feat: update RBAC configurations and add Jenkinsfile for aml-services

Signed-off-by: zhenyus <zhenyus@mathmast.com>
2025-05-12 09:56:54 +08:00 · 2025-05-12 09:56:54 +08:00 · b7c11d2829
commit b7c11d2829
parent 594471676e
5 changed files with 120 additions and 12 deletions
--- a/aml-services/alpha/ailab/Jenkinsfile
+++ b/aml-services/alpha/ailab/Jenkinsfile
@ -0,0 +1,35 @@
+library 'first-class-pipeline'
+
+executeFreeleapsPipeline {
+  serviceName = 'aml-services'
+  environmentSlug = 'alpha'
+  serviceGitBranch = 'dev'
+  serviceGitRepo = "https://gitea.freeleaps.mathmast.com/freeleaps/aml-services.git"
+  serviceGitRepoType = 'monorepo'
+  serviceGitCredentialsId = 'freeleaps-repos-gitea-credentails'
+  executeMode = 'on-demand'
+  commitMessageLintEnabled = false
+  components = [
+    [
+      name: 'ailab',
+      root: 'apps/ailab',
+      language: 'python',
+      dependenciesManager: 'pip',
+      requirementsFile: 'requirements.txt',
+      buildCacheEnabled: true,
+      buildAgentImage: 'python:3.10-slim-buster',
+      buildArtifacts: ['.'],
+      lintEnabled: false,
+      sastEnabled: false,
+      imageRegistry: 'docker.io',
+      imageRepository: 'freeleaps',
+      imageName: 'ailab',
+      imageBuilder: 'dind',
+      dockerfilePath: 'Dockerfile',
+      imageBuildRoot: '.',
+      imageReleaseArchitectures: ['linux/amd64', 'linux/arm64/v8'],
+      registryCredentialsId: 'freeleaps-devops-docker-hub-credentials',
+      semanticReleaseEnabled: true
+    ]
+  ]
+}
--- a/cluster/bin/freeleaps-cluster-authenticator
+++ b/cluster/bin/freeleaps-cluster-authenticator
@ -304,6 +304,8 @@ clear_auth() {
    exit 1
  fi

+  rm -rf "${HOME}/.kube/cache/oidc-login"
+
  echo "[CLEAR] kubectl authentication cleared successfully."
 }

--- a/cluster/manifests/freeleaps-controls-system/rbac/rbac.yaml
+++ b/cluster/manifests/freeleaps-controls-system/rbac/rbac.yaml
@ -1,9 +1,22 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
  name: certificate-contributor
-  namespace: freeleaps-controls-system
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
-    verbs: ["*"]
+    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: certificate-contributor-binding
+  namespace: freeleaps-controls-system
+subjects:
+  - kind: Group
+    name: mathmast:certificate-contributor
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: certificate-contributor
+  apiGroup: rbac.authorization.k8s.io
--- a/cluster/manifests/freeleaps-data-platform/rbac/rbac.yaml
+++ b/cluster/manifests/freeleaps-data-platform/rbac/rbac.yaml
@ -4,6 +4,38 @@ metadata:
  name: data-platform-contributor
  namespace: freeleaps-data-platform
 rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets", "pods", "configmaps", "endpoints", "services", "persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "replicasets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["networkpolicies"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: data-platform-contributor-binding
+  namespace: freeleaps-data-platform
+subjects:
+  - kind: Group
+    name: mathmast:data-platform-contributor
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: data-platform-contributor
+  apiGroup: rbac.authorization.k8s.io
--- a/cluster/manifests/freeleaps-monitoring-system/rbac/rbac.yaml
+++ b/cluster/manifests/freeleaps-monitoring-system/rbac/rbac.yaml
@ -1,19 +1,45 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
  name: prometheus-rules-contributor
-  namespace: freeleaps-monitoring-system
 rules:
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["prometheusrules"]
-    verbs: ["*"]
+    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: RoleBinding
+metadata:
+  name: prometheus-rules-contributor-binding
+  namespace: freeleaps-monitoring-system
+subjects:
+  - kind: Group
+    name: mathmast:prometheus-rules-contributor
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: prometheus-rules-contributor
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
  name: service-monitor-contributor
-  namespace: freeleaps-monitoring-system
 rules:
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["servicemonitors"]
-    verbs: ["*"]
+    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: service-monitor-contributor-binding
+  namespace: freeleaps-monitoring-system
+subjects:
+  - kind: Group
+    name: mathmast:service-monitor-contributor
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: service-monitor-contributor
+  apiGroup: rbac.authorization.k8s.io