From dc093a8d8a258be57c3258e16f7684b4ef75b5a2 Mon Sep 17 00:00:00 2001 From: Matheus Cruz Date: Sat, 28 Sep 2024 21:32:11 -0300 Subject: [PATCH] Add decorator to remove namespace from ClusterRole and ClusterRoleBinding --- .../deployment/KubernetesCommonHelper.java | 5 ++++ ...espaceFromClusterRoleBindingDecorator.java | 28 +++++++++++++++++++ ...moveNamespaceFromClusterRoleDecorator.java | 28 +++++++++++++++++++ .../KubernetesWithRbacFullTest.java | 2 ++ 4 files changed, 63 insertions(+) create mode 100644 extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleBindingDecorator.java create mode 100644 extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleDecorator.java diff --git a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java index 00b288994d0ac..81fecce36a50b 100644 --- a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java +++ b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java @@ -291,6 +291,11 @@ private static Collection createRbacDecorators(String name, List effectiveServiceAccounts, List roleBindingsFromExtensions) { List result = new ArrayList<>(); + + // Cluster resources does not have namespace + result.add(new DecoratorBuildItem(target, new RemoveNamespaceFromClusterRoleBindingDecorator())); + result.add(new DecoratorBuildItem(target, new RemoveNamespaceFromClusterRoleDecorator())); + boolean kubernetesClientRequiresRbacGeneration = kubernetesClientConfiguration .map(KubernetesClientCapabilityBuildItem::isGenerateRbac).orElse(false); Set roles = new HashSet<>(); 
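Review bot: The comment above the two added `result.add(...)` lines in `createRbacDecorators` does not say where the namespace comes from or why it has to be stripped again. Going by the Javadoc of the new decorators, they are ordered after `AddNamespaceDecorator`, so something like `// ClusterRole and ClusterRoleBinding are cluster-scoped: drop the namespace that AddNamespaceDecorator may have set on them` would tell the next reader that the ordering matters. Both decorators are registered for every `target` whether or not any cluster-scoped RBAC resource is generated, which looks harmless but is worth stating in the same comment. The body of `createRbacDecorators` continues outside this hunk.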
diff --git a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleBindingDecorator.java b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleBindingDecorator.java
new file mode 100644
index 0000000000000..8674eb5386c44
--- /dev/null
+++ b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleBindingDecorator.java
@@ -0,0 +1,28 @@
+package io.quarkus.kubernetes.deployment;
+
+import io.dekorate.kubernetes.decorator.Decorator;
+import io.dekorate.kubernetes.decorator.NamedResourceDecorator;
+import io.fabric8.kubernetes.api.model.ObjectMeta;
+import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBindingBuilder;
+
+/**
+ * Decorator responsible for remove namespace from ClusterRoleBinding resource.
+ *
+ * This decorator executes after {@link AddNamespaceDecorator}.
+ */
+public class RemoveNamespaceFromClusterRoleBindingDecorator extends NamedResourceDecorator {
+
+ @Override
+ public void andThenVisit(ClusterRoleBindingBuilder clusterRoleBindingBuilder, ObjectMeta objectMeta) {
+ clusterRoleBindingBuilder
+ .withNewMetadata()
+ .withNamespace(null)
+ .withName(objectMeta.getName())
+ .endMetadata();
+ }
+
+ @Override
+ public Class[] after() {
+ return new Class[] { AddNamespaceDecorator.class };
+ }
+}
diff --git a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleDecorator.java b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleDecorator.java
new file mode 100644
index 0000000000000..38d46cdf6e089
--- /dev/null
+++ b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleDecorator.java
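Review bot: `withNewMetadata()` in `andThenVisit` starts a fresh metadata object and copies back only the name, so any labels, annotations or other metadata already present on the ClusterRoleBinding when this decorator runs are discarded together with the namespace. Editing the existing metadata removes just the one field: `clusterRoleBindingBuilder.editMetadata().withNamespace(null).endMetadata();`. Whether labels are set at that point depends on decorator ordering that is not visible in this patch, but RBAC objects that silently lose their labels are harder to attribute and audit, so the narrower edit is the safer default. `RemoveNamespaceFromClusterRoleDecorator` in the next file has the same `withNewMetadata()` chain and needs the same change.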
@@ -0,0 +1,28 @@ +package io.quarkus.kubernetes.deployment; + +import io.dekorate.kubernetes.decorator.Decorator; +import io.dekorate.kubernetes.decorator.NamedResourceDecorator; +import io.fabric8.kubernetes.api.model.ObjectMeta; +import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBuilder; + +/** + * Decorator responsible for remove namespace from ClusterRole resource. + * + * This decorator executes after {@link AddNamespaceDecorator}. + */ +public class RemoveNamespaceFromClusterRoleDecorator extends NamedResourceDecorator { + + @Override + public void andThenVisit(ClusterRoleBuilder clusterRoleBuilder, ObjectMeta objectMeta) { + clusterRoleBuilder + .withNewMetadata() + .withNamespace(null) + .withName(objectMeta.getName()) + .endMetadata(); + } + + @Override + public Class[] after() { + return new Class[] { AddNamespaceDecorator.class }; + } +} diff --git a/integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java b/integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java index 83be5e5411d86..f7e59a029544e 100644 --- a/integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java +++ b/integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java @@ -84,6 +84,7 @@ public void assertGeneratedResources() throws IOException { // secret-reader assertions ClusterRole secretReaderRole = getClusterRoleByName(kubernetesList, "secret-reader"); + assertThat(secretReaderRole.getMetadata().getNamespace()).isEqualTo(null); assertThat(secretReaderRole.getRules()).satisfiesOnlyOnce(r -> { assertThat(r.getApiGroups()).containsExactly(""); assertThat(r.getResources()).containsExactly("secrets"); 
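Review bot: The assertion added in the `secret-reader` block of `assertGeneratedResources` (and its twin on `clusterRoleBinding` in the following hunk) reads more naturally in AssertJ as `assertThat(secretReaderRole.getMetadata().getNamespace()).isNull();`. Both checks only pin the namespace; neither asserts that the rest of the metadata survives the new decorators, so a regression that wipes labels or annotations on the generated ClusterRole or ClusterRoleBinding would pass. If the test configuration does not set a namespace (not visible in this hunk), the assertions would also hold without the decorators, so it is worth confirming the fixture configures one. The method body continues outside the hunk.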
@@ -111,6 +112,7 @@ public void assertGeneratedResources() throws IOException { assertEquals("Group", clusterSubject.getKind()); assertEquals("manager", clusterSubject.getName()); assertEquals("rbac.authorization.k8s.io", clusterSubject.getApiGroup()); + assertThat(clusterRoleBinding.getMetadata().getNamespace()).isEqualTo(null); } private int lastIndexOfKind(String content, String... kinds) {