[DBAAS-161] implicitly determine service admins

Signed-off-by: Tommy Hughes <tohughes@redhat.com>
rewantsoni · Dec 13, 2021 · 9e17d62 · 9e17d62
1 parent 2677174
commit 9e17d62
Show file tree

Hide file tree

Showing 24 changed files with 1,218 additions and 950 deletions.
diff --git a/api/v1alpha1/dbaastenant_types.go b/api/v1alpha1/dbaastenant_types.go
@@ -27,17 +27,9 @@ import (
 type DBaaSTenantSpec struct {
 	// Namespace to watch for DBaaSInventories
 	// +kubebuilder:validation:Required
-	InventoryNamespace string     `json:"inventoryNamespace"`
-	Authz              DBaasAuthz `json:"authz,omitempty"`
-}
-
-// DBaasAuthz designates the level of authorization for Tenant personas
-type DBaasAuthz struct {
+	InventoryNamespace string `json:"inventoryNamespace"`
 	// Specify a Tenant’s default Developers for DBaaSInventory “viewer” access
-	Developer DBaasUsersGroups `json:"developer,omitempty"`
-
-	// Specify a Tenant’s Service Admins for DBaaSTenant “viewer” access
-	ServiceAdmin DBaasUsersGroups `json:"serviceAdmin,omitempty"`
+	Authz DBaasUsersGroups `json:"authz,omitempty"`
 }
 
 // DBaaSTenantStatus defines the observed state of DBaaSTenant
@@ -47,6 +39,8 @@ type DBaaSTenantStatus struct {
 }
 
 //+kubebuilder:object:root=true
+//+kubebuilder:printcolumn:name="Inventory_NS",type=string,JSONPath=`.spec.inventoryNamespace`
+//+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 //+kubebuilder:subresource:status
 //+kubebuilder:resource:scope=Cluster
 

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/dbaas-operator.clusterserviceversion.yaml b/bundle/manifests/dbaas-operator.clusterserviceversion.yaml
@@ -228,6 +228,18 @@ spec:
     spec:
       clusterPermissions:
       - rules:
+        - apiGroups:
+          - ""
+          - authorization.openshift.io
+          resources:
+          - localresourceaccessreviews
+          - localsubjectaccessreviews
+          - resourceaccessreviews
+          - selfsubjectrulesreviews
+          - subjectaccessreviews
+          - subjectrulesreviews
+          verbs:
+          - create
         - apiGroups:
           - apps
           resources:
@@ -366,6 +378,8 @@ spec:
           resources:
           - clusterrolebindings/finalizers
           - clusterroles/finalizers
+          - rolebindings/finalizers
+          - roles/finalizers
           verbs:
           - update
         - apiGroups:
@@ -380,13 +394,6 @@ spec:
           - patch
           - update
           - watch
-        - apiGroups:
-          - rbac.authorization.k8s.io
-          resources:
-          - rolebindings/finalizers
-          - roles/finalizers
-          verbs:
-          - update
         - apiGroups:
           - authentication.k8s.io
           resources:
@@ -460,7 +467,7 @@ spec:
                 resources:
                   limits:
                     cpu: 100m
-                    memory: 250Mi
+                    memory: 500Mi
                   requests:
                     cpu: 100m
                     memory: 100Mi

diff --git a/bundle/manifests/dbaas.redhat.com_dbaastenants.yaml b/bundle/manifests/dbaas.redhat.com_dbaastenants.yaml
@@ -14,7 +14,14 @@ spec:
     singular: dbaastenant
   scope: Cluster
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.inventoryNamespace
+      name: Inventory_NS
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: DBaaSTenant is the Schema for the dbaastenants API
@@ -36,35 +43,17 @@ spec:
               authorizations
             properties:
               authz:
-                description: DBaasAuthz designates the level of authorization for
-                  Tenant personas
+                description: Specify a Tenant’s default Developers for DBaaSInventory
+                  “viewer” access
                 properties:
-                  developer:
-                    description: Specify a Tenant’s default Developers for DBaaSInventory
-                      “viewer” access
-                    properties:
-                      groups:
-                        items:
-                          type: string
-                        type: array
-                      users:
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  serviceAdmin:
-                    description: Specify a Tenant’s Service Admins for DBaaSTenant
-                      “viewer” access
-                    properties:
-                      groups:
-                        items:
-                          type: string
-                        type: array
-                      users:
-                        items:
-                          type: string
-                        type: array
-                    type: object
+                  groups:
+                    items:
+                      type: string
+                    type: array
+                  users:
+                    items:
+                      type: string
+                    type: array
                 type: object
               inventoryNamespace:
                 description: Namespace to watch for DBaaSInventories

diff --git a/config/crd/bases/dbaas.redhat.com_dbaastenants.yaml b/config/crd/bases/dbaas.redhat.com_dbaastenants.yaml
@@ -16,7 +16,14 @@ spec:
     singular: dbaastenant
   scope: Cluster
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.inventoryNamespace
+      name: Inventory_NS
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: DBaaSTenant is the Schema for the dbaastenants API
@@ -38,35 +45,17 @@ spec:
               authorizations
             properties:
               authz:
-                description: DBaasAuthz designates the level of authorization for
-                  Tenant personas
+                description: Specify a Tenant’s default Developers for DBaaSInventory
+                  “viewer” access
                 properties:
-                  developer:
-                    description: Specify a Tenant’s default Developers for DBaaSInventory
-                      “viewer” access
-                    properties:
-                      groups:
-                        items:
-                          type: string
-                        type: array
-                      users:
-                        items:
-                          type: string
-                        type: array
-                    type: object
-                  serviceAdmin:
-                    description: Specify a Tenant’s Service Admins for DBaaSTenant
-                      “viewer” access
-                    properties:
-                      groups:
-                        items:
-                          type: string
-                        type: array
-                      users:
-                        items:
-                          type: string
-                        type: array
-                    type: object
+                  groups:
+                    items:
+                      type: string
+                    type: array
+                  users:
+                    items:
+                      type: string
+                    type: array
                 type: object
               inventoryNamespace:
                 description: Namespace to watch for DBaaSInventories

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -53,7 +53,7 @@ spec:
         resources:
           limits:
             cpu: 100m
-            memory: 250Mi
+            memory: 500Mi
           requests:
             cpu: 100m
             memory: 100Mi

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -6,6 +6,18 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  - authorization.openshift.io
+  resources:
+  - localresourceaccessreviews
+  - localsubjectaccessreviews
+  - resourceaccessreviews
+  - selfsubjectrulesreviews
+  - subjectaccessreviews
+  - subjectrulesreviews
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:
@@ -144,6 +156,8 @@ rules:
   resources:
   - clusterrolebindings/finalizers
   - clusterroles/finalizers
+  - rolebindings/finalizers
+  - roles/finalizers
   verbs:
   - update
 - apiGroups:
@@ -158,10 +172,3 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - rolebindings/finalizers
-  - roles/finalizers
-  verbs:
-  - update