Merge pull request #52 from fxiang1/feng-existingrole

mikeshng · web-flow · commit 11c3769bba9f · 2025-03-31T09:59:29.000-04:00
Support existing roles for ClusterPermission
diff --git a/api/v1alpha1/clusterpermission_types.go b/api/v1alpha1/clusterpermission_types.go
@@ -58,6 +58,14 @@ type ClusterRoleBinding struct {
 	// Besides the typical subject for a binding, a ManagedServiceAccount can be used as a subject as well.
 	// +required
 	rbacv1.Subject `json:"subject"`
+
+	// Name of the ClusterRoleBinding if a name different than the ClusterPermission name is used
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,4,opt,name=name"`
+
+	// RoleRef contains information that points to the ClusterRole being used
+	// +optional
+	RoleRef *rbacv1.RoleRef `json:"roleRef,omitempty"`
 }
 
 // Role represents the Role that is being created on the managed cluster
@@ -95,13 +103,25 @@ type RoleBinding struct {
 	// Note: the namespace must exists on the hub cluster
 	// +optional
 	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+
+	// Name of the RoleBinding if a name different than the ClusterPermission name is used
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,4,opt,name=name"`
 }
 
 // RoleRef contains information that points to the role being used
 type RoleRef struct {
 	// Kind is the type of resource being referenced
 	// +required
 	Kind string `json:"kind"`
+
+	// APIGroup is the group for the resource being referenced
+	// +optional
+	APIGroup string `json:"apiGroup" protobuf:"bytes,1,opt,name=apiGroup"`
+
+	// Name is the name of resource being referenced
+	// +optional
+	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
 }
 
