrPatchServiceAccount(c.kubeClient, meta, func(in *core.ServiceAccount) *core.ServiceAccount {
+			core_util.EnsureOwnerReference(&in.ObjectMeta, ref)
+			if in.Labels == nil {
+				in.Labels = map[string]string{}
 			}
-		}
-
-		// now ensure RBAC stuff for this CronJob
-		err := c.ensureCronJobRBAC(ref, serviceAccountName)
+			in.Labels[util.LabelApp] = util.AppLabelStash
+			return in
+		})
 		if err != nil {
 			return err
 		}
 	}
+
+	// now ensure RBAC stuff for this CronJob
+	err = c.ensureCronJobRBAC(ref, serviceAccountName)
+	if err != nil {
+		return err
+	}
+
 	_, _, err = batch_util.CreateOrPatchCronJob(c.kubeClient, meta, func(in *batch_v1beta1.CronJob) *batch_v1beta1.CronJob {
 		//set backup-configuration as cron-job owner
 		core_util.EnsureOwnerReference(&in.ObjectMeta, ref)
@@ -255,9 +254,7 @@ func (c *StashController) EnsureCronJob(backupConfiguration *api_v1beta1.BackupC
 				},
 			})
 		in.Spec.JobTemplate.Spec.Template.Spec.RestartPolicy = core.RestartPolicyNever
-		if c.EnableRBAC {
-			in.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName = serviceAccountName
-		}
+		in.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName = serviceAccountName
 		return in
 	})
 

diff --git a/pkg/controller/backup_session.go b/pkg/controller/backup_session.go
@@ -156,35 +156,33 @@ func (c *StashController) ensureBackupJob(backupSession *api_v1beta1.BackupSessi
 	serviceAccountName := "default"
 
 	// if RBAC is enabled then ensure respective RBAC stuffs
-	if c.EnableRBAC {
-		if backupConfig.Spec.RuntimeSettings.Pod != nil && backupConfig.Spec.RuntimeSettings.Pod.ServiceAccountName != "" {
-			serviceAccountName = backupConfig.Spec.RuntimeSettings.Pod.ServiceAccountName
-		} else {
-			// ServiceAccount hasn't been specified. so create new one.
-			serviceAccountName = backupConfig.Name
-			saMeta := metav1.ObjectMeta{
-				Name:      serviceAccountName,
-				Namespace: backupConfig.Namespace,
-			}
-			_, _, err := core_util.CreateOrPatchServiceAccount(c.kubeClient, saMeta, func(in *core.ServiceAccount) *core.ServiceAccount {
-				core_util.EnsureOwnerReference(&in.ObjectMeta, backupConfigRef)
-				if in.Labels == nil {
-					in.Labels = map[string]string{}
-				}
-				in.Labels[util.LabelApp] = util.AppLabelStash
-				return in
-			})
-			if err != nil {
-				return err
-			}
+	if backupConfig.Spec.RuntimeSettings.Pod != nil && backupConfig.Spec.RuntimeSettings.Pod.ServiceAccountName != "" {
+		serviceAccountName = backupConfig.Spec.RuntimeSettings.Pod.ServiceAccountName
+	} else {
+		// ServiceAccount hasn't been specified. so create new one.
+		serviceAccountName = backupConfig.Name
+		saMeta := metav1.ObjectMeta{
+			Name:      serviceAccountName,
+			Namespace: backupConfig.Namespace,
 		}
-
-		err := c.ensureBackupJobRBAC(backupConfigRef, serviceAccountName)
+		_, _, err := core_util.CreateOrPatchServiceAccount(c.kubeClient, saMeta, func(in *core.ServiceAccount) *core.ServiceAccount {
+			core_util.EnsureOwnerReference(&in.ObjectMeta, backupConfigRef)
+			if in.Labels == nil {
+				in.Labels = map[string]string{}
+			}
+			in.Labels[util.LabelApp] = util.AppLabelStash
+			return in
+		})
 		if err != nil {
 			return err
 		}
 	}
 
+	err = c.ensureBackupJobRBAC(backupConfigRef, serviceAccountName)
+	if err != nil {
+		return err
+	}
+
 	// get repository for backupConfig
 	repository, err := c.stashClient.StashV1alpha1().Repositories(backupConfig.Namespace).Get(
 		backupConfig.Spec.Repository.Name,

diff --git a/pkg/controller/config.go b/pkg/controller/config.go
@@ -94,10 +94,8 @@ func (c *Config) New() (*StashController, error) {
 		}
 	}
 
