rolebinding -> role

On-behalf-of: @SAP [email protected]
Signed-off-by: Artem Shcherbatiuk <[email protected]>

Author: vertex451

gateway/resolver/relationships.go

@@ -0,0 +1,223 @@
+package resolver
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/graphql-go/graphql"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/openmfp/golang-commons/logger"
+)
+
+// RelationshipResolver handles resolution of relationships between Kubernetes resources
+type RelationshipResolver struct {
+	log           *logger.Logger
+	runtimeClient client.WithWatch
+	groupNames    map[string]string
+}
+
+// RelationshipRef represents a reference to another Kubernetes resource
+type RelationshipRef struct {
+	Kind         string `json:"kind,omitempty"`
+	GroupVersion string `json:"groupVersion,omitempty"`
+	Name         string `json:"name"`
+	Namespace    string `json:"namespace,omitempty"`
+}
+
+// NewRelationshipResolver creates a new relationship resolver
+func NewRelationshipResolver(log *logger.Logger, runtimeClient client.WithWatch, groupNames map[string]string) *RelationshipResolver {
+	return &RelationshipResolver{
+		log:           log,
+		runtimeClient: runtimeClient,
+		groupNames:    groupNames,
+	}
+}
+
+// IsRelationshipField checks if a field name follows the relationship convention (<kind>Ref)
+func IsRelationshipField(fieldName string) bool {
+	return strings.HasSuffix(fieldName, "Ref")
+}
+
+// ExtractTargetKind extracts the target kind from a relationship field name
+// e.g., "roleRef" -> "Role"
+func ExtractTargetKind(fieldName string) string {
+	if !IsRelationshipField(fieldName) {
+		return ""
+	}
+
+	// Remove "Ref" suffix and capitalize first letter
+	kindName := strings.TrimSuffix(fieldName, "Ref")
+	if len(kindName) == 0 {
+		return ""
+	}
+
+	return strings.ToUpper(kindName[:1]) + kindName[1:]
+}
+
+// CreateRelationshipResolver creates a GraphQL field resolver for relationship fields
+func (r *RelationshipResolver) CreateRelationshipResolver(sourceGVK schema.GroupVersionKind, fieldName string, targetKind string) graphql.FieldResolveFn {
+	return func(p graphql.ResolveParams) (interface{}, error) {
+		ctx, span := otel.Tracer("").Start(p.Context, "ResolveRelationship",
+			trace.WithAttributes(
+				attribute.String("sourceKind", sourceGVK.Kind),
+				attribute.String("fieldName", fieldName),
+				attribute.String("targetKind", targetKind),
+			))
+		defer span.End()
+
+		// Get the source object from the parent resolver
+		sourceObj, ok := p.Source.(map[string]interface{})
+		if !ok {
+			return nil, fmt.Errorf("expected source to be map[string]interface{}, got %T", p.Source)
+		}
+
+		// Extract the relationship reference from the source object
+		refValue, found, err := unstructured.NestedFieldNoCopy(sourceObj, fieldName)
+		if err != nil {
+			return nil, fmt.Errorf("error accessing field %s: %v", fieldName, err)
+		}
+		if !found {
+			return nil, nil // Field not present
+		}
+
+		refMap, ok := refValue.(map[string]interface{})
+		if !ok {
+			return nil, fmt.Errorf("expected %s to be map[string]interface{}, got %T", fieldName, refValue)
+		}
+
+		// Parse the relationship reference
+		ref, err := r.parseRelationshipRef(refMap)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing relationship ref: %v", err)
+		}
+
+		// If no kind specified in ref, use the target kind from field name
+		if ref.Kind == "" {
+			ref.Kind = targetKind
+		}
+
+		// Resolve the target GVK
+		targetGVK, err := r.resolveTargetGVK(ref, sourceGVK)
+		if err != nil {
