implement role template rendering logic

Signed-off-by: Leonardo Luz Almeida <[email protected]>
leoluz · Aug 14, 2024 · 26180ed · 26180ed
1 parent 83cf62f
commit 26180ed
Show file tree

Hide file tree

Showing 8 changed files with 246 additions and 67 deletions.
diff --git a/api/argoproj/v1alpha1/appproject.go b/api/argoproj/v1alpha1/appproject.go
@@ -70,6 +70,19 @@ type ApplicationSpec struct {
 	// Project is a reference to the project this application belongs to.
 	// The empty string means that application belongs to the 'default' project.
 	Project string `json:"project" protobuf:"bytes,1,name=project"`
+	// Destination is a reference to the target Kubernetes server and namespace
+	Destination ApplicationDestination `json:"destination" protobuf:"bytes,2,name=destination"`
+}
+
+// ApplicationDestination holds information about the application's destination
+type ApplicationDestination struct {
+	// Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set.
+	Server string `json:"server,omitempty" protobuf:"bytes,1,opt,name=server"`
+	// Namespace specifies the target namespace for the application's resources.
+	// The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,opt,name=namespace"`
+	// Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set.
+	Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"`
 }
 
 // ApplicationList contains a list of Applications

diff --git a/api/argoproj/v1alpha1/zz_generated.deepcopy.go b/api/argoproj/v1alpha1/zz_generated.deepcopy.go
diff --git a/api/ephemeral-access/v1alpha1/accessrequest_types.go b/api/ephemeral-access/v1alpha1/accessrequest_types.go
@@ -81,10 +81,11 @@ type Subject struct {
 
 // AccessRequestStatus defines the observed state of AccessRequest
 type AccessRequestStatus struct {
-	RequestState  Status                 `json:"requestState,omitempty"`
-	TargetProject string                 `json:"targetProject,omitempty"`
-	ExpiresAt     *metav1.Time           `json:"expiresAt,omitempty"`
-	History       []AccessRequestHistory `json:"history,omitempty"`
+	RequestState     Status                 `json:"requestState,omitempty"`
+	TargetProject    string                 `json:"targetProject,omitempty"`
+	ExpiresAt        *metav1.Time           `json:"expiresAt,omitempty"`
+	RoleTemplateHash string                 `json:"roleTemplateHash,omitempty"`
+	History          []AccessRequestHistory `json:"history,omitempty"`
 }
 
 // AccessRequestHistory contain the history of all status transitions associated
@@ -118,11 +119,11 @@ type AccessRequest struct {
 	Status AccessRequestStatus `json:"status,omitempty"`
 }
 
-// UpdateStatus will update this AccessRequest status field based on
-// the given status and details. This function should only depend on the
+// UpdateStatusHistory will update this AccessRequest status and history fields
+// based on the given status and details. This function should only depend on the
 // objects provided by this package. If any additional dependency is needed
 // than this function should be moved to another package.
-func (ar *AccessRequest) UpdateStatus(newStatus Status, details string) {
+func (ar *AccessRequest) UpdateStatusHistory(newStatus Status, details string) {
 	status := ar.Status.DeepCopy()
 	status.RequestState = newStatus
 

diff --git a/api/ephemeral-access/v1alpha1/roletemplate_types.go b/api/ephemeral-access/v1alpha1/roletemplate_types.go
@@ -17,6 +17,10 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"fmt"
+	"strings"
+	"text/template"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -53,6 +57,60 @@ type RoleTemplateStatus struct {
 	SyncHash string `json:"syncHash"`
 }
 
+func (rt *RoleTemplate) Render(projName, appName, appNs, destinationNs string) (*RoleTemplate, error) {
+	rendered := rt.DeepCopy()
+	descTmpl, err := template.New("description").Parse(rt.Spec.Description)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing RoleTemplate description: %w", err)
+	}
+	desc, err := rt.execTemplate(descTmpl, projName, appName, appNs, destinationNs)
+	if err != nil {
+		return nil, fmt.Errorf("error rendering RoleTemplate description: %w", err)
+	}
+	rendered.Spec.Description = desc
+
+	policiesStr := strings.Join(rt.Spec.Policies, "\n")
+	policiesTmpl, err := template.New("policies").Parse(policiesStr)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing RoleTemplate policies: %w", err)
+	}
+	p, err := rt.execTemplate(policiesTmpl, projName, appName, appNs, destinationNs)
+	if err != nil {
+		return nil, fmt.Errorf("error rendering RoleTemplate policies: %w", err)
+	}
+	rendered.Spec.Policies = strings.Split(p, "\n")
+
+	return rendered, nil
+}
+
+func (rt *RoleTemplate) execTemplate(tmpl *template.Template, projName, appName, appNs, destinationNs string) (string, error) {
+	type vars struct {
+		Role        string
+		Project     string
+		Application string
+		Namespace   string
+	}
+	roleName := rt.AppProjectRoleName(appName, appNs)
+	v := vars{
+		Role:        fmt.Sprintf("proj:%s:%s", projName, roleName),
+		Project:     projName,
+		Application: appName,
+		Namespace:   destinationNs,
+	}
+	var s strings.Builder
+	err := tmpl.Execute(&s, v)
+	if err != nil {
+		return "", err
+	}
+	return s.String(), nil
+}
+
+// roleName will return the role name to be used in the AppProject
+func (rt *RoleTemplate) AppProjectRoleName(appName, namespace string) string {
+	roleName := rt.Spec.Name
+	return fmt.Sprintf("ephemeral-%s-%s-%s", namespace, appName, roleName)
+}
+
 func init() {
 	SchemeBuilder.Register(&RoleTemplate{}, &RoleTemplateList{})
 }
diff --git a/config/crd/bases/ephemeral-access.argoproj-labs.io_accessrequests.yaml b/config/crd/bases/ephemeral-access.argoproj-labs.io_accessrequests.yaml
@@ -143,6 +143,8 @@ spec:
                 - expired
                 - denied
                 type: string
+              roleTemplateHash:
+                type: string
               targetProject:
                 type: string
             type: object

diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.22.0
 toolchain go1.22.3
 
 require (
+	github.com/cnf/structhash v0.0.0-20201127153200-e1b16c1ebc08
 	github.com/go-logr/logr v1.4.1
 	github.com/onsi/ginkgo/v2 v2.17.1
 	github.com/onsi/gomega v1.32.0

diff --git a/go.sum b/go.sum
@@ -5,6 +5,8 @@ github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/cnf/structhash v0.0.0-20201127153200-e1b16c1ebc08 h1:ox2F0PSMlrAAiAdknSRMDrAr8mfxPCfSZolH+/qQnyQ=
+github.com/cnf/structhash v0.0.0-20201127153200-e1b16c1ebc08/go.mod h1:pCxVEbcm3AMg7ejXyorUXi6HQCzOIBf7zEDVPtw0/U4=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=