feat: Implement AppProject role management

Signed-off-by: Leonardo Luz Almeida <[email protected]>

PROJECT

@@ -5,6 +5,7 @@
 domain: argoproj-labs.io
 layout:
 - go.kubebuilder.io/v4
+multigroup: true
 projectName: argocd-ephemeral-access
 repo: github.com/argoproj-labs/ephemeral-access
 resources:

api/argoproj/v1alpha1/appproject.go

@@ -0,0 +1,55 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// AppProject provides a logical grouping of applications, providing controls for:
+// * who can access these applications (roles, OIDC group claims bindings)
+// * and what they can do (RBAC policies)
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=appprojects,shortName=appproj;appprojs
+type AppProject struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata" protobuf:"bytes,1,opt,name=metadata"`
+	Spec              AppProjectSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// AppProjectSpec is the specification of an AppProject
+type AppProjectSpec struct {
+	// Roles are user defined RBAC roles associated with this project
+	Roles []ProjectRole `json:"roles,omitempty" protobuf:"bytes,1,rep,name=roles"`
+}
+
+// ProjectRole represents a role that has access to a project
+type ProjectRole struct {
+	// Name is a name for this role
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// Description is a description of the role
+	Description string `json:"description,omitempty" protobuf:"bytes,2,opt,name=description"`
+	// Policies Stores a list of casbin formatted strings that define access policies for the role in the project
+	Policies []string `json:"policies,omitempty" protobuf:"bytes,3,rep,name=policies"`
+	// JWTTokens are a list of generated JWT tokens bound to this role
+	JWTTokens []JWTToken `json:"jwtTokens,omitempty" protobuf:"bytes,4,rep,name=jwtTokens"`
+	// Groups are a list of OIDC group claims bound to this role
+	Groups []string `json:"groups,omitempty" protobuf:"bytes,5,rep,name=groups"`
+}
+
+// JWTToken holds the issuedAt and expiresAt values of a token
+type JWTToken struct {
+	IssuedAt  int64  `json:"iat" protobuf:"int64,1,opt,name=iat"`
+	ExpiresAt int64  `json:"exp,omitempty" protobuf:"int64,2,opt,name=exp"`
+	ID        string `json:"id,omitempty" protobuf:"bytes,3,opt,name=id"`
+}
+
+// AccessRequestList contains a list of AccessRequest
+// +kubebuilder:object:root=true
+type AppProjectList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AppProject `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&AppProject{}, &AppProjectList{})
+}

api/argoproj/v1alpha1/groupversion_info.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the Argo CD AppProject resource
+// +kubebuilder:skip
+// +kubebuilder:object:generate=true
+// +groupName=argoproj.io
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "argoproj.io", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

cmd/main.go

@@ -35,6 +35,7 @@ import (
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
+	appprojectv1alpha1 "github.com/argoproj-labs/ephemeral-access/api/argoproj/v1alpha1"
 	ephemeralaccessv1alpha1 "github.com/argoproj-labs/ephemeral-access/api/v1alpha1"
 	"github.com/argoproj-labs/ephemeral-access/internal/controller"
 	// +kubebuilder:scaffold:imports
@@ -47,8 +48,8 @@ var (
 
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
-
 	utilruntime.Must(ephemeralaccessv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(appprojectv1alpha1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
 

config/samples/ephemeral-access_v1alpha1_accessrequest.yaml

@@ -4,6 +4,13 @@ metadata:
   labels:
     app.kubernetes.io/name: argocd-ephemeral-access
     app.kubernetes.io/managed-by: kustomize
-  name: accessrequest-sample
+  name: some-application-username
+  namespace: ephemeral
 spec:
-  # TODO(user): Add fields here
+  duration: '1m'
+  targetRoleName: ephemeral-write-access
+  appProject: 
+    name: some-argocd-appproject
+    namespace: some-namespace
+  subjects:
+    - username: [email protected]

config/samples/kustomization.yaml

@@ -1,4 +1,5 @@
 ## Append samples of your project ##
 resources:
 - ephemeral-access_v1alpha1_accessrequest.yaml
+- argoproj.io_appproject.yaml
 # +kubebuilder:scaffold:manifestskustomizesamples

internal/controller/accessrequest_controller.go

@@ -28,7 +28,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
-	argocd "github.com/argoproj-labs/ephemeral-access/api/appproject/v1alpha1"
+	argocd "github.com/argoproj-labs/ephemeral-access/api/argoproj/v1alpha1"
 	api "github.com/argoproj-labs/ephemeral-access/api/v1alpha1"
 	"github.com/argoproj-labs/ephemeral-access/internal/log"
 )