Topic permission 191 (#456)

* Add topicpermissions.rabbitmq.com

- issue #191

* Reconcile logic and sys tests for topic permission

- issue: #191

* Set github workflow to latest go to resolve vul scan errors

* Increase timeout when waiting for permissions

* Make exchange in topic permission CR required

* Update topic permission property description

* Remove unused generated sample file

Author: ChunyiLyu

.github/workflows/pr.yml

@@ -5,7 +5,7 @@ on:
     branches: [ main ]
 
 env:
-  GO_VERSION: '^1.19.0' # Require Go 1.19 and above, but lower than Go 2.0.0
+  GO_VERSION: '^1.19.1' # Require Go 1.19 and above, but lower than Go 2.0.0
 
 jobs:
 

PROJECT

@@ -105,4 +105,16 @@ resources:
   webhooks:
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: rabbitmq.com
+  group: rabbitmq.com
+  kind: TopicPermission
+  path: github.com/rabbitmq/messaging-topology-operator/api/v1beta1
+  version: v1beta1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"

api/v1beta1/topicpermission_types.go

@@ -0,0 +1,83 @@
+package v1beta1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// TopicPermissionSpec defines the desired state of TopicPermission
+type TopicPermissionSpec struct {
+	// Name of an existing user; must provide user or userReference, else create/update will fail; cannot be updated.
+	User string `json:"user,omitempty"`
+	// Reference to an existing user.rabbitmq.com object; must provide user or userReference, else create/update will fail; cannot be updated.
+	UserReference *corev1.LocalObjectReference `json:"userReference,omitempty"`
+	// Name of an existing vhost; required property; cannot be updated.
+	// +kubebuilder:validation:Required
+	Vhost string `json:"vhost"`
+	// Permissions to grant to the user to a topic exchange; required property.
+	// +kubebuilder:validation:Required
+	Permissions TopicPermissionConfig `json:"permissions"`
+	// Reference to the RabbitmqCluster that both the provided user and vhost are.
+	// Required property.
+	// +kubebuilder:validation:Required
+	RabbitmqClusterReference RabbitmqClusterReference `json:"rabbitmqClusterReference"`
+}
+
+type TopicPermissionConfig struct {
+	// Name of a topic exchange; required property; cannot be updated.
+	// +kubebuilder:validation:Required
+	Exchange string `json:"exchange,omitempty"`
+	// +kubebuilder:validation:Optional
+	Read string `json:"read,omitempty"`
+	// +kubebuilder:validation:Optional
+	Write string `json:"write,omitempty"`
+}
+
+// TopicPermissionStatus defines the observed state of TopicPermission
+type TopicPermissionStatus struct {
+	// observedGeneration is the most recent successful generation observed for this TopicPermission. It corresponds to the
+	// TopicPermission's generation, which is updated on mutation by the API Server.
+	ObservedGeneration int64       `json:"observedGeneration,omitempty"`
+	Conditions         []Condition `json:"conditions,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// TopicPermission is the Schema for the topicpermissions API
+type TopicPermission struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TopicPermissionSpec   `json:"spec,omitempty"`
+	Status TopicPermissionStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// TopicPermissionList contains a list of TopicPermission
+type TopicPermissionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []TopicPermission `json:"items"`
+}
+
+func (t *TopicPermission) GroupResource() schema.GroupResource {
+	return schema.GroupResource{
+		Group:    t.GroupVersionKind().Group,
+		Resource: t.GroupVersionKind().Kind,
+	}
+}
+
+func (t *TopicPermission) RabbitReference() RabbitmqClusterReference {
+	return t.Spec.RabbitmqClusterReference
+}
+
+func (t *TopicPermission) SetStatusConditions(c []Condition) {
+	t.Status.Conditions = c
+}
+
+func init() {
+	SchemeBuilder.Register(&TopicPermission{}, &TopicPermissionList{})
+}

api/v1beta1/topicpermission_types_test.go

@@ -0,0 +1,80 @@
+package v1beta1
+
+import (
+	"context"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+var _ = Describe("TopicPermission", func() {
+	var (
+		namespace = "default"
+		ctx       = context.Background()
+	)
+
+	It("creates a topic permission when username is provided", func() {
+		permission := TopicPermission{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-permission-1",
+				Namespace: namespace,
+			},
+			Spec: TopicPermissionSpec{
+				User:  "test",
+				Vhost: "/test",
+				Permissions: TopicPermissionConfig{
+					Exchange: "some",
+					Read:     "^?",
+					Write:    ".*",
+				},
+				RabbitmqClusterReference: RabbitmqClusterReference{
+					Name: "some-cluster",
+				},
+			},
+		}
+		Expect(k8sClient.Create(ctx, &permission)).To(Succeed())
+		fetchedTopicPermission := &TopicPermission{}
+		Expect(k8sClient.Get(ctx, types.NamespacedName{
+			Name:      permission.Name,
+			Namespace: permission.Namespace,
+		}, fetchedTopicPermission)).To(Succeed())
+		Expect(fetchedTopicPermission.Spec.User).To(Equal("test"))
+		Expect(fetchedTopicPermission.Spec.Vhost).To(Equal("/test"))
+		Expect(fetchedTopicPermission.Spec.RabbitmqClusterReference.Name).To(Equal("some-cluster"))
+
+		Expect(fetchedTopicPermission.Spec.Permissions.Exchange).To(Equal("some"))
+		Expect(fetchedTopicPermission.Spec.Permissions.Write).To(Equal(".*"))
+		Expect(fetchedTopicPermission.Spec.Permissions.Read).To(Equal("^?"))
+	})
+
+	It("creates a permission object with user reference is provided", func() {
+		permission := TopicPermission{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "user-ref-permission",
+				Namespace: namespace,
+			},
+			Spec: TopicPermissionSpec{
+				UserReference: &corev1.LocalObjectReference{
+					Name: "a-created-user",
+				},
+				Vhost:       "/test",
+				Permissions: TopicPermissionConfig{},
+				RabbitmqClusterReference: RabbitmqClusterReference{
+					Name: "some-cluster",
+				},
+			},
+		}
+		Expect(k8sClient.Create(ctx, &permission)).To(Succeed())
+		fetchedTopicPermission := &TopicPermission{}
+		Expect(k8sClient.Get(ctx, types.NamespacedName{
+			Name:      permission.Name,
+			Namespace: permission.Namespace,
+		}, fetchedTopicPermission)).To(Succeed())
+		Expect(fetchedTopicPermission.Spec.UserReference.Name).To(Equal("a-created-user"))
+		Expect(fetchedTopicPermission.Spec.User).To(Equal(""))
+		Expect(fetchedTopicPermission.Spec.Vhost).To(Equal("/test"))
+		Expect(fetchedTopicPermission.Spec.RabbitmqClusterReference.Name).To(Equal("some-cluster"))
+	})
+})

