chore: add fleet networking rules

.github/workflows/publish-image.yml

@@ -15,11 +15,11 @@ permissions:
 env:
  REGISTRY: ghcr.io
  HUB_AGENT_IMAGE_NAME : hub-agent
- HUB_AGENT_IMAGE_VERSION: v0.1.0
+ HUB_AGENT_IMAGE_VERSION: main
  MEMBER_AGENT_IMAGE_NAME: member-agent
- MEMBER_AGENT_IMAGE_VERSION: v0.1.0
+ MEMBER_AGENT_IMAGE_VERSION: main
  REFRESH_TOKEN_IMAGE_NAME: refresh-token
- REFRESH_TOKEN_IMAGE_VERSION: v0.1.0
+ REFRESH_TOKEN_IMAGE_VERSION: main
 
 jobs:
   export-registry:
@@ -41,6 +41,12 @@ jobs:
         with:
           submodules: true
           fetch-depth: 0
+      - name: Set image version for a new release
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          echo "HUB_AGENT_IMAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+          echo "MEMBER_AGENT_IMAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+          echo "REFRESH_TOKEN_IMAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
       - name: Login to ${{ env.REGISTRY }}
         uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
         with:

Makefile

@@ -1,11 +1,15 @@
 REGISTRY ?= ghcr.io
 KIND_IMAGE ?= kindest/node:v1.23.3
+ifndef TAG
+	TAG ?= $(shell git rev-parse --short=7 HEAD)
+endif
+HUB_AGENT_IMAGE_VERSION ?= $(TAG)
+MEMBER_AGENT_IMAGE_VERSION ?= $(TAG)
+REFRESH_TOKEN_IMAGE_VERSION ?= $(TAG)
+
 HUB_AGENT_IMAGE_NAME ?= hub-agent
-HUB_AGENT_IMAGE_VERSION ?= v0.1.0
 MEMBER_AGENT_IMAGE_NAME ?= member-agent
-MEMBER_AGENT_IMAGE_VERSION ?= v0.1.0
 REFRESH_TOKEN_IMAGE_NAME := refresh-token
-REFRESH_TOKEN_IMAGE_VERSION ?= v0.1.0
 
 KUBECONFIG ?= $(HOME)/.kube/config
 HUB_SERVER_URL ?= https://172.19.0.2:6443
@@ -128,7 +132,8 @@ install-hub-agent-helm:
 	kind export kubeconfig --name $(HUB_KIND_CLUSTER_NAME)
 	helm install hub-agent ./charts/hub-agent/ \
     --set image.pullPolicy=Never \
-    --set image.repository=$(REGISTRY)/$(HUB_AGENT_IMAGE_NAME)
+    --set image.repository=$(REGISTRY)/$(HUB_AGENT_IMAGE_NAME) \
+    --set image.tag=$(HUB_AGENT_IMAGE_VERSION)
 
 .PHONY: e2e-hub-kubeconfig-secret
 e2e-hub-kubeconfig-secret: install-hub-agent-helm
@@ -146,7 +151,9 @@ install-member-agent-helm: e2e-hub-kubeconfig-secret
 	helm install member-agent ./charts/member-agent/ \
 	--set config.hubURL=$$HUB_SERVER_URL \
 	--set image.repository=$(REGISTRY)/$(MEMBER_AGENT_IMAGE_NAME) \
+	--set image.tag=$(MEMBER_AGENT_IMAGE_VERSION) \
     --set refreshtoken.repository=$(REGISTRY)/$(REFRESH_TOKEN_IMAGE_NAME) \
+    --set refreshtoken.tag=$(REFRESH_TOKEN_IMAGE_VERSION) \
     --set image.pullPolicy=Never --set refreshtoken.pullPolicy=Never \
     --set config.memberClusterName="kind-$(MEMBER_KIND_CLUSTER_NAME)"
 	# to make sure member-agent reads the token file.

