From 53f85879ec157c7c14c47d58e5d39bdfb876d2db Mon Sep 17 00:00:00 2001
From: Yuedong Wu <57584831+lunarwhite@users.noreply.github.com>
Date: Fri, 1 Mar 2024 13:09:57 +0000
Subject: [PATCH] Add CRD viewer and editor roles in rbac/kustomization.yaml
---
 .../project/config/rbac/kustomization.yaml | 6 +
 .../project/config/rbac/kustomization.yaml | 6 +
 docs/book/src/getting-started.md | 1 -
 .../project/config/rbac/kustomization.yaml | 6 +
 pkg/plugin/util/util.go | 17 ++
 .../common/kustomize/v2/scaffolds/api.go | 22 +++
 test/e2e/v4/plugin_cluster_test.go | 15 --
 .../config/rbac/kustomization.yaml | 22 +++
 .../config/rbac/kustomization.yaml | 22 +++
 .../config/rbac/kustomization.yaml | 8 +
 .../dist/install.yaml | 116 ++++++++++++
 .../project-v4/config/rbac/kustomization.yaml | 10 +
 testdata/project-v4/dist/install.yaml | 174 ++++++++++++++++++
 13 files changed, 409 insertions(+), 16 deletions(-)
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml
index 731832a6ac3..a15cdf55131 100644
--- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml
+++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml
@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- projectconfig_editor_role.yaml
+- projectconfig_viewer_role.yaml
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml
index 731832a6ac3..c763b769ecf 100644
--- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml
+++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml
@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- cronjob_editor_role.yaml
+- cronjob_viewer_role.yaml
diff --git a/docs/book/src/getting-started.md b/docs/book/src/getting-started.md
index a55fea6de6f..c894af48c80 100644
--- a/docs/book/src/getting-started.md
+++ b/docs/book/src/getting-started.md
@@ -464,7 +464,6 @@ After making the necessary changes, run the `make generate` command. This will p

RBAC generate under config/rbac

For each Kind, Kubebuilder will generate scaffold rules with view and edit permissions. (i.e. `memcached_editor_role.yaml` and `memcached_viewer_role.yaml`)
-Those rules are not applied on the cluster when you deploy your solution with `make deploy IMG=myregistery/example:1.0.0`.
 Those rules are aimed to help system admins know what to allow when granting permissions to a group of users.
diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml
index 731832a6ac3..0e7aee13091 100644
--- a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml
+++ b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml
@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- memcached_editor_role.yaml
+- memcached_viewer_role.yaml
diff --git a/pkg/plugin/util/util.go b/pkg/plugin/util/util.go
index d4b34d5d616..ebf5418adda 100644
--- a/pkg/plugin/util/util.go
+++ b/pkg/plugin/util/util.go
@@ -80,6 +80,23 @@ func InsertCode(filename, target, code string) error {
 return os.WriteFile(filename, []byte(out), 0644)
 }
 
+// InsertCodeIfNotExist insert code if it does not already exists
+func InsertCodeIfNotExist(filename, target, code string) error {
+ // false positive
+ // nolint:gosec
+ contents, err := os.ReadFile(filename)
+ if err != nil {
+ return err
+ }
+
+ idx := strings.Index(string(contents), code)
+ if idx != -1 {
+ return nil
+ }
+
+ return InsertCode(filename, target, code)
+}
+
 // UncommentCode searches for target in the file and remove the comment prefix
 // of the target content. The target content may span multiple lines.
 func UncommentCode(filename, target, prefix string) error {
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/api.go b/pkg/plugins/common/kustomize/v2/scaffolds/api.go
index 21afda71155..654ac8dbfc7 100644
--- a/pkg/plugins/common/kustomize/v2/scaffolds/api.go
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/api.go
@@ -18,6 +18,7 @@ package scaffolds
 import (
 "fmt"
+ "strings"
 
 pluginutil "sigs.k8s.io/kubebuilder/v3/pkg/plugin/util"
 "sigs.k8s.io/kubebuilder/v3/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/crd"
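Review bot: The existence check `idx := strings.Index(string(contents), code)` searches the whole file rather than the region after `target`, so any earlier occurrence of `code` suppresses the insert; that is what the api.go caller relies on, but it belongs in the doc comment, which also has a grammar slip. Suggested: `// InsertCodeIfNotExist inserts code after target unless code already appears anywhere in the file, in which case it is a no-op and returns nil.` The index is only ever compared with -1, so `if strings.Contains(string(contents), code) { return nil }` says the same in one line. The `os.ReadFile` error is returned bare; wrapping it as `fmt.Errorf("reading %s: %w", filename, err)` would name the file for the callers that only log the message, provided fmt is already imported in this file, which the hunk does not show.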
@@ -98,6 +99,27 @@ func (s *apiScaffolder) Scaffold() error {
 "%s.", kustomizeFilePath)
 }
 }
+
+ // Add scaffolded CRD Editor and Viewer roles in config/rbac/kustomization.yaml
+ rbacKustomizeFilePath := "config/rbac/kustomization.yaml"
+ comment := `
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.`
+ err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath,
+ "- auth_proxy_client_clusterrole.yaml", comment)
+ if err != nil {
+ log.Errorf("Unable to add a comment in the file "+
+ "%s.", rbacKustomizeFilePath)
+ }
+ crdKind := strings.ToLower(s.resource.Kind)
+ err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, comment,
+ fmt.Sprintf("\n- %[1]s_editor_role.yaml\n- %[1]s_viewer_role.yaml", crdKind))
+ if err != nil {
+ log.Errorf("Unable to add Editor and Viewer roles in the file "+
+ "%s.", rbacKustomizeFilePath)
+ }
 }
 return nil
diff --git a/test/e2e/v4/plugin_cluster_test.go b/test/e2e/v4/plugin_cluster_test.go
index a757e793dbc..02588eec066 100644
--- a/test/e2e/v4/plugin_cluster_test.go
+++ b/test/e2e/v4/plugin_cluster_test.go
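Review bot: Both new `log.Errorf` calls discard the `err` they branch on, so when `InsertCodeIfNotExist` fails the log names the file but not the cause; `log.Errorf("Unable to add a comment in the file %s: %v", rbacKustomizeFilePath, err)` (and the same for the roles message) keeps it. The second insert uses `comment` as its `target`, so if the first insert failed because `- auth_proxy_client_clusterrole.yaml` was absent, the second presumably fails the same way and logs a second, redundant error; guarding it with `if err == nil {` would make the dependency explicit. Swallowing the error matches the crd kustomization handling just above, but it means a scaffold that silently omits the editor/viewer roles still returns nil; Scaffold begins before this hunk. The scaffolded comment also tells admins the roles will be installed with the solution, and the install.yaml hunks show only `ClusterRole` objects added with no binding, so a line such as `# They are cluster-scoped and grant nothing until bound.` would complete the picture for the reader it addresses.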
@@ -271,21 +271,6 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) {
 return err
 }, time.Minute, time.Second).Should(Succeed())
 
- By("applying the CRD Editor Role")
- crdEditorRole := filepath.Join("config", "rbac",
- fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(kbc.Kind)))
- EventuallyWithOffset(1, func() error {
- _, err = kbc.Kubectl.Apply(true, "-f", crdEditorRole)
- return err
- }, time.Minute, time.Second).Should(Succeed())
-
- By("applying the CRD Viewer Role")
- crdViewerRole := filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(kbc.Kind)))
- EventuallyWithOffset(1, func() error {
- _, err = kbc.Kubectl.Apply(true, "-f", crdViewerRole)
- return err
- }, time.Minute, time.Second).Should(Succeed())
-
 By("validating that the created resource object gets reconciled in the controller")
 metricsOutput := curlMetrics(kbc)
 ExpectWithOffset(1, metricsOutput).To(ContainSubstring(fmt.Sprintf(
diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml
index 731832a6ac3..93f9737759c 100644
--- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml
+++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml
@@ -16,3 +16,25 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- lakers_editor_role.yaml
+- lakers_viewer_role.yaml
+- bar_editor_role.yaml
+- bar_viewer_role.yaml
+- healthcheckpolicy_editor_role.yaml
+- healthcheckpolicy_viewer_role.yaml
+- leviathan_editor_role.yaml
+- leviathan_viewer_role.yaml
+- kraken_editor_role.yaml
+- kraken_viewer_role.yaml
+- cruiser_editor_role.yaml
+- cruiser_viewer_role.yaml
+- destroyer_editor_role.yaml
+- destroyer_viewer_role.yaml
+- frigate_editor_role.yaml
+- frigate_viewer_role.yaml
+- captain_editor_role.yaml
+- captain_viewer_role.yaml
diff --git a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml
index 731832a6ac3..93f9737759c 100644
--- a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml
@@ -16,3 +16,25 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- lakers_editor_role.yaml
+- lakers_viewer_role.yaml
+- bar_editor_role.yaml
+- bar_viewer_role.yaml
+- healthcheckpolicy_editor_role.yaml
+- healthcheckpolicy_viewer_role.yaml
+- leviathan_editor_role.yaml
+- leviathan_viewer_role.yaml
+- kraken_editor_role.yaml
+- kraken_viewer_role.yaml
+- cruiser_editor_role.yaml
+- cruiser_viewer_role.yaml
+- destroyer_editor_role.yaml
+- destroyer_viewer_role.yaml
+- frigate_editor_role.yaml
+- frigate_viewer_role.yaml
+- captain_editor_role.yaml
+- captain_viewer_role.yaml
diff --git a/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml
index 731832a6ac3..2763dcf398a 100644
--- a/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml
+++ b/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml
@@ -16,3 +16,11 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- busybox_editor_role.yaml
+- busybox_viewer_role.yaml
+- memcached_editor_role.yaml
+- memcached_viewer_role.yaml
diff --git a/testdata/project-v4-with-deploy-image/dist/install.yaml b/testdata/project-v4-with-deploy-image/dist/install.yaml
index e439551580e..7c3de5749f2 100644
--- a/testdata/project-v4-with-deploy-image/dist/install.yaml
+++ b/testdata/project-v4-with-deploy-image/dist/install.yaml
@@ -340,6 +340,64 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-with-deploy-image + app.kubernetes.io/instance: busybox-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-with-deploy-image + name: project-v4-with-deploy-image-busybox-editor-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-with-deploy-image + app.kubernetes.io/instance: busybox-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-with-deploy-image + name: project-v4-with-deploy-image-busybox-viewer-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes + verbs: + - get + - list + - watch +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: project-v4-with-deploy-image-manager-role rules: 
@@ -425,6 +483,64 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-with-deploy-image + app.kubernetes.io/instance: memcached-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-with-deploy-image + name: project-v4-with-deploy-image-memcached-editor-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-with-deploy-image + app.kubernetes.io/instance: memcached-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-with-deploy-image + name: project-v4-with-deploy-image-memcached-viewer-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds + verbs: + - get + - list + - watch +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/component: kube-rbac-proxy diff --git a/testdata/project-v4/config/rbac/kustomization.yaml b/testdata/project-v4/config/rbac/kustomization.yaml index 731832a6ac3..e0fb32bdc03 100644 --- a/testdata/project-v4/config/rbac/kustomization.yaml +++ b/testdata/project-v4/config/rbac/kustomization.yaml 
@@ -16,3 +16,13 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- admiral_editor_role.yaml
+- admiral_viewer_role.yaml
+- firstmate_editor_role.yaml
+- firstmate_viewer_role.yaml
+- captain_editor_role.yaml
+- captain_viewer_role.yaml
diff --git a/testdata/project-v4/dist/install.yaml b/testdata/project-v4/dist/install.yaml
index 53cf691e997..adc1f4bb4e5 100644
--- a/testdata/project-v4/dist/install.yaml
+++ b/testdata/project-v4/dist/install.yaml
@@ -259,6 +259,180 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/instance: admiral-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-admiral-editor-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - admirales + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crew.testproject.org + resources: + - admirales/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/instance: admiral-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-admiral-viewer-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - admirales + verbs: + - get + - list + - watch +- apiGroups: + - crew.testproject.org + resources: + - admirales/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/instance: captain-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-captain-editor-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - captains + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crew.testproject.org + resources: + - captains/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: 
project-v4 + app.kubernetes.io/instance: captain-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-captain-viewer-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - captains + verbs: + - get + - list + - watch +- apiGroups: + - crew.testproject.org + resources: + - captains/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/instance: firstmate-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-firstmate-editor-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - firstmates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crew.testproject.org + resources: + - firstmates/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/instance: firstmate-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-firstmate-viewer-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - firstmates + verbs: + - get + - list + - watch +- apiGroups: + - crew.testproject.org + resources: + - firstmates/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: project-v4-manager-role rules: