Milo IAM resources

.github/workflows/publish.yaml

@@ -11,7 +11,7 @@ jobs:
       id-token: write
       contents: read
       packages: write
-    uses: datum-cloud/actions/.github/workflows/publish-docker.yaml@v1.5.0
+    uses: datum-cloud/actions/.github/workflows/publish-docker.yaml@v1.5.1
     with:
       image-name: workload-operator
     secrets: inherit
@@ -21,7 +21,7 @@ jobs:
       id-token: write
       contents: read
       packages: write
-    uses: datum-cloud/actions/.github/workflows/publish-kustomize-bundle.yaml@v1.5.0
+    uses: datum-cloud/actions/.github/workflows/publish-kustomize-bundle.yaml@v1.5.1
     with:
       bundle-name: ghcr.io/datum-cloud/workload-operator-kustomize
       bundle-path: config

config/iam/kustomization.yaml

@@ -0,0 +1,12 @@
+# This kustomization program is used to create all of the Milo IAM resources to
+# configure the roles that are available to users and the resources protected by
+# the IAM system.
+#
+# This is created as a component so it can be included with other
+# kustomizations.
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - protected-resources/
+  - roles/

config/iam/protected-resources/instance.yaml

@@ -0,0 +1,22 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: compute.datumapis.com-instance
+spec:
+  serviceRef:
+    name: "compute.datumapis.com"
+  kind: Instance
+  plural: instances
+  singular: instance
+  permissions:
+    - list
+    - get
+    - create
+    - patch
+    - update
+    - delete
+    - watch
+    - updateStatus
+  parentResources:
+    - apiGroup: resourcemanager.miloapis.com
+      kind: Project

config/iam/protected-resources/kustomization.yaml

@@ -0,0 +1,11 @@
+# This kustomization program is used to create all of the Milo IAM protected
+# resources to configure the resources that are protected by the IAM system.
+#
+# Each Custom Resource Definition (CRD) exposed by the workload API that needs
+# to be protected by the IAM system should have a corresponding protected
+# resource configuration file in this directory.
+
+resources:
+  - workload.yaml
+  - workload-deployment.yaml
+  - instance.yaml

config/iam/protected-resources/workload-deployment.yaml

@@ -0,0 +1,22 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: compute.datumapis.com-workloaddeployment
+spec:
+  serviceRef:
+    name: "compute.datumapis.com"
+  kind: WorkloadDeployment
+  plural: workloaddeployments
+  singular: workloaddeployment
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - patch
+    - delete
+    - watch
+    - updateStatus
+  parentResources:
+    - apiGroup: resourcemanager.miloapis.com
+      kind: Project

config/iam/protected-resources/workload.yaml

@@ -0,0 +1,22 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: compute.datumapis.com-workload
+spec:
+  serviceRef:
+    name: "compute.datumapis.com"
+  kind: Workload
+  plural: workloads
+  singular: workload
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - patch
+    - delete
+    - watch
+    - updateStatus
+  parentResources:
+    - apiGroup: resourcemanager.miloapis.com
+      kind: Project

config/iam/roles/compute-admin.yaml

@@ -0,0 +1,15 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: compute.datumapis.com-admin
+  annotations:
+    kubernetes.io/display-name: Compute Admin
+    kubernetes.io/description: "Full access to all compute resources"
+spec:
+  launchStage: Beta
+  inheritedRoles:
+    - name: compute.datumapis.com-viewer
+  includedPermissions:
+    - compute.datumapis.com/workloads.create
+    - compute.datumapis.com/workloads.update
+    - compute.datumapis.com/workloads.delete

config/iam/roles/compute-viewer.yaml

@@ -0,0 +1,19 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: compute.datumapis.com-viewer
+  annotations:
+    kubernetes.io/display-name: Compute Viewer
+    kubernetes.io/description: "View access to all compute resources"
+spec:
+  launchStage: Beta
+  includedPermissions:
+    - compute.datumapis.com/workloads.list
+    - compute.datumapis.com/workloads.get
+    - compute.datumapis.com/workloads.watch
+    - compute.datumapis.com/workloaddeployments.list
+    - compute.datumapis.com/workloaddeployments.get
+    - compute.datumapis.com/workloaddeployments.watch
+    - compute.datumapis.com/instances.list
+    - compute.datumapis.com/instances.get
+    - compute.datumapis.com/instances.watch

