feat: Introduce new IAM roles (viewer, editor, admin) and define the ResourceIndexPolicy protected resource.

Author: JoseSzycho

config/milo/iam/resources/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Component
 
 resources:
   - searchqueries.yaml
+  - resourceindexpolicies.yaml

config/milo/iam/resources/resourceindexpolicies.yaml

@@ -0,0 +1,18 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: search.miloapis.com-resourceindexpolicies
+spec:
+  serviceRef:
+    name: "search.miloapis.com"
+  kind: ResourceIndexPolicy
+  plural: resourceindexpolicies
+  singular: resourceindexpolicy
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch

config/milo/iam/resources/searchqueries.yaml

@@ -1,8 +1,3 @@
-# TEMPLATE NOTE: This is an example of integrating with Milo IAM
-# Milo provides IAM capabilities for Kubernetes APIs
-# See https://github.com/datum-cloud/milo for more information
-#
-# This ProtectedResource grants permissions for SearchQuery objects
 apiVersion: iam.miloapis.com/v1alpha1
 kind: ProtectedResource
 metadata:
@@ -12,17 +7,6 @@ spec:
     name: "search.miloapis.com"
   kind: SearchQuery
   plural: searchqueries
-  singular: exampleresource
+  singular: searchquery
   permissions:
     - create
-    - get
-    - list
-    - update
-    - delete
-  parentResources:
-    - apiGroup: resourcemanager.miloapis.com
-      kind: Organization
-    - apiGroup: resourcemanager.miloapis.com
-      kind: Project
-    - apiGroup: iam.miloapis.com
-      kind: User

config/milo/iam/roles/admin.yaml

@@ -0,0 +1,15 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: search.miloapis.com-admin
+  namespace: milo-system
+  labels:
+    app.kubernetes.io/name: admin
+    app.kubernetes.io/part-of: search.miloapis.com
+spec:
+  launchStage: Beta
+  inheritedRoles:
+    - name: search.miloapis.com-editor
+      namespace: milo-system
+  includedPermissions:
+    - search.miloapis.com/resourceindexpolicies.delete

config/milo/iam/roles/editor.yaml

@@ -0,0 +1,17 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: search.miloapis.com-editor
+  namespace: milo-system
+  labels:
+    app.kubernetes.io/name: editor
+    app.kubernetes.io/part-of: search.miloapis.com
+spec:
+  launchStage: Beta
+  inheritedRoles:
+    - name: search.miloapis.com-viewer
+      namespace: milo-system
+  includedPermissions:
+    - search.miloapis.com/resourceindexpolicies.create
+    - search.miloapis.com/resourceindexpolicies.update
+    - search.miloapis.com/resourceindexpolicies.patch

config/milo/iam/roles/kustomization.yaml

@@ -3,3 +3,6 @@ kind: Component
 
 resources:
   - searcher.yaml
+  - viewer.yaml
+  - editor.yaml
+  - admin.yaml

config/milo/iam/roles/searcher.yaml

@@ -3,7 +3,10 @@ kind: Role
 metadata:
   name: search.miloapis.com-searcher
   namespace: milo-system
+  labels:
+    app.kubernetes.io/name: searcher
+    app.kubernetes.io/part-of: search.miloapis.com
 spec:
-  launchStage: Alpha
+  launchStage: Beta
   includedPermissions:
     - search.miloapis.com/searchqueries.create

config/milo/iam/roles/viewer.yaml

@@ -0,0 +1,17 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: search.miloapis.com-viewer
+  namespace: milo-system
+  labels:
+    app.kubernetes.io/name: viewer
+    app.kubernetes.io/part-of: search.miloapis.com
+spec:
+  launchStage: Beta
+  inheritedRoles:
+    - name: search.miloapis.com-searcher
+      namespace: milo-system
+  includedPermissions:
+    - search.miloapis.com/resourceindexpolicies.get
+    - search.miloapis.com/resourceindexpolicies.list
+    - search.miloapis.com/resourceindexpolicies.watch