Merge pull request #2043 from FabianKramm/main

feat: importer, translate patches & generic sync

Author: FabianKramm

chart/templates/_rbac.tpl

@@ -34,6 +34,8 @@
     (eq (toString .Values.sync.fromHost.csiDrivers.enabled) "true")
     (eq (toString .Values.sync.fromHost.csiStorageCapacities.enabled) "true")
     .Values.sync.fromHost.nodes.enabled
+    .Values.sync.toHost.customResourceDefinitions
+    .Values.sync.fromHost.customResourceDefinitions
     .Values.integrations.kubeVirt.enabled
     (and .Values.integrations.metricsServer.enabled .Values.integrations.metricsServer.nodes)
     .Values.experimental.multiNamespaceMode.enabled -}}
@@ -122,6 +124,36 @@
 {{- end }}
 {{- end -}}
 
+{{/*
+  Role rules defined in generic syncer
+*/}}
+{{- define "vcluster.customResourceDefinitions.roleExtraRules" -}}
+{{- if .Values.sync.toHost.customResourceDefinitions }}
+{{- range $crdName, $rule := .Values.sync.toHost.customResourceDefinitions }}
+{{- if $rule.enabled }}
+- resources: [ "{{ (splitn "." 2 $crdName)._0 }}" ]
+  apiGroups: [ "{{ (splitn "." 2 $crdName)._1 }}" ]
+  verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+  Cluster role rules defined in generic syncer
+*/}}
+{{- define "vcluster.customResourceDefinitions.clusterRoleExtraRules" -}}
+{{- if .Values.sync.fromHost.customResourceDefinitions }}
+{{- range $crdName, $rule := .Values.sync.fromHost.customResourceDefinitions }}
+{{- if $rule.enabled }}
+- resources: [ "{{ (splitn "." 2 $crdName)._0 }}" ]
+  apiGroups: [ "{{ (splitn "." 2 $crdName)._1 }}" ]
+  verbs: ["get", "list", "watch"]
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
 {{/*
   Cluster role rules defined in generic syncer
 */}}

chart/templates/clusterrole.yaml

@@ -112,16 +112,17 @@ rules:
     resources: ["nodes"]
     verbs: ["get", "list"]
   {{- end }}
-  {{- if .Values.integrations.kubeVirt.enabled }}
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get", "list", "watch"]
-  {{- end }}
   {{- if and .Values.integrations.kubeVirt.enabled .Values.integrations.kubeVirt.webhook.enabled }}
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["get", "list", "watch"]
   {{- end }}
+  {{- if or .Values.integrations.kubeVirt.enabled .Values.sync.toHost.customResourceDefinitions .Values.sync.fromHost.customResourceDefinitions }}
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  {{- end }}
+  {{- include "vcluster.customResourceDefinitions.clusterRoleExtraRules" . | indent 2 }}
   {{- include "vcluster.plugin.clusterRoleExtraRules" . | indent 2 }}
   {{- include "vcluster.generic.clusterRoleExtraRules" . | indent 2 }}
   {{- include "vcluster.rbac.clusterRoleExtraRules" . | indent 2 }}

chart/templates/role.yaml

@@ -94,6 +94,7 @@ rules:
     resources: ["virtualmachines", "virtualmachines/status", "virtualmachineinstances", "virtualmachineinstances/status", "virtualmachineinstancemigrations", "virtualmachineinstancemigrations/status"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
   {{- end }}
+  {{- include "vcluster.customResourceDefinitions.roleExtraRules" . | indent 2 }}
   {{- include "vcluster.plugin.roleExtraRules" . | indent 2 }}
   {{- include "vcluster.generic.roleExtraRules" . | indent 2 }}
   {{- include "vcluster.rbac.roleExtraRules" . | indent 2 }}

chart/tests/clusterrole_test.yaml

@@ -323,3 +323,55 @@ tests:
             apiGroups: ["admissionregistration.k8s.io"]
             resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
             verbs: ["get", "list", "watch"]
+
+  - it: crd sync to host
+    set:
+      sync:
+        toHost:
+          customResourceDefinitions:
+            test.test-group:
+              enabled: true
+    release:
+      name: my-release
+      namespace: my-namespace
+    asserts:
+      - hasDocuments:
+          count: 1
+      - lengthEqual:
+          path: rules
+          count: 1
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "apiextensions.k8s.io" ]
+            resources: [ "customresourcedefinitions" ]
+            verbs: [ "get", "list", "watch" ]
+
+  - it: crd sync from host
+    set:
+      sync:
+        fromHost:
+          customResourceDefinitions:
+            test.test-group:
+              enabled: true
+    release:
+      name: my-release
+      namespace: my-namespace
+    asserts:
+      - hasDocuments:
+          count: 1
+      - lengthEqual:
+          path: rules
+          count: 2
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "test-group" ]
+            resources: [ "test" ]
+            verbs: [ "get", "list", "watch" ]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "apiextensions.k8s.io" ]
+            resources: [ "customresourcedefinitions" ]
+            verbs: [ "get", "list", "watch" ]

chart/tests/role_test.yaml

@@ -213,3 +213,74 @@ tests:
             apiGroups: [ "pool.kubevirt.io" ]
             resources: [ "virtualmachinepools", "virtualmachinepools/status" ]
             verbs: [ "create", "delete", "patch", "update", "get", "list", "watch" ]
+
+  - it: crd sync
+    set:
+      sync:
+        toHost:
+          customResourceDefinitions:
+            test.my-group:
+              enabled: false
+            test.my-group-2:
+              enabled: true
+            tests.my-group-3.com:
+              enabled: true
+    release:
+      name: my-release
+      namespace: my-namespace
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: kind
+          value: Role
+      - lengthEqual:
+          path: rules
+          count: 7
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "my-group-2" ]
+            resources: [ "test" ]
+            verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
+      - contains:
+          path: rules
+          content:
+            apiGroups: [ "my-group-3.com" ]
+            resources: [ "tests" ]
+            verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
+
+  - it: translate
+    set:
+      sync:
+        toHost:
+          customResourceDefinitions:
+            test.my-group-2:
+              enabled: true
+              translate:
+                - path: "test"
+                  expression:
+                    toHost: "test"
+    release:
+      name: my-release
+      namespace: my-namespace
+    asserts:
+      - notFailedTemplate: {}
+
+  - it: translate 2
+    set:
+      sync:
+        toHost:
+          customResourceDefinitions:
+            test.my-group-2:
+              enabled: true
+              translate:
+                - path: "test"
+                  reference:
+                    apiVersion: "v1"
+                    kind: "Secret"
+    release:
+      name: my-release
+      namespace: my-namespace
+    asserts:
+      - notFailedTemplate: {}