 // ClusterPermissionStatus defines the observed state of ClusterPermission
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/chart/crds/rbac.open-cluster-management.io_clusterpermissions.yaml b/chart/crds/rbac.open-cluster-management.io_clusterpermissions.yaml
@@ -101,6 +101,30 @@ spec:
                 description: ClusterRoleBinding represents the ClusterRoleBinding
                   that is being created on the managed cluster
                 properties:
+                  name:
+                    description: Name of the ClusterRoleBinding if a name different
+                      than the ClusterPermission name is used
+                    type: string
+                  roleRef:
+                    description: RoleRef contains information that points to the ClusterRole
+                      being used
+                    properties:
+                      apiGroup:
+                        description: APIGroup is the group for the resource being
+                          referenced
+                        type: string
+                      kind:
+                        description: Kind is the type of resource being referenced
+                        type: string
+                      name:
+                        description: Name is the name of resource being referenced
+                        type: string
+                    required:
+                    - apiGroup
+                    - kind
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
                   subject:
                     description: |-
                       Subject contains a reference to the object or user identities a ClusterPermission binding applies to.
@@ -140,6 +164,10 @@ spec:
                   description: RoleBinding represents the RoleBinding that is being
                     created on the managed cluster
                   properties:
+                    name:
+                      description: Name of the RoleBinding if a name different than
+                        the ClusterPermission name is used
+                      type: string
                     namespace:
                       description: Namespace of the Role for that is being created
                         on the managed cluster
@@ -196,9 +224,16 @@ spec:
                       description: RoleRef contains information that points to the
                         role being used
                       properties:
+                        apiGroup:
+                          description: APIGroup is the group for the resource being
+                            referenced
+                          type: string
                         kind:
                           description: Kind is the type of resource being referenced
                           type: string
+                        name:
+                          description: Name is the name of resource being referenced
+                          type: string
                       required:
                       - kind
                       type: object
diff --git a/config/crds/rbac.open-cluster-management.io_clusterpermissions.yaml b/config/crds/rbac.open-cluster-management.io_clusterpermissions.yaml
@@ -101,6 +101,30 @@ spec:
                 description: ClusterRoleBinding represents the ClusterRoleBinding
                   that is being created on the managed cluster
                 properties:
+                  name:
+                    description: Name of the ClusterRoleBinding if a name different
+                      than the ClusterPermission name is used
+                    type: string
+                  roleRef:
+                    description: RoleRef contains information that points to the ClusterRole
+                      being used
+                    properties:
+                      apiGroup:
+                        description: APIGroup is the group for the resource being
+                          referenced
+                        type: string
+                      kind:
+                        description: Kind is the type of resource being referenced
+                        type: string
+                      name:
+                        description: Name is the name of resource being referenced
+                        type: string
+                    required:
+                    - apiGroup
+                    - kind
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
                   subject:
                     description: |-
                       Subject contains a reference to the object or user identities a ClusterPermission binding applies to.
@@ -140,6 +164,10 @@ spec:
                   description: RoleBinding represents the RoleBinding that is being
                     created on the managed cluster
                   properties:
+                    name:
+                      description: Name of the RoleBinding if a name different than
+                        the ClusterPermission name is used
+                      type: string
                     namespace:
                       description: Namespace of the Role for that is being created
                         on the managed cluster
@@ -196,9 +224,16 @@ spec:
                       description: RoleRef contains information that points to the
                         role being used
                       properties:
+                        apiGroup:
+                          description: APIGroup is the group for the resource being
+                            referenced
+                          type: string
                         kind:
                           description: Kind is the type of resource being referenced
                           type: string
+                        name:
+                          description: Name is the name of resource being referenced
+                          type: string
                       required:
                       - kind
                       type: object
diff --git a/config/samples/clusterpermission_existing_roles.yaml b/config/samples/clusterpermission_existing_roles.yaml
@@ -0,0 +1,36 @@
+apiVersion: rbac.open-cluster-management.io/v1alpha1
+kind: ClusterPermission
+metadata:
+  name: clusterpermission-existing-role-sample
+spec:
+  roleBindings:
+    - name: default-rb-cluster1
+      namespace: default
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: argocd-application-controller-1
+      subject:
+        namespace: openshift-gitops
+        kind: ServiceAccount
+        name: sa-sample-existing
+    - name: kubevirt-rb-cluster1
+      namespace: kubevirt
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: argocd-application-controller-2
+      subject:
+        apiGroup: rbac.authorization.k8s.io
+        kind: User
+        name: user1
+  clusterRoleBinding:
+      name: crb-cluster1-argo-app-con-3
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: argocd-application-controller-3
+      subject:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Group
+        name: group1
diff --git a/controllers/clusterpermission_controller.go b/controllers/clusterpermission_controller.go
@@ -82,18 +82,19 @@ func (r *ClusterPermissionReconciler) Reconcile(ctx context.Context, req ctrl.Re
 	log.Info("validating ClusterPermission")
 
 	/* Validations */
-	if clusterPermission.Spec.ClusterRole == nil && clusterPermission.Spec.Roles == nil {
-		log.Info("no roles defined for ClusterPermission")
+	if clusterPermission.Spec.ClusterRoleBinding == nil && clusterPermission.Spec.RoleBindings == nil {
+		log.Info("no bindings defined for ClusterPermission")
 
 		err := r.updateStatus(ctx, &clusterPermission, &metav1.Condition{
 			Type:    cpv1alpha1.ConditionTypeValidation,
 			Status:  metav1.ConditionFalse,
-			Reason:  "FailedValidationNoRolesDefined",
-			Message: "no roles defined",
+			Reason:  "FailedValidationNoBindingsDefined",
+			Message: "no bindings defined",
 		})
 
 		return ctrl.Result{}, err
 	}
+
 	// verify the ClusterPermission namespace is in a ManagedCluster namespace
 	var managedCluster clusterv1.ManagedCluster
 	if err := r.Get(ctx, types.NamespacedName{Name: clusterPermission.Namespace}, &managedCluster); err != nil {
@@ -260,19 +261,31 @@ func (r *ClusterPermissionReconciler) generateManifestWorkPayload(ctx context.Co
 			return nil, nil, nil, nil, err
 		}
 
