diff --git a/pkg/config/constants.go b/pkg/config/constants.go
index c036b827..9a81efa8 100644
--- a/pkg/config/constants.go
+++ b/pkg/config/constants.go
@@ -51,10 +51,7 @@ const (
 ValidatorVsphereEntityVirtualMachine = "Virtual Machine"
 ValidatorVsphereEntityVirtualApp = "Virtual App"
 ValidatorVsphereVersionConstraint = ">= 6.0, < 9.0"
- SpectroRootLevelPrivilegesV6_7 = "Spectro Root-level Role Privileges vSphere 6.7"
- SpectroRootLevelPrivilegesV7_0 = "Spectro Root-level Role Privileges vSphere 7.0"
- SpectroRootLevelPrivilegesV8_0 = "Spectro Root-level Role Privileges vSphere 8.0"
- CustomPrivileges = "Custom Root-level Role Privileges vSphere"
+ ValidatorVsphereRolePrivilegeFiles = "vsphere-root-level-privileges-all.yaml"
 SpectroEntityPrivileges = "Spectro Entity Privileges"
 CustomEntityPrivileges = "Custom Entity Privileges"
 SpectroCloudTags = "Spectro Cloud Tags"
@@ -171,15 +168,6 @@ var (
 },
 }
 
- ValidatorPluginVsphereRolePrivilegeChoices = []string{
- SpectroRootLevelPrivilegesV6_7,
- SpectroRootLevelPrivilegesV7_0,
- SpectroRootLevelPrivilegesV8_0,
- CustomPrivileges,
- }
- ValidatorPluginVsphereRolePrivilegeFiles = map[string]string{
- CustomPrivileges: "vsphere-root-level-privileges-all.yaml",
- }
 ValidatorPluginVsphereEntityPrivilegeChoices = []string{
 SpectroEntityPrivileges,
 CustomEntityPrivileges,
diff --git a/pkg/services/validator/vmware.go b/pkg/services/validator/vmware.go
index 0d5a2703..8eb5229a 100644
--- a/pkg/services/validator/vmware.go
+++ b/pkg/services/validator/vmware.go
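Review bot: `ValidatorVsphereRolePrivilegeFiles` holds a single file name but carries a plural identifier, which suggests a list or a map now that the per-version map it replaces is gone. A singular name, `ValidatorVsphereRolePrivilegeFile = "vsphere-root-level-privileges-all.yaml"`, would read correctly at the call site in vmware.go. A short comment saying that this is the full root-level privilege catalog operators pick from (presumably an embedded resource, given where the other rule files live) would also help, since the removed per-version choices no longer document that.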
@@ -331,20 +331,14 @@ func readRolePrivilegeRule(c *components.VspherePluginConfig, r *components.Vsph
 log.InfoCLI(`Privilege validation rule will be applied for username %s`, c.Account.Username)
 r.Username = c.Account.Username
 }
- privilegeSet, err := prompts.Select("Root-level privilege set", cfg.ValidatorPluginVsphereRolePrivilegeChoices)
+ privileges, err := LoadPrivileges(cfg.ValidatorVsphereRolePrivilegeFiles)
 if err != nil {
 return err
 }
- privileges, err := LoadPrivileges(cfg.ValidatorPluginVsphereRolePrivilegeFiles[privilegeSet])
+ privileges, err = selectPrivileges(privileges)
 if err != nil {
 return err
 }
- if privilegeSet == cfg.CustomPrivileges {
- privileges, err = selectPrivileges(privileges)
- if err != nil {
- return err
- }
- }
 r.Privileges = privileges
 if idx == -1 {
 c.VsphereRolePrivilegeRules = append(c.VsphereRolePrivilegeRules, *r)
diff --git a/pkg/utils/embed/resources/validator/vsphere-spectro-cloud-tags.yaml b/pkg/utils/embed/resources/validator/vsphere-spectro-cloud-tags.yaml
new file mode 100644
index 00000000..94997350
--- /dev/null
+++ b/pkg/utils/embed/resources/validator/vsphere-spectro-cloud-tags.yaml
@@ -0,0 +1,15 @@
+---
+- name: "Datacenter: k8s-region (ensure that the selected datacenter has a 'k8s-region' tag)"
+ entityType: "datacenter"
+ entityName: ""
+ tag: "k8s-region"
+ clusterName: ""
+ clusterScoped: false
+ ruleType: Spectro Cloud Tags
+- name: "Cluster: k8s-zone (ensure that the selected cluster has a 'k8s-zone' tag)"
+ entityType: "cluster"
+ entityName: ""
+ tag: "k8s-zone"
+ clusterName: ""
+ clusterScoped: true
+ ruleType: Spectro Cloud Tags
diff --git a/pkg/utils/embed/resources/validator/vsphere-spectro-entity-privileges.yaml b/pkg/utils/embed/resources/validator/vsphere-spectro-entity-privileges.yaml
new file mode 100644
index 00000000..8c22ba18
--- /dev/null
+++ b/pkg/utils/embed/resources/validator/vsphere-spectro-entity-privileges.yaml
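Review bot: After `privileges, err = selectPrivileges(privileges)` nothing guards against an empty selection, so `r.Privileges` can be assigned an empty set and the resulting role-privilege rule would check nothing while still reporting success; unless selectPrivileges rejects an empty choice itself (not visible here), add `if len(privileges) == 0 { return errors.New("at least one root-level privilege must be selected") }` before the assignment, using whichever error package the file already imports. Reusing one variable for both the loaded catalog and the chosen subset also hides the narrowing; `allPrivileges, err := LoadPrivileges(cfg.ValidatorVsphereRolePrivilegeFiles)` followed by `privileges, err := selectPrivileges(allPrivileges)` makes it explicit. readRolePrivilegeRule starts before this hunk and its body continues past it.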
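Review bot: This file opens with a `---` document-start marker while the sibling `vsphere-spectro-entity-privileges.yaml` added in the next hunk does not; pick one convention for the embedded rule files so they are read and linted uniformly. Both entries also ship `entityName: ""` and `clusterName: ""`, which presumably are filled in interactively (the integration test supplies `C0` for the cluster rule); a one-line comment on the first entry saying so would stop a reader from assuming the empty values are meant to be used as-is.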
@@ -0,0 +1,8 @@
+- name: "Read folder: spectro-templates"
+ entityType: "folder"
+ entityName: "spectro-templates"
+ privileges:
+ - Folder.Create
+ clusterName: ""
+ clusterScoped: false
+ ruleType: Spectro Entity Privileges
diff --git a/tests/integration/_validator/testcases/test_validator.go b/tests/integration/_validator/testcases/test_validator.go
index dc433a9f..cf25e753 100644
--- a/tests/integration/_validator/testcases/test_validator.go
+++ b/tests/integration/_validator/testcases/test_validator.go
@@ -270,53 +270,56 @@ func (t *ValidatorTest) testDeployInteractive(ctx *test.TestContext) (tr *test.T
 "y", // enable vsphere plugin
 cfg.ValidatorHelmRepository, // validator-plugin-vsphere helm chart repo
 cfg.ValidatorChartVersions[cfg.ValidatorPluginVsphere], // validator-plugin-vsphere helm chart version
- "y", // Re-use validator chart security configuration
- "vsphere-creds", // vSphere secret name
- "fake.vsphere.com", // vSphere domain
- "bob@vsphere.com", // vSphere username
- "password", // vSphere password
- "y", // insecure skip verify
- "DC0", // datacenter
- "y", // Enable NTP check
- "ntpd", // NTP rule name
- "y", // are hosts cluster scoped
- "C0", // cluster name
- "DC0_C0_H0", // host1
- "y", // add more hosts
- "DC0_C0_H1", // host2
- "n", // add more hosts
- "n", // add more validation rules
- "y", // Check role privileges
- "role rule 1", // Role privilege rule name
- "user1@vsphere.local", // user to check role privileges against
- cfg.SpectroRootLevelPrivilegesV7_0, // vSphere permission version
- "n", // add more role privilege checks
- "y", // check entity privileges
- "entity rule 1", // entity privilege rule name
- cfg.SpectroEntityPrivileges, // entity level permissions
- "Read folder: spectro-templates", // spectro entity permission
- "user2@vsphere.local", // user to check entity privileges against
- "n", // add more entity permission checks
- "y", // check compute resource requirements
- "resource requirement rule 1", // resource requirement rule name
- "Cluster", // select cluster for resource check
- "C0", // cluster name for resource check
- "master-pool", // node pool name
- "1", // number of nodes
- "2GHz", // per node cpu
- "4Gi", // per node memory
- "10Gi", // per node storage
- "y", // add another node pool
- "worker-pool", // node pool name
- "3", // number of nodes
- "3GHz", // per node cpu
- "8Gi", // per node memory
- "20Gi", // per node storage
- "n", // add more node pools
- "n", // add more resource requirement checks
- "y", // check tags on entities
- "tag rule 1", // tag rule name
- cfg.SpectroCloudTags, // zone & region tags
+ "y", // Re-use validator chart security configuration
+ "vsphere-creds", // vSphere secret name
+ "fake.vsphere.com", // vSphere domain
+ "bob@vsphere.com", // vSphere username
+ "password", // vSphere password
+ "y", // insecure skip verify
+ "DC0", // datacenter
+ "y", // Enable NTP check
+ "ntpd", // NTP rule name
+ "y", // are hosts cluster scoped
+ "C0", // cluster name
+ "DC0_C0_H0", // host1
+ "y", // add more hosts
+ "DC0_C0_H1", // host2
+ "n", // add more hosts
+ "n", // add more validation rules
+ "y", // Check role privileges
+ "role rule 1", // Role privilege rule name
+ "user1@vsphere.local", // user to check role privileges against
+ "System.Read", // role privilege
+ "y", // add another role privilege to this rule
+ "Alarm.Acknowledge", // role privilege
+ "n", // add another role privilege to this rule
+ "n", // add another role privilege rule
+ "y", // check entity privileges
+ "entity rule 1", // entity privilege rule name
+ cfg.SpectroEntityPrivileges, // entity level permissions
+ "Read folder: spectro-templates", // spectro entity permission
+ "user2@vsphere.local", // user to check entity privileges against
+ "n", // add more entity permission checks
+ "y", // check compute resource requirements
+ "resource requirement rule 1", // resource requirement rule name
+ "Cluster", // select cluster for resource check
+ "C0", // cluster name for resource check
+ "master-pool", // node pool name
+ "1", // number of nodes
+ "2GHz", // per node cpu
+ "4Gi", // per node memory
+ "10Gi", // per node storage
+ "y", // add another node pool
+ "worker-pool", // node pool name
+ "3", // number of nodes
+ "3GHz", // per node cpu
+ "8Gi", // per node memory
+ "20Gi", // per node storage
+ "n", // add more node pools
+ "n", // add more resource requirement checks
+ "y", // check tags on entities
+ "tag rule 1", // tag rule name
+ cfg.SpectroCloudTags, // zone & region tags
 "Cluster: k8s-zone (ensure that the selected cluster has a 'k8s-zone' tag)", // zone tag
 "C0", // cluster name
 "n", // add another tag rule
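Review bot: The new inputs `"System.Read"` and `"Alarm.Acknowledge"` are only valid if those names exist in the vsphere-root-level-privileges-all.yaml resource that readRolePrivilegeRule now loads, so this case is silently coupled to that file; the inline comments should say so, e.g. `"System.Read", // role privilege (must be present in vsphere-root-level-privileges-all.yaml)`. The case also covers only the path where two privileges are picked; a variant that declines every privilege would pin down whether a rule with no privileges is rejected, which the production change does not otherwise exercise. testDeployInteractive starts before this hunk and its input list continues past it.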