+			return nil, fmt.Errorf("error resolving target GVK: %v", err)
+		}
+
+		// Fetch the referenced resource
+		return r.fetchReferencedResource(ctx, ref, targetGVK)
+	}
+}
+
+// parseRelationshipRef parses a relationship reference from a map
+func (r *RelationshipResolver) parseRelationshipRef(refMap map[string]interface{}) (*RelationshipRef, error) {
+	ref := &RelationshipRef{}
+
+	if kind, ok := refMap["kind"].(string); ok {
+		ref.Kind = kind
+	}
+
+	if groupVersion, ok := refMap["groupVersion"].(string); ok {
+		ref.GroupVersion = groupVersion
+	}
+
+	if apiGroup, ok := refMap["apiGroup"].(string); ok {
+		// Handle RBAC-style references where apiGroup is specified separately
+		if apiGroup != "" {
+			// For RBAC, we need to construct the groupVersion
+			// Default to v1 if no version specified in the groupVersion field
+			if ref.GroupVersion == "" {
+				ref.GroupVersion = apiGroup + "/v1"
+			}
+		} else {
+			// Empty apiGroup means core/v1
+			ref.GroupVersion = "v1"
+		}
+	}
+
+	name, ok := refMap["name"].(string)
+	if !ok {
+		return nil, fmt.Errorf("name is required in relationship reference")
+	}
+	ref.Name = name
+
+	if namespace, ok := refMap["namespace"].(string); ok {
+		ref.Namespace = namespace
+	}
+
+	return ref, nil
+}
+
+// resolveTargetGVK resolves the target GroupVersionKind from the relationship reference
+func (r *RelationshipResolver) resolveTargetGVK(ref *RelationshipRef, sourceGVK schema.GroupVersionKind) (schema.GroupVersionKind, error) {
+	targetGVK := schema.GroupVersionKind{
+		Kind: ref.Kind,
+	}
+
+	if ref.GroupVersion != "" {
+		// Parse group and version from groupVersion
+		parts := strings.Split(ref.GroupVersion, "/")
+		if len(parts) == 2 {
+			targetGVK.Group = parts[0]
+			targetGVK.Version = parts[1]
+		} else if len(parts) == 1 {
+			// Could be just version (for core resources) or just group
+			if ref.GroupVersion == "v1" || strings.HasPrefix(ref.GroupVersion, "v") {
+				targetGVK.Group = ""
+				targetGVK.Version = ref.GroupVersion
+			} else {
+				targetGVK.Group = ref.GroupVersion
+				targetGVK.Version = "v1" // Default version
+			}
+		} else {
+			return targetGVK, fmt.Errorf("invalid groupVersion format: %s", ref.GroupVersion)
+		}
+	} else {
+		// If no groupVersion specified, inherit from source or use defaults
+		targetGVK.Group = sourceGVK.Group
+		targetGVK.Version = sourceGVK.Version
+	}
+
+	return targetGVK, nil
+}
+
+// fetchReferencedResource fetches the referenced Kubernetes resource
+func (r *RelationshipResolver) fetchReferencedResource(ctx context.Context, ref *RelationshipRef, targetGVK schema.GroupVersionKind) (interface{}, error) {
+	// Create an unstructured object to hold the result
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(targetGVK)
+
+	key := client.ObjectKey{
+		Name: ref.Name,
+	}
+
+	// If namespace is specified in the ref, use it
+	if ref.Namespace != "" {
+		key.Namespace = ref.Namespace
+	}
+
+	// Get the object using the runtime client
+	if err := r.runtimeClient.Get(ctx, key, obj); err != nil {
+		r.log.Error().Err(err).
+			Str("name", ref.Name).
+			Str("namespace", ref.Namespace).
+			Str("gvk", targetGVK.String()).
+			Msg("Unable to get referenced object")
+		return nil, err
+	}
+
+	return obj.Object, nil
+}
+
+// getOriginalGroupName converts sanitized group name back to original
+func (r *RelationshipResolver) getOriginalGroupName(groupName string) string {
+	if originalName, ok := r.groupNames[groupName]; ok {
+		return originalName
+	}
+	return groupName
+}

