Add ClusterRole for Users, Topics and Schema custom resource

RafalKorepta · RafalKorepta · commit ad564400af4a · 2024-11-09T20:06:42.000+01:00
Reference https://github.com/redpanda-data/redpanda-operator/blob/a1865c2b39cf6f147dff7e7fff947dae6fc39ded/operator/internal/controller/redpanda/user_controller.go#L37-L39 https://github.com/redpanda-data/redpanda-operator/blob/a1865c2b39cf6f147dff7e7fff947dae6fc39ded/operator/internal/controller/redpanda/topic_controller.go#L72-L74 https://github.com/redpanda-data/redpanda-operator/blob/a1865c2b39cf6f147dff7e7fff947dae6fc39ded/operator/internal/controller/redpanda/schema_controller.go#L33-L35
diff --git a/charts/operator/rbac.go b/charts/operator/rbac.go
@@ -318,7 +318,64 @@ func ClusterRole(dot *helmette.Dot) []rbacv1.ClusterRole {
 		}...)
 	}
 
-	return clusterRoles
+	return append(clusterRoles, rbacv1.ClusterRole{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "rbac.authorization.k8s.io/v1",
+			Kind:       "ClusterRole",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        Fullname(dot),
+			Labels:      Labels(dot),
+			Annotations: values.Annotations,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				Verbs:     []string{"get", "list", "patch", "update", "watch"},
+				APIGroups: []string{"cluster.redpanda.com"},
+				Resources: []string{"topics"},
+			},
+			{
+				Verbs:     []string{"update"},
+				APIGroups: []string{"cluster.redpanda.com"},
+				Resources: []string{"topics/finalizers"},
+			},
+			{
+				Verbs:     []string{"get", "patch", "update"},
+				APIGroups: []string{"cluster.redpanda.com"},
+				Resources: []string{"topics/status"},
+			},
+			{
+				Verbs:     []string{"get", "list", "patch", "update", "watch"},
+				APIGroups: []string{"cluster.redpanda.com"},
+				Resources: []string{"users"},
+			},
+			{
+				Verbs:     []string{"update"},
+				APIGroups: []string{"cluster.redpanda.com"},
+				Resources: []string{"users/finalizers"},
+			},
+			{
+				Verbs:     []string{"get", "patch", "update"},
+				APIGroups: []string{"cluster.redpanda.com"},
+				Resources: []string{"users/status"},
+			},
+			{
+				Verbs:     []string{"get", "list", "patch", "update", "watch"},
+				APIGroups: []string{"cluster.redpanda.com"},
+				Resources: []string{"schemas"},
+			},
+			{
+				Verbs:     []string{"update"},
+				APIGroups: []string{"cluster.redpanda.com"},
+				Resources: []string{"schemas/finalizers"},
+			},
+			{
+				Verbs:     []string{"get", "patch", "update"},
+				APIGroups: []string{"cluster.redpanda.com"},
+				Resources: []string{"schemas/status"},
+			},
+		},
+	})
 }
 
 func ClusterRoleBindings(dot *helmette.Dot) []rbacv1.ClusterRoleBinding {
@@ -355,7 +412,7 @@ func ClusterRoleBindings(dot *helmette.Dot) []rbacv1.ClusterRoleBinding {
 	}
 
 	if values.Scope == Cluster {
-		binding = append(binding, rbacv1.ClusterRoleBinding{
+		return append(binding, rbacv1.ClusterRoleBinding{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: "rbac.authorization.k8s.io/v1",
 				Kind:       "ClusterRoleBinding",
@@ -432,7 +489,29 @@ func ClusterRoleBindings(dot *helmette.Dot) []rbacv1.ClusterRoleBinding {
 		})
 	}
 
