updated rbac approach

src/lib/assets/deploy.ts

@@ -9,7 +9,7 @@ import { Assets } from ".";
 import Log from "../logger";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
 import { deployment, moduleSecret, namespace, watcher } from "./pods";
-import { getClusterRole, getClusterRoleBinding, getServiceAccount, getStoreRole, getStoreRoleBinding } from "./rbac";
+import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { peprStoreCRD } from "./store";
 import { webhookConfig } from "./webhooks";
 import { CapabilityExport, ImagePullSecret } from "../types";
@@ -91,23 +91,23 @@ export async function deploy(assets: Assets, force: boolean, webhookTimeout?: nu
 
 async function setupRBAC(name: string, capabilities: CapabilityExport[], force: boolean) {
   Log.info("Applying cluster role binding");
-  const crb = getClusterRoleBinding(name);
+  const crb = clusterRoleBinding(name);
   await K8s(kind.ClusterRoleBinding).Apply(crb, { force });
 
   Log.info("Applying cluster role");
-  const cr = getClusterRole(name, capabilities);
+  const cr = clusterRole(name, capabilities);
   await K8s(kind.ClusterRole).Apply(cr, { force });
 
   Log.info("Applying service account");
-  const sa = getServiceAccount(name);
+  const sa = serviceAccount(name);
   await K8s(kind.ServiceAccount).Apply(sa, { force });
 
   Log.info("Applying store role");
-  const role = getStoreRole(name);
+  const role = storeRole(name);
   await K8s(kind.Role).Apply(role, { force });
 
   Log.info("Applying store role binding");
-  const roleBinding = getStoreRoleBinding(name);
+  const roleBinding = storeRoleBinding(name);
   await K8s(kind.RoleBinding).Apply(roleBinding, { force });
 }
 

src/lib/assets/helm.test.ts

@@ -62,63 +62,3 @@ describe("Kubernetes Template Generators", () => {
     });
   });
 });
-
-describe("Helm Templates", () => {
-  describe("Namespace Template", () => {
-    test("should generate namespace template correctly", () => {
-      const result = nsTemplate();
-      expect(result).toContain("kind: Namespace");
-      expect(result).toContain("name: pepr-system");
-    });
-  });
-
-  describe("Chart YAML", () => {
-    test("should generate Chart.yaml correctly", () => {
-      const name = "test-chart";
-      const description = "Test Description";
-      const result = chartYaml(name, description);
-      expect(result).toContain(`name: ${name}`);
-      expect(result).toContain(`description: ${description}`);
-      expect(result).toContain("type: application");
-      expect(result).toContain("version: 0.1.0");
-      expect(result).toContain('appVersion: "1.16.0"');
-    });
-
-    test("should handle missing description in Chart.yaml", () => {
-      const name = "test-chart";
-      const result = chartYaml(name);
-      expect(result).toContain(`name: ${name}`);
-      expect(result).toContain("description:");
-    });
-  });
-
-  describe("Watcher Deployment Template", () => {
-    test("should generate watcher deployment template correctly", () => {
-      const buildTimestamp = "2024-01-01T00:00:00Z";
-      const result = watcherDeployTemplate(buildTimestamp);
-      expect(result).toContain("kind: Deployment");
-      expect(result).toContain(`buildTimestamp: "${buildTimestamp}"`);
-      expect(result).toContain("serviceAccountName: {{ .Values.uuid }}");
-    });
-  });
-
-  describe("Admission Deployment Template", () => {
-    test("should generate admission deployment template correctly", () => {
-      const buildTimestamp = "2024-01-01T00:00:00Z";
-      const result = admissionDeployTemplate(buildTimestamp);
-      expect(result).toContain("kind: Deployment");
-      expect(result).toContain(`buildTimestamp: "${buildTimestamp}"`);
-      expect(result).toContain("serviceAccountName: {{ .Values.uuid }}");
-    });
-  });
-
-  describe("ServiceMonitor Template", () => {
-    test("should generate service monitor template correctly when enabled", () => {
-      const name = "admission";
-      const result = serviceMonitorTemplate(name);
-      expect(result).toContain(`kind: ServiceMonitor`);
-      expect(result).toContain(`name: ${name}`);
-      expect(result).toContain(`{{- if .Values.${name}.serviceMonitor.enabled }}`);
-    });
-  });
-});

src/lib/assets/helm.ts

@@ -1,6 +1,20 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
+export function clusterRoleTemplate() {
+  return `
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: {{ .Values.uuid }}
+      namespace: pepr-system
+    rules: 
+      {{- if .Values.rbac }}
+      {{- toYaml .Values.rbac | nindent 2 }}
+      {{- end }}
+  `;
+}
+
 export function nsTemplate() {
   return `
     apiVersion: v1
@@ -44,7 +58,7 @@ export function chartYaml(name: string, description?: string) {
     # follow Semantic Versioning. They should reflect the version the application is using.
     # It is recommended to use it with quotes.
     appVersion: "1.16.0"
-  `;
+`;
 }
 
 export function watcherDeployTemplate(buildTimestamp: string) {
@@ -68,7 +82,7 @@ export function watcherDeployTemplate(buildTimestamp: string) {
             pepr.dev/controller: watcher
         template:
           metadata:
-            annotations:
+            annotations: 
               buildTimestamp: "${buildTimestamp}"
               {{- if .Values.watcher.podAnnotations }}
               {{- toYaml .Values.watcher.podAnnotations | nindent 8 }}
@@ -207,7 +221,7 @@ export function admissionDeployTemplate(buildTimestamp: string) {
                   secretName: {{ .Values.uuid }}-api-token
               - name: module
                 secret:
-                  secretName: {{ .Values.uuid }}-module
+                  secretName: {{ .Values.uuid }}-module  
               {{- if .Values.admission.extraVolumes }}
               {{- toYaml .Values.admission.extraVolumes | nindent 8 }}
               {{- end }}