add permissions to check for deletion-blocking resources

Diaphteiros · Diaphteiros · commit dc9002dba213 · 2025-10-28T15:58:17.000+01:00
diff --git a/api/core/v1alpha1/groupversion_info.go b/api/core/v1alpha1/groupversion_info.go
@@ -8,9 +8,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
 )
 
+const GroupName = "core.openmcp.cloud"
+
 var (
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "core.openmcp.cloud", Version: "v1alpha1"}
+	GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
diff --git a/cmd/project-workspace-operator/app/print.go b/cmd/project-workspace-operator/app/print.go
@@ -64,17 +64,7 @@ func (o *RunOptions) PrintRawOptions(cmd *cobra.Command) {
 	cmd.Println("########## RAW OPTIONS END ##########")
 }
 
-func (o *RunOptions) PrintCompleted(cmd *cobra.Command) {
-	raw := map[string]any{
-		// TODO add options or remove
-	}
-	data, err := yaml.Marshal(raw)
-	if err != nil {
-		cmd.Println(fmt.Errorf("error marshalling completed options: %w", err).Error())
-		return
-	}
-	cmd.Print(string(data))
-}
+func (o *RunOptions) PrintCompleted(cmd *cobra.Command) {}
 
 func (o *RunOptions) PrintCompletedOptions(cmd *cobra.Command) {
 	cmd.Println("########## COMPLETED OPTIONS START ##########")
diff --git a/cmd/project-workspace-operator/app/run.go b/cmd/project-workspace-operator/app/run.go
@@ -14,6 +14,7 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -230,38 +231,61 @@ func (o *RunOptions) Run(ctx context.Context) error {
 		WithInterval(10 * time.Second).
 		WithTimeout(30 * time.Minute)
 
-	onboardingCluster, err := clusterAccessManager.CreateAndWaitForCluster(ctx, clustersv1alpha1.PURPOSE_ONBOARDING, clustersv1alpha1.PURPOSE_ONBOARDING,
-		onboardingScheme, []clustersv1alpha1.PermissionsRequest{
-			{
-				Rules: []rbacv1.PolicyRule{
-					{
-						APIGroups: []string{"core.openmcp.cloud"},
-						Resources: []string{"projects", "projects/status", "workspaces", "workspaces/status", "memberoverrides"},
-						Verbs:     []string{"*"},
-					},
-					{
-						APIGroups: []string{"apiextensions.k8s.io"},
-						Resources: []string{"customresourcedefinitions"},
-						Verbs:     []string{"list", "get"},
-					},
-					{
-						APIGroups: []string{""},
-						Resources: []string{"namespaces"},
-						Verbs:     []string{"*"},
-					},
-					{
-						APIGroups: []string{"rbac.authorization.k8s.io"},
-						Resources: []string{"clusterroles", "clusterrolebindings", "rolebindings"},
-						Verbs:     []string{"*"},
-					},
-					{
-						APIGroups: []string{"authentication.k8s.io/v1"},
-						Resources: []string{"selfsubjectreviews"},
-						Verbs:     []string{"*"},
-					},
+	onboadingClusterPermissions := []clustersv1alpha1.PermissionsRequest{
+		{
+			Rules: []rbacv1.PolicyRule{
+				{
+					APIGroups: []string{pwv1alpha1.GroupName},
+					Resources: []string{"projects", "projects/status", "workspaces", "workspaces/status"},
+					Verbs:     []string{"*"},
+				},
+				{
+					APIGroups: []string{pwv1alpha1.GroupName},
+					Resources: []string{"*"},
+					Verbs:     []string{"list", "get"},
+				},
+				{
+					APIGroups: []string{"apiextensions.k8s.io"},
+					Resources: []string{"customresourcedefinitions"},
+					Verbs:     []string{"list", "get"},
+				},
+				{
+					APIGroups: []string{""},
+					Resources: []string{"namespaces"},
+					Verbs:     []string{"*"},
+				},
+				{
+					APIGroups: []string{"rbac.authorization.k8s.io"},
+					Resources: []string{"clusterroles", "clusterrolebindings", "rolebindings"},
+					Verbs:     []string{"*"},
+				},
+				{
+					APIGroups: []string{"authentication.k8s.io/v1"},
+					Resources: []string{"selfsubjectreviews"},
+					Verbs:     []string{"*"},
 				},
 			},
+		},
+	}
+	blockingAPIGroups := sets.New[string]()
+	for _, pb := range pwc.Spec.Project.ResourcesBlockingDeletion {
+		if pb.Group != pwv1alpha1.GroupName {
+			blockingAPIGroups.Insert(pb.Group)
+		}
+	}
+	for _, wsb := range pwc.Spec.Workspace.ResourcesBlockingDeletion {
+		if wsb.Group != pwv1alpha1.GroupName {
+			blockingAPIGroups.Insert(wsb.Group)
+		}
+	}
+	for _, bg := range sets.List(blockingAPIGroups) {
+		onboadingClusterPermissions[0].Rules = append(onboadingClusterPermissions[0].Rules, rbacv1.PolicyRule{
+			APIGroups: []string{bg},
+			Resources: []string{"*"},
+			Verbs:     []string{"list", "get"},
 		})
+	}
+	onboardingCluster, err := clusterAccessManager.CreateAndWaitForCluster(ctx, clustersv1alpha1.PURPOSE_ONBOARDING, clustersv1alpha1.PURPOSE_ONBOARDING, onboardingScheme, onboadingClusterPermissions)
 
 	if err != nil {
 		return fmt.Errorf("error creating/updating onboarding cluster: %w", err)
