Merge pull request #87 from darkowlzz/export-rbac-names

Export rbac resource names
storageos · Mar 26, 2019 · 8fc4b08 · 8fc4b08
2 parents a4a87b1 + 08e75cc
commit 8fc4b08
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 53 deletions.
diff --git a/pkg/storageos/daemonset.go b/pkg/storageos/daemonset.go
@@ -36,7 +36,7 @@ func (s *Deployment) createDaemonSet() error {
 					Labels: ls,
 				},
 				Spec: corev1.PodSpec{
-					ServiceAccountName: "storageos-daemonset-sa",
+					ServiceAccountName: DaemonsetSA,
 					HostPID:            true,
 					HostNetwork:        true,
 					DNSPolicy:          corev1.DNSClusterFirstWithHostNet,

diff --git a/pkg/storageos/delete.go b/pkg/storageos/delete.go
@@ -24,15 +24,15 @@ func (s *Deployment) Delete() error {
 		return err
 	}
 
-	if err := s.deleteRoleBinding(keyManagementBindingName); err != nil {
+	if err := s.deleteRoleBinding(KeyManagementBindingName); err != nil {
 		return err
 	}
 
-	if err := s.deleteRole(keyManagementRoleName); err != nil {
+	if err := s.deleteRole(KeyManagementRoleName); err != nil {
 		return err
 	}
 
-	if err := s.deleteServiceAccount("storageos-daemonset-sa"); err != nil {
+	if err := s.deleteServiceAccount(DaemonsetSA); err != nil {
 		return err
 	}
 
@@ -41,35 +41,35 @@ func (s *Deployment) Delete() error {
 			return err
 		}
 
-		if err := s.deleteClusterRoleBinding("csi-attacher-binding"); err != nil {
+		if err := s.deleteClusterRoleBinding(CSIAttacherClusterBindingName); err != nil {
 			return err
 		}
 
-		if err := s.deleteClusterRoleBinding("csi-provisioner-binding"); err != nil {
+		if err := s.deleteClusterRoleBinding(CSIProvisionerClusterBindingName); err != nil {
 			return err
 		}
 
-		if err := s.deleteClusterRole("csi-attacher-role"); err != nil {
+		if err := s.deleteClusterRole(CSIAttacherClusterRoleName); err != nil {
 			return err
 		}
 
-		if err := s.deleteClusterRole("csi-provisioner-role"); err != nil {
+		if err := s.deleteClusterRole(CSIProvisionerClusterRoleName); err != nil {
 			return err
 		}
 
-		if err := s.deleteServiceAccount("storageos-statefulset-sa"); err != nil {
+		if err := s.deleteServiceAccount(StatefulsetSA); err != nil {
 			return err
 		}
 
-		if err := s.deleteClusterRoleBinding("k8s-driver-registrar-binding"); err != nil {
+		if err := s.deleteClusterRoleBinding(CSIK8SDriverRegistrarClusterBindingName); err != nil {
 			return err
 		}
 
-		if err := s.deleteClusterRoleBinding("driver-registrar-binding"); err != nil {
+		if err := s.deleteClusterRoleBinding(CSIDriverRegistrarClusterBindingName); err != nil {
 			return err
 		}
 
-		if err := s.deleteClusterRole("driver-registrar-role"); err != nil {
+		if err := s.deleteClusterRole(CSIDriverRegistrarClusterRoleName); err != nil {
 			return err
 		}
 
@@ -80,11 +80,11 @@ func (s *Deployment) Delete() error {
 
 	// Delete role for Pod Fencing.
 	if !s.stos.Spec.DisableFencing {
-		if err := s.deleteClusterRoleBinding(fencingClusterBindingName); err != nil {
+		if err := s.deleteClusterRoleBinding(FencingClusterBindingName); err != nil {
 			return err
 		}
 
-		if err := s.deleteClusterRole(fencingClusterRoleName); err != nil {
+		if err := s.deleteClusterRole(FencingClusterRoleName); err != nil {
 			return err
 		}
 	}

diff --git a/pkg/storageos/deploy.go b/pkg/storageos/deploy.go
@@ -27,12 +27,6 @@ const (
 	daemonsetName   = "storageos-daemonset"
 	statefulsetName = "storageos-statefulset"
 
