Refactor

Signed-off-by: Per Goncalves da Silva <[email protected]>

Author: Per Goncalves da Silva

internal/operator-controller/rukpak/convert/installer_rbac.go

@@ -44,180 +44,116 @@ var (
     }
 )
 
-func GenerateInstallerRBAC(objs []client.Object, extensionName string, installNamespace string, watchNamespace string) []client.Object {
-    generatedObjs := getGeneratedObjs(objs)
-
-    var (
-        serviceAccountName     = extensionName + "-installer"
-        clusterRoleName        = extensionName + "-installer-clusterrole"
-        clusterRoleBindingName = extensionName + "-installer-clusterrole-binding"
-        roleName               = extensionName + "-installer-role"
-        roleBindingName        = extensionName + "-installer-role-binding"
-    )
-
-    rbacManifests := []client.Object{
-        // installer service account
-        ptr.To(newServiceAccount(
-            installNamespace,
-            serviceAccountName,
-        )),
-
-        // cluster scoped resources
-        ptr.To(newClusterRole(
-            clusterRoleName,
-            slices.Concat(
-                // finalizer rule
-                []rbacv1.PolicyRule{newClusterExtensionFinalizerPolicyRule(extensionName)},
-                // cluster scoped resource creation and management rules
-                generatePolicyRules(filter.Filter(objs, isClusterScopedResource)),
-                // controller rbac scope
-                collectRBACResourcePolicyRules(filter.Filter(generatedObjs, isClusterRole)),
-            ),
-        )),
-        ptr.To(newClusterRoleBinding(
-            clusterRoleBindingName,
-            clusterRoleName,
-            installNamespace,
-            serviceAccountName,
-        )),
-
-        // namespace scoped install namespace resources
-        ptr.To(newRole(
-            installNamespace,
-            roleName,
-            slices.Concat(
-                // namespace scoped resource creation and management rules
-                generatePolicyRules(filter.Filter(objs, filter.And(isNamespacedResource, inNamespace(installNamespace)))),
-                // controller rbac scope
-                collectRBACResourcePolicyRules(filter.Filter(generatedObjs, filter.And(isRole, inNamespace(installNamespace)))),
-            ),
-        )),
-        ptr.To(newRoleBinding(
-            installNamespace,
-            roleBindingName,
-            roleName,
-            installNamespace,
-            serviceAccountName,
-        )),
-
-        // namespace scoped watch namespace resources
-        ptr.To(newRole(
-            watchNamespace,
-            roleName,
-            slices.Concat(
-                // namespace scoped resource creation and management rules
-                generatePolicyRules(filter.Filter(objs, filter.And(isNamespacedResource, inNamespace(watchNamespace)))),
-                // controller rbac scope
-                collectRBACResourcePolicyRules(filter.Filter(generatedObjs, filter.And(isRole, inNamespace(watchNamespace)))),
-            ),
-        )),
-        ptr.To(newRoleBinding(
-            watchNamespace,
-            roleBindingName,
-            roleName,
-            installNamespace,
-            serviceAccountName,
-        )),
-    }
-
-    // remove any cluster/role(s) without any defined rules and pair cluster/role add manifests
-    return slices.DeleteFunc(rbacManifests, isNoRules)
+// GenerateResourceManagerClusterRole generates a ClusterRole with permissions to manage objs resources. The
+// permissions also aggregate any permissions from any ClusterRoles in objs allowing the holder to also assign
+// the RBAC therein to another service account. Note: currently assumes objs have been created by convert.Convert.
+func GenerateResourceManagerClusterRole(objs []client.Object) *rbacv1.ClusterRole {
+    return ptr.To(newClusterRole(
+        "",
+        slices.Concat(
+            // cluster scoped resource creation and management rules
+            generatePolicyRules(filter.Filter(objs, isClusterScopedResource)),
+            // controller rbac scope
+            collectRBACResourcePolicyRules(filter.Filter(objs, filter.And(isGeneratedResource, isOfKind("ClusterRole")))),
+        ),
+    ))
 }
 
