deploy: add API for getting OpenShift SecurityContextConstraints

This new Go module allows other projects (like Rook) to consume
deployment details (the SCC to get started) directly from Ceph-CSI.

Based-on: https://github.com/rook/rook/blob/3c93eb3/cluster/examples/kubernetes/ceph/operator-openshift.yaml#L47-L90
Signed-off-by: Niels de Vos <ndevos@redhat.com>

api/deploy/ocp/doc.go

@@ -0,0 +1,20 @@
+/*
+Copyright 2021 The Ceph-CSI Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package ocp contains functions to obtain standard and recommended
+// deployment artifacts for OpenShift. These artifacts can be used by
+// automation tools that want to deploy Ceph-CSI.
+package ocp

api/deploy/ocp/scc.go

@@ -0,0 +1,107 @@
+/*
+Copyright 2021 The Ceph-CSI Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ocp
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"text/template"
+
+	"github.com/ghodss/yaml"
+	secv1 "github.com/openshift/api/security/v1"
+)
+
+//go:embed scc.yaml
+var securityContextConstraints string
+
+// SecurityContextConstraintsValues contains values that need replacing in the
+// template.
+type SecurityContextConstraintsValues struct {
+	// Namespace contains the OpenShift Namespace where the SCC will be
+	// used.
+	Namespace string
+	// Deployer refers to the Operator that creates the SCC and
+	// ServiceAccounts. This is an optional option.
+	Deployer string
+}
+
+// SecurityContextConstraintsDefaults can be used for generating deployment
+// artifacts with defails values.
+var SecurityContextConstraintsDefaults = SecurityContextConstraintsValues{
+	Namespace: "ceph-csi",
+	Deployer:  "",
+}
+
+// NewSecurityContextConstraints creates a new SecurityContextConstraints
+// object by replacing variables in the template by the values set in the
+// SecurityContextConstraintsValues.
+//
+// The deployer parameter (when not an empty string) is used as a prefix for
+// the name of the SCC and the linked ServiceAccounts.
+func NewSecurityContextConstraints(values SecurityContextConstraintsValues) (*secv1.SecurityContextConstraints, error) {
+	data, err := NewSecurityContextConstraintsYAML(values)
+	if err != nil {
+		return nil, err
+	}
+
+	scc := &secv1.SecurityContextConstraints{}
+	err = yaml.Unmarshal([]byte(data), scc)
+	if err != nil {
+		return nil, fmt.Errorf("failed convert YAML to %T: %w", scc, err)
+	}
+
+	return scc, nil
+}
+
+// internalSecurityContextConstraintsValues extends
+// SecurityContextConstraintsValues with some private attributes that may get
+// set based on other values.
+type internalSecurityContextConstraintsValues struct {
+	SecurityContextConstraintsValues
+
+	// Prefix is based on SecurityContextConstraintsValues.Deployer.
+	Prefix string
+}
+
+// NewSecurityContextConstraintsYAML returns a YAML string where the variables
+// in the template have been replaced by the values set in the
+// SecurityContextConstraintsValues.
+func NewSecurityContextConstraintsYAML(values SecurityContextConstraintsValues) (string, error) {
+	var buf bytes.Buffer
+
+	// internalValues is a copy of values, but will get extended with
+	// API-internal values
+	internalValues := internalSecurityContextConstraintsValues{
+		SecurityContextConstraintsValues: values,
+	}
+
+	if internalValues.Deployer != "" {
+		internalValues.Prefix = internalValues.Deployer + "-"
+	}
+
+	tmpl, err := template.New("SCC").Parse(securityContextConstraints)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse template: %w", err)
+	}
+	err = tmpl.Execute(&buf, internalValues)
+	if err != nil {
+		return "", fmt.Errorf("failed to replace values in template: %w", err)
+	}
+
+	return buf.String(), nil
+}

api/deploy/ocp/scc.yaml

@@ -0,0 +1,43 @@
+---
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "{{ .Prefix }}ceph-csi"
+# To allow running privilegedContainers
+allowPrivilegedContainer: true
+# CSI daemonset pod needs hostnetworking
+allowHostNetwork: true
+# This need to be set to true as we use HostPath
+allowHostDirVolumePlugin: true
+priority:
+# SYS_ADMIN is needed for rbd to execture rbd map command
+allowedCapabilities: ["SYS_ADMIN"]
+# Needed as we run liveness container on daemonset pods
+allowHostPorts: true
+# Needed as we are setting this in RBD plugin pod
+allowHostPID: true
+# Required for encryption
+allowHostIPC: true
+# Set to false as we write to RootFilesystem inside csi containers
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+# The type of volumes which are mounted to csi pods
+volumes:
+  - configMap
+  - projected
+  - emptyDir
+  - hostPath
+users:
+  # A user needs to be added for each service account.
+  - "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-rbd-plugin-sa"
+  - "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-rbd-provisioner-sa"
+  - "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-cephfs-plugin-sa"
+  # yamllint disable-line rule:line-length
+  - "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-cephfs-provisioner-sa"

api/deploy/ocp/scc_test.go

@@ -0,0 +1,91 @@
+/*
+Copyright 2021 The Ceph-CSI Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ocp
+
+import (
+	"strings"
+	"testing"
+
+	secv1 "github.com/openshift/api/security/v1"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewSecurityContextConstraints(t *testing.T) {
+	t.Parallel()
+
+	t.Run("SecurityContextConstraintsDefaults", func(t *testing.T) {
+		var (
+			err error
+			scc *secv1.SecurityContextConstraints
+		)
+
+		getSCC := func() {
+			scc, err = NewSecurityContextConstraints(SecurityContextConstraintsDefaults)
+		}
+
+		require.NotPanics(t, getSCC)
+		require.Nil(t, err)
+		require.NotNil(t, scc)
+
+		require.Equal(t, scc.Name, "ceph-csi")
+		for _, user := range scc.Users {
+			require.True(t, strings.HasPrefix(user, "system:serviceaccount:ceph-csi:csi"))
+		}
+	})
+
+	t.Run("DeployerRook", func(t *testing.T) {
+		var (
+			err error
+			scc *secv1.SecurityContextConstraints
+		)
+
+		rookValues := SecurityContextConstraintsValues{
+			Namespace: "rook-ceph",
+			Deployer: "rook",
+		}
+
+		getSCC := func() {
+			scc, err = NewSecurityContextConstraints(rookValues)
+		}
+
+		require.NotPanics(t, getSCC)
+		require.Nil(t, err)
+		require.NotNil(t, scc)
+
+		require.Equal(t, scc.Name, "rook-ceph-csi")
+		for _, user := range scc.Users {
+			require.True(t, strings.HasPrefix(user, "system:serviceaccount:rook-ceph:rook-csi"))
+		}
+	})
+}
+
+func TestNewSecurityContextConstraintsYAML(t *testing.T) {
+	t.Parallel()
+
+	var (
+		err error
+		yaml string
+	)
+
+	getYAML := func() {
+		yaml, err = NewSecurityContextConstraintsYAML(SecurityContextConstraintsDefaults)
+	}
+
+	require.NotPanics(t, getYAML)
+	require.Nil(t, err)
+	require.NotEqual(t, "", yaml)
+}