diff --git a/README.md b/README.md
index 64d5fb5..d25d405 100644
--- a/README.md
+++ b/README.md
@@ -81,17 +81,3 @@ spec:
 ```
-
-### Configuring Service Authentication and Authorization
-
-The [Unikorn Identity Service](https://github.com/unikorn-cloud/identity) describes how to configure a service organization, groups and role mappings for services that require them.
-
-This service requires asynchronous access to the Unikorn Region API in order to poll cloud identity and physical network status during cluster creation, and delete those resources on cluster deletion.
-
-This service defines the `unikorn-compute` user that will need to be added to a group in the service organization.
-It will need the built in role `infra-manager-service` that allows:
-
-* Read access to the `region` endpoints to access external networks
-* Read/delete access to the `identites` endpoints to poll and delete cloud identities
-* Read/delete access to the `physicalnetworks` endpoints to poll and delete physical networks
-* Create/Read/Delete access to the `servers` endpoints to manage compute instances
diff --git a/charts/compute/templates/certificate.yaml b/charts/compute/templates/certificate.yaml
deleted file mode 100644
index fb23505..0000000
--- a/charts/compute/templates/certificate.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: {{ .Release.Name }}-client
- labels:
- {{- include "unikorn.labels" . | nindent 4 }}
-spec:
- issuerRef:
- group: cert-manager.io
- kind: ClusterIssuer
- name: unikorn-client-issuer
- privateKey:
- algorithm: RSA
- encoding: PKCS8
- size: 4096
- secretName: {{ include "unikorn.mtls.certificate-name" . }}
- commonName: unikorn-compute
diff --git a/charts/compute/templates/rbac.yaml b/charts/compute/templates/rbac.yaml
new file mode 100644
index 0000000..adf0a2b
--- /dev/null
+++ b/charts/compute/templates/rbac.yaml
@@ -0,0 +1,67 @@
+{{- $systemAccountName := "unikorn-compute" -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Release.Name }}-client
+ labels:
+ {{- include "unikorn.labels" . | nindent 4 }}
+spec:
+ issuerRef:
+ group: cert-manager.io
+ kind: ClusterIssuer
+ name: unikorn-client-issuer
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS8
+ size: 4096
+ secretName: {{ include "unikorn.mtls.certificate-name" . }}
+ commonName: {{ $systemAccountName }}
+---
+apiVersion: identity.unikorn-cloud.org/v1alpha1
+kind: Role
+metadata:
+ name: {{ include "resource.id" $systemAccountName }}
+ labels:
+ {{- include "unikorn.labels" $ | nindent 4 }}
+ unikorn-cloud.org/name: {{ $systemAccountName }}
+ annotations:
+ unikorn-cloud.org/description: Unikorn Kubernetes service.
+spec:
+ protected: true
+ scopes:
+ global:
+ # For quota management.
+ - name: "identity:allocations"
+ operations: [create,read,update,delete]
+ # To create a cloud identity to provision hardware.
+ - name: "region:identities"
+ operations: [create,read,delete]
+ # To present compatible regions.
+ - name: "region:regions"
+ operations: [read]
+ # To present compatible flavors.
+ - name: "region:flavors"
+ operations: [read]
+ # To present compatible images.
+ - name: "region:images"
+ operations: [read]
+ # To create VLAN provider networks for baremetal clusters.
+ - name: "region:networks"
+ operations: [create,read,delete]
+ # To create servers.
+ - name: "region:servers"
+ operations: [create,read,update,delete]
+ # To create securtiy groups.
+ - name: "region:securitygroups"
+ operations: [create,read,update,delete]
+---
+apiVersion: identity.unikorn-cloud.org/v1alpha1
+kind: SystemAccount
+metadata:
+ name: {{ $systemAccountName }}
+ labels:
+ {{- include "unikorn.labels" $ | nindent 4 }}
+spec:
+ role:
+ name: {{ include "resource.id" $systemAccountName }}
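Review bot: The Role's description annotation reads `Unikorn Kubernetes service.` although this chart provisions the `unikorn-compute` account, which looks like a copy-paste from a sibling chart and should be `unikorn-cloud.org/description: Unikorn Compute service.` (the scope comment `# To create securtiy groups.` also has a typo). The global scopes are wider than the permissions the deleted README section documented for this service — `create` on `region:identities` and `region:networks`, `update` on `region:servers`, and full CRUD on `identity:allocations` and `region:securitygroups` — so if each write verb is genuinely exercised by the controller the per-scope comments should name the code path that needs it, otherwise the verbs should be trimmed to keep this protected, organization-wide grant least-privilege. With the README section gone, the Certificate's `commonName` is now the only visible link between the mTLS client identity and the `SystemAccount`; that is presumably what the identity service relies on to authenticate this account, so the `commonName` line deserves a comment such as `# Must match the SystemAccount name: the identity service maps the client certificate CN to the system account.`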