feat: bind AccessRequest ServiceAccount to existing ClusterRole/Role

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.25.1
 	github.com/onsi/gomega v1.38.1
 	github.com/openmcp-project/cluster-provider-gardener/api v0.4.0
-	github.com/openmcp-project/openmcp-operator/api v0.11.1
+	github.com/openmcp-project/openmcp-operator/api v0.11.2
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/apimachinery v0.33.4
 	k8s.io/client-go v0.33.4

go.sum

@@ -103,8 +103,8 @@ github.com/openmcp-project/controller-utils v0.18.0 h1:9UESJdCuGkoXhsvRZ/gWPpJrd
 github.com/openmcp-project/controller-utils v0.18.0/go.mod h1:S4Ym/PWOR8hy8A4LN1hfLyIf9XTNGUrnryvGtFMiq/U=
 github.com/openmcp-project/controller-utils/api v0.18.0 h1:rXU3EG+tiZrm/UspD+XPO9TzjZKTx8XBXkdKI3IE6gY=
 github.com/openmcp-project/controller-utils/api v0.18.0/go.mod h1:BC6O8tLFI5PLycZvBlIub6dQRtPF+E9d7JA3MfTpyTU=
-github.com/openmcp-project/openmcp-operator/api v0.11.1 h1:T+nyerhtuEJeI34P/CDy+MWDzKeHStTtZ+AjKXVyk3A=
-github.com/openmcp-project/openmcp-operator/api v0.11.1/go.mod h1:hnJAhFhIezAVqoDvcQd8CzdKN0292yESQv1LIJukKdE=
+github.com/openmcp-project/openmcp-operator/api v0.11.2 h1:3fhsuTngcqelNX+MvF3mhJqyKgymrpNzuzt8mSf+syc=
+github.com/openmcp-project/openmcp-operator/api v0.11.2/go.mod h1:hnJAhFhIezAVqoDvcQd8CzdKN0292yESQv1LIJukKdE=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

internal/controllers/accessrequest/access.go

@@ -38,6 +38,11 @@ import (
 	"github.com/openmcp-project/cluster-provider-gardener/internal/controllers/shared"
 )
 
