Add build item for extensions to contribute ClusterRoleBindings
Signed-off-by: Chris Laprun <[email protected]>
metacosm committed Sep 18, 2024
1 parent cddc49d commit 534e5e2
Showing 9 changed files with 108 additions and 11 deletions.
Expand Up @@ -35,6 +35,7 @@
import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
import io.quarkus.kubernetes.spi.DecoratorBuildItem;
import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
import io.quarkus.kubernetes.spi.KubernetesDeploymentTargetBuildItem;
Expand Down Expand Up @@ -132,14 +133,15 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
List<KubernetesClusterRoleBuildItem> clusterRoles,
List<KubernetesEffectiveServiceAccountBuildItem> serviceAccounts,
List<KubernetesRoleBindingBuildItem> roleBindings,
List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
Optional<CustomProjectRootBuildItem> customProjectRoot) {

return DevClusterHelper.createDecorators(KIND, KUBERNETES, applicationInfo, outputTarget, config, packageConfig,
metricsConfiguration, kubernetesClientConfiguration, namespaces, initContainers, jobs, annotations, labels,
envs,
baseImage, image, command, ports, portName,
livenessPath, readinessPath, startupPath,
roles, clusterRoles, serviceAccounts, roleBindings, customProjectRoot);
roles, clusterRoles, serviceAccounts, roleBindings, clusterRoleBindings, customProjectRoot);
}

@BuildStep
Expand Up @@ -32,6 +32,7 @@
import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
import io.quarkus.kubernetes.spi.DecoratorBuildItem;
import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
import io.quarkus.kubernetes.spi.KubernetesDeploymentTargetBuildItem;
Expand Down Expand Up @@ -127,14 +128,15 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
List<KubernetesClusterRoleBuildItem> clusterRoles,
List<KubernetesEffectiveServiceAccountBuildItem> serviceAccounts,
List<KubernetesRoleBindingBuildItem> roleBindings,
List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
Optional<CustomProjectRootBuildItem> customProjectRoot) {

return DevClusterHelper.createDecorators(MINIKUBE, KUBERNETES, applicationInfo, outputTarget, config, packageConfig,
metricsConfiguration, kubernetesClientConfiguration, namespaces, initContainers, jobs, annotations, labels,
envs,
baseImage, image, command, ports, portName,
livenessPath, readinessPath, startupPath,
roles, clusterRoles, serviceAccounts, roleBindings, customProjectRoot);
roles, clusterRoles, serviceAccounts, roleBindings, clusterRoleBindings, customProjectRoot);
}

@BuildStep
@@ -0,0 +1,70 @@
package io.quarkus.kubernetes.spi;

import java.util.Collections;
import java.util.Map;

/**
* Produce this build item to request the Kubernetes extension to generate
* a Kubernetes {@code ClusterRoleBinding} resource. The configuration here is limited;
* in particular, you can't specify subjects of the role binding. The role will always
* be bound to the application's service account.
*/
public final class KubernetesClusterRoleBindingBuildItem extends BaseTargetable {
/**
* Name of the generated {@code RoleBinding} resource.
* Can be {@code null}, in which case the resource name is autogenerated.
*/
private final String name;
/**
* RoleRef configuration.
*/
private final RoleRef roleRef;
/**
* The target subjects.
*/
private final Subject[] subjects;

/**
* The labels of the cluster role resource.
*/
private final Map<String, String> labels;

public KubernetesClusterRoleBindingBuildItem(String role, boolean clusterWide) {
this(null, role, clusterWide, null);
}

public KubernetesClusterRoleBindingBuildItem(String name, String role, boolean clusterWide) {
this(name, role, clusterWide, null);
}

public KubernetesClusterRoleBindingBuildItem(String name, String role, boolean clusterWide, String target) {
this(name, target, Collections.emptyMap(),
new RoleRef(role, clusterWide),
new Subject("", "ServiceAccount", name, null));
}

public KubernetesClusterRoleBindingBuildItem(String name, String target, Map<String, String> labels, RoleRef roleRef,
Subject... subjects) {
super(target);
this.name = name;
this.labels = labels;
this.roleRef = roleRef;
this.subjects = subjects;
}

public String getName() {
return this.name;
}

public Map<String, String> getLabels() {
return labels;
}

public RoleRef getRoleRef() {
return roleRef;
}

public Subject[] getSubjects() {
return subjects;
}
}
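Review bot: The four-argument convenience constructor builds its subject as `new Subject("", "ServiceAccount", name, null)`, so the service-account name is the binding's own name (which is `null` when coming from the two-argument overload) and, assuming the last argument is the namespace, no namespace is set. Kubernetes requires a namespace on a ServiceAccount subject of a ClusterRoleBinding, and the consumer added to `createRbacDecorators` in this commit passes `rb.getSubjects()` through as-is as far as its hunk shows, so the generated binding can be rejected or end up bound to an account other than the application's. The `clusterWide` flag has a related problem if it selects between Role and ClusterRole as its name suggests: a ClusterRoleBinding's roleRef can only point at a ClusterRole, so `false` should be rejected or the parameter dropped. The Javadoc needs updating as well: the class comment still says subjects cannot be specified although the `Subject...` constructor accepts them, and the field comments should read `ClusterRoleBinding` instead of `RoleBinding` and "cluster role".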
Expand Up @@ -9,7 +9,7 @@
* in particular, you can't specify subjects of the role binding. The role will always
* be bound to the application's service account.
* <p>
* Note that this can't be used to generate a {@code ClusterRoleBinding}.
* Use {@link KubernetesClusterRoleBindingBuildItem} to generate a {@code ClusterRoleBinding}.
*/
public final class KubernetesRoleBindingBuildItem extends BaseTargetable {
/**
Expand Up @@ -38,6 +38,7 @@
import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
import io.quarkus.kubernetes.spi.DecoratorBuildItem;
import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
import io.quarkus.kubernetes.spi.KubernetesEffectiveServiceAccountBuildItem;
Expand Down Expand Up @@ -86,6 +87,7 @@ public static List<DecoratorBuildItem> createDecorators(String clusterKind,
List<KubernetesClusterRoleBuildItem> clusterRoles,
List<KubernetesEffectiveServiceAccountBuildItem> serviceAccounts,
List<KubernetesRoleBindingBuildItem> roleBindings,
List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
Optional<CustomProjectRootBuildItem> customProjectRoot) {

String name = ResourceNameUtil.getResourceName(config, applicationInfo);
Expand All @@ -100,7 +102,8 @@ public static List<DecoratorBuildItem> createDecorators(String clusterKind,
KubernetesCommonHelper.createDecorators(project, clusterKind, name, namespace, config,
metricsConfiguration, kubernetesClientConfiguration,
annotations, labels, image, command,
port, livenessPath, readinessPath, startupPath, roles, clusterRoles, serviceAccounts, roleBindings));
port, livenessPath, readinessPath, startupPath, roles, clusterRoles, serviceAccounts, roleBindings,
clusterRoleBindings));

image.ifPresent(
i -> result.add(new DecoratorBuildItem(clusterKind, new ApplyContainerImageDecorator(name, i.getImage()))));
Expand Up @@ -61,6 +61,7 @@
import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
import io.quarkus.kubernetes.spi.DecoratorBuildItem;
import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
import io.quarkus.kubernetes.spi.KubernetesDeploymentTargetBuildItem;
Expand Down Expand Up @@ -167,6 +168,7 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
List<KubernetesClusterRoleBuildItem> clusterRoles,
List<KubernetesEffectiveServiceAccountBuildItem> serviceAccounts,
List<KubernetesRoleBindingBuildItem> roleBindings,
List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
Optional<CustomProjectRootBuildItem> customProjectRoot,
List<KubernetesDeploymentTargetBuildItem> targets) {

Expand All @@ -187,7 +189,7 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
result.addAll(KubernetesCommonHelper.createDecorators(project, KNATIVE, name, namespace, config,
metricsConfiguration, kubernetesClientConfiguration, annotations,
labels, image, command, port, livenessPath, readinessPath, startupProbePath,
roles, clusterRoles, serviceAccounts, roleBindings));
roles, clusterRoles, serviceAccounts, roleBindings, clusterRoleBindings));

image.ifPresent(i -> result.add(new DecoratorBuildItem(KNATIVE, new ApplyContainerImageDecorator(name, i.getImage()))));
result.add(new DecoratorBuildItem(KNATIVE, new ApplyImagePullPolicyDecorator(name, config.getImagePullPolicy())));
Expand Up @@ -86,6 +86,7 @@
import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
import io.quarkus.kubernetes.spi.DecoratorBuildItem;
import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
import io.quarkus.kubernetes.spi.KubernetesEffectiveServiceAccountBuildItem;
Expand Down Expand Up @@ -246,7 +247,8 @@ public static List<DecoratorBuildItem> createDecorators(Optional<Project> projec
List<KubernetesRoleBuildItem> roles,
List<KubernetesClusterRoleBuildItem> clusterRoles,
List<KubernetesEffectiveServiceAccountBuildItem> serviceAccounts,
List<KubernetesRoleBindingBuildItem> roleBindings) {
List<KubernetesRoleBindingBuildItem> roleBindings,
List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings) {
List<DecoratorBuildItem> result = new ArrayList<>();

result.addAll(createLabelDecorators(target, name, config, labels));
Expand Down Expand Up @@ -279,7 +281,7 @@ public static List<DecoratorBuildItem> createDecorators(Optional<Project> projec

// Handle RBAC
result.addAll(createRbacDecorators(name, target, config, kubernetesClientConfiguration, roles, clusterRoles,
serviceAccounts, roleBindings));
serviceAccounts, roleBindings, clusterRoleBindings));
return result;
}

Expand All @@ -289,7 +291,8 @@ private static Collection<DecoratorBuildItem> createRbacDecorators(String name,
List<KubernetesRoleBuildItem> rolesFromExtensions,
List<KubernetesClusterRoleBuildItem> clusterRolesFromExtensions,
List<KubernetesEffectiveServiceAccountBuildItem> effectiveServiceAccounts,
List<KubernetesRoleBindingBuildItem> roleBindingsFromExtensions) {
List<KubernetesRoleBindingBuildItem> roleBindingsFromExtensions,
List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindingsFromExtensions) {
List<DecoratorBuildItem> result = new ArrayList<>();
boolean kubernetesClientRequiresRbacGeneration = kubernetesClientConfiguration
.map(KubernetesClientCapabilityBuildItem::isGenerateRbac).orElse(false);
Expand Down Expand Up @@ -410,6 +413,15 @@ private static Collection<DecoratorBuildItem> createRbacDecorators(String name,
subjects.toArray(new Subject[0]))));
}

// Add cluster role bindings from extensions
Targetable.filteredByTarget(clusterRoleBindingsFromExtensions, target)
.map(rb -> new DecoratorBuildItem(target, new AddClusterRoleBindingResourceDecorator(name,
Strings.isNotNullOrEmpty(rb.getName()) ? rb.getName() : name + "-" + rb.getRoleRef().getName(),
rb.getLabels(),
rb.getRoleRef(),
rb.getSubjects())))
.forEach(result::add);

// Add cluster role bindings from configuration
for (Map.Entry<String, ClusterRoleBindingConfig> rb : config.getRbacConfig().clusterRoleBindings.entrySet()) {
String rbName = rb.getValue().name.orElse(rb.getKey());
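Review bot: The fallback name `name + "-" + rb.getRoleRef().getName()` in the new "cluster role bindings from extensions" stream dereferences `getRoleRef()` without a null check, while the public varargs constructor of `KubernetesClusterRoleBindingBuildItem` accepts any `roleRef`, so a null one surfaces here as a bare NullPointerException instead of failing where the item was created; an `Objects.requireNonNull(roleRef, "roleRef")` in that constructor would localise it. Two extensions that bind the same role without giving a name also produce the same resource name, and nothing visible in this hunk de-duplicates them against the configuration-driven bindings added just below. Since these bindings grant cluster-scoped permissions on behalf of extensions rather than from the user's own configuration, consider logging each contributed binding (name, role, subjects) at build time so the generated RBAC can be audited before it is applied. `createRbacDecorators` starts and ends outside the hunk, so any handling elsewhere in the method is not visible here.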
Expand Up @@ -52,6 +52,7 @@
import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
import io.quarkus.kubernetes.spi.DecoratorBuildItem;
import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
import io.quarkus.kubernetes.spi.KubernetesDeploymentTargetBuildItem;
Expand Down Expand Up @@ -207,6 +208,7 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
List<KubernetesClusterRoleBuildItem> clusterRoles,
List<KubernetesEffectiveServiceAccountBuildItem> serviceAccounts,
List<KubernetesRoleBindingBuildItem> roleBindings,
List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
Optional<CustomProjectRootBuildItem> customProjectRoot,
List<KubernetesDeploymentTargetBuildItem> targets) {

Expand All @@ -226,7 +228,8 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
result.addAll(KubernetesCommonHelper.createDecorators(project, OPENSHIFT, name, namespace, config,
metricsConfiguration, kubernetesClientConfiguration,
annotations, labels, image, command,
port, livenessPath, readinessPath, startupPath, roles, clusterRoles, serviceAccounts, roleBindings));
port, livenessPath, readinessPath, startupPath, roles, clusterRoles, serviceAccounts, roleBindings,
clusterRoleBindings));

if (config.flavor == v3) {
//Openshift 3.x doesn't recognize 'app.kubernetes.io/name', it uses 'app' instead.
Expand Up @@ -49,6 +49,7 @@
import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
import io.quarkus.kubernetes.spi.DecoratorBuildItem;
import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
import io.quarkus.kubernetes.spi.KubernetesDeploymentTargetBuildItem;
Expand Down Expand Up @@ -164,7 +165,9 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
List<KubernetesRoleBuildItem> roles,
List<KubernetesClusterRoleBuildItem> clusterRoles,
List<KubernetesEffectiveServiceAccountBuildItem> serviceAccounts,
List<KubernetesRoleBindingBuildItem> roleBindings, Optional<CustomProjectRootBuildItem> customProjectRoot,
List<KubernetesRoleBindingBuildItem> roleBindings,
List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
Optional<CustomProjectRootBuildItem> customProjectRoot,
List<KubernetesDeploymentTargetBuildItem> targets) {

final List<DecoratorBuildItem> result = new ArrayList<>();
Expand All @@ -182,7 +185,7 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
result.addAll(KubernetesCommonHelper.createDecorators(project, KUBERNETES, name, namespace, config,
metricsConfiguration, kubernetesClientConfiguration, annotations, labels, image, command, port,
livenessPath, readinessPath, startupPath,
roles, clusterRoles, serviceAccounts, roleBindings));
roles, clusterRoles, serviceAccounts, roleBindings, clusterRoleBindings));

DeploymentResourceKind deploymentKind = config.getDeploymentResourceKind(capabilities);
if (deploymentKind != DeploymentResourceKind.Deployment) {