Merge pull request #2221 from hankfreund/facade_rbac

Update composition controller RBAC

experiments/compositions/composition/config/rbac/role.yaml

@@ -35,11 +35,18 @@ rules:
   - get
   - list
   - patch
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
 - apiGroups:
   - apiextensions.k8s.io
   resources:
   - customresourcedefinitions
   verbs:
+  - create
   - get
   - list
   - watch
@@ -57,6 +64,11 @@ rules:
   - composition.google.com
   resources:
   - compositions
+  - contexts
+  - expanderversions
+  - facades
+  - getterconfigurations
+  - plans
   verbs:
   - create
   - delete
@@ -209,6 +221,25 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - facade.compositions.google.com
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - facade.compositions.google.com
+  resources:
+  - '*/status'
+  verbs:
+  - get
+  - update
 - apiGroups:
   - facade.facade
   resources:

experiments/compositions/composition/internal/controller/composition_controller.go

@@ -56,16 +56,20 @@ type CompositionReconciler struct {
 	handoffChannels map[schema.GroupVersionKind]chan event.GenericEvent
 }
 
-//+kubebuilder:rbac:groups=composition.google.com,resources=compositions,verbs=get;list;watch;create;update;patch;delete
+// TODO: To simplify preview for customers, grant superuser to the composition controller. This should be revisited going forward.
+//+kubebuilder:rbac:groups=*,resources=*,verbs=*
+//+kubebuilder:rbac:groups=composition.google.com,resources=compositions;contexts;expanderversions;facades;getterconfigurations;plans,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=composition.google.com,resources=compositions/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=composition.google.com,resources=compositions/finalizers,verbs=update
-//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch
+//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=create;get;list;watch
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 //+kubebuilder:rbac:groups=facade.facade,resources=*,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;create;patch;delete
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;create;patch;delete
 //+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=create;get;patch;list;delete
 //+kubebuilder:rbac:groups="batch",resources=jobs,verbs=create;get;patch;list;delete
+//+kubebuilder:rbac:groups=facade.compositions.google.com,resources=*,verbs=get;list;patch;update;watch;create;delete
+//+kubebuilder:rbac:groups=facade.compositions.google.com,resources=*/status,verbs=get;update
 
 // /
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
@@ -361,7 +365,7 @@ func (r *CompositionReconciler) processComposition(
 		InputGVR:                  gvk.GroupVersion().WithResource(crd.Spec.Names.Plural),
 		RESTMapper:                r.mgr.GetRESTMapper(),
 		Config:                    r.mgr.GetConfig(),
-		ComopsitionChangedWatcher: r.handoffChannels[gvk],
+		CompositionChangedWatcher: r.handoffChannels[gvk],
 	}
 
 	if err := expanderController.SetupWithManager(r.mgr, cr); err != nil {

experiments/compositions/composition/internal/controller/expander_reconciler.go

@@ -62,7 +62,7 @@ type ExpanderReconciler struct {
 	InputGVK                  schema.GroupVersionKind
 	InputGVR                  schema.GroupVersionResource
 	Composition               types.NamespacedName
-	ComopsitionChangedWatcher chan event.GenericEvent
+	CompositionChangedWatcher chan event.GenericEvent
 }
 
 type EvaluateWaitError struct {
@@ -660,7 +660,7 @@ func (r *ExpanderReconciler) SetupWithManager(mgr ctrl.Manager, cr *unstructured
 
 	return ctrl.NewControllerManagedBy(mgr).
 		For(cr).
-		WatchesRawSource(&source.Channel{Source: r.ComopsitionChangedWatcher}, handler.EnqueueRequestsFromMapFunc(r.enqueueAllFromGVK)).
+		WatchesRawSource(&source.Channel{Source: r.CompositionChangedWatcher}, handler.EnqueueRequestsFromMapFunc(r.enqueueAllFromGVK)).
 		WithOptions(controller.Options{RateLimiter: ratelimiter}).
 		Complete(r)
 }

experiments/compositions/composition/release/crds.yaml

@@ -184,6 +184,21 @@ spec:
                   - type
                   type: object
                 type: array
+              generation:
+                format: int64
+                type: integer
+              stages:
+                additionalProperties:
+                  description: StageStatus captures the status of a stage
+                  properties:
+                    message:
+                      type: string
+                    reason:
+                      type: string
+                    validationStatus:
+                      type: string
+                  type: object
+                type: object
             type: object
         type: object
     served: true
@@ -755,6 +770,13 @@ spec:
           status:
             description: PlanStatus defines the observed state of Plan
             properties:
+              compositionGeneration:
+                description: Composition generation last succesfully reconciled
+                format: int64
+                type: integer
+              compositionUID:
+                description: Composition UID
+                type: string
               conditions:
                 items:
                   description: "Condition contains details for one aspect of the current
@@ -829,19 +851,68 @@ spec:
                 format: int64
                 type: integer
               inputGeneration:
-                description: Facade's generation last we successfully reconciled
+                description: Facade's generation last succesfully reconciled
                 format: int64
                 type: integer
+              lastPruned:
+                items:
+                  properties:
+                    group:
+                      type: string
+                    health:
+                      type: string
+                    kind:
+                      type: string
+                    name:
+                      type: string
+                    namespace:
+                      type: string
+                    status:
+                      type: string
+                    version:
+                      type: string
+                  required:
+                  - health
+                  - kind
+                  type: object
+                type: array
               stages:
                 additionalProperties:
                   description: StageStatus captures the status of a stage
                   properties:
+                    appliedCount:
+                      type: integer
+                    lastApplied:
+                      items:
+                        properties:
+                          group:
+                            type: string
+                          health:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          status:
+                            type: string
+                          version:
+                            type: string
+                        required:
+                        - health
+                        - kind
+                        type: object
+                      type: array
                     resourceCount:
                       type: integer
                   required:
                   - resourceCount
                   type: object
                 type: object
+            required:
+            - compositionGeneration
+            - inputGeneration
             type: object
         type: object
     served: true