+const (
+	KindRole        = "Role"
+	KindClusterRole = "ClusterRole"
+)
+
 // This map is meant for testing purposes only.
 // When the AdminKubeconfigRequest sent to the garden cluster returns a kubeconfig,
 // it tries to find the raw bytes as a key in this map.
@@ -203,7 +208,7 @@ func (r *AccessRequestReconciler) cleanupRoles(ctx context.Context, sac *shootAc
 	for _, role := range roles.Items {
 		keepThis := false
 		for _, k := range keep {
-			if k.GetName() == role.Name && k.GetNamespace() == role.Namespace && k.GetObjectKind().GroupVersionKind().Kind == "Role" {
+			if k.GetName() == role.Name && k.GetNamespace() == role.Namespace && k.GetObjectKind().GroupVersionKind().Kind == KindRole {
 				log.Debug("Keeping Role", "resourceName", role.Name, "resourceNamespace", role.Namespace)
 				keepThis = true
 				break
@@ -237,7 +242,7 @@ func (r *AccessRequestReconciler) cleanupClusterRoles(ctx context.Context, sac *
 	for _, cr := range crs.Items {
 		keepThis := false
 		for _, k := range keep {
-			if k.GetName() == cr.Name && k.GetObjectKind().GroupVersionKind().Kind == "ClusterRole" {
+			if k.GetName() == cr.Name && k.GetObjectKind().GroupVersionKind().Kind == KindClusterRole {
 				log.Debug("Keeping ClusterRole", "resourceName", cr.Name)
 				keepThis = true
 				break
@@ -364,7 +369,7 @@ func (r *AccessRequestReconciler) renewToken(ctx context.Context, ar *clustersv1
 	for i, permission := range ar.Spec.Permissions {
 		roleName := permission.Name
 		if roleName == "" {
-			roleName = fmt.Sprintf("openmcp:%s:%d", ctrlutils.K8sNameUUIDUnsafe(shared.Environment(), shared.ProviderName(), ar.Namespace, ar.Name), i)
+			roleName = fmt.Sprintf("openmcp:permission:%s:%d", ctrlutils.K8sNameUUIDUnsafe(shared.Environment(), shared.ProviderName(), ar.Namespace, ar.Name), i)
 		}
 		if permission.Namespace != "" {
 			// ensure role + binding
@@ -379,7 +384,7 @@ func (r *AccessRequestReconciler) renewToken(ctx context.Context, ar *clustersv1
 			}
 			keep = append(keep, rb)
 			if r.GroupVersionKind().Kind == "" {
-				r.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind("Role"))
+				r.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind(KindRole))
 			}
 			keep = append(keep, r)
 		} else {
@@ -395,11 +400,40 @@ func (r *AccessRequestReconciler) renewToken(ctx context.Context, ar *clustersv1
 			}
 			keep = append(keep, crb)
 			if cr.GroupVersionKind().Kind == "" {
-				cr.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind("ClusterRole"))
+				cr.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind(KindClusterRole))
 			}
 			keep = append(keep, cr)
 		}
 	}
+
+	// ensure ServiceAccount is bound to (Cluster)Roles
+	for i, roleRef := range ar.Spec.RoleRefs {
+		roleBindingName := fmt.Sprintf("openmcp:roleref:%s:%d", ctrlutils.K8sNameUUIDUnsafe(shared.Environment(), shared.ProviderName(), ar.Namespace, ar.Name), i)
+		if roleRef.Kind == KindRole {
+			// Role
+			rb, err := clusteraccess.EnsureRoleBinding(ctx, sac.Client, roleBindingName, roleRef.Namespace, roleRef.Name, subjects, expectedLabels...)
+			if err != nil {
+				errs.Append(errutils.WithReason(fmt.Errorf("error ensuring rolebinding '%s/%s' in shoot '%s/%s': %w", roleRef.Namespace, roleBindingName, sac.Shoot.Namespace, sac.Shoot.Name, err), cconst.ReasonShootClusterInteractionProblem))
+				continue
+			}
+			if rb.GroupVersionKind().Kind == "" {
+				rb.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind("RoleBinding"))
+			}
+			keep = append(keep, rb)
+		} else {
+			// ClusterRole
+			crb, err := clusteraccess.EnsureClusterRoleBinding(ctx, sac.Client, roleBindingName, roleRef.Name, subjects, expectedLabels...)
+			if err != nil {
+				errs.Append(errutils.WithReason(fmt.Errorf("error ensuring clusterrolebinding '%s' in shoot '%s/%s': %w", roleBindingName, sac.Shoot.Namespace, sac.Shoot.Name, err), cconst.ReasonShootClusterInteractionProblem))
+				continue
+			}
+			if crb.GroupVersionKind().Kind == "" {
+				crb.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind("ClusterRoleBinding"))
+			}
+			keep = append(keep, crb)
+		}
+	}
+
 	if err := errs.Aggregate(); err != nil {
 		rr.ReconcileError = err
 		return nil, rr
@@ -509,7 +543,7 @@ func (r *AccessRequestReconciler) ensureOIDCAccess(ctx context.Context, ar *clus
 					continue
 				}
 				if r.GroupVersionKind().Kind == "" {
-					r.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind("Role"))
+					r.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind(KindRole))
 				}
 				keep = append(keep, r)
 			} else {
@@ -520,7 +554,7 @@ func (r *AccessRequestReconciler) ensureOIDCAccess(ctx context.Context, ar *clus
 					continue
 				}
 				if cr.GroupVersionKind().Kind == "" {
-					cr.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind("ClusterRole"))
+					cr.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind(KindClusterRole))
 				}
 				keep = append(keep, cr)
 			}
@@ -545,7 +579,7 @@ func (r *AccessRequestReconciler) ensureOIDCAccess(ctx context.Context, ar *clus
 			// ensure (Cluster)RoleBindings
 			for j, roleRef := range roleBinding.RoleRefs {
 				roleBindingName := fmt.Sprintf("openmcp:%s:%d:%d", ctrlutils.K8sNameUUIDUnsafe(shared.Environment(), shared.ProviderName(), ar.Namespace, ar.Name), i, j)
-				if roleRef.Kind == "Role" {
+				if roleRef.Kind == KindRole {
 					log.Debug("Ensuring RoleBinding", "roleBindingName", roleBindingName, "namespace", roleRef.Namespace)
 					rb, err := clusteraccess.EnsureRoleBinding(ctx, sac.Client, roleBindingName, roleRef.Namespace, roleRef.Name, subjects, expectedLabels...)
 					if err != nil {
@@ -556,7 +590,7 @@ func (r *AccessRequestReconciler) ensureOIDCAccess(ctx context.Context, ar *clus
 						rb.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind("RoleBinding"))
 					}
 					keep = append(keep, rb)
-				} else if roleRef.Kind == "ClusterRole" {
+				} else if roleRef.Kind == KindClusterRole {
 					log.Debug("Ensuring ClusterRoleBinding", "roleBindingName", roleBindingName)
 					crb, err := clusteraccess.EnsureClusterRoleBinding(ctx, sac.Client, roleBindingName, roleRef.Name, subjects, expectedLabels...)
 					if err != nil {

