From 6ede20c990b810795d6474fc3df13f9adc0a8c67 Mon Sep 17 00:00:00 2001
From: Leonardo Luz Almeida
Date: Thu, 24 Oct 2024 09:18:47 -0700
Subject: [PATCH 1/2] fix: properly set the AccessRequest type on creation
Signed-off-by: Leonardo Luz Almeida
---
.../ephemeral-access_v1alpha1_accessbinding.yaml | 15 +++++++++++++++
.../ephemeral-access_v1alpha1_roletemplate.yaml | 11 +++++++++--
internal/backend/service.go | 5 +++++
3 files changed, 29 insertions(+), 2 deletions(-)
create mode 100644 config/samples/ephemeral-access_v1alpha1_accessbinding.yaml
diff --git a/config/samples/ephemeral-access_v1alpha1_accessbinding.yaml b/config/samples/ephemeral-access_v1alpha1_accessbinding.yaml
new file mode 100644
index 0000000..b1f27b6
--- /dev/null
+++ b/config/samples/ephemeral-access_v1alpha1_accessbinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: ephemeral-access.argoproj-labs.io/v1alpha1
+kind: AccessBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: argocd-ephemeral-access
+ app.kubernetes.io/managed-by: kustomize
+ name: some-access-binding
+spec:
+ roleTemplateRef:
+ name: devops
+ subjects:
+ - group1
+ if: "true"
+ ordinal: 1
+ friendlyName: "Devops (AB)"
diff --git a/config/samples/ephemeral-access_v1alpha1_roletemplate.yaml b/config/samples/ephemeral-access_v1alpha1_roletemplate.yaml
index b83d08c..ff65261 100644
--- a/config/samples/ephemeral-access_v1alpha1_roletemplate.yaml
+++ b/config/samples/ephemeral-access_v1alpha1_roletemplate.yaml
@@ -4,6 +4,13 @@ metadata:
 labels:
 app.kubernetes.io/name: argocd-ephemeral-access
 app.kubernetes.io/managed-by: kustomize
- name: roletemplate-sample
+ name: devops
 spec:
- # TODO(user): Add fields here
+ description: write permission in application {{.Application}}
+ name: "DevOps (Write)"
+ policies:
+ - p, {{.Role}}, applications, sync, {{.Project}}/{{.Application}}, allow
+ - p, {{.Role}}, applications, get, {{.Project}}/{{.Application}}, deny
+ - p, {{.Role}}, applications, action/*, {{.Project}}/{{.Application}}, allow
+ - p, {{.Role}}, applications, delete/*/Pod/*, {{.Project}}/{{.Application}}, allow
+ - p, {{.Role}}, logs, get, {{.Project}}/{{.Namespace}}/{{.Application}}, allow
diff --git a/internal/backend/service.go b/internal/backend/service.go
index 51c393c..43ba1fc 100644
--- a/internal/backend/service.go
+++ b/internal/backend/service.go
@@ -164,6 +164,10 @@ func (s *DefaultService) matchSubject(subjects, groups []string) bool {
 func (s *DefaultService) CreateAccessRequest(ctx context.Context, key *AccessRequestKey, binding *api.AccessBinding) (*api.AccessRequest, error) {
 roleName := binding.Spec.RoleTemplateRef.Name
 ar := &api.AccessRequest{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "AccessRequest",
+ APIVersion: "v1alpha1",
+ },
 ObjectMeta: metav1.ObjectMeta{
 Namespace: key.Namespace,
 GenerateName: getAccessRequestPrefix(key.Username, roleName),
@@ -213,6 +217,7 @@ func getAccessRequestPrefix(username, roleName string) string {
 }
 
 func (s *DefaultService) GetApplication(ctx context.Context, name string, namespace string) (*unstructured.Unstructured, error) {
+ s.logger.Debug("Getting application", "name", name, "namespace", namespace)
 app, err := s.k8s.GetApplication(ctx, name, namespace)
 if err != nil {
 if apierrors.IsNotFound(err) {
From 8499b1c2f950e9df8aa4774444b2b34049862db1 Mon Sep 17 00:00:00 2001
From: Leonardo Luz Almeida
Date: Thu, 24 Oct 2024 10:26:40 -0700
Subject: [PATCH 2/2] fix test
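Review bot: The policy `p, {{.Role}}, applications, get, {{.Project}}/{{.Application}}, deny` sits between allow rules for sync, action/* and delete on the same application and contradicts the `write permission` description two lines above; in Argo CD RBAC an explicit deny wins over allow, so a subject granted this template could sync and delete resources in an application it is not permitted to view. If the deny is deliberate as a demonstration, a YAML comment above the line such as `# get is denied on purpose: this sample shows deny precedence; grant get before copying` would stop the sample being reused as-is, otherwise it should probably be `allow`. The object pattern in `delete/*/Pod/*` is also worth confirming against the fine-grained action format the targeted Argo CD version expects, since a pattern with the wrong number of path segments silently matches nothing.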
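Review bot: `APIVersion: "v1alpha1"` in the added TypeMeta omits the API group; the sample manifests in this same patch give it as `ephemeral-access.argoproj-labs.io/v1alpha1`, so the line should read `APIVersion: "ephemeral-access.argoproj-labs.io/v1alpha1",` (or be built from the api package's GroupVersion if it exports one, which keeps the two from drifting). A typed client may repopulate TypeMeta from the scheme so the create itself can still succeed, but anything that serializes this object, converts it to unstructured or compares TypeMeta will see a core-group `v1alpha1` that does not exist, which is the kind of mismatch the commit title says it is fixing. The body of CreateAccessRequest continues past the hunk.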
Signed-off-by: Leonardo Luz Almeida
---
internal/backend/service.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/backend/service.go b/internal/backend/service.go
index 43ba1fc..5c75a54 100644
--- a/internal/backend/service.go
+++ b/internal/backend/service.go
@@ -217,7 +217,7 @@ func getAccessRequestPrefix(username, roleName string) string {
 }
 
 func (s *DefaultService) GetApplication(ctx context.Context, name string, namespace string) (*unstructured.Unstructured, error) {
- s.logger.Debug("Getting application", "name", name, "namespace", namespace)
+ s.logger.Debug(fmt.Sprintf("Getting application %s/%s", namespace, name))
 app, err := s.k8s.GetApplication(ctx, name, namespace)
 if err != nil {
 if apierrors.IsNotFound(err) {
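Review bot: `fmt.Sprintf("Getting application %s/%s", namespace, name)` interpolates caller-supplied values with `%s`, so an empty name or one containing newlines or control characters is written into the log verbatim and an empty value is invisible; `%q` quotes and escapes both, `s.logger.Debug(fmt.Sprintf("Getting application %q/%q", namespace, name))`. Replacing the key/value form from the first patch with a formatted message also drops the structured fields, and if this was done because the logger only accepts a plain message (which the "fix test" title suggests, though the logger type is not in the hunk) that constraint deserves a short comment on the logger interface so the next author does not reintroduce key/value arguments. No import hunk appears and the diffstat shows a single insertion, so `fmt` is presumably already imported in service.go; worth a quick check that the file builds. The body of GetApplication continues past the hunk.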