-	keyManagementRoleName    = "key-management-role"
-	keyManagementBindingName = "key-management-binding"
-
-	fencingClusterRoleName    = "storageos:pod-fencer"
-	fencingClusterBindingName = "storageos:pod-fencer"
-
 	tlsSecretType       = "kubernetes.io/tls"
 	storageosSecretType = "kubernetes.io/storageos"
 

diff --git a/pkg/storageos/deploy_test.go b/pkg/storageos/deploy_test.go
@@ -124,7 +124,7 @@ func TestCreateRoleForKeyMgmt(t *testing.T) {
 	}
 
 	nsName := types.NamespacedName{
-		Name:      "key-management-role",
+		Name:      KeyManagementRoleName,
 		Namespace: defaultNS,
 	}
 	wantRole := &rbacv1.Role{
@@ -133,7 +133,7 @@ func TestCreateRoleForKeyMgmt(t *testing.T) {
 			Kind:       "Role",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "key-management-role",
+			Name:      KeyManagementRoleName,
 			Namespace: defaultNS,
 			Labels: map[string]string{
 				"app": appName,
@@ -209,7 +209,7 @@ func TestCreateRoleBindingForKeyMgmt(t *testing.T) {
 	}
 
 	nsName := types.NamespacedName{
-		Name:      "key-management-binding",
+		Name:      KeyManagementBindingName,
 		Namespace: defaultNS,
 	}
 	createdRoleBinding := &rbacv1.RoleBinding{
@@ -218,7 +218,7 @@ func TestCreateRoleBindingForKeyMgmt(t *testing.T) {
 			Kind:       "RoleBinding",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "key-management-binding",
+			Name:      KeyManagementBindingName,
 			Namespace: defaultNS,
 			Labels: map[string]string{
 				"app": appName,
@@ -239,13 +239,13 @@ func TestCreateClusterRoleBinding(t *testing.T) {
 	subjects := []rbacv1.Subject{
 		{
 			Kind:      "ServiceAccount",
-			Name:      "storageos-daemonset-sa",
+			Name:      DaemonsetSA,
 			Namespace: defaultNS,
 		},
 	}
 	roleRef := rbacv1.RoleRef{
 		Kind:     "ClusterRole",
-		Name:     "driver-registrar-role",
+		Name:     CSIDriverRegistrarClusterRoleName,
 		APIGroup: "rbac.authorization.k8s.io",
 	}
 	if err := deploy.createClusterRoleBinding(bindingName, subjects, roleRef); err != nil {

diff --git a/pkg/storageos/rbac.go b/pkg/storageos/rbac.go
@@ -6,6 +6,28 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// Exported role, binding and service account resource names.
+const (
+	DaemonsetSA   = "storageos-daemonset-sa"
+	StatefulsetSA = "storageos-statefulset-sa"
+
+	CSIProvisionerClusterRoleName    = "storageos:csi-provisioner"
+	CSIProvisionerClusterBindingName = "storageos:csi-provisioner"
+
+	CSIAttacherClusterRoleName    = "storageos:csi-attacher"
+	CSIAttacherClusterBindingName = "storageos:csi-attacher"
+
+	CSIDriverRegistrarClusterRoleName       = "storageos:driver-registrar"
+	CSIDriverRegistrarClusterBindingName    = "storageos:driver-registrar"
+	CSIK8SDriverRegistrarClusterBindingName = "storageos:k8s-driver-registrar"
+
+	KeyManagementRoleName    = "storageos:key-management"
+	KeyManagementBindingName = "storageos:key-management"
+
+	FencingClusterRoleName    = "storageos:pod-fencer"
+	FencingClusterBindingName = "storageos:pod-fencer"
+)
+
 func (s *Deployment) createServiceAccount(name string) error {
 	sa := s.getServiceAccount(name)
 	return s.createOrUpdateObject(sa)
@@ -34,15 +56,15 @@ func (s *Deployment) getServiceAccount(name string) *corev1.ServiceAccount {
 }
 
