From 83b3fa8cd07058b9c59b52b698f12e30c850daa5 Mon Sep 17 00:00:00 2001
From: Akram Ben Aissi
Date: Tue, 28 Apr 2020 16:45:30 +0200
Subject: [PATCH] Default rule policy now allows watching resources required by OpenShift (#352)
---
 ...openshift_jenkins_v1alpha2_jenkins_cr.yaml | 72 ++++++++++++++--
 deploy/role.yaml | 17 ++++
 .../configuration/base/resources/rbac.go | 83 +++++++++++--------
 3 files changed, 129 insertions(+), 43 deletions(-)
diff --git a/deploy/crds/openshift_jenkins_v1alpha2_jenkins_cr.yaml b/deploy/crds/openshift_jenkins_v1alpha2_jenkins_cr.yaml
index 9fdca028..ae20efc5 100644
--- a/deploy/crds/openshift_jenkins_v1alpha2_jenkins_cr.yaml
+++ b/deploy/crds/openshift_jenkins_v1alpha2_jenkins_cr.yaml
@@ -1,16 +1,70 @@
 apiVersion: jenkins.io/v1alpha2
 kind: Jenkins
 metadata:
+ annotations:
+ jenkins.io/openshift-mode: 'true'
 name: jenkins
 spec:
 master:
 containers:
- - name: jenkins-master
- image: quay.io/openshift/origin-jenkins:latest
- resources:
- limits:
- cpu: 1500m
- memory: 3Gi
- requests:
- cpu: "1"
- memory: 500Mi
+ - name: jenkins-master
+ command:
+ - /usr/bin/go-init
+ - '-main'
+ - /usr/libexec/s2i/run
+ env:
+ - name: OPENSHIFT_ENABLE_OAUTH
+ value: 'true'
+ - name: OPENSHIFT_ENABLE_REDIRECT_PROMPT
+ value: 'true'
+ - name: DISABLE_ADMINISTRATIVE_MONITORS
+ value: 'false'
+ - name: KUBERNETES_MASTER
+ value: 'https://kubernetes.default:443'
+ - name: KUBERNETES_TRUST_CERTIFICATES
+ value: 'true'
+ - name: JENKINS_SERVICE_NAME
+ value: jenkins-operator-http-example
+ - name: JNLP_SERVICE_NAME
+ value: jenkins-operator-slave-example
+ - name: JENKINS_UC_INSECURE
+ value: 'false'
+ - name: JENKINS_HOME
+ value: /var/lib/jenkins
+ - name: JAVA_OPTS
+ value: >-
+ -XX:+UnlockExperimentalVMOptions -XX:+UnlockExperimentalVMOptions
+ -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=1
+ -Djenkins.install.runSetupWizard=false -Djava.awt.headless=true
+ image: 'quay.io/openshift/origin-jenkins:latest'
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /login
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 420
+ periodSeconds: 360
+ timeoutSeconds: 240
+ readinessProbe:
+ httpGet:
+ path: /login
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 3
+ periodSeconds: 0
+ timeoutSeconds: 240
+ resources:
+ limits:
+ cpu: 600m
+ memory: 4Gi
+ requests:
+ cpu: 500m
+ memory: 3Gi
+ service:
+ port: 8080
+ type: ClusterIP
+ slaveService:
+ port: 50000
+ type: ClusterIP
+
diff --git a/deploy/role.yaml b/deploy/role.yaml
index 215055ee..c4e0059b 100644
--- a/deploy/role.yaml
+++ b/deploy/role.yaml
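Review bot: `KUBERNETES_TRUST_CERTIFICATES: 'true'` in the new `env` block should carry a comment, because in the upstream OpenShift Jenkins image that variable, if I recall its mapping correctly, makes the Kubernetes plugin skip TLS verification of the API server rather than trust the mounted service-account CA, and users copying this sample will inherit that default without seeing it. Something like `# NOTE: makes the Kubernetes plugin skip TLS verification of the API server — confirm this is intended` next to the value would make the trade-off visible. Two smaller nits in the same block: `-XX:+UnlockExperimentalVMOptions` is listed twice in `JAVA_OPTS`, and `periodSeconds: 0` on the readiness probe is treated as unset by the API server and replaced by its default, so the written value is misleading.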
@@ -88,3 +88,20 @@ rules:
 - get
 - list
 - watch
+ - apiGroups:
+ - "image.openshift.io"
+ resources:
+ - imagestreams
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "build.openshift.io"
+ resources:
+ - builds
+ - buildconfigs
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/pkg/controller/jenkins/configuration/base/resources/rbac.go b/pkg/controller/jenkins/configuration/base/resources/rbac.go
index e6e23ca3..cd4e6457 100644
--- a/pkg/controller/jenkins/configuration/base/resources/rbac.go
+++ b/pkg/controller/jenkins/configuration/base/resources/rbac.go
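Review bot: The three new read-only rules are needed because Kubernetes RBAC refuses to let the operator create or update a Role that grants permissions the operator does not itself hold (absent `escalate`/`bind`), so this file has to mirror the rule set built in rbac.go, and a comment saying so would keep the two from drifting, e.g. `# Must mirror NewDefaultPolicyRules in pkg/controller/jenkins/configuration/base/resources/rbac.go: the operator can only grant permissions it holds itself.` In the same commit rbac.go also starts granting read on `configmaps` to the Jenkins master; whether the operator role already carries that is outside this hunk (it begins at line 88), so please verify, otherwise Role creation will be rejected as forbidden on that rule.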
@@ -6,50 +6,29 @@ import (
 )
 
 const (
- createVerb = "create"
- deleteVerb = "delete"
- getVerb = "get"
- listVerb = "list"
- watchVerb = "watch"
- patchVerb = "patch"
- updateVerb = "update"
+ createVerb = "create"
+ deleteVerb = "delete"
+ getVerb = "get"
+ listVerb = "list"
+ watchVerb = "watch"
+ patchVerb = "patch"
+ updateVerb = "update"
+ EmptyApiGroups = ""
+ OpenshiftApiGroup = "image.openshift.io"
+ BuildApiGroup = "build.openshift.io"
+
 )
 
 // NewRole returns rbac role for jenkins master
 func NewRole(meta metav1.ObjectMeta) *v1.Role {
+ rules := NewDefaultPolicyRules()
 return &v1.Role{
 TypeMeta: metav1.TypeMeta{
 Kind: "Role",
 APIVersion: "rbac.authorization.k8s.io/v1",
 },
 ObjectMeta: meta,
- Rules: []v1.PolicyRule{
- {
- APIGroups: []string{""},
- Resources: []string{"pods/portforward"},
- Verbs: []string{createVerb},
- },
- {
- APIGroups: []string{""},
- Resources: []string{"pods"},
- Verbs: []string{createVerb, deleteVerb, getVerb, listVerb, patchVerb, updateVerb, watchVerb},
- },
- {
- APIGroups: []string{""},
- Resources: []string{"pods/exec"},
- Verbs: []string{createVerb, deleteVerb, getVerb, listVerb, patchVerb, updateVerb, watchVerb},
- },
- {
- APIGroups: []string{""},
- Resources: []string{"pods/log"},
- Verbs: []string{getVerb, listVerb, watchVerb},
- },
- {
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- Verbs: []string{getVerb, listVerb, watchVerb},
- },
- },
+ Rules: rules,
 }
 }
 
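Review bot: The new exported constants use `Api`/`Openshift` casing (`EmptyApiGroups`, `OpenshiftApiGroup`, `BuildApiGroup`), which golint flags because Go keeps initialisms uppercase: `EmptyAPIGroup`, `OpenShiftAPIGroup`, `BuildAPIGroup`. `OpenshiftApiGroup` also holds `"image.openshift.io"`, i.e. the image API group, so a name such as `ImageAPIGroup` would describe the value the way `BuildApiGroup` already does for `"build.openshift.io"`. Nothing in this patch uses the three constants outside rbac.go, so unless another package needs them they should stay unexported, and the trailing blank line before the closing `)` of the const block is noise.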
@@ -74,3 +53,39 @@ func NewRoleBinding(name, namespace, serviceAccountName string, roleRef v1.RoleR
 },
 }
 }
+
+func NewDefaultPolicyRules() []v1.PolicyRule {
+ var rules []v1.PolicyRule
+ ReadOnly := []string{getVerb, listVerb, watchVerb}
+ Default := []string{createVerb, deleteVerb, getVerb, listVerb, patchVerb, updateVerb, watchVerb}
+ Create := []string{createVerb}
+
+ rules = append(rules, NewPolicyRule(EmptyApiGroups, "pods/portforward", Create))
+ rules = append(rules, NewPolicyRule(EmptyApiGroups, "pods", Default))
+ rules = append(rules, NewPolicyRule(EmptyApiGroups, "pods/exec", Default))
+ rules = append(rules, NewPolicyRule(EmptyApiGroups, "configmaps", ReadOnly))
+ rules = append(rules, NewPolicyRule(EmptyApiGroups, "pods/log", ReadOnly))
+ rules = append(rules, NewPolicyRule(EmptyApiGroups, "secrets", ReadOnly))
+
+ rules = append(rules, NewOpenShiftPolicyRule(OpenshiftApiGroup, "imagestreams", ReadOnly))
+ rules = append(rules, NewOpenShiftPolicyRule(BuildApiGroup, "buildconfigs", ReadOnly))
+ rules = append(rules, NewOpenShiftPolicyRule(BuildApiGroup, "builds", ReadOnly))
+
+ return rules
+}
+
+// NewPolicyRule returns a policyRule allowing verbs on resources
+func NewPolicyRule(apiGroup string, resource string, verbs []string) v1.PolicyRule {
+ rule := v1.PolicyRule{
+ APIGroups: []string{apiGroup},
+ Resources: []string{resource},
+ Verbs: verbs,
+ }
+ return rule
+}
+
+// NewPolicyRule returns a policyRule allowing verbs on resources
+func NewOpenShiftPolicyRule(apiGroup string, resource string, verbs []string) v1.PolicyRule {
+ return NewPolicyRule(apiGroup,resource,verbs)
+}
+
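Review bot: `NewOpenShiftPolicyRule` is a pure pass-through to `NewPolicyRule` and carries a copy-pasted doc comment naming the wrong function; either drop the wrapper or document why it exists (presumably as the place where OpenShift-only rules become conditional later), e.g. `// NewOpenShiftPolicyRule returns a PolicyRule for an OpenShift API group; it currently delegates to NewPolicyRule.` `NewDefaultPolicyRules` is exported but has no doc comment, and its locals `ReadOnly`, `Default`, `Create` use exported-style casing for function-scope variables, where `readOnly`, `allVerbs`, `createOnly` would read as Go. Two behavioural points deserve a line in that doc comment: the `configmaps` read rule is a new grant to the Jenkins master that the commit subject does not mention, and every rule built from `ReadOnly` shares one backing slice through `NewPolicyRule`, so a caller mutating one rule's `Verbs` in place would change all of them (copy with `append([]string(nil), verbs...)` if that matters). `return NewPolicyRule(apiGroup,resource,verbs)` is also not gofmt-clean.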