+		// default to ClusterPermission name unless using custom name
+		clusterRoleBindingName := clusterPermission.Name
+		if clusterPermission.Spec.ClusterRoleBinding.Name != "" {
+			clusterRoleBindingName = clusterPermission.Spec.ClusterRoleBinding.Name
+		}
+
+		// default to creating a ClusterRole unless using existing ClusterRole
+		clusterRoleBindingRoleRef := rbacv1.RoleRef{
+			APIGroup: rbacv1.GroupName,
+			Kind:     "ClusterRole",
+			Name:     clusterPermission.Name,
+		}
+		if clusterPermission.Spec.ClusterRoleBinding.RoleRef != nil {
+			clusterRoleBindingRoleRef = *clusterPermission.Spec.ClusterRoleBinding.RoleRef
+		}
+
 		clusterRoleBinding = &rbacv1.ClusterRoleBinding{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: rbacv1.SchemeGroupVersion.String(),
 				Kind:       "ClusterRoleBinding",
 			},
 			ObjectMeta: metav1.ObjectMeta{
-				Name: clusterPermission.Name,
-			},
-			RoleRef: rbacv1.RoleRef{
-				APIGroup: rbacv1.GroupName,
-				Kind:     "ClusterRole",
-				Name:     clusterPermission.Name,
+				Name: clusterRoleBindingName,
 			},
+			RoleRef:  clusterRoleBindingRoleRef,
 			Subjects: []rbacv1.Subject{subject},
 		}
 	}
@@ -398,20 +411,40 @@ func (r *ClusterPermissionReconciler) generateManifestWorkPayload(ctx context.Co
 					return nil, nil, nil, nil, err
 				}
 
+				roleBindingName := clusterPermission.Name
+				if roleBinding.Name != "" {
+					roleBindingName = roleBinding.Name
+				}
+
+				roleBindingRoleRef := rbacv1.RoleRef{
+					APIGroup: rbacv1.GroupName,
+					Kind:     roleBinding.RoleRef.Kind,
+					Name:     clusterPermission.Name,
+				}
+				if roleBinding.RoleRef.APIGroup != "" && roleBinding.RoleRef.Name != "" {
+					roleBindingRoleRef = rbacv1.RoleRef{
+						APIGroup: roleBinding.RoleRef.APIGroup,
+						Kind:     roleBinding.RoleRef.Kind,
+						Name:     roleBinding.RoleRef.Name,
+					}
+				} else if roleBinding.RoleRef.APIGroup == "" && roleBinding.RoleRef.Name != "" {
+					return nil, nil, nil, nil,
+						errors.New("the RoleBinding for Namespace " + roleBinding.Namespace + " missing APIGroup for the RoleRef")
+				} else if roleBinding.RoleRef.APIGroup != "" && roleBinding.RoleRef.Name == "" {
+					return nil, nil, nil, nil,
+						errors.New("the RoleBinding for Namespace " + roleBinding.Namespace + " missing Name for the RoleRef")
+				}
+
 				roleBindings = append(roleBindings, rbacv1.RoleBinding{
 					TypeMeta: metav1.TypeMeta{
 						APIVersion: rbacv1.SchemeGroupVersion.String(),
 						Kind:       "RoleBinding",
 					},
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      clusterPermission.Name,
+						Name:      roleBindingName,
 						Namespace: roleBinding.Namespace,
 					},
-					RoleRef: rbacv1.RoleRef{
-						APIGroup: rbacv1.GroupName,
-						Kind:     roleBinding.RoleRef.Kind,
-						Name:     clusterPermission.Name,
-					},
+					RoleRef:  roleBindingRoleRef,
 					Subjects: []rbacv1.Subject{subject},
 				})
 			}
diff --git a/controllers/clusterpermission_controller_test.go b/controllers/clusterpermission_controller_test.go