 func (s *Deployment) createServiceAccountForDaemonSet() error {
-	return s.createServiceAccount("storageos-daemonset-sa")
+	return s.createServiceAccount(DaemonsetSA)
 }
 
 func (s *Deployment) createServiceAccountForStatefulSet() error {
-	return s.createServiceAccount("storageos-statefulset-sa")
+	return s.createServiceAccount(StatefulsetSA)
 }
 
 func (s *Deployment) createRoleForKeyMgmt() error {
-	role := s.getRole(keyManagementRoleName)
+	role := s.getRole(KeyManagementRoleName)
 	role.Rules = []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{""},
@@ -55,7 +77,7 @@ func (s *Deployment) createRoleForKeyMgmt() error {
 }
 
 func (s *Deployment) deleteRole(name string) error {
-	return s.deleteObject(s.getRole(keyManagementRoleName))
+	return s.deleteObject(s.getRole(KeyManagementRoleName))
 }
 
 // getRole creates a generic role object with the given name and returns it.
@@ -133,7 +155,7 @@ func (s *Deployment) createClusterRoleForFencing() error {
 			Verbs:     []string{"list", "watch", "create", "update", "patch"},
 		},
 	}
-	return s.createClusterRole(fencingClusterRoleName, rules)
+	return s.createClusterRole(FencingClusterRoleName, rules)
 }
 
 func (s *Deployment) createClusterRoleForDriverRegistrar() error {
@@ -159,7 +181,7 @@ func (s *Deployment) createClusterRoleForDriverRegistrar() error {
 			Verbs:     []string{"create"},
 		},
 	}
-	return s.createClusterRole("driver-registrar-role", rules)
+	return s.createClusterRole(CSIDriverRegistrarClusterRoleName, rules)
 }
 
 func (s *Deployment) createClusterRoleForProvisioner() error {
@@ -190,7 +212,7 @@ func (s *Deployment) createClusterRoleForProvisioner() error {
 			Verbs:     []string{"list", "watch", "create", "update", "patch"},
 		},
 	}
-	return s.createClusterRole("csi-provisioner-role", rules)
+	return s.createClusterRole(CSIProvisionerClusterRoleName, rules)
 }
 
 func (s *Deployment) createClusterRoleForAttacher() error {
@@ -226,21 +248,21 @@ func (s *Deployment) createClusterRoleForAttacher() error {
 			Verbs:     []string{"list", "watch", "create", "update", "patch"},
 		},
 	}
-	return s.createClusterRole("csi-attacher-role", rules)
+	return s.createClusterRole(CSIAttacherClusterRoleName, rules)
 }
 
 func (s *Deployment) createRoleBindingForKeyMgmt() error {
-	roleBinding := s.getRoleBinding(keyManagementBindingName)
+	roleBinding := s.getRoleBinding(KeyManagementBindingName)
 	roleBinding.Subjects = []rbacv1.Subject{
 		{
 			Kind:      "ServiceAccount",
-			Name:      "storageos-daemonset-sa",
+			Name:      DaemonsetSA,
 			Namespace: s.stos.Spec.GetResourceNS(),
 		},
 	}
 	roleBinding.RoleRef = rbacv1.RoleRef{
 		Kind:     "Role",
-		Name:     keyManagementRoleName,
+		Name:     KeyManagementRoleName,
 		APIGroup: "rbac.authorization.k8s.io",
 	}
 	return s.createOrUpdateObject(roleBinding)
@@ -296,78 +318,78 @@ func (s *Deployment) createClusterRoleBindingForFencing() error {
 	subjects := []rbacv1.Subject{
 		{
 			Kind:      "ServiceAccount",
-			Name:      "storageos-daemonset-sa",
+			Name:      DaemonsetSA,
 			Namespace: s.stos.Spec.GetResourceNS(),
 		},
 	}
 	roleRef := rbacv1.RoleRef{
 		Kind:     "ClusterRole",
-		Name:     fencingClusterRoleName,
+		Name:     FencingClusterRoleName,
 		APIGroup: "rbac.authorization.k8s.io",
 	}
-	return s.createClusterRoleBinding(fencingClusterBindingName, subjects, roleRef)
+	return s.createClusterRoleBinding(FencingClusterBindingName, subjects, roleRef)
 }
 
