Skip to content

Commit

Permalink
Add scaffolded CRD viewer and editor roles in config/rbac/kustomizati…
Browse files Browse the repository at this point in the history
…on.yaml
  • Loading branch information
lunarwhite authored Apr 6, 2024
1 parent a7f6e03 commit a1d8c2c
Show file tree
Hide file tree
Showing 15 changed files with 1,692 additions and 132 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,9 @@ resources:
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml
# For each CRD, "Editor" and "Viewer" roles are scaffolded by
# default, aiding admins in cluster management. Those roles are
# not used by the Project itself. You can comment the following lines
# if you do not want those helpers be installed with your Project.
- projectconfig_editor_role.yaml
- projectconfig_viewer_role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,9 @@ resources:
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml
# For each CRD, "Editor" and "Viewer" roles are scaffolded by
# default, aiding admins in cluster management. Those roles are
# not used by the Project itself. You can comment the following lines
# if you do not want those helpers be installed with your Project.
- cronjob_editor_role.yaml
- cronjob_viewer_role.yaml
1 change: 0 additions & 1 deletion docs/book/src/getting-started.md
Original file line number Diff line number Diff line change
Expand Up @@ -464,7 +464,6 @@ After making the necessary changes, run the `make generate` command. This will p
<h1>RBAC generate under config/rbac</h1>

For each Kind, Kubebuilder will generate scaffold rules with view and edit permissions. (i.e. `memcached_editor_role.yaml` and `memcached_viewer_role.yaml`)
Those rules are not applied on the cluster when you deploy your solution with `make deploy IMG=myregistery/example:1.0.0`.
Those rules are aimed to help system admins know what to allow when granting permissions to a group of users.

</aside>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,9 @@ resources:
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml
# For each CRD, "Editor" and "Viewer" roles are scaffolded by
# default, aiding admins in cluster management. Those roles are
# not used by the Project itself. You can comment the following lines
# if you do not want those helpers be installed with your Project.
- memcached_editor_role.yaml
- memcached_viewer_role.yaml
17 changes: 17 additions & 0 deletions pkg/plugin/util/util.go
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,23 @@ func InsertCode(filename, target, code string) error {
return os.WriteFile(filename, []byte(out), 0644)
}

// InsertCodeIfNotExist insert code if it does not already exists
func InsertCodeIfNotExist(filename, target, code string) error {
// false positive
// nolint:gosec
contents, err := os.ReadFile(filename)
if err != nil {
return err
}

idx := strings.Index(string(contents), code)
if idx != -1 {
return nil
}

return InsertCode(filename, target, code)
}

// UncommentCode searches for target in the file and remove the comment prefix
// of the target content. The target content may span multiple lines.
func UncommentCode(filename, target, prefix string) error {
Expand Down
25 changes: 25 additions & 0 deletions pkg/plugins/common/kustomize/v2/scaffolds/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ package scaffolds

import (
"fmt"
"strings"

pluginutil "sigs.k8s.io/kubebuilder/v3/pkg/plugin/util"
"sigs.k8s.io/kubebuilder/v3/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/crd"
Expand Down Expand Up @@ -98,6 +99,30 @@ func (s *apiScaffolder) Scaffold() error {
"%s.", kustomizeFilePath)
}
}

// Add scaffolded CRD Editor and Viewer roles in config/rbac/kustomization.yaml
rbacKustomizeFilePath := "config/rbac/kustomization.yaml"
comment := `
# For each CRD, "Editor" and "Viewer" roles are scaffolded by
# default, aiding admins in cluster management. Those roles are
# not used by the Project itself. You can comment the following lines
# if you do not want those helpers be installed with your Project.`
err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath,
"- auth_proxy_client_clusterrole.yaml", comment)
if err != nil {
log.Errorf("Unable to add a comment in the file "+
"%s.", rbacKustomizeFilePath)
}
crdName := strings.ToLower(s.resource.Kind)
if s.config.IsMultiGroup() && s.resource.Group != "" {
crdName = strings.ToLower(s.resource.Group) + "_" + crdName
}
err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, comment,
fmt.Sprintf("\n- %[1]s_editor_role.yaml\n- %[1]s_viewer_role.yaml", crdName))
if err != nil {
log.Errorf("Unable to add Editor and Viewer roles in the file "+
"%s.", rbacKustomizeFilePath)
}
}

return nil
Expand Down
15 changes: 0 additions & 15 deletions test/e2e/v4/plugin_cluster_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -269,21 +269,6 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) {
return err
}, time.Minute, time.Second).Should(Succeed())

By("applying the CRD Editor Role")
crdEditorRole := filepath.Join("config", "rbac",
fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(kbc.Kind)))
EventuallyWithOffset(1, func() error {
_, err = kbc.Kubectl.Apply(true, "-f", crdEditorRole)
return err
}, time.Minute, time.Second).Should(Succeed())

By("applying the CRD Viewer Role")
crdViewerRole := filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(kbc.Kind)))
EventuallyWithOffset(1, func() error {
_, err = kbc.Kubectl.Apply(true, "-f", crdViewerRole)
return err
}, time.Minute, time.Second).Should(Succeed())

By("validating that the created resource object gets reconciled in the controller")
metricsOutput := curlMetrics(kbc)
ExpectWithOffset(1, metricsOutput).To(ContainSubstring(fmt.Sprintf(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,27 @@ resources:
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml
# For each CRD, "Editor" and "Viewer" roles are scaffolded by
# default, aiding admins in cluster management. Those roles are
# not used by the Project itself. You can comment the following lines
# if you do not want those helpers be installed with your Project.
- lakers_editor_role.yaml
- lakers_viewer_role.yaml
- fiz_bar_editor_role.yaml
- fiz_bar_viewer_role.yaml
- foo_bar_editor_role.yaml
- foo_bar_viewer_role.yaml
- foo.policy_healthcheckpolicy_editor_role.yaml
- foo.policy_healthcheckpolicy_viewer_role.yaml
- sea-creatures_leviathan_editor_role.yaml
- sea-creatures_leviathan_viewer_role.yaml
- sea-creatures_kraken_editor_role.yaml
- sea-creatures_kraken_viewer_role.yaml
- ship_cruiser_editor_role.yaml
- ship_cruiser_viewer_role.yaml
- ship_destroyer_editor_role.yaml
- ship_destroyer_viewer_role.yaml
- ship_frigate_editor_role.yaml
- ship_frigate_viewer_role.yaml
- crew_captain_editor_role.yaml
- crew_captain_viewer_role.yaml
Loading

0 comments on commit a1d8c2c

Please sign in to comment.