charts/hub-agent/templates/rbac.yaml

@@ -16,8 +16,11 @@ rules:
     resources: ["memberclusters", "memberclusters/status"]
     verbs: ["get", "list", "watch", "update", "patch"]
   - apiGroups: ["fleet.azure.com"]
-    resources: ["internalmemberclusters","internalmemberclusters/status"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["networking.fleet.azure.com"]
+    resources: ["*"]
+    verbs: ["*"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

pkg/controllers/membercluster/membercluster_controller.go

@@ -425,22 +425,12 @@ func markMemberClusterLeft(recorder record.EventRecorder, mc apis.ConditionedObj
 // createRole creates role for member cluster.
 func createRole(roleName, namespaceName string) rbacv1.Role {
 	// TODO: More API groups and verbs will be added as new member agents are added apart from the Join agent.
-	fleetRule := rbacv1.PolicyRule{
-		Verbs:     []string{"get", "list", "update", "patch", "watch"},
-		APIGroups: []string{fleetv1alpha1.GroupVersion.Group},
-		Resources: []string{"*"},
-	}
-	eventRule := rbacv1.PolicyRule{
-		Verbs:     []string{"get", "list", "update", "patch", "watch", "create"},
-		APIGroups: []string{""},
-		Resources: []string{"events"},
-	}
 	role := rbacv1.Role{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      roleName,
 			Namespace: namespaceName,
 		},
-		Rules: []rbacv1.PolicyRule{fleetRule, eventRule},
+		Rules: []rbacv1.PolicyRule{utils.FleetRule, utils.EventRule, utils.FleetNetworkRule},
 	}
 	return role
 }

pkg/controllers/membercluster/membercluster_controller_test.go

@@ -158,16 +158,6 @@ func TestReconcilerCheckAndCreateRole(t *testing.T) {
 				Client: &test.MockClient{
 					MockGet: func(ctx context.Context, key client.ObjectKey, obj client.Object) error {
 						o := obj.(*rbacv1.Role)
-						fleetRule := rbacv1.PolicyRule{
-							Verbs:     []string{"get", "list", "update", "patch", "watch"},
-							APIGroups: []string{fleetv1alpha1.GroupVersion.Group},
-							Resources: []string{"*"},
-						}
-						eventRule := rbacv1.PolicyRule{
-							Verbs:     []string{"get", "list", "update", "patch", "watch", "create"},
-							APIGroups: []string{""},
-							Resources: []string{"events"},
-						}
 						*o = rbacv1.Role{
 							TypeMeta: metav1.TypeMeta{
 								Kind:       "Role",
@@ -177,7 +167,7 @@ func TestReconcilerCheckAndCreateRole(t *testing.T) {
 								Name:      "fleet-role-mc1",
 								Namespace: namespace1,
 							},
-							Rules: []rbacv1.PolicyRule{fleetRule, eventRule},
+							Rules: []rbacv1.PolicyRule{utils.FleetRule, utils.EventRule, utils.FleetNetworkRule},
 						}
 						return nil
 					},

pkg/utils/common.go

@@ -14,6 +14,7 @@ import (
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/discovery"
@@ -72,6 +73,24 @@ var (
 	}
 )
 
+var (
+	FleetRule = rbacv1.PolicyRule{
+		Verbs:     []string{"*"},
+		APIGroups: []string{fleetv1alpha1.GroupVersion.Group},
+		Resources: []string{"*"},
+	}
+	EventRule = rbacv1.PolicyRule{
+		Verbs:     []string{"get", "list", "update", "patch", "watch", "create"},
+		APIGroups: []string{""},
+		Resources: []string{"events"},
+	}
+	FleetNetworkRule = rbacv1.PolicyRule{
+		Verbs:     []string{"*"},
+		APIGroups: []string{"networking.fleet.azure.com"},
+		Resources: []string{"*"},
+	}
+)
+
 // ReconcileErrorCondition returns a condition indicating that we encountered an
 // error while reconciling the resource.
 func ReconcileErrorCondition(err error) metav1.Condition {