Add scaffolded CRD viewer and editor roles in config/rbac/kustomizati…

…on.yaml
kubernetes-sigs · Apr 5, 2024 · 22ac247 · 22ac247
1 parent 6bcd440
commit 22ac247
Show file tree

Hide file tree

Showing 15 changed files with 1,692 additions and 132 deletions.
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml
@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- projectconfig_editor_role.yaml
+- projectconfig_viewer_role.yaml
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml
@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- cronjob_editor_role.yaml
+- cronjob_viewer_role.yaml
diff --git a/docs/book/src/getting-started.md b/docs/book/src/getting-started.md
@@ -464,7 +464,6 @@ After making the necessary changes, run the `make generate` command. This will p
 <h1>RBAC generate under config/rbac</h1>
 
 For each Kind, Kubebuilder will generate scaffold rules with view and edit permissions. (i.e. `memcached_editor_role.yaml` and `memcached_viewer_role.yaml`)
-Those rules are not applied on the cluster when you deploy your solution with `make deploy IMG=myregistery/example:1.0.0`.
 Those rules are aimed to help system admins know what to allow when granting permissions to a group of users.
 
 </aside>

diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml
@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- memcached_editor_role.yaml
+- memcached_viewer_role.yaml
diff --git a/pkg/plugin/util/util.go b/pkg/plugin/util/util.go
@@ -80,6 +80,23 @@ func InsertCode(filename, target, code string) error {
 	return os.WriteFile(filename, []byte(out), 0644)
 }
 
+// InsertCodeIfNotExist insert code if it does not already exists
+func InsertCodeIfNotExist(filename, target, code string) error {
+	// false positive
+	// nolint:gosec
+	contents, err := os.ReadFile(filename)
+	if err != nil {
+		return err
+	}
+
+	idx := strings.Index(string(contents), code)
+	if idx != -1 {
+		return nil
+	}
+
+	return InsertCode(filename, target, code)
+}
+
 // UncommentCode searches for target in the file and remove the comment prefix
 // of the target content. The target content may span multiple lines.
 func UncommentCode(filename, target, prefix string) error {

diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/api.go b/pkg/plugins/common/kustomize/v2/scaffolds/api.go
@@ -18,6 +18,7 @@ package scaffolds
 
 import (
 	"fmt"
+	"strings"
 
 	pluginutil "sigs.k8s.io/kubebuilder/v3/pkg/plugin/util"
 	"sigs.k8s.io/kubebuilder/v3/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/crd"
@@ -98,6 +99,30 @@ func (s *apiScaffolder) Scaffold() error {
 					"%s.", kustomizeFilePath)
 			}
 		}
+
+		// Add scaffolded CRD Editor and Viewer roles in config/rbac/kustomization.yaml
+		rbacKustomizeFilePath := "config/rbac/kustomization.yaml"
+		comment := `
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.`
+		err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath,
+			"- auth_proxy_client_clusterrole.yaml", comment)
+		if err != nil {
+			log.Errorf("Unable to add a comment in the file "+
+				"%s.", rbacKustomizeFilePath)
+		}
+		crdName := strings.ToLower(s.resource.Kind)
+		if s.config.IsMultiGroup() && s.resource.Group != "" {
+			crdName = strings.ToLower(s.resource.Group) + "_" + crdName
+		}
+		err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, comment,
+			fmt.Sprintf("\n- %[1]s_editor_role.yaml\n- %[1]s_viewer_role.yaml", crdName))
+		if err != nil {
+			log.Errorf("Unable to add Editor and Viewer roles in the file "+
+				"%s.", rbacKustomizeFilePath)
+		}
 	}
 
 	return nil

diff --git a/test/e2e/v4/plugin_cluster_test.go b/test/e2e/v4/plugin_cluster_test.go
@@ -271,21 +271,6 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) {
 		return err
 	}, time.Minute, time.Second).Should(Succeed())
 
-	By("applying the CRD Editor Role")
-	crdEditorRole := filepath.Join("config", "rbac",
-		fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(kbc.Kind)))
-	EventuallyWithOffset(1, func() error {
-		_, err = kbc.Kubectl.Apply(true, "-f", crdEditorRole)
-		return err
-	}, time.Minute, time.Second).Should(Succeed())
-
-	By("applying the CRD Viewer Role")
-	crdViewerRole := filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(kbc.Kind)))
-	EventuallyWithOffset(1, func() error {
-		_, err = kbc.Kubectl.Apply(true, "-f", crdViewerRole)
-		return err
-	}, time.Minute, time.Second).Should(Succeed())
-
 	By("validating that the created resource object gets reconciled in the controller")
 	metricsOutput := curlMetrics(kbc)
 	ExpectWithOffset(1, metricsOutput).To(ContainSubstring(fmt.Sprintf(

diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml
@@ -16,3 +16,27 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- lakers_editor_role.yaml
+- lakers_viewer_role.yaml
+- fiz_bar_editor_role.yaml
+- fiz_bar_viewer_role.yaml
+- foo_bar_editor_role.yaml
+- foo_bar_viewer_role.yaml
+- foo.policy_healthcheckpolicy_editor_role.yaml
+- foo.policy_healthcheckpolicy_viewer_role.yaml
+- sea-creatures_leviathan_editor_role.yaml
+- sea-creatures_leviathan_viewer_role.yaml
+- sea-creatures_kraken_editor_role.yaml
+- sea-creatures_kraken_viewer_role.yaml
+- ship_cruiser_editor_role.yaml
+- ship_cruiser_viewer_role.yaml
+- ship_destroyer_editor_role.yaml
+- ship_destroyer_viewer_role.yaml
+- ship_frigate_editor_role.yaml
+- ship_frigate_viewer_role.yaml
+- crew_captain_editor_role.yaml
+- crew_captain_viewer_role.yaml