-func isNoRules(object client.Object) bool {
-    switch obj := object.(type) {
-    case *rbacv1.ClusterRole:
-        return len(obj.Rules) == 0
-    case *rbacv1.Role:
-        return len(obj.Rules) == 0
+// GenerateClusterExtensionFinalizerPolicyRule generates a policy rule that allows the holder to update
+// finalizer for a ClusterExtension with clusterExtensionName.
+func GenerateClusterExtensionFinalizerPolicyRule(clusterExtensionName string) rbacv1.PolicyRule {
+    return rbacv1.PolicyRule{
+        APIGroups:     []string{"olm.operatorframework.io"},
+        Resources:     []string{"clusterextensions/finalizers"},
+        Verbs:         []string{"update"},
+        ResourceNames: []string{clusterExtensionName},
     }
-    return false
 }
 
-func getGeneratedObjs(plainObjs []client.Object) []client.Object {
-    return filter.Filter(plainObjs, func(obj client.Object) bool {
-        // this is a hack that abuses an internal implementation detail
-        // we should probably annotate the generated resources coming out of convert.Convert
-        _, ok := obj.(*unstructured.Unstructured)
-        return ok
-    })
+// GenerateResourceManagerRoles generates one or more Roles with permissions to manage objs resources in their
+// namespaces. The permissions also include any permissions defined in any Roles in objs within the namespace, allowing
+// the holder to also assign the RBAC therein to another service account.
+// Note: currently assumes objs have been created by convert.Convert.
+func GenerateResourceManagerRoles(objs []client.Object) []*rbacv1.Role {
+    return mapToSlice(filter.GroupBy(objs, namespaceName), generateRole)
 }
 
-var isNamespacedResource filter.Predicate[client.Object] = func(o client.Object) bool {
-    return slices.Contains(namespaceScopedResources, o.GetObjectKind().GroupVersionKind().Kind)
-}
-
-var isClusterScopedResource filter.Predicate[client.Object] = func(o client.Object) bool {
-    return slices.Contains(clusterScopedResources, o.GetObjectKind().GroupVersionKind().Kind)
-}
-
-var isClusterRole = isOfKind("ClusterRole")
-var isRole = isOfKind("Role")
-
-func isOfKind(kind string) filter.Predicate[client.Object] {
-    return func(o client.Object) bool {
-        return o.GetObjectKind().GroupVersionKind().Kind == kind
-    }
-}
-
-func inNamespace(namespace string) filter.Predicate[client.Object] {
-    return func(o client.Object) bool {
-        return o.GetNamespace() == namespace
-    }
+func generateRole(namespace string, namespaceObjs []client.Object) *rbacv1.Role {
+    return ptr.To(newRole(
+        namespace,
+        "",
+        slices.Concat(
+            // namespace scoped resource creation and management rules
+            generatePolicyRules(namespaceObjs),
+            // controller rbac scope
+            collectRBACResourcePolicyRules(filter.Filter(namespaceObjs, filter.And(isOfKind("Role"), isGeneratedResource))),
+        ),
+    ))
 }
 
 func generatePolicyRules(objs []client.Object) []rbacv1.PolicyRule {
-    resourceNameMap := groupResourceNamesByGroupKind(objs)
-    policyRules := make([]rbacv1.PolicyRule, 0, 2*len(resourceNameMap))
-    for groupKind, resourceNames := range resourceNameMap {
-        policyRules = append(policyRules, []rbacv1.PolicyRule{
-            newPolicyRule(groupKind, unnamedResourceVerbs),
-            newPolicyRule(groupKind, namedResourceVerbs, resourceNames...),
-        }...)
-    }
-    return policyRules
+    return slices.Concat(mapToSlice(filter.GroupBy(objs, groupKind), func(gk schema.GroupKind, resources []client.Object) []rbacv1.PolicyRule {
+        return []rbacv1.PolicyRule{
+            newPolicyRule(gk, unnamedResourceVerbs),
+            newPolicyRule(gk, namedResourceVerbs, filter.Map(resources, toResourceName)...),
+        }
+    })...)
 }
 
 func collectRBACResourcePolicyRules(objs []client.Object) []rbacv1.PolicyRule {
-    var policyRules []rbacv1.PolicyRule
-    for _, obj := range objs {
+    return slices.Concat(filter.Map(objs, func(obj client.Object) []rbacv1.PolicyRule {
         if cr, ok := obj.(*rbacv1.ClusterRole); ok {
-            policyRules = append(policyRules, cr.Rules...)
+            return cr.Rules
         } else if r, ok := obj.(*rbacv1.Role); ok {
-            policyRules = append(policyRules, r.Rules...)
+            return r.Rules
         } else {
             panic(fmt.Sprintf("unexpected type %T", obj))
         }
-    }
-    return policyRules
+    })...)
 }
 
