feat: add generic sync chart permissions
FabianKramm committed Aug 12, 2024
1 parent 093889f commit 9efb2a1
Showing 9 changed files with 233 additions and 15 deletions.
32 changes: 32 additions & 0 deletions chart/templates/_rbac.tpl
Expand Up @@ -33,6 +33,8 @@
(eq (toString .Values.sync.fromHost.csiDrivers.enabled) "true")
(eq (toString .Values.sync.fromHost.csiStorageCapacities.enabled) "true")
.Values.sync.fromHost.nodes.enabled
.Values.sync.toHost.customResourceDefinitions
.Values.sync.fromHost.customResourceDefinitions
.Values.integrations.kubeVirt.enabled
(and .Values.integrations.metricsServer.enabled .Values.integrations.metricsServer.nodes)
.Values.experimental.multiNamespaceMode.enabled -}}
Expand Down Expand Up @@ -121,6 +123,36 @@
{{- end }}
{{- end -}}

{{/*
Role rules defined in generic syncer
*/}}
{{- define "vcluster.customResourceDefinitions.roleExtraRules" -}}
{{- if .Values.sync.toHost.customResourceDefinitions }}
{{- range $crdName, $rule := .Values.sync.toHost.customResourceDefinitions }}
{{- if $rule.enabled }}
- resources: [ "{{ (splitn "." 2 $crdName)._0 }}" ]
apiGroups: [ "{{ (splitn "." 2 $crdName)._1 }}" ]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

{{/*
Cluster role rules defined in generic syncer
*/}}
{{- define "vcluster.customResourceDefinitions.clusterRoleExtraRules" -}}
{{- if .Values.sync.fromHost.customResourceDefinitions }}
{{- range $crdName, $rule := .Values.sync.fromHost.customResourceDefinitions }}
{{- if $rule.enabled }}
- resources: [ "{{ (splitn "." 2 $crdName)._0 }}" ]
apiGroups: [ "{{ (splitn "." 2 $crdName)._1 }}" ]
verbs: ["get", "list", "watch"]
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

{{/*
Cluster role rules defined in generic syncer
*/}}
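Review bot: The header comment on the new `vcluster.customResourceDefinitions.clusterRoleExtraRules` define (`Cluster role rules defined in generic syncer`) is copied from the generic-syncer block that follows it, so the two comments are now identical and the new one misdescribes what it emits; suggest `Cluster role rules for CRDs synced from the host (sync.fromHost.customResourceDefinitions)` there and `Role rules for CRDs synced to the host (sync.toHost.customResourceDefinitions)` on the role define. Both defines also assume every map key is `<resource>.<group>`: a key with no dot leaves `(splitn "." 2 $crdName)._1` unset, so apiGroups renders empty (presumably the core API group, depending on how Helm renders the missing key) and the toHost variant would then grant create/delete/patch/update on a core resource of that name. A guard inside each range such as `{{- if not (contains "." $crdName) }}{{ fail (printf "customResourceDefinitions key %q must be <resource>.<group>" $crdName) }}{{- end }}` would turn that mistake into a render-time error instead of an over-broad rule.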
11 changes: 6 additions & 5 deletions chart/templates/clusterrole.yaml
Expand Up @@ -112,16 +112,17 @@ rules:
resources: ["nodes"]
verbs: ["get", "list"]
{{- end }}
{{- if .Values.integrations.kubeVirt.enabled }}
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
{{- end }}
{{- if and .Values.integrations.kubeVirt.enabled .Values.integrations.kubeVirt.webhook.enabled }}
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch"]
{{- end }}
{{- if or .Values.integrations.kubeVirt.enabled .Values.sync.toHost.customResourceDefinitions .Values.sync.fromHost.customResourceDefinitions }}
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
{{- end }}
{{- include "vcluster.customResourceDefinitions.clusterRoleExtraRules" . | indent 2 }}
{{- include "vcluster.plugin.clusterRoleExtraRules" . | indent 2 }}
{{- include "vcluster.generic.clusterRoleExtraRules" . | indent 2 }}
{{- include "vcluster.rbac.clusterRoleExtraRules" . | indent 2 }}
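Review bot: The new `or` condition on the `apiextensions.k8s.io` rule is true whenever `sync.toHost.customResourceDefinitions` or `sync.fromHost.customResourceDefinitions` is a non-empty map, including when every entry is `enabled: false`, so a fully disabled CRD configuration still grants cluster-wide get/list/watch on customresourcedefinitions. The per-entry defines in `_rbac.tpl` already check `$rule.enabled`, so this rule is the only place where map presence rather than an enabled flag decides; a small helper that ranges over both maps and emits "true" when any entry is enabled would keep this rule consistent with them. The `integrations.kubeVirt.enabled` branch of the condition keeps its previous behaviour.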
1 change: 1 addition & 0 deletions chart/templates/role.yaml
Expand Up @@ -94,6 +94,7 @@ rules:
resources: ["virtualmachines", "virtualmachines/status", "virtualmachineinstances", "virtualmachineinstances/status", "virtualmachineinstancemigrations", "virtualmachineinstancemigrations/status"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- include "vcluster.customResourceDefinitions.roleExtraRules" . | indent 2 }}
{{- include "vcluster.plugin.roleExtraRules" . | indent 2 }}
{{- include "vcluster.generic.roleExtraRules" . | indent 2 }}
{{- include "vcluster.rbac.roleExtraRules" . | indent 2 }}
52 changes: 52 additions & 0 deletions chart/tests/clusterrole_test.yaml
Expand Up @@ -323,3 +323,55 @@ tests:
apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch"]

- it: crd sync to host
set:
sync:
toHost:
customResourceDefinitions:
test.test-group:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
content:
apiGroups: [ "apiextensions.k8s.io" ]
resources: [ "customresourcedefinitions" ]
verbs: [ "get", "list", "watch" ]

- it: crd sync from host
set:
sync:
fromHost:
customResourceDefinitions:
test.test-group:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 2
- contains:
path: rules
content:
apiGroups: [ "test-group" ]
resources: [ "test" ]
verbs: [ "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "apiextensions.k8s.io" ]
resources: [ "customresourcedefinitions" ]
verbs: [ "get", "list", "watch" ]
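Review bot: Neither new case covers an entry with `enabled: false`, so these tests cannot tell whether a disabled fromHost entry still produces its get/list/watch rule in the cluster role (the role tests include a disabled entry but only assert the enabled ones). A third case with `test.test-group: {enabled: false}` under `fromHost`, asserting `lengthEqual: {path: rules, count: 1}` and a `notContains` for the `test-group` rule, would pin that down. Both `lengthEqual` counts also assume no other rule is enabled by default; a short comment on the first one saying so would save the next editor a guess when a default rule is added.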
71 changes: 71 additions & 0 deletions chart/tests/role_test.yaml
Expand Up @@ -213,3 +213,74 @@ tests:
apiGroups: [ "pool.kubevirt.io" ]
resources: [ "virtualmachinepools", "virtualmachinepools/status" ]
verbs: [ "create", "delete", "patch", "update", "get", "list", "watch" ]

- it: crd sync
set:
sync:
toHost:
customResourceDefinitions:
test.my-group:
enabled: false
test.my-group-2:
enabled: true
tests.my-group-3.com:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Role
- lengthEqual:
path: rules
count: 7
- contains:
path: rules
content:
apiGroups: [ "my-group-2" ]
resources: [ "test" ]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: [ "my-group-3.com" ]
resources: [ "tests" ]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]

- it: translate
set:
sync:
toHost:
customResourceDefinitions:
test.my-group-2:
enabled: true
translate:
- path: "test"
expression:
toHost: "test"
release:
name: my-release
namespace: my-namespace
asserts:
- notFailedTemplate: {}

- it: translate 2
set:
sync:
toHost:
customResourceDefinitions:
test.my-group-2:
enabled: true
translate:
- path: "test"
reference:
apiVersion: "v1"
kind: "Secret"
release:
name: my-release
namespace: my-namespace
asserts:
- notFailedTemplate: {}
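Review bot: The `translate` and `translate 2` cases assert only `notFailedTemplate`, which passes for any values the template renders, so they exercise the new `oneOf`/`required` constraints in `values.schema.json` only if the unittest runner validates values against the schema (worth confirming). A negative case — a patch that sets both `expression` and `reference`, or a `reference` without `kind`, asserted with `failedTemplate` — would show the schema is actually enforced; as written, a regression in the schema would go unnoticed. The `crd sync` case's `count: 7` hard-codes the total number of default rules plus the two enabled entries, so a comment on that assert naming what the seven rules are would help whoever adds the next default rule.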
47 changes: 45 additions & 2 deletions chart/values.schema.json
Expand Up @@ -2985,6 +2985,20 @@
"type": "object"
},
"TranslatePatch": {
"oneOf": [
{
"required": [
"expression"
],
"title": "expression"
},
{
"required": [
"reference"
],
"title": "reference"
}
],
"properties": {
"path": {
"type": "string",
Expand All @@ -3000,9 +3014,26 @@
}
},
"additionalProperties": false,
"type": "object"
"type": "object",
"required": [
"path"
]
},
"TranslatePatchExpression": {
"oneOf": [
{
"required": [
"toHost"
],
"title": "toHost"
},
{
"required": [
"fromHost"
],
"title": "fromHost"
}
],
"properties": {
"toHost": {
"type": "string",
Expand All @@ -3025,10 +3056,22 @@
"kind": {
"type": "string",
"description": "Kind is the kind of the referenced object."
},
"namePath": {
"type": "string",
"description": "NamePath is the optional path to the reference name within the object. If omitted namePath equals to the\ntranslate patch path."
},
"namespacePath": {
"type": "string",
"description": "NamespacePath is the optional path to the reference namespace within the object. If omitted namespacePath equals to the\nmetadata.namespace path of the object."
}
},
"additionalProperties": false,
"type": "object"
"type": "object",
"required": [
"apiVersion",
"kind"
]
},
"ValidatingWebhook": {
"properties": {
22 changes: 15 additions & 7 deletions config/config.go
Expand Up @@ -445,29 +445,37 @@ type SyncToHostCustomResourceDefinition struct {

type TranslatePatch struct {
// Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
Path string `json:"path,omitempty"`
Path string `json:"path,omitempty" jsonschema:"required"`

// Expression transforms the value according to the given JavaScript expression.
Expression *TranslatePatchExpression `json:"expression,omitempty"`
Expression *TranslatePatchExpression `json:"expression,omitempty" jsonschema:"oneof_required=expression"`

// Reference rewrites the value value according to the name.
Reference *TranslatePatchReference `json:"reference,omitempty"`
Reference *TranslatePatchReference `json:"reference,omitempty" jsonschema:"oneof_required=reference"`
}

type TranslatePatchReference struct {
// APIVersion is the apiVersion of the referenced object.
APIVersion string `json:"apiVersion,omitempty"`
APIVersion string `json:"apiVersion,omitempty" jsonschema:"required"`

// Kind is the kind of the referenced object.
Kind string `json:"kind,omitempty"`
Kind string `json:"kind,omitempty" jsonschema:"required"`

// NamePath is the optional path to the reference name within the object. If omitted namePath equals to the
// translate patch path.
NamePath string `json:"namePath,omitempty"`

// NamespacePath is the optional path to the reference namespace within the object. If omitted namespacePath equals to the
// metadata.namespace path of the object.
NamespacePath string `json:"namespacePath,omitempty"`
}

type TranslatePatchExpression struct {
// ToHost is the expression to apply when retrieving a change from virtual to host.
ToHost string `json:"toHost,omitempty"`
ToHost string `json:"toHost,omitempty" jsonschema:"oneof_required=toHost"`

// FromHost is the patch to apply when retrieving a change from host to virtual.
FromHost string `json:"fromHost,omitempty"`
FromHost string `json:"fromHost,omitempty" jsonschema:"oneof_required=fromHost"`
}

type SyncFromHostCustomResourceDefinition struct {
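Review bot: The fields newly tagged `jsonschema:"required"` (`Path`, `APIVersion`, `Kind`) keep `omitempty`, so a value marshalled from these structs with an empty field yields JSON that the generated schema rejects, and none of the doc comments say the field is mandatory. Suggest stating the contract in the comments, e.g. `// Path is the path within the patch to target. Required. If the path is not found within the patch, the patch is not applied.`, the same for `APIVersion` and `Kind`, and a sentence on `TranslatePatch` that exactly one of `Expression` or `Reference` must be set (and on `TranslatePatchExpression` that exactly one of `ToHost` or `FromHost` is), which is what the `oneOf` groups in the schema enforce. The `FromHost` comment still calls it "the patch" while `ToHost` says "the expression"; aligning both on `expression` would avoid confusion. The `SyncToHostCustomResourceDefinition` type named in the hunk header starts outside the hunk.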
10 changes: 10 additions & 0 deletions pkg/config/validation.go
Expand Up @@ -111,6 +111,12 @@ func ValidateConfigAndSetDefaults(config *VirtualClusterConfig) error {
config.ControlPlane.Advanced.WorkloadServiceAccount.Name = "vc-workload-" + config.Name
}

// pro validate config
err = ProValidateConfig(config)
if err != nil {
return err
}

return nil
}

Expand Down Expand Up @@ -458,3 +464,7 @@ func validateK0sAndNoExperimentalKubeconfig(c *VirtualClusterConfig) error {
}
return nil
}

var ProValidateConfig = func(_ *VirtualClusterConfig) error {
return nil
}
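Review bot: `ProValidateConfig` is an exported, mutable package-level func variable with no doc comment, so any importer can reassign it at runtime, silently disabling the validation step that `ValidateConfigAndSetDefaults` now runs, and a reassignment after startup would race with concurrent callers. If it must stay a variable (presumably replaced by the pro build at init), document the contract: `// ProValidateConfig is called by ValidateConfigAndSetDefaults after defaults are applied. It is overridden once at package init by the pro build and must not be reassigned afterwards.`. The returned error is passed through unwrapped, so callers cannot distinguish a pro-validation failure from the earlier checks; `return fmt.Errorf("pro config validation: %w", err)` would add that context if `fmt` is already imported in this file. `ValidateConfigAndSetDefaults` starts outside the hunk.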
2 changes: 1 addition & 1 deletion pkg/util/translate/single_namespace.go
Expand Up @@ -62,7 +62,7 @@ func (s *singleNamespace) HostNameShort(ctx *synccontext.SyncContext, vName, vNa
// we use base36 to avoid as much conflicts as possible
digest := sha256.Sum256([]byte(strings.Join([]string{vName, "x", vNamespace, "x", VClusterName}, "-")))
return types.NamespacedName{
Name: base36.EncodeBytes(digest[:])[0:10],
Name: "v" + base36.EncodeBytes(digest[:])[0:13], // needs to start with a character for certain objects (e.g. services)
Namespace: s.HostNamespace(ctx, vNamespace),
}
}
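Review bot: Switching the host name from a 10-character digest slice to `"v"` plus 13 characters changes the derived host name of every object the vcluster has already synced, so after an upgrade existing host objects will no longer match the names computed for their virtual counterparts unless a migration is handled elsewhere; that should be stated in the commit message or a comment here. The inline comment covers the prefix but not the longer slice; something like `// "v" prefix: DNS-1035 names (e.g. Services) must start with a letter; 13 base36 chars of the sha256 digest (~67 bits, up from ~52 with 10) reduce collision risk` would record both decisions — the collision rationale is my inference, so replace it with the real one if different. `HostNameShort` starts outside the hunk.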