config/iam/roles/kustomization.yaml

@@ -0,0 +1,8 @@
+# This kustomization program is used to create all of the Milo IAM roles that
+# are available to users.
+#
+# Each role should have a corresponding configuration file in this directory.
+
+resources:
+  - compute-admin.yaml
+  - compute-viewer.yaml

config/resource-metrics/kustomization.yaml

@@ -5,7 +5,7 @@ configMapGenerator:
   - name: workload-services-metrics
     options:
       labels:
-        telemetry.datumapis.com/resource-metrics-config: "true"
+        telemetry.miloapis.com/resource-metrics-config: "true"
 
     files:
       - instances.yaml

go.mod

@@ -10,12 +10,12 @@ require (
 	github.com/onsi/gomega v1.37.0
 	github.com/stretchr/testify v1.10.0
 	go.datum.net/network-services-operator v0.1.0
-	go.miloapis.com/milo v0.0.0-20250613224328-4b8d8b88be08
+	go.miloapis.com/milo v0.0.0-20250625230108-ec23f7d5c3f5
 	golang.org/x/crypto v0.39.0
 	golang.org/x/sync v0.15.0
 	google.golang.org/protobuf v1.36.6
 	k8s.io/api v0.33.1
-	k8s.io/apimachinery v0.33.1
+	k8s.io/apimachinery v0.33.2
 	k8s.io/client-go v0.33.1
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 	sigs.k8s.io/controller-runtime v0.21.0
@@ -79,6 +79,7 @@ require (
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.41.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
@@ -103,5 +104,5 @@ require (
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	sigs.k8s.io/yaml v1.5.0 // indirect
 )

go.sum

@@ -137,6 +137,8 @@ go.datum.net/network-services-operator v0.1.0 h1:PAXOZ5DdJFgRoeVBPIXhqkCm6DxbP4t
 go.datum.net/network-services-operator v0.1.0/go.mod h1:uloVfxqE+8DgSiMB651X8UC9yECpXbwp/NBstofCceE=
 go.miloapis.com/milo v0.0.0-20250613224328-4b8d8b88be08 h1:4lr7cQLnROPjJGF7CLBmlgCJQws9aWiWeqsUmwVWnBg=
 go.miloapis.com/milo v0.0.0-20250613224328-4b8d8b88be08/go.mod h1:hh74+itTatDKu88z8rOItbrn3g98jei7ecaMKjJpFds=
+go.miloapis.com/milo v0.0.0-20250625230108-ec23f7d5c3f5 h1:aXcqUvOZBwVCybk4hV73DgGC7/xGJ/uDv5gfLCHbOlA=
+go.miloapis.com/milo v0.0.0-20250625230108-ec23f7d5c3f5/go.mod h1:hh74+itTatDKu88z8rOItbrn3g98jei7ecaMKjJpFds=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
@@ -165,6 +167,8 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -236,6 +240,8 @@ k8s.io/apiextensions-apiserver v0.33.1 h1:N7ccbSlRN6I2QBcXevB73PixX2dQNIW0ZRuguE
 k8s.io/apiextensions-apiserver v0.33.1/go.mod h1:uNQ52z1A1Gu75QSa+pFK5bcXc4hq7lpOXbweZgi4dqA=
 k8s.io/apimachinery v0.33.1 h1:mzqXWV8tW9Rw4VeW9rEkqvnxj59k1ezDUl20tFK/oM4=
 k8s.io/apimachinery v0.33.1/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
+k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 k8s.io/apiserver v0.33.1 h1:yLgLUPDVC6tHbNcw5uE9mo1T6ELhJj7B0geifra3Qdo=
 k8s.io/apiserver v0.33.1/go.mod h1:VMbE4ArWYLO01omz+k8hFjAdYfc3GVAYPrhP2tTKccs=
 k8s.io/client-go v0.33.1 h1:ZZV/Ks2g92cyxWkRRnfUDsnhNn28eFpt26aGc8KbXF4=
@@ -265,3 +271,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxg
 sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+sigs.k8s.io/yaml v1.5.0 h1:M10b2U7aEUY6hRtU870n2VTPgR5RZiL/I6Lcc2F4NUQ=
+sigs.k8s.io/yaml v1.5.0/go.mod h1:wZs27Rbxoai4C0f8/9urLZtZtF3avA3gKvGyPdDqTO4=