Merge pull request #12 from appuio/feat/aggregated-roles

simu · web-flow · commit cbf6aca03cde · 2023-06-13T10:18:02.000+02:00
Aggregate permissions for upgrade controller custom resources to `view` and `edit` cluster roles
diff --git a/class/openshift-upgrade-controller.yml b/class/openshift-upgrade-controller.yml
@@ -8,6 +8,7 @@ parameters:
       - input_paths:
           - ${_base_directory}/component/main.jsonnet
           - ${_base_directory}/component/cluster-version.jsonnet
+          - ${_base_directory}/component/rbac.jsonnet
         input_type: jsonnet
         output_path: openshift-upgrade-controller/
 
diff --git a/component/rbac.jsonnet b/component/rbac.jsonnet
@@ -0,0 +1,57 @@
+local kube = import 'lib/kube.libjsonnet';
+
+local aggregatedRoles = [
+  kube.ClusterRole('syn:openshift-upgrade-controller:view') {
+    metadata+: {
+      labels+: {
+        'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
+        'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
+        'rbac.authorization.k8s.io/aggregate-to-view': 'true',
+      },
+    },
+    rules: [
+      {
+        apiGroups: 'managedupgrade.appuio.io',
+        resources: [
+          'clusterversions',
+          'upgradeconfigs',
+          'upgradejobs',
+        ],
+        verbs: [
+          'get',
+          'list',
+          'watch',
+        ],
+      },
+    ],
+  },
+  kube.ClusterRole('syn:openshift-upgrade-controller:edit') {
+    metadata+: {
+      labels+: {
+        'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
+        'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
+      },
+    },
+    rules: [
+      {
+        apiGroups: 'managedupgrade.appuio.io',
+        resources: [
+          'clusterversions',
+          'upgradeconfigs',
+          'upgradejobs',
+        ],
+        verbs: [
+          'create',
+          'delete',
+          'deletecollection',
+          'patch',
+          'update',
+        ],
+      },
+    ],
+  },
+];
+
+{
+  '30_rbac': aggregatedRoles,
+}
diff --git a/tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/30_rbac.yaml b/tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/30_rbac.yaml
@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: syn-openshift-upgrade-controller-view
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+    rbac.authorization.k8s.io/aggregate-to-view: 'true'
+  name: syn:openshift-upgrade-controller:view
+rules:
+  - apiGroups: managedupgrade.appuio.io
+    resources:
+      - clusterversions
+      - upgradeconfigs
+      - upgradejobs
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: syn-openshift-upgrade-controller-edit
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+  name: syn:openshift-upgrade-controller:edit
+rules:
+  - apiGroups: managedupgrade.appuio.io
+    resources:
+      - clusterversions
+      - upgradeconfigs
+      - upgradejobs
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