internal/controllers/accessrequest/controller.go

@@ -342,7 +342,7 @@ func (r *AccessRequestReconciler) getClusterAndProfile(ctx context.Context, ar *
 	log.Debug("Fetching Cluster resource", "clusterName", c.Name, "clusterNamespace", c.Namespace)
 	if err := r.PlatformCluster.Client().Get(ctx, client.ObjectKeyFromObject(c), c); err != nil {
 		if apierrors.IsNotFound(err) {
-			return nil, nil, errutils.WithReason(fmt.Errorf("Cluster '%s/%s' not found", c.Namespace, c.Name), clusterconst.ReasonInvalidReference) // nolint:staticcheck
+			return nil, nil, errutils.WithReason(fmt.Errorf("cluster '%s/%s' not found", c.Namespace, c.Name), clusterconst.ReasonInvalidReference) // nolint:staticcheck
 		}
 		return nil, nil, errutils.WithReason(fmt.Errorf("unable to get Cluster '%s/%s': %w", c.Namespace, c.Name, err), clusterconst.ReasonPlatformClusterInteractionProblem)
 	}

internal/controllers/accessrequest/controller_test.go

@@ -54,6 +54,7 @@ func defaultTestSetup(testDirPathSegments ...string) (*accessrequest.AccessReque
 		WithFakeClient(shootCluster, shootScheme).
 		WithInitObjectPath(platformCluster, append(testDirPathSegments, "platform")...).
 		WithInitObjectPath(gardenCluster, append(testDirPathSegments, "garden")...).
+		WithInitObjectPath(shootCluster, append(testDirPathSegments, "shoot")...).
 		WithFakeClientBuilderCall(gardenCluster, "WithInterceptorFuncs", interceptor.Funcs{
 			SubResourceCreate: func(ctx context.Context, c client.Client, subResourceName string, obj, subResource client.Object, opts ...client.SubResourceCreateOption) error {
 				switch subResourceName {
@@ -242,30 +243,62 @@ var _ = Describe("AccessRequest Controller", func() {
 			Expect(cr.Rules).To(BeEquivalentTo(ar.Spec.Permissions[0].Rules))
 			crbl := &rbacv1.ClusterRoleBindingList{}
 			Expect(env.Client(shootCluster).List(env.Ctx, crbl, labelSelector)).To(Succeed())
-			Expect(crbl.Items).To(HaveLen(1))
-			crb := &crbl.Items[0]
-			Expect(crb.RoleRef.Name).To(Equal(cr.Name))
-			Expect(crb.Subjects).To(HaveLen(1))
-			Expect(crb.Subjects[0].Kind).To(Equal(rbacv1.ServiceAccountKind))
-			Expect(crb.Subjects[0].Name).To(Equal(sa.Name))
-			Expect(crb.Subjects[0].Namespace).To(Equal(sa.Namespace))
-
-			// role + binding
-			rl := &rbacv1.RoleList{}
-			Expect(env.Client(shootCluster).List(env.Ctx, rl, labelSelector, client.InNamespace(ar.Spec.Permissions[1].Namespace))).To(Succeed())
-			Expect(rl.Items).To(HaveLen(1))
-			r := &rl.Items[0]
-			Expect(r.Rules).To(BeEquivalentTo(ar.Spec.Permissions[1].Rules))
-			rbl := &rbacv1.RoleBindingList{}
-			Expect(env.Client(shootCluster).List(env.Ctx, rbl, labelSelector, client.InNamespace(ar.Spec.Permissions[1].Namespace))).To(Succeed())
-			Expect(r.Name).To(Equal(ar.Spec.Permissions[1].Name))
-			Expect(rbl.Items).To(HaveLen(1))
-			rb := &rbl.Items[0]
-			Expect(rb.RoleRef.Name).To(Equal(r.Name))
-			Expect(rb.Subjects).To(HaveLen(1))
-			Expect(rb.Subjects[0].Kind).To(Equal(rbacv1.ServiceAccountKind))
-			Expect(rb.Subjects[0].Name).To(Equal(sa.Name))
-			Expect(rb.Subjects[0].Namespace).To(Equal(sa.Namespace))
