docs: Create kubeconfig for pipeline

Signed-off-by: Ross Fairbanks <[email protected]>

README.md

@@ -22,7 +22,7 @@ If you are interested in contributing to the project, head over to the [Contribu
 
 ### Documentation
 
-All changes to the documentation must be added to [website/content/docs](./docs/) folder.
+All changes to the documentation must be added to the [docs](./docs/) folder.
 
 ## Roadmap
 

docs/infrastructure/read-only-kubeconfig.md → docs/infrastructure/cluster-access.md

@@ -10,17 +10,37 @@ weight: 890
 toc: true
 ---
 
-## Read only kubeconfig
+To access the cluster we generate multiple kubeconfigs with different permissions.
+These are stored in the TAG ENV 1Password account.
 
-> Refer: [Link](https://codeforphilly.github.io/chime/operations/limited-kubeconfigs/limited-kubeconfigs.html)
+Currently supported kubeconfigs are
+
+- `pipeline` for our benchmarking pipeline. Added as a GitHub secret to this repo
+- `readonly` for contributors to the project 
+
+## pipeline kubeconfig
+
+- View cluster role + full access to Flux custom resources
 
+## Steps to get the kubeconfig
+
+```bash
+chmod u+x scripts/gen-kubeconfig.sh
+./scripts/gen-kubeconfig.sh pipeline
+```
+
+## readonly kubeconfig
+
+- View cluster role + port forwarding
+
+> Refer: [Link](https://codeforphilly.github.io/chime/operations/limited-kubeconfigs/limited-kubeconfigs.html)
 [create-token](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#create-token)
 
 ## Steps to get the kubeconfig
 
 ```bash
-chmod u+x scripts/gen-readonly-kubeconfig.sh
-./scripts/gen-readonly-kubeconfig.sh
+chmod u+x scripts/gen-kubeconfig.sh
+./scripts/gen-kubeconfig.sh readonly
 ```
 
 ## Test out the kubeconfig
@@ -32,5 +52,3 @@ export KUBECONFIG=${PWD}/green-reviews-cluster-readonly-config
 ```bash
 kubectl get no # it will fail
 ```
-
-> Just get, watch, list for all pods

scripts/gen-kubeconfig.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+  echo "Usage: $0 [pipeline|readonly]"
+  exit 1
+fi
+
+ROLE_TYPE="$1"
+
+kubectl apply -f ${ROLE_TYPE}-kubeconfig-resources.yaml
+
+USER_TOKEN_VALUE=$(kubectl -n kube-system get secret/${ROLE_TYPE}-account-token -o=go-template='{{.data.token}}' | base64 --decode)
+CURRENT_CONTEXT=$(kubectl config current-context)
+CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
+CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
+CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}')
+
+cat << EOF > green-reviews-cluster-${ROLE_TYPE}-config
+apiVersion: v1
+kind: Config
+current-context: ${CURRENT_CONTEXT}
+contexts:
+- name: ${CURRENT_CONTEXT}
+  context:
+    cluster: ${CURRENT_CONTEXT}
+    user: ${ROLE_TYPE}-account
+clusters:
+- name: ${CURRENT_CONTEXT}
+  cluster:
+    certificate-authority-data: ${CLUSTER_CA}
+    server: ${CLUSTER_SERVER}
+users:
+- name: ${ROLE_TYPE}-account
+  user:
+    token: ${USER_TOKEN_VALUE}
+EOF

scripts/pipeline-kubeconfig-resources.yaml

@@ -0,0 +1,54 @@
+---
+#############################################################################
+# Add custom resources for pipeline which are not covered by view clusterrole
+#############################################################################
+#
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: crole-customresources-pipeline
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources:
+      - gitrepositories
+      - helmrepositories
+      - ocirepositories
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources:
+      - helmreleases
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+    resources:
+      - kustomizations
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pipeline-account
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: crolebinding-pod-pipeline
+subjects:
+- kind: ServiceAccount
+  name: pipeline-account
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: view
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: pipeline-account-token
+  namespace: kube-system
+  annotations:
+    kubernetes.io/service-account.name: pipeline-account

scripts/readonly-kubeconfig-resources.yaml

@@ -0,0 +1,44 @@
+---
+####################################################################
+# Add custom resources which are not covered by view clusterrole
+####################################################################
+#
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: crole-customresources-readyonly
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: [""]
+  resources: ["pods/portforward"]
+  verbs: ["create"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: readonly-account
+  namespace: kube-system
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: crolebinding-pod-readyonly
+subjects:
+- kind: ServiceAccount
+  name: readonly-account
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: view
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: readonly-account-token
+  namespace: kube-system
+  annotations:
+    kubernetes.io/service-account.name: readonly-account