Skip to content

Commit 4be4e35

Browse files
DiaphteirosDiaphteiros
committed
add permissions to check for deletion-blocking resources
1 parent 8ce47a2 commit 4be4e35

File tree

3 files changed

+57
-41
lines changed

3 files changed

+57
-41
lines changed

api/core/v1alpha1/groupversion_info.go

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,9 +8,11 @@ import (
88
"sigs.k8s.io/controller-runtime/pkg/scheme"
99
)
1010

11+
const GroupName = "core.openmcp.cloud"
12+
1113
var (
1214
// GroupVersion is group version used to register these objects
13-
GroupVersion = schema.GroupVersion{Group: "core.openmcp.cloud", Version: "v1alpha1"}
15+
GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
1416

1517
// SchemeBuilder is used to add go types to the GroupVersionKind scheme
1618
SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

cmd/project-workspace-operator/app/print.go

Lines changed: 1 addition & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -64,17 +64,7 @@ func (o *RunOptions) PrintRawOptions(cmd *cobra.Command) {
6464
cmd.Println("########## RAW OPTIONS END ##########")
6565
}
6666

67-
func (o *RunOptions) PrintCompleted(cmd *cobra.Command) {
68-
raw := map[string]any{
69-
// TODO add options or remove
70-
}
71-
data, err := yaml.Marshal(raw)
72-
if err != nil {
73-
cmd.Println(fmt.Errorf("error marshalling completed options: %w", err).Error())
74-
return
75-
}
76-
cmd.Print(string(data))
77-
}
67+
func (o *RunOptions) PrintCompleted(cmd *cobra.Command) {}
7868

7969
func (o *RunOptions) PrintCompletedOptions(cmd *cobra.Command) {
8070
cmd.Println("########## COMPLETED OPTIONS START ##########")

cmd/project-workspace-operator/app/run.go

Lines changed: 53 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ import (
1414
rbacv1 "k8s.io/api/rbac/v1"
1515
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
1616
"k8s.io/apimachinery/pkg/runtime"
17+
"k8s.io/apimachinery/pkg/util/sets"
1718
ctrl "sigs.k8s.io/controller-runtime"
1819
"sigs.k8s.io/controller-runtime/pkg/certwatcher"
1920
"sigs.k8s.io/controller-runtime/pkg/client"
@@ -230,38 +231,61 @@ func (o *RunOptions) Run(ctx context.Context) error {
230231
WithInterval(10 * time.Second).
231232
WithTimeout(30 * time.Minute)
232233

233-
onboardingCluster, err := clusterAccessManager.CreateAndWaitForCluster(ctx, clustersv1alpha1.PURPOSE_ONBOARDING, clustersv1alpha1.PURPOSE_ONBOARDING,
234-
onboardingScheme, []clustersv1alpha1.PermissionsRequest{
235-
{
236-
Rules: []rbacv1.PolicyRule{
237-
{
238-
APIGroups: []string{"core.openmcp.cloud"},
239-
Resources: []string{"projects", "projects/status", "workspaces", "workspaces/status", "memberoverrides"},
240-
Verbs: []string{"*"},
241-
},
242-
{
243-
APIGroups: []string{"apiextensions.k8s.io"},
244-
Resources: []string{"customresourcedefinitions"},
245-
Verbs: []string{"list", "get"},
246-
},
247-
{
248-
APIGroups: []string{""},
249-
Resources: []string{"namespaces"},
250-
Verbs: []string{"*"},
251-
},
252-
{
253-
APIGroups: []string{"rbac.authorization.k8s.io"},
254-
Resources: []string{"clusterroles", "clusterrolebindings", "rolebindings"},
255-
Verbs: []string{"*"},
256-
},
257-
{
258-
APIGroups: []string{"authentication.k8s.io/v1"},
259-
Resources: []string{"selfsubjectreviews"},
260-
Verbs: []string{"*"},
261-
},
234+
onboadingClusterPermissions := []clustersv1alpha1.PermissionsRequest{
235+
{
236+
Rules: []rbacv1.PolicyRule{
237+
{
238+
APIGroups: []string{pwv1alpha1.GroupName},
239+
Resources: []string{"projects", "projects/status", "workspaces", "workspaces/status"},
240+
Verbs: []string{"*"},
241+
},
242+
{
243+
APIGroups: []string{pwv1alpha1.GroupName},
244+
Resources: []string{"*"},
245+
Verbs: []string{"list", "get"},
246+
},
247+
{
248+
APIGroups: []string{"apiextensions.k8s.io"},
249+
Resources: []string{"customresourcedefinitions"},
250+
Verbs: []string{"list", "get"},
251+
},
252+
{
253+
APIGroups: []string{""},
254+
Resources: []string{"namespaces"},
255+
Verbs: []string{"*"},
256+
},
257+
{
258+
APIGroups: []string{"rbac.authorization.k8s.io"},
259+
Resources: []string{"clusterroles", "clusterrolebindings", "rolebindings"},
260+
Verbs: []string{"*"},
261+
},
262+
{
263+
APIGroups: []string{"authentication.k8s.io/v1"},
264+
Resources: []string{"selfsubjectreviews"},
265+
Verbs: []string{"*"},
262266
},
263267
},
268+
},
269+
}
270+
blockingAPIGroups := sets.New[string]()
271+
for _, pb := range pwc.Spec.Project.ResourcesBlockingDeletion {
272+
if pb.Group != pwv1alpha1.GroupName {
273+
blockingAPIGroups.Insert(pb.Group)
274+
}
275+
}
276+
for _, wsb := range pwc.Spec.Workspace.ResourcesBlockingDeletion {
277+
if wsb.Group != pwv1alpha1.GroupName {
278+
blockingAPIGroups.Insert(wsb.Group)
279+
}
280+
}
281+
for _, bg := range sets.List(blockingAPIGroups) {
282+
onboadingClusterPermissions[0].Rules = append(onboadingClusterPermissions[0].Rules, rbacv1.PolicyRule{
283+
APIGroups: []string{bg},
284+
Resources: []string{"*"},
285+
Verbs: []string{"list", "get"},
264286
})
287+
}
288+
onboardingCluster, err := clusterAccessManager.CreateAndWaitForCluster(ctx, clustersv1alpha1.PURPOSE_ONBOARDING, clustersv1alpha1.PURPOSE_ONBOARDING, onboardingScheme, onboadingClusterPermissions)
265289

266290
if err != nil {
267291
return fmt.Errorf("error creating/updating onboarding cluster: %w", err)

0 commit comments

Comments
 (0)