diff --git a/api/v1beta2/owner.go b/api/v1beta2/owner.go
index 75956f3a..7fe7bcf8 100644
--- a/api/v1beta2/owner.go
+++ b/api/v1beta2/owner.go
@@ -13,6 +13,10 @@ type OwnerSpec struct {
 ClusterRoles []string `json:"clusterRoles,omitempty"`
 // Proxy settings for tenant owner.
 ProxyOperations []ProxySettings `json:"proxySettings,omitempty"`
+ // Additional Labels for the synchronized rolebindings
+ Labels map[string]string `json:"labels,omitempty"`
+ // Additional Annotations for the synchronized rolebindings
+ Annotations map[string]string `json:"annotations,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=User;Group;ServiceAccount
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
index 377e0e51..f90228c7 100644
--- a/api/v1beta2/zz_generated.deepcopy.go
+++ b/api/v1beta2/zz_generated.deepcopy.go
@@ -462,6 +462,20 @@ func (in *OwnerSpec) DeepCopyInto(out *OwnerSpec) {
 (*in)[i].DeepCopyInto(&(*out)[i])
 }
 }
+ if in.Labels != nil {
+ in, out := &in.Labels, &out.Labels
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
+ if in.Annotations != nil {
+ in, out := &in.Annotations, &out.Annotations
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerSpec.
diff --git a/charts/capsule/crds/capsule.clastix.io_tenants.yaml b/charts/capsule/crds/capsule.clastix.io_tenants.yaml
index 55dd1391..dc327c28 100644
--- a/charts/capsule/crds/capsule.clastix.io_tenants.yaml
+++ b/charts/capsule/crds/capsule.clastix.io_tenants.yaml
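Review bot: The doc comments on the new `Labels` and `Annotations` fields say only "Additional Labels for the synchronized rolebindings", and that exact text becomes the user-facing CRD description (see the capsule.clastix.io_tenants.yaml hunks), so they should state the contract rather than restate the field name. For AdditionalRoleBindingsSpec the rolebindings.go hunk shows the values are copied onto the RoleBinding metadata on every sync, replacing what was there, and that `target.Labels[tenantLabel]` is written after the copy, so controller-managed keys take precedence over same-named user keys; wording such as `// Labels set on the RoleBindings synchronized for this entry; keys managed by the controller take precedence.` (and the parallel sentence for Annotations) would make that explicit. The same wording applies to the identical fields added to AdditionalRoleBindingsSpec in pkg/api/additional_role_bindings.go. Whether the owner bindings built in ownerClusterRoleBindings get controller labels applied after these is not visible in this diff, so the OwnerSpec text should be confirmed against that function before it is committed.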
@@ -68,8 +68,18 @@ spec:
 the RoleBinding for the given ClusterRole. Optional.
 items:
 properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Additional Annotations for the synchronized rolebindings
+ type: object
 clusterRoleName:
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Additional Labels for the synchronized rolebindings
+ type: object
 subjects:
 description: kubebuilder:validation:Minimum=1
 items:
@@ -1099,8 +1109,18 @@ spec:
 the RoleBinding for the given ClusterRole. Optional.
 items:
 properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Additional Annotations for the synchronized rolebindings
+ type: object
 clusterRoleName:
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Additional Labels for the synchronized rolebindings
+ type: object
 subjects:
 description: kubebuilder:validation:Minimum=1
 items:
@@ -2026,6 +2046,11 @@ spec:
 Optional
 items:
 properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Additional Annotations for the synchronized rolebindings
+ type: object
 clusterRoles:
 default:
 - admin
@@ -2043,6 +2068,11 @@ spec:
 - Group
 - ServiceAccount
 type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: Additional Labels for the synchronized rolebindings
+ type: object
 name:
 description: Name of tenant owner.
 type: string
diff --git a/controllers/tenant/rolebindings.go b/controllers/tenant/rolebindings.go
index bbc7ce56..17185fe9 100644
--- a/controllers/tenant/rolebindings.go
+++ b/controllers/tenant/rolebindings.go
@@ -45,6 +45,8 @@ func (r *Manager) ownerClusterRoleBindings(owner capsulev1beta2.OwnerSpec, clust
 Subjects: []rbacv1.Subject{
 subject,
 },
+ Labels: owner.Labels,
+ Annotations: owner.Annotations,
 }
 }
 
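Review bot: `Labels: owner.Labels` and `Annotations: owner.Annotations` put the spec's own map headers into the RoleBinding's ObjectMeta rather than copies, so any later insert into the binding's Labels or Annotations lands in the OwnerSpec the controller was handed — presumably the Tenant object, possibly a cache copy shared across reconciles — and the syncAdditionalRoleBinding hunk in this same diff does exactly that: it assigns `target.Labels = roleBinding.Labels` and then writes `target.Labels[tenantLabel]` into it. Copying at both sites keeps the spec immutable: in this struct literal `Labels: maps.Clone(owner.Labels)` if the module is on Go 1.21+ (else a short range loop), and in syncAdditionalRoleBinding `for k, v := range roleBinding.Labels { target.Labels[k] = v }` in place of the nil check and assignment, with the same treatment for Annotations. Whether ownerClusterRoleBindings adds the controller's selector labels to these bindings afterwards is outside the hunk; the enclosing function starts and ends outside it.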
@@ -129,17 +131,26 @@ func (r *Manager) syncAdditionalRoleBinding(ctx context.Context, tenant *capsule
 var res controllerutil.OperationResult
 res, err = controllerutil.CreateOrUpdate(ctx, r.Client, target, func() error {
- if target.Labels == nil {
- target.Labels = map[string]string{}
+ target.Labels = map[string]string{}
+ target.Annotations = map[string]string{}
+
+ if roleBinding.Labels != nil {
+ target.Labels = roleBinding.Labels
+ }
 target.Labels[tenantLabel] = tenant.Name
 target.Labels[roleBindingLabel] = roleBindingHashLabel
+
+ if roleBinding.Annotations != nil {
+ target.Annotations = roleBinding.Annotations
+ }
+
 target.RoleRef = rbacv1.RoleRef{
 APIGroup: rbacv1.GroupName,
 Kind: "ClusterRole",
 Name: roleBinding.ClusterRoleName,
 }
+
 target.Subjects = roleBinding.Subjects
 
 return controllerutil.SetControllerReference(tenant, target, r.Scheme())
diff --git a/pkg/api/additional_role_bindings.go b/pkg/api/additional_role_bindings.go
index 3631c219..9c9315db 100644
--- a/pkg/api/additional_role_bindings.