 func (s *Deployment) createClusterRoleBindingForDriverRegistrar() error {
 	subjects := []rbacv1.Subject{
 		{
 			Kind:      "ServiceAccount",
-			Name:      "storageos-daemonset-sa",
+			Name:      DaemonsetSA,
 			Namespace: s.stos.Spec.GetResourceNS(),
 		},
 	}
 	roleRef := rbacv1.RoleRef{
 		Kind:     "ClusterRole",
-		Name:     "driver-registrar-role",
+		Name:     CSIDriverRegistrarClusterRoleName,
 		APIGroup: "rbac.authorization.k8s.io",
 	}
-	return s.createClusterRoleBinding("driver-registrar-binding", subjects, roleRef)
+	return s.createClusterRoleBinding(CSIDriverRegistrarClusterBindingName, subjects, roleRef)
 }
 
 func (s *Deployment) createClusterRoleBindingForK8SDriverRegistrar() error {
 	subjects := []rbacv1.Subject{
 		{
 			Kind:      "ServiceAccount",
-			Name:      "storageos-statefulset-sa",
+			Name:      StatefulsetSA,
 			Namespace: s.stos.Spec.GetResourceNS(),
 		},
 	}
 	roleRef := rbacv1.RoleRef{
 		Kind:     "ClusterRole",
-		Name:     "driver-registrar-role",
+		Name:     CSIDriverRegistrarClusterRoleName,
 		APIGroup: "rbac.authorization.k8s.io",
 	}
-	return s.createClusterRoleBinding("k8s-driver-registrar-binding", subjects, roleRef)
+	return s.createClusterRoleBinding(CSIK8SDriverRegistrarClusterBindingName, subjects, roleRef)
 }
 
 func (s *Deployment) createClusterRoleBindingForProvisioner() error {
 	subjects := []rbacv1.Subject{
 		{
 			Kind:      "ServiceAccount",
-			Name:      "storageos-statefulset-sa",
+			Name:      StatefulsetSA,
 			Namespace: s.stos.Spec.GetResourceNS(),
 		},
 	}
 	roleRef := rbacv1.RoleRef{
 		Kind:     "ClusterRole",
-		Name:     "csi-provisioner-role",
+		Name:     CSIProvisionerClusterRoleName,
 		APIGroup: "rbac.authorization.k8s.io",
 	}
-	return s.createClusterRoleBinding("csi-provisioner-binding", subjects, roleRef)
+	return s.createClusterRoleBinding(CSIProvisionerClusterBindingName, subjects, roleRef)
 }
 
 func (s *Deployment) createClusterRoleBindingForAttacher() error {
 	subjects := []rbacv1.Subject{
 		{
 			Kind:      "ServiceAccount",
-			Name:      "storageos-statefulset-sa",
+			Name:      StatefulsetSA,
 			Namespace: s.stos.Spec.GetResourceNS(),
 		},
 	}
 	roleRef := rbacv1.RoleRef{
 		Kind:     "ClusterRole",
-		Name:     "csi-attacher-role",
+		Name:     CSIAttacherClusterRoleName,
 		APIGroup: "rbac.authorization.k8s.io",
 	}
-	return s.createClusterRoleBinding("csi-attacher-binding", subjects, roleRef)
+	return s.createClusterRoleBinding(CSIAttacherClusterBindingName, subjects, roleRef)
 }
diff --git a/pkg/storageos/statefulset.go b/pkg/storageos/statefulset.go
@@ -34,7 +34,7 @@ func (s *Deployment) createStatefulSet() error {
 					Labels: ls,
 				},
 				Spec: corev1.PodSpec{
-					ServiceAccountName: "storageos-statefulset-sa",
+					ServiceAccountName: StatefulsetSA,
 					Containers: []corev1.Container{
 						{
 							Image:           s.stos.Spec.GetCSIExternalProvisionerImage(CSIV1Supported(s.k8sVersion)),