feat: add manifest loaders for the gwapi cluster roles

shaneutt · openshift-merge-bot[bot] · commit ca112b7def49 · 2025-04-03T07:26:06.000Z
Signed-off-by: Shane Utt &lt;shaneutt@linux.com&gt;
diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -42,11 +42,13 @@ const (
 	CanaryServiceAsset   = "assets/canary/service.yaml"
 	CanaryRouteAsset     = "assets/canary/route.yaml"
 
-	GatewayClassCRDAsset   = "assets/gateway-api/gateway.networking.k8s.io_gatewayclasses.yaml"
-	GatewayCRDAsset        = "assets/gateway-api/gateway.networking.k8s.io_gateways.yaml"
-	GRPCRouteCRDAsset      = "assets/gateway-api/gateway.networking.k8s.io_grpcroutes.yaml"
-	HTTPRouteCRDAsset      = "assets/gateway-api/gateway.networking.k8s.io_httproutes.yaml"
-	ReferenceGrantCRDAsset = "assets/gateway-api/gateway.networking.k8s.io_referencegrants.yaml"
+	GatewayClassCRDAsset            = "assets/gateway-api/gateway.networking.k8s.io_gatewayclasses.yaml"
+	GatewayCRDAsset                 = "assets/gateway-api/gateway.networking.k8s.io_gateways.yaml"
+	GRPCRouteCRDAsset               = "assets/gateway-api/gateway.networking.k8s.io_grpcroutes.yaml"
+	HTTPRouteCRDAsset               = "assets/gateway-api/gateway.networking.k8s.io_httproutes.yaml"
+	ReferenceGrantCRDAsset          = "assets/gateway-api/gateway.networking.k8s.io_referencegrants.yaml"
+	GatewayAPIAdminClusterRoleAsset = "assets/gateway-api/aggregated-cluster-roles/admin-cluster-role.yaml"
+	GatewayAPIViewClusterRoleAsset  = "assets/gateway-api/aggregated-cluster-roles/view-cluster-role.yaml"
 
 	// Annotation used to inform the certificate generation service to
 	// generate a cluster-signed certificate and populate the secret.
@@ -296,6 +298,22 @@ func ReferenceGrantCRD() *apiextensionsv1.CustomResourceDefinition {
 	return crd
 }
 
+func GatewayAPIAdminClusterRole() *rbacv1.ClusterRole {
+	clusterRole, err := NewClusterRole(MustAssetReader(GatewayAPIAdminClusterRoleAsset))
+	if err != nil {
+		panic(err)
+	}
+	return clusterRole
+}
+
+func GatewayAPIViewClusterRole() *rbacv1.ClusterRole {
+	clusterRole, err := NewClusterRole(MustAssetReader(GatewayAPIViewClusterRoleAsset))
+	if err != nil {
+		panic(err)
+	}
+	return clusterRole
+}
+
 func NewServiceAccount(manifest io.Reader) (*corev1.ServiceAccount, error) {
 	sa := corev1.ServiceAccount{}
 	if err := yaml.NewYAMLOrJSONDecoder(manifest, 100).Decode(&sa); err != nil {
diff --git a/pkg/manifests/manifests_test.go b/pkg/manifests/manifests_test.go
@@ -1,6 +1,8 @@
 package manifests
 
 import (
+	"slices"
+	"strings"
 	"testing"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
@@ -50,6 +52,19 @@ func TestManifests(t *testing.T) {
 	HTTPRouteCRD()
 	ReferenceGrantCRD()
 
+	adminOnlyVerbs := []string{"create", "update", "patch", "delete", "deletecollection"}
+	GatewayAPIAdminClusterRole()
+	viewClusterRole := GatewayAPIViewClusterRole()
+	for _, policyRule := range viewClusterRole.Rules {
+		for _, adminOnlyVerb := range adminOnlyVerbs {
+			if slices.ContainsFunc(policyRule.Verbs, func(verb string) bool {
+				return strings.EqualFold(verb, adminOnlyVerb)
+			}) {
+				t.Errorf("view role %s should only contain read verbs, found: %s", viewClusterRole.Name, adminOnlyVerb)
+			}
+		}
+	}
+
 	MustAsset(CustomResourceDefinitionManifest)
 	MustAsset(NamespaceManifest)
 }