-func newClusterExtensionFinalizerPolicyRule(clusterExtensionName string) rbacv1.PolicyRule {
+func newPolicyRule(groupKind schema.GroupKind, verbs []string, resourceNames ...string) rbacv1.PolicyRule {
     return rbacv1.PolicyRule{
-        APIGroups:     []string{"olm.operatorframework.io"},
-        Resources:     []string{"clusterextensions/finalizers"},
-        Verbs:         []string{"update"},
-        ResourceNames: []string{clusterExtensionName},
+        APIGroups:     []string{groupKind.Group},
+        Resources:     []string{fmt.Sprintf("%ss", strings.ToLower(groupKind.Kind))},
+        Verbs:         verbs,
+        ResourceNames: resourceNames,
     }
 }
 
-func groupResourceNamesByGroupKind(objs []client.Object) map[schema.GroupKind][]string {
-    resourceNames := map[schema.GroupKind][]string{}
-    for _, obj := range objs {
-        key := obj.GetObjectKind().GroupVersionKind().GroupKind()
-        if _, ok := resourceNames[key]; !ok {
-            resourceNames[key] = []string{}
-        }
-        resourceNames[key] = append(resourceNames[key], obj.GetName())
+func mapToSlice[K comparable, V any, R any](m map[K]V, fn func(k K, v V) R) []R {
+    out := make([]R, 0, len(m))
+    for k, v := range m {
+        out = append(out, fn(k, v))
     }
-    return resourceNames
+    return out
 }
 
-func newPolicyRule(groupKind schema.GroupKind, verbs []string, resourceNames ...string) rbacv1.PolicyRule {
-    return rbacv1.PolicyRule{
-        APIGroups:     []string{groupKind.Group},
-        Resources:     []string{fmt.Sprintf("%ss", strings.ToLower(groupKind.Kind))},
-        Verbs:         verbs,
-        ResourceNames: resourceNames,
+func isClusterScopedResource(o client.Object) bool {
+    return slices.Contains(clusterScopedResources, o.GetObjectKind().GroupVersionKind().Kind)
+}
+
+func isOfKind(kind string) filter.Predicate[client.Object] {
+    return func(o client.Object) bool {
+        return o.GetObjectKind().GroupVersionKind().Kind == kind
     }
 }
+
+func isGeneratedResource(o client.Object) bool {
+    // TODO: this is a hack that abuses an internal implementation detail
+    //       we should probably annotate the generated resources coming out of convert.Convert
+    _, ok := o.(*unstructured.Unstructured)
+    return ok
+}
+
+func groupKind(obj client.Object) schema.GroupKind {
+    return obj.GetObjectKind().GroupVersionKind().GroupKind()
+}
+
+func namespaceName(obj client.Object) string {
+    return obj.GetNamespace()
+}
+
+func toResourceName(o client.Object) string {
+    return o.GetName()
+}

internal/shared/util/filter/filter.go

@@ -5,6 +5,10 @@ import "slices"
 // Predicate returns true if the object should be kept when filtering
 type Predicate[T any] func(entity T) bool
 
+type Key[T any, K comparable] func(entity T) K
+
+type MapFn[S any, V any] func(S) V
+
 func And[T any](predicates ...Predicate[T]) Predicate[T] {
 	return func(obj T) bool {
 		for _, predicate := range predicates {
@@ -50,3 +54,20 @@ func Filter[T any](s []T, test Predicate[T]) []T {
 func InPlace[T any](s []T, test Predicate[T]) []T {
 	return slices.DeleteFunc(s, Not(test))
 }
+
+func GroupBy[T any, K comparable](s []T, key Key[T, K]) map[K][]T {
+	out := map[K][]T{}
+	for _, value := range s {
+		k := key(value)
+		out[k] = append(out[k], value)
+	}
+	return out
+}
+
+func Map[S, V any](s []S, mapper MapFn[S, V]) []V {
+	out := make([]V, len(s))
+	for i := 0; i < len(s); i++ {
+		out[i] = mapper(s[i])
+	}
+	return out
+}