Merge pull request #132 from FyraLabs/main

Update RBAC

Author: korewaChino

Cargo.lock

@@ -1,11 +1,11 @@
 [package]
 name = "chisel-operator"
-version = "0.4.0"
+version = "0.4.1"
 edition = "2021"
 description = "Chisel tunnel operator for Kubernetes"
 authors = [
     "Pornpipat 'Cappy Ishihara' Popum <cappy@fyralabs.com>",
-    "Lleyton Grey <lleyton@fyralabs.com>"
+    "Lleyton Grey <lleyton@fyralabs.com>",
 ]
 categories = ["Network programming", "Configuration"]
 license = "MIT"
@@ -25,7 +25,13 @@ default-run = "chisel-operator"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-kube = { version = "0.82.2", features = ["runtime", "derive", "rustls-tls", "jsonpatch", "client",], default-features = false }
+kube = { version = "0.82.2", features = [
+    "runtime",
+    "derive",
+    "rustls-tls",
+    "jsonpatch",
+    "client",
+], default-features = false }
 k8s-openapi = { version = "0.18.0", features = ["v1_26"] }
 serde = { version = "1.0.204", features = ["derive"] }
 serde_json = "1"
@@ -41,18 +47,38 @@ thiserror = "1.0"
 tracing-subscriber = { version = "0.3", features = ["json", "env-filter"] }
 tracing-logfmt = "0.3.4"
 uuid = "1.9"
-digitalocean-rs = { version = "0.1.9", default-features = false, features = ["default-rustls"] }
+digitalocean-rs = { version = "0.1.9", default-features = false, features = [
+    "default-rustls",
+] }
 rand = { version = "0.8.5", features = ["log", "serde"] }
 async-trait = "0.1.80"
 names = "0.14.0"
-linode-rs = { version = "0.1.3", default-features = false, features = ["default-rustls"] }
+linode-rs = { version = "0.1.3", default-features = false, features = [
+    "default-rustls",
+] }
 base64 = "0.22.0"
 trait_enum = "0.5.0"
-aws-config = { version = "1.1.1", default-features = false, features = ["rt-tokio", "behavior-version-latest"] }
-aws-sdk-ec2 = { version = "1.13.0", default-features = false, features = ["rt-tokio", "behavior-version-latest"] }
-aws-sdk-ssm = { version = "1.7.0", default-features = false, features = ["rt-tokio", "behavior-version-latest"] }
-aws-smithy-runtime = { version = "1.1.1", default-features = false, features = ["client", "connector-hyper-0-14-x"] }
-hyper-rustls = { version = "0.24.2", features = ["http2", "webpki-roots", "webpki-tokio"] }
+aws-config = { version = "1.1.1", default-features = false, features = [
+    "rt-tokio",
+    "behavior-version-latest",
+] }
+aws-sdk-ec2 = { version = "1.13.0", default-features = false, features = [
+    "rt-tokio",
+    "behavior-version-latest",
+] }
+aws-sdk-ssm = { version = "1.7.0", default-features = false, features = [
+    "rt-tokio",
+    "behavior-version-latest",
+] }
+aws-smithy-runtime = { version = "1.1.1", default-features = false, features = [
+    "client",
+    "connector-hyper-0-14-x",
+] }
+hyper-rustls = { version = "0.24.2", features = [
+    "http2",
+    "webpki-roots",
+    "webpki-tokio",
+] }
 itertools = "0.12.1"
 # opentelemetry = { version = "0.18.0", features = ["trace", "rt-tokio"] }
 # opentelemetry-otlp = { version = "0.11.0", features = ["tokio"] }

Cargo.toml

@@ -21,4 +21,5 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.4.0"
+appVersion: "v0.4.1"
+

charts/chisel-operator/Chart.yaml

@@ -21,9 +21,18 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 rules:
-  - apiGroups: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "deployments/*"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["services", "services/status", "services/finalizers"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["chisel-operator.io"]
     resources: ["*"]
     verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

charts/chisel-operator/templates/serviceaccount.yaml

@@ -3,6 +3,15 @@ kind: ClusterRole
 metadata:
   name: chisel-operator
 rules:
-  - apiGroups: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "deployments/*"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["services", "services/status", "services/finalizers"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["chisel-operator.io"]
     resources: ["*"]
     verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]

deploy/clusterrole.yaml

@@ -19,7 +19,7 @@ spec:
       automountServiceAccountToken: true
       containers:
         - name: chisel-operator
-          image: ghcr.io/fyralabs/chisel-operator:v0.3.4
+          image: ghcr.io/fyralabs/chisel-operator:v0.4.1
           env:
             - name: RUST_LOG
               value: "debug"