Merge pull request #15 from ifireball/resource-permissions

fix(RHTAPWATCH-817): Missing resource permissions
konflux-ci · Mar 19, 2024 · d32c210 · d32c210
2 parents 974c242 + 60cbef7
commit d32c210
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 1 deletion.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,51 @@
+# Contributing to this project
+
+## Manual testing with CRC
+
+Login to CRC as *kubeadmin*. The password would be displayed when bringing up
+CRC.
+
+    oc login -u kubeadmin https://api.crc.testing:6443
+
+Add the Application and Controller CRDs to the cluster by cloning the
+[application-api repository][api]. Then load the CRDs to the cluster:
+
+    oc apply -f $PATH_TO_APPLICATION_API/config/crd/bases/appstudio.redhat.com_applications.yaml
+    oc apply -f $PATH_TO_APPLICATION_API/config/crd/bases/appstudio.redhat.com_components.yaml
+
+[api]: https://github.com/redhat-appstudio/application-api/
+
+Create the `project-controller-system` namespace and go into it:
+
+    oc create namespace project-controller-system
+    oc project project-controller-system
+
+Create an image stream for the controller image, then build and push it to the
+cluster:
+
+    oc create imagestream project-controller
+    make docker-build \
+        IMG=default-route-openshift-image-registry.apps-crc.testing/project-controller-system/project-controller
+    docker push --tls-verify=false \
+        default-route-openshift-image-registry.apps-crc.testing/project-controller-system/project-controller
+
+Deploy the controller:
+
+    make deploy \
+        IMG=default-route-openshift-image-registry.apps-crc.testing/project-controller-system/project-controller
+
+Start viewing the controller logs:
+
+    oc logs -n project-controller-system -l control-plane=controller-manager -f
+
+Create a namespace to test the controller with:
+
+    oc create namespace testns
+    oc project testns
+
+Create a project, a template and a development stream:
+
+    oc apply -f config/samples/projctl_v1beta1_project.yaml
+    oc apply -f config/samples/projctl_v1beta1_projectdevelopmentstreamtemplate.yaml
+
+Monitor the logs to see if the controller reconcile loop runs successfully.
diff --git a/Dockerfile b/Dockerfile
@@ -14,7 +14,7 @@ RUN go mod download
 # Copy the go source
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
-COPY internal/controller/ internal/controller/
+COPY internal/ internal/
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -1,2 +1,7 @@
 resources:
 - manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: default-route-openshift-image-registry.apps-crc.testing/project-controller-system/project-controller
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -4,6 +4,30 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - appstudio.redhat.com
+  resources:
+  - applications
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - appstudio.redhat.com
+  resources:
+  - components
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - projctl.konflux.dev
   resources:
@@ -30,3 +54,19 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - projctl.konflux.dev
+  resources:
+  - projectdevelopmentstreamtemplates
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - projctl.konflux.dev
+  resources:
+  - projects
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/internal/controller/projectdevelopmentstream_controller.go b/internal/controller/projectdevelopmentstream_controller.go
@@ -45,6 +45,9 @@ type ProjectDevelopmentStreamReconciler struct {
 //+kubebuilder:rbac:groups=projctl.konflux.dev,resources=projectdevelopmentstreams/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=projctl.konflux.dev,resources=projectdevelopmentstreams/finalizers,verbs=update
 
+//+kubebuilder:rbac:groups=projctl.konflux.dev,resources=projects,verbs=get;list;watch
+//+kubebuilder:rbac:groups=projctl.konflux.dev,resources=projectdevelopmentstreamtemplates,verbs=get;list;watch
+
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 // TODO(user): Modify the Reconcile function to compare the state specified by

diff --git a/internal/template/resources.go b/internal/template/resources.go
@@ -13,6 +13,9 @@ import (
 	apischema "k8s.io/apimachinery/pkg/runtime/schema"
 )
 
+//+kubebuilder:rbac:groups=appstudio.redhat.com,resources=applications,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=appstudio.redhat.com,resources=components,verbs=get;list;watch;create;update;patch;delete
+
 // List of resource types supported by templates and various details about how
 // to instantiate resources of those types. The list order determines the order
 // in which resources are created, which can be significant for e.g. creating