-	if ctrl.EnableRBAC {
-		if err := ctrl.ensureSidecarClusterRole(); err != nil {
-			return nil, err
-		}
+	if err := ctrl.ensureSidecarClusterRole(); err != nil {
+		return nil, err
 	}
 
 	ctrl.initNamespaceWatcher()

diff --git a/pkg/controller/init_container.go b/pkg/controller/init_container.go
@@ -19,20 +19,18 @@ import (
 
 func (c *StashController) ensureRestoreInitContainer(w *wapi.Workload, rs *api_v1beta1.RestoreSession) error {
 	// if RBAC is enabled then ensure ServiceAccount and respective ClusterRole and RoleBinding
-	if c.EnableRBAC {
-		sa := stringz.Val(w.Spec.Template.Spec.ServiceAccountName, "default")
-		ref, err := reference.GetReference(scheme.Scheme, w)
-		if err != nil {
-			ref = &core.ObjectReference{
-				Name:      w.Name,
-				Namespace: w.Namespace,
-			}
-		}
-		err = c.ensureRestoreInitContainerRBAC(ref, sa)
-		if err != nil {
-			return err
+	sa := stringz.Val(w.Spec.Template.Spec.ServiceAccountName, "default")
+	ref, err := reference.GetReference(scheme.Scheme, w)
+	if err != nil {
+		ref = &core.ObjectReference{
+			Name:      w.Name,
+			Namespace: w.Namespace,
 		}
 	}
+	err = c.ensureRestoreInitContainerRBAC(ref, sa)
+	if err != nil {
+		return err
+	}
 
 	repository, err := c.stashClient.StashV1alpha1().Repositories(rs.Namespace).Get(rs.Spec.Repository.Name, metav1.GetOptions{})
 	if err != nil {

diff --git a/pkg/controller/jobs.go b/pkg/controller/jobs.go
@@ -63,12 +63,11 @@ func (c *StashController) runJobInjector(key string) error {
 
 			glog.Infof("Deleted stash job: %s", job.GetName())
 
-			if c.EnableRBAC {
-				err = c.ensureRepoReaderRolebindingDeleted(&job.ObjectMeta)
-				if err != nil {
-					return fmt.Errorf("failed to delete repo-reader rolebinding. reason: %s", err)
-				}
+			err = c.ensureRepoReaderRolebindingDeleted(&job.ObjectMeta)
+			if err != nil {
+				return fmt.Errorf("failed to delete repo-reader rolebinding. reason: %s", err)
 			}
+
 		}
 	}
 	return nil

diff --git a/pkg/controller/rbac_sidecar.go b/pkg/controller/rbac_sidecar.go
@@ -134,21 +134,19 @@ func (c *StashController) ensureSidecarRoleBindingDeleted(w *wapi.Workload) erro
 }
 
 func (c *StashController) ensureUnnecessaryWorkloadRBACDeleted(w *wapi.Workload) error {
-	if c.EnableRBAC {
-		// delete backup sidecar RoleBinding if workload does not have stash sidecar
-		if !hasStashSidecar(w.Spec.Template.Spec.Containers) {
-			err := c.ensureSidecarRoleBindingDeleted(w)
-			if err != nil && !kerr.IsNotFound(err) {
-				return err
-			}
+	// delete backup sidecar RoleBinding if workload does not have stash sidecar
+	if !hasStashSidecar(w.Spec.Template.Spec.Containers) {
+		err := c.ensureSidecarRoleBindingDeleted(w)
+		if err != nil && !kerr.IsNotFound(err) {
+			return err
 		}
+	}
 
-		// delete restore init-container RoleBinding if workload does not have sash init-container
-		if !hasStashInitContainer(w.Spec.Template.Spec.InitContainers) {
-			err := c.ensureRestoreInitContainerRoleBindingDeleted(w)
-			if err != nil && !kerr.IsNotFound(err) {
-				return err
-			}
+	// delete restore init-container RoleBinding if workload does not have sash init-container
+	if !hasStashInitContainer(w.Spec.Template.Spec.InitContainers) {
+		err := c.ensureRestoreInitContainerRoleBindingDeleted(w)
+		if err != nil && !kerr.IsNotFound(err) {
+			return err
 		}
 	}