gateway/resolver/resolver.go

@@ -30,6 +30,7 @@ type Provider interface {
 	CustomQueriesProvider
 	CommonResolver() graphql.FieldResolveFn
 	SanitizeGroupName(string) string
+	GetRelationshipResolver() *RelationshipResolver
 }
 
 type CrudProvider interface {
@@ -50,16 +51,22 @@ type CustomQueriesProvider interface {
 type Service struct {
 	log *logger.Logger
 	// groupNames stores relation between sanitized group names and original group names that are used in the Kubernetes API
-	groupNames    map[string]string // map[sanitizedGroupName]originalGroupName
-	runtimeClient client.WithWatch
+	groupNames           map[string]string // map[sanitizedGroupName]originalGroupName
+	runtimeClient        client.WithWatch
+	relationshipResolver *RelationshipResolver
 }
 
 func New(log *logger.Logger, runtimeClient client.WithWatch) *Service {
-	return &Service{
+	service := &Service{
 		log:           log,
 		groupNames:    make(map[string]string),
 		runtimeClient: runtimeClient,
 	}
+
+	// Initialize relationship resolver
+	service.relationshipResolver = NewRelationshipResolver(log, runtimeClient, service.groupNames)
+
+	return service
 }
 
 // ListItems returns a GraphQL CommonResolver function that lists Kubernetes resources of the given GroupVersionKind.
@@ -397,6 +404,10 @@ func (r *Service) getOriginalGroupName(groupName string) string {
 	return groupName
 }
 
+func (r *Service) GetRelationshipResolver() *RelationshipResolver {
+	return r.relationshipResolver
+}
+
 func compareUnstructured(a, b unstructured.Unstructured, fieldPath string) int {
 	segments := strings.Split(fieldPath, ".")
 

gateway/resolver/subscription.go

@@ -79,6 +79,16 @@ func (r *Service) runWatch(
 
 	fieldsToWatch := extractRequestedFields(p.Info)
 
+	// Extract relationship watches (for future implementation)
+	relationshipWatches := r.extractRelationshipWatches(fieldsToWatch, gvk)
+	if len(relationshipWatches) > 0 {
+		r.log.Debug().
+			Int("relationshipCount", len(relationshipWatches)).
+			Str("sourceGVK", gvk.String()).
+			Msg("Detected relationships in subscription - multiple watches not yet implemented")
+		// TODO: Implement multiple watches for relationships
+	}
+
 	list := &unstructured.UnstructuredList{}
 	list.SetGroupVersionKind(schema.GroupVersionKind{
 		Group: gvk.Group, Version: gvk.Version, Kind: gvk.Kind + "List",
@@ -356,3 +366,75 @@ func CreateSubscriptionResolver(isSingle bool) graphql.FieldResolveFn {
 		return source, nil
 	}
 }
+
+// RelationshipWatch represents a relationship that needs to be watched
+type RelationshipWatch struct {
+	FieldPath   string
+	TargetGVK   schema.GroupVersionKind
+	TargetScope v1.ResourceScope
+}
+
+// extractRelationshipWatches analyzes requested fields to identify relationships that need additional watches
+func (r *Service) extractRelationshipWatches(fieldsToWatch []string, sourceGVK schema.GroupVersionKind) []RelationshipWatch {
+	var relationshipWatches []RelationshipWatch
+
+	for _, fieldPath := range fieldsToWatch {
+		// Check if this field path contains a relationship field
+		pathParts := strings.Split(fieldPath, ".")
+		for i, part := range pathParts {
+			if IsRelationshipField(part) {
+				targetKind := ExtractTargetKind(part)
+				if targetKind != "" {
+					// Try to resolve the target GVK
+					// For now, we'll make some assumptions about common relationships
+					targetGVK := r.resolveTargetGVK(targetKind, sourceGVK)
+					if targetGVK != (schema.GroupVersionKind{}) {
+						// TODO: Determine target scope - for now assume same as source
+						relationshipWatches = append(relationshipWatches, RelationshipWatch{
+							FieldPath:   strings.Join(pathParts[:i+1], "."),
+							TargetGVK:   targetGVK,
+							TargetScope: v1.NamespaceScoped, // Default assumption
+						})
+					}
+				}
+			}
+		}
+	}
+
+	return relationshipWatches
+}
+
+// resolveTargetGVK attempts to resolve the target GVK for a relationship
+func (r *Service) resolveTargetGVK(targetKind string, sourceGVK schema.GroupVersionKind) schema.GroupVersionKind {
+	// Handle common RBAC relationships
+	switch targetKind {
+	case "Role":
+		return schema.GroupVersionKind{
+			Group:   "rbac.authorization.k8s.io",
+			Version: "v1",
+			Kind:    "Role",
+		}
+	case "ClusterRole":
+		return schema.GroupVersionKind{
+			Group:   "rbac.authorization.k8s.io",
+			Version: "v1",
+			Kind:    "ClusterRole",
+		}
+	case "ServiceAccount":
+		return schema.GroupVersionKind{
+			Group:   "",
+			Version: "v1",
+			Kind:    "ServiceAccount",
+		}
+	case "User", "Group":
+		// These are not Kubernetes resources, so we can't watch them
+		return schema.GroupVersionKind{}
+	default:
+		// For other kinds, assume same group/version as source
+		return schema.GroupVersionKind{
+			Group:   sourceGVK.Group,
+			Version: sourceGVK.Version,
+			Kind:    targetKind,
+		}
+	}
+}