api/v1beta1/topicpermission_webhook.go

@@ -0,0 +1,95 @@
+package v1beta1
+
+import (
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+// log is for logging in this package.
+var topicpermissionlog = logf.Log.WithName("topicpermission-resource")
+
+func (r *TopicPermission) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+//+kubebuilder:webhook:path=/validate-rabbitmq-com-v1beta1-topicpermission,mutating=false,failurePolicy=fail,sideEffects=None,groups=rabbitmq.com,resources=topicpermissions,verbs=create;update,versions=v1beta1,name=vtopicpermission.kb.io,admissionReviewVersions={v1,v1beta1}
+
+var _ webhook.Validator = &TopicPermission{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (p *TopicPermission) ValidateCreate() error {
+	var errorList field.ErrorList
+	if p.Spec.User == "" && p.Spec.UserReference == nil {
+		errorList = append(errorList, field.Required(field.NewPath("spec", "user and userReference"),
+			"must specify either spec.user or spec.userReference"))
+		return apierrors.NewInvalid(GroupVersion.WithKind("Permission").GroupKind(), p.Name, errorList)
+	}
+
+	if p.Spec.User != "" && p.Spec.UserReference != nil {
+		errorList = append(errorList, field.Required(field.NewPath("spec", "user and userReference"),
+			"cannot specify spec.user and spec.userReference at the same time"))
+		return apierrors.NewInvalid(GroupVersion.WithKind("Permission").GroupKind(), p.Name, errorList)
+	}
+	return p.Spec.RabbitmqClusterReference.ValidateOnCreate(p.GroupResource(), p.Name)
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (p *TopicPermission) ValidateUpdate(old runtime.Object) error {
+	oldPermission, ok := old.(*TopicPermission)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a permission but got a %T", old))
+	}
+
+	var errorList field.ErrorList
+	if p.Spec.User == "" && p.Spec.UserReference == nil {
+		errorList = append(errorList, field.Required(field.NewPath("spec", "user and userReference"),
+			"must specify either spec.user or spec.userReference"))
+		return apierrors.NewInvalid(GroupVersion.WithKind("TopicPermission").GroupKind(), p.Name, errorList)
+	}
+
+	if p.Spec.User != "" && p.Spec.UserReference != nil {
+		errorList = append(errorList, field.Required(field.NewPath("spec", "user and userReference"),
+			"cannot specify spec.user and spec.userReference at the same time"))
+		return apierrors.NewInvalid(GroupVersion.WithKind("TopicPermission").GroupKind(), p.Name, errorList)
+	}
+
+	detailMsg := "updates on exchange, user, userReference, vhost and rabbitmqClusterReference are all forbidden"
+	if p.Spec.Permissions.Exchange != oldPermission.Spec.Permissions.Exchange {
+		return apierrors.NewForbidden(p.GroupResource(), p.Name,
+			field.Forbidden(field.NewPath("spec", "permissions", "exchange"), detailMsg))
+	}
+
+	if p.Spec.User != oldPermission.Spec.User {
+		return apierrors.NewForbidden(p.GroupResource(), p.Name,
+			field.Forbidden(field.NewPath("spec", "user"), detailMsg))
+	}
+
+	if userReferenceUpdated(p.Spec.UserReference, oldPermission.Spec.UserReference) {
+		return apierrors.NewForbidden(p.GroupResource(), p.Name,
+			field.Forbidden(field.NewPath("spec", "userReference"), detailMsg))
+	}
+
+	if p.Spec.Vhost != oldPermission.Spec.Vhost {
+		return apierrors.NewForbidden(p.GroupResource(), p.Name,
+			field.Forbidden(field.NewPath("spec", "vhost"), detailMsg))
+	}
+
+	if !oldPermission.Spec.RabbitmqClusterReference.Matches(&p.Spec.RabbitmqClusterReference) {
+		return apierrors.NewForbidden(p.GroupResource(), p.Name,
+			field.Forbidden(field.NewPath("spec", "rabbitmqClusterReference"), detailMsg))
+	}
+	return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *TopicPermission) ValidateDelete() error {
+	return nil
+}