diff --git a/pkg/scaffold/api.go b/pkg/scaffold/api.go
index 9469624b016..ad94f13242a 100644
--- a/pkg/scaffold/api.go
+++ b/pkg/scaffold/api.go
@@ -185,6 +185,8 @@ func (api *API) scaffoldV2() error {
 Resource: r},
 &scaffoldv2.Group{Resource: r},
 &scaffoldv2.CRDSample{Resource: r},
+ &scaffoldv2.CRDEditorRole{Resource: r},
+ &scaffoldv2.CRDViewerRole{Resource: r},
 &crdv2.EnableWebhookPatch{Resource: r},
 &crdv2.EnableCAInjectionPatch{Resource: r},
 }
diff --git a/pkg/scaffold/v2/crd_editor_rbac.go b/pkg/scaffold/v2/crd_editor_rbac.go
new file mode 100644
index 00000000000..38d10189db1
--- /dev/null
+++ b/pkg/scaffold/v2/crd_editor_rbac.go
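Review bot: The two new scaffold entries carry no comment on how the generated `config/rbac/<kind>_editor_role.yaml` and `<kind>_viewer_role.yaml` are meant to be consumed; the e2e change in this same commit applies them with a separate `kubectl apply`, which suggests they are not wired into the rbac kustomization and therefore are not installed by the normal deploy path (the kustomization itself is not in this diff, so that is inferred). If that is intentional — roles for cluster admins to bind to their own subjects rather than permissions for the manager — a one-line comment on these entries such as `// end-user editor/viewer ClusterRoles; not granted to the manager` would stop a later reader from assuming otherwise. scaffoldV2 starts and ends outside the hunk.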
@@ -0,0 +1,79 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+ "fmt"
+ "path/filepath"
+ "strings"
+
+ "sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+ "sigs.k8s.io/kubebuilder/pkg/scaffold/resource"
+)
+
+var _ input.File = &CRDEditorRole{}
+
+// CRD Editor role scaffolds the config/rbca/_editor_role.yaml
+type CRDEditorRole struct {
+ input.Input
+
+ // Resource is a resource in the API group
+ Resource *resource.Resource
+}
+
+// GetInput implements input.File
+func (g *CRDEditorRole) GetInput() (input.Input, error) {
+ if g.Path == "" {
+ g.Path = filepath.Join("config", "rbac", fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(g.Resource.Kind)))
+ }
+
+ g.TemplateBody = crdRoleEditorTemplate
+ return g.Input, nil
+}
+
+// Validate validates the values
+func (g *CRDEditorRole) Validate() error {
+ return g.Resource.Validate()
+}
+
+const crdRoleEditorTemplate = `# permissions to do edit {{ .Resource.Resource }}.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ lower .Resource.Kind }}-editor-role
+rules:
+- apiGroups:
+ - {{ .Resource.Group }}.{{ .Domain }}
+ resources:
+ - {{ .Resource.Resource }}
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - {{ .Resource.Group }}.{{ .Domain }}
+ resources:
+ - {{ .Resource.Resource }}/status
+ verbs:
+ - get
+ - patch
+ - update
+`
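Review bot: The doc comment on `CRDEditorRole` does not start with the type name and misspells the directory (`rbca`), so golint flags it and the path it names does not exist; `// CRDEditorRole scaffolds config/rbac/<kind>_editor_role.yaml, a ClusterRole granting create/delete/get/list/patch/update/watch on the resource and get/patch/update on its status subresource` matches what GetInput and the template actually produce. The same comment defect is in `CRDViewerRole` in crd_viewer_rbac.go. The template's header line `# permissions to do edit {{ .Resource.Resource }}.` (and `# permissions to do viewer ...` in the viewer template) is ungrammatical; `# permissions for end users to edit {{ .Resource.Resource }}.` is clearer about who the role is for. Note also that both the output path and the ClusterRole name are derived from the lower-cased Kind alone, so two resources sharing a Kind in different groups would collide on the cluster-scoped name `<kind>-editor-role` and one applied role would silently overwrite the other; whether the resource layer already rejects duplicate Kinds is not visible here.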
diff --git a/pkg/scaffold/v2/crd_viewer_rbac.go b/pkg/scaffold/v2/crd_viewer_rbac.go
new file mode 100644
index 00000000000..47c9ddd2db5
--- /dev/null
+++ b/pkg/scaffold/v2/crd_viewer_rbac.go
@@ -0,0 +1,73 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+ "fmt"
+ "path/filepath"
+ "strings"
+
+ "sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+ "sigs.k8s.io/kubebuilder/pkg/scaffold/resource"
+)
+
+var _ input.File = &CRDViewerRole{}
+
+// CRD Viewer role scaffolds the config/rbca/_viewer_role.yaml
+type CRDViewerRole struct {
+ input.Input
+
+ // Resource is a resource in the API group
+ Resource *resource.Resource
+}
+
+// GetInput implements input.File
+func (g *CRDViewerRole) GetInput() (input.Input, error) {
+ if g.Path == "" {
+ g.Path = filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(g.Resource.Kind)))
+ }
+
+ g.TemplateBody = crdRoleViewerTemplate
+ return g.Input, nil
+}
+
+// Validate validates the values
+func (g *CRDViewerRole) Validate() error {
+ return g.Resource.Validate()
+}
+
+const crdRoleViewerTemplate = `# permissions to do viewer {{ .Resource.Resource }}.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ lower .Resource.Kind }}-viewer-role
+rules:
+- apiGroups:
+ - {{ .Resource.Group }}.{{ .Domain }}
+ resources:
+ - {{ .Resource.Resource }}
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - {{ .Resource.Group }}.{{ .Domain }}
+ resources:
+ - {{ .Resource.Resource }}/status
+ verbs:
+ - get
+`
diff --git a/test/e2e/v2/e2e_suite.go b/test/e2e/v2/e2e_suite.go
index 79a51edd6d4..44263814d70 100644
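Review bot: Nothing in the new file records that the generated object is a `ClusterRole`, i.e. cluster-scoped, so a subject bound to it through a ClusterRoleBinding can read every `{{ .Resource.Resource }}` in the cluster; the same holds, with the write verbs, for the editor role in crd_editor_rbac.go. A sentence in the type's doc comment along the lines of `// The generated role is cluster-scoped; bind it with a RoleBinding to confine a subject to one namespace, or with a ClusterRoleBinding for cluster-wide access` would make the intended binding model explicit to whoever applies the scaffold output. The scaffold deliberately emits no binding of its own, which is the right default and is worth stating in the same comment so nobody adds one "for convenience" later.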
--- a/test/e2e/v2/e2e_suite.go
+++ b/test/e2e/v2/e2e_suite.go
@@ -246,6 +246,20 @@ var _ = Describe("kubebuilder", func() {
 return err
 }, time.Minute, time.Second).Should(Succeed())

+ By("applying CRD Editor Role")
+ crdEditorRole := filepath.Join("config", "rbac", fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(kbc.Kind)))
+ Eventually(func() error {
+ _, err = kbc.Kubectl.Apply(true, "-f", crdEditorRole)
+ return err
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("applying CRD Viewer Role")
+ crdViewerRole := filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(kbc.Kind)))
+ Eventually(func() error {
+ _, err = kbc.Kubectl.Apply(true, "-f", crdViewerRole)
+ return err
+ }, time.Minute, time.Second).Should(Succeed())
+
 By("validate the created resource object gets reconciled in controller")
 managerContainerLogs := func() string {
 logOutput, err := kbc.Kubectl.Logs(controllerPodName, "-c", "manager")
diff --git a/testdata/project-v2/config/rbac/admiral_editor_role.yaml b/testdata/project-v2/config/rbac/admiral_editor_role.yaml
new file mode 100644
index 00000000000..145c42c13f7
--- /dev/null
+++ b/testdata/project-v2/config/rbac/admiral_editor_role.yaml
@@ -0,0 +1,26 @@
+# permissions to do edit admirals.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: admiral-editor-role
+rules:
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - admirals
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - admirals/status
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/testdata/project-v2/config/rbac/admiral_viewer_role.yaml b/testdata/project-v2/config/rbac/admiral_viewer_role.yaml
new file mode 100644
index 00000000000..cc14e92bcfc
--- /dev/null
+++ b/testdata/project-v2/config/rbac/admiral_viewer_role.yaml
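Review bot: The two new Eventually blocks only prove that `kubectl apply` accepts the rendered manifests; nothing afterwards asserts that ClusterRoles named `<kind>-editor-role` and `<kind>-viewer-role` exist or carry the expected verbs, so a template rendering the wrong apiGroup or an empty verb list would still pass this suite. A follow-up `kubectl get clusterrole` on each name (or an `auth can-i` check against a subject bound to the role, if the Kubectl helper exposes a generic command runner) would pin the permission set the scaffold claims to grant. The two blocks also differ only in the word editor/viewer, so a loop over the two role names removes the duplication at the cost of the By() step text becoming lower-case. The enclosing Describe closure, and the `err` variable these blocks assign to, start and end outside the hunk.
```go
for _, role := range []string{"editor", "viewer"} {
	By(fmt.Sprintf("applying CRD %s Role", role))
	roleFile := filepath.Join("config", "rbac", fmt.Sprintf("%s_%s_role.yaml", strings.ToLower(kbc.Kind), role))
	Eventually(func() error {
		_, err = kbc.Kubectl.Apply(true, "-f", roleFile)
		return err
	}, time.Minute, time.Second).Should(Succeed())
}
// … unchanged: By("validate the created resource object gets reconciled in controller") …
```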
@@ -0,0 +1,20 @@
+# permissions to do viewer admirals.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: admiral-viewer-role
+rules:
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - admirals
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - admirals/status
+ verbs:
+ - get
diff --git a/testdata/project-v2/config/rbac/captain_editor_role.yaml b/testdata/project-v2/config/rbac/captain_editor_role.yaml
new file mode 100644
index 00000000000..0f09140a925
--- /dev/null
+++ b/testdata/project-v2/config/rbac/captain_editor_role.yaml
@@ -0,0 +1,26 @@
+# permissions to do edit captains.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: captain-editor-role
+rules:
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - captains
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - captains/status
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/testdata/project-v2/config/rbac/captain_viewer_role.yaml b/testdata/project-v2/config/rbac/captain_viewer_role.yaml
new file mode 100644
index 00000000000..d3d4f2fb35e
--- /dev/null
+++ b/testdata/project-v2/config/rbac/captain_viewer_role.yaml
@@ -0,0 +1,20 @@
+# permissions to do viewer captains.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: captain-viewer-role
+rules:
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - captains
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - captains/status
+ verbs:
+ - get
diff --git a/testdata/project-v2/config/rbac/firstmate_editor_role.yaml b/testdata/project-v2/config/rbac/firstmate_editor_role.yaml
new file mode 100644
index 00000000000..07e6541ae02
--- /dev/null
+++ b/testdata/project-v2/config/rbac/firstmate_editor_role.yaml
@@ -0,0 +1,26 @@
+# permissions to do edit firstmates.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: firstmate-editor-role
+rules:
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - firstmates
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - firstmates/status
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/testdata/project-v2/config/rbac/firstmate_viewer_role.yaml b/testdata/project-v2/config/rbac/firstmate_viewer_role.yaml
new file mode 100644
index 00000000000..042b1f9ab3e
--- /dev/null
+++ b/testdata/project-v2/config/rbac/firstmate_viewer_role.yaml
@@ -0,0 +1,20 @@
+# permissions to do viewer firstmates.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: firstmate-viewer-role
+rules:
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - firstmates
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - firstmates/status
+ verbs:
+ - get