+			Expect(crbl.Items).To(HaveLen(2))
+			// check bindings from permissions field
+			{
+				crb := &crbl.Items[0]
+				Expect(crb.RoleRef.Name).To(Equal(cr.Name))
+				Expect(crb.Subjects).To(HaveLen(1))
+				Expect(crb.Subjects[0].Kind).To(Equal(rbacv1.ServiceAccountKind))
+				Expect(crb.Subjects[0].Name).To(Equal(sa.Name))
+				Expect(crb.Subjects[0].Namespace).To(Equal(sa.Namespace))
+			}
+			// check bindings from roleRefs field
+			{
+				crb := &crbl.Items[1]
+				Expect(crb.RoleRef.Name).To(Equal("cluster-admin"))
+				Expect(crb.Subjects).To(HaveLen(1))
+				Expect(crb.Subjects[0].Kind).To(Equal(rbacv1.ServiceAccountKind))
+				Expect(crb.Subjects[0].Name).To(Equal(sa.Name))
+				Expect(crb.Subjects[0].Namespace).To(Equal(sa.Namespace))
+			}
+			// --------------------------------------------------------------------------------
+
+			// role + binding from permissions field
+			{
+				rl := &rbacv1.RoleList{}
+				Expect(env.Client(shootCluster).List(env.Ctx, rl, labelSelector, client.InNamespace(ar.Spec.Permissions[1].Namespace))).To(Succeed())
+				Expect(rl.Items).To(HaveLen(1))
+				r := &rl.Items[0]
+				Expect(r.Rules).To(BeEquivalentTo(ar.Spec.Permissions[1].Rules))
+				rbl := &rbacv1.RoleBindingList{}
+				Expect(env.Client(shootCluster).List(env.Ctx, rbl, labelSelector, client.InNamespace(ar.Spec.Permissions[1].Namespace))).To(Succeed())
+				Expect(r.Name).To(Equal(ar.Spec.Permissions[1].Name))
+				Expect(rbl.Items).To(HaveLen(1))
+				rb := &rbl.Items[0]
+				Expect(rb.RoleRef.Name).To(Equal(r.Name))
+				Expect(rb.Subjects).To(HaveLen(1))
+				Expect(rb.Subjects[0].Kind).To(Equal(rbacv1.ServiceAccountKind))
+				Expect(rb.Subjects[0].Name).To(Equal(sa.Name))
+				Expect(rb.Subjects[0].Namespace).To(Equal(sa.Namespace))
+			}
+			// role + binding from roleRefs field
+			{
+				rl := &rbacv1.RoleList{}
+				Expect(env.Client(shootCluster).List(env.Ctx, rl, client.InNamespace("default"))).To(Succeed())
+				Expect(rl.Items).To(HaveLen(1))
+				r := &rl.Items[0]
+				Expect(r.Rules).ToNot(BeEmpty())
+				rbl := &rbacv1.RoleBindingList{}
+				Expect(env.Client(shootCluster).List(env.Ctx, rbl, labelSelector, client.InNamespace("default"))).To(Succeed())
+				Expect(rbl.Items).To(HaveLen(1))
+				rb := &rbl.Items[0]
+				Expect(rb.RoleRef.Name).To(Equal("secret-viewer"))
+				Expect(rb.Subjects).To(HaveLen(1))
+				Expect(rb.Subjects[0].Kind).To(Equal(rbacv1.ServiceAccountKind))
+				Expect(rb.Subjects[0].Name).To(Equal(sa.Name))
+				Expect(rb.Subjects[0].Namespace).To(Equal(sa.Namespace))
+			}
 		})
 
 		It("should remove all resources again when the accessrequest is deleted", func() {

internal/controllers/cluster/testdata/test-05/platform/accessrequest.yaml

@@ -24,4 +24,9 @@ spec:
       - "*"
       verbs:
       - "*"
-
+  roleRefs:
+  - kind: Role
+    name: secret-viewer
+    namespace: default
+  - kind: ClusterRole
+    name: cluster-admin

internal/controllers/cluster/testdata/test-05/shoot/role.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-viewer
+  namespace: default
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch