feat: initial invite implementation (#97)

* feat: initial invite implementation

* chore: review comments

* chore: test coverage

* chore: test coverage

* fix: handle error in JSON encoding for user response in TestSubroutineProcess

* chore: port PR to mcruntime

Author: aaronschweig

PROJECT

@@ -25,4 +25,11 @@ resources:
   kind: AuthorizationModel
   path: github.com/platform-mesh/security-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+  domain: platform-mesh.io
+  group: core
+  kind: Invite
+  path: github.com/platform-mesh/security-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"

api/v1alpha1/invite_types.go

@@ -0,0 +1,62 @@
+package v1alpha1
+
+import (
+	lifecycleapi "github.com/platform-mesh/golang-commons/controller/lifecycle/api"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// InviteSpec defines the desired state of Invite
+type InviteSpec struct {
+	Email string `json:"email"`
+}
+
+// InviteStatus defines the observed state of Invite.
+type InviteStatus struct {
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+
+// Invite is the Schema for the invites API
+type Invite struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is a standard object metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty,omitzero"`
+
+	// spec defines the desired state of Invite
+	// +required
+	Spec InviteSpec `json:"spec"`
+
+	// status defines the observed state of Invite
+	// +optional
+	Status InviteStatus `json:"status,omitempty,omitzero"`
+}
+
+// GetConditions implements api.RuntimeObjectConditions.
+func (in *Invite) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions implements api.RuntimeObjectConditions.
+func (in *Invite) SetConditions(c []metav1.Condition) {
+	in.Status.Conditions = c
+}
+
+// +kubebuilder:object:root=true
+
+// InviteList contains a list of Invite
+type InviteList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Invite `json:"items"`
+}
+
+var _ lifecycleapi.RuntimeObjectConditions = &Invite{}
+
+func init() {
+	SchemeBuilder.Register(&Invite{}, &InviteList{})
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -153,6 +153,10 @@ var operatorCmd = &cobra.Command{
 			log.Error().Err(err).Str("controller", "authorizationmodel").Msg("unable to create controller")
 			return err
 		}
+		if err = controller.NewInviteReconciler(ctx, mgr, &appCfg, log).SetupWithManager(mgr, defaultCfg, log); err != nil {
+			log.Error().Err(err).Str("controller", "invite").Msg("unable to create controller")
+			return err
+		}
 		// +kubebuilder:scaffold:builder
 
 		if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

cmd/operator.go

@@ -41,6 +41,9 @@ func init() {
 	if err := platformeshconfig.BindConfigToFlags(v, initializerCmd, &appCfg); err != nil {
 		panic(err)
 	}
+	if err := platformeshconfig.BindConfigToFlags(v, operatorCmd, &appCfg); err != nil {
+		panic(err)
+	}
 
 	cobra.OnInitialize(initLog)
 }

cmd/root.go

@@ -0,0 +1,113 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: invites.core.platform-mesh.io
+spec:
+  group: core.platform-mesh.io
+  names:
+    kind: Invite
+    listKind: InviteList
+    plural: invites
+    singular: invite
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Invite is the Schema for the invites API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec defines the desired state of Invite
+            properties:
+              email:
+                type: string
+            required:
+            - email
+            type: object
+          status:
+            description: status defines the observed state of Invite
+            properties:
+              conditions:
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/bases/core.platform-mesh.io_invites.yaml

@@ -4,6 +4,7 @@
 resources:
 - bases/core.platform-mesh.io_stores.yaml
 - bases/core.platform-mesh.io_authorizationmodels.yaml
+- bases/core.platform-mesh.io_invites.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:

config/crd/kustomization.yaml

@@ -0,0 +1,27 @@
+# This rule is not used by the project security-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over core.platform-mesh.io.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: security-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: invite-admin-role
+rules:
+- apiGroups:
+  - core.platform-mesh.io
+  resources:
+  - invites
+  verbs:
+  - '*'
+- apiGroups:
+  - core.platform-mesh.io
+  resources:
+  - invites/status
+  verbs:
+  - get

config/rbac/invite_admin_role.yaml

@@ -0,0 +1,33 @@
+# This rule is not used by the project security-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the core.platform-mesh.io.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: security-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: invite-editor-role
+rules:
+- apiGroups:
+  - core.platform-mesh.io
+  resources:
+  - invites
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - core.platform-mesh.io
+  resources:
+  - invites/status
+  verbs:
+  - get