add auth CRD

add auth to gvk

use auth as default and clean up rolebinding

remove suffix

add proper role creation

add pregenerated files and check for changes

clean up files

fixes after rebasing

add e2e tests

only create the default group if none exist

run make api-docs

run make generate manifests

comment feedback and lint fixes

run make api-docs

fix ownership on default auth, fix dsci unit tests, move auth defaults to instantiation

use actions/deploy and add requisite permissions

remove cleanup function no longer needed, and remove copy pasted function not needed

add a comment around expectations for the copyGroups function

watch auth deletion and recreate, remove unneccessary list

add aptch permissions for auths to admingroup

add cluster role for admins to have auth permissions

fix for linter

add missing bundle resources

dont replace image

fix e2e test

PROJECT

@@ -1,3 +1,7 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: opendatahub.io
 layout:
 - go.kubebuilder.io/v3
@@ -127,4 +131,16 @@ resources:
   kind: Monitoring
   path: github.com/opendatahub-io/opendatahub-operator/v2/apis/services/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1alpha1
+  controller: true
+  domain: platform.opendatahub.io
+  group: services
+  kind: Auth
+  path: github.com/opendatahub-io/opendatahub-operator/v2/apis/services/v1alpha1
+  version: v1alpha1
+- domain: opendatahub.io
+  group: services
+  kind: Auth
+  version: v1alpha1
 version: "3"

apis/services/v1alpha1/auth_types.go

@@ -0,0 +1,76 @@
+/*
+Copyright 2023.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"github.com/opendatahub-io/opendatahub-operator/v2/apis/common"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	AuthServiceName  = "auth"
+	AuthInstanceName = "auth"
+	AuthKind         = "Auth"
+)
+
+// AuthSpec defines the desired state of Auth
+type AuthSpec struct {
+	AdminGroups   []string `json:"adminGroups"`
+	AllowedGroups []string `json:"allowedGroups"`
+}
+
+// AuthStatus defines the observed state of Auth
+type AuthStatus struct {
+	common.Status `json:",inline"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'auth'",message="Auth name must be auth"
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`,description="Ready"
+// +kubebuilder:printcolumn:name="Reason",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`,description="Reason"
+
+// Auth is the Schema for the auths API
+type Auth struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AuthSpec   `json:"spec,omitempty"`
+	Status AuthStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// AuthList contains a list of Auth
+type AuthList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Auth `json:"items"`
+}
+
+func (m *Auth) GetDevFlags() *common.DevFlags {
+	return nil
+}
+
+func (m *Auth) GetStatus() *common.Status {
+	return &m.Status.Status
+}
+
+func init() {
+	SchemeBuilder.Register(&Auth{}, &AuthList{})
+}

bundle/manifests/opendatahub-operator.clusterserviceversion.yaml

@@ -106,7 +106,7 @@ metadata:
     categories: AI/Machine Learning, Big Data
     certified: "False"
     containerImage: quay.io/opendatahub/opendatahub-operator:v2.21.0
-    createdAt: "2024-12-16T13:35:31Z"
+    createdAt: "2024-12-19T13:46:17Z"
     olm.skipRange: '>=1.0.0 <2.21.0'
     operators.operatorframework.io/builder: operator-sdk-v1.31.0
     operators.operatorframework.io/internal-objects: '["featuretrackers.features.opendatahub.io",
@@ -124,6 +124,11 @@ spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
     owned:
+    - description: Auth is the Schema for the auths API
+      displayName: Auth
+      kind: Auth
+      name: auths.services.platform.opendatahub.io
+      version: v1alpha1
     - description: CodeFlare is the Schema for the codeflares API
       displayName: Code Flare
       kind: CodeFlare
@@ -1106,6 +1111,7 @@ spec:
         - apiGroups:
           - services.platform.opendatahub.io
           resources:
+          - auths
           - monitorings
           verbs:
           - create
@@ -1118,12 +1124,14 @@ spec:
         - apiGroups:
           - services.platform.opendatahub.io
           resources:
+          - auths/finalizers
           - monitorings/finalizers
           verbs:
           - update
         - apiGroups:
           - services.platform.opendatahub.io
           resources:
+          - auths/status
           - monitorings/status
           verbs:
           - get

bundle/manifests/services.platform.opendatahub.io_auths.yaml

@@ -0,0 +1,144 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  creationTimestamp: null
+  name: auths.services.platform.opendatahub.io
+spec:
+  group: services.platform.opendatahub.io
+  names:
+    kind: Auth
+    listKind: AuthList
+    plural: auths
+    singular: auth
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: Ready
+      jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - description: Reason
+      jsonPath: .status.conditions[?(@.type=="Ready")].reason
+      name: Reason
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Auth is the Schema for the auths API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AuthSpec defines the desired state of Auth
+            properties:
+              adminGroups:
+                items:
+                  type: string
+                type: array
+              allowedGroups:
+                items:
+                  type: string
+                type: array
+            required:
+            - adminGroups
+            - allowedGroups
+            type: object
+          status:
+            description: AuthStatus defines the observed state of Auth
+            properties:
+              conditions:
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              observedGeneration:
+                format: int64
+                type: integer
+              phase:
+                type: string
+            type: object
+        type: object
+        x-kubernetes-validations:
+        - message: Auth name must be auth
+          rule: self.metadata.name == 'auth'
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null