-	return binding
+	return append(binding, rbacv1.ClusterRoleBinding{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "rbac.authorization.k8s.io/v1",
+			Kind:       "ClusterRoleBinding",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        Fullname(dot),
+			Labels:      Labels(dot),
+			Annotations: values.Annotations,
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     Fullname(dot),
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      ServiceAccountName(dot),
+				Namespace: dot.Release.Namespace,
+			},
+		},
+	})
 }
 
 func Roles(dot *helmette.Dot) []rbacv1.Role {
diff --git a/charts/operator/templates/_rbac.go.tpl b/charts/operator/templates/_rbac.go.tpl
@@ -23,7 +23,7 @@
 {{- $clusterRoles = (concat (default (list ) $clusterRoles) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "additional-controllers") ))) "r") "labels" (get (fromJson (include "operator.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "get" "list" "watch") "apiGroups" (list "") "resources" (list "nodes") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "get" "list" "patch" "update" "watch" "delete") "apiGroups" (list "") "resources" (list "persistentvolumes") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "get" "list" "watch") "apiGroups" (list "") "resources" (list "secrets" "configmaps") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "get" "list" "watch") "apiGroups" (list "") "resources" (list "persistentvolumes") ))) ))))) -}}
 {{- end -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" $clusterRoles) | toJson -}}
+{{- (dict "r" (concat (default (list ) $clusterRoles) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "operator.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "get" "list" "patch" "update" "watch") "apiGroups" (list "cluster.redpanda.com") "resources" (list "topics") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "update") "apiGroups" (list "cluster.redpanda.com") "resources" (list "topics/finalizers") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "get" "patch" "update") "apiGroups" (list "cluster.redpanda.com") "resources" (list "topics/status") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "get" "list" "patch" "update" "watch") "apiGroups" (list "cluster.redpanda.com") "resources" (list "users") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "update") "apiGroups" (list "cluster.redpanda.com") "resources" (list "users/finalizers") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "get" "patch" "update") "apiGroups" (list "cluster.redpanda.com") "resources" (list "users/status") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "get" "list" "patch" "update" "watch") "apiGroups" (list "cluster.redpanda.com") "resources" (list "schemas") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "update") "apiGroups" (list "cluster.redpanda.com") "resources" (list "schemas/finalizers") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "verbs" (list "get" "patch" "update") "apiGroups" (list "cluster.redpanda.com") "resources" (list "schemas/status") ))) ))))) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}
@@ -40,7 +40,9 @@
 {{- end -}}
 {{- $binding := (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "proxy-role") ))) "r") "labels" (get (fromJson (include "operator.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "proxy-role") ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "operator.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) -}}
 {{- if (eq $values.scope "Cluster") -}}
-{{- $binding = (concat (default (list ) $binding) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "operator.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "operator.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $binding) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "operator.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "operator.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))))) | toJson -}}
+{{- break -}}
 {{- end -}}
 {{- if (and (eq $values.scope "Namespace") $values.rbac.createAdditionalControllerCRs) -}}
 {{- $binding = (concat (default (list ) $binding) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "additional-controllers") ))) "r") "labels" (get (fromJson (include "operator.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "additional-controllers") ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "operator.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )))) -}}
@@ -49,7 +51,7 @@
 {{- $binding = (concat (default (list ) $binding) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "rpk-bundle") ))) "r") "labels" (get (fromJson (include "operator.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "rpk-bundle") ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "operator.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )))) -}}
 {{- end -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" $binding) | toJson -}}
+{{- (dict "r" (concat (default (list ) $binding) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "operator.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot) ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "operator.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))))) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}
diff --git a/charts/operator/testdata/kustomization.yaml b/charts/operator/testdata/kustomization.yaml
@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - https://raw.githubusercontent.com/redpanda-data/redpanda-operator/rk/split-rbac-generation/operator/config/rbac/leader-election-role/role.yaml
-  - https://raw.githubusercontent.com/redpanda-data/redpanda-operator/rk/split-rbac-generation/operator/config/rbac/v2-manager-role/role.yaml
-  - https://raw.githubusercontent.com/redpanda-data/redpanda-operator/rk/split-rbac-generation/operator/config/rbac/bases/auth_proxy/auth_proxy_role.yaml
+  - https://raw.githubusercontent.com/redpanda-data/redpanda-operator/main/operator/config/rbac/leader-election-role/role.yaml
+  - https://raw.githubusercontent.com/redpanda-data/redpanda-operator/main/operator/config/rbac/v2-manager-role/role.yaml
+  - https://raw.githubusercontent.com/redpanda-data/redpanda-operator/main/operator/config/rbac/bases/auth_proxy/auth_proxy_role.yaml
 generatorOptions:
   disableNameSuffixHash: true
 namePrefix: redpanda-
diff --git a/charts/operator/testdata/template-cases.golden.txtar b/charts/operator/testdata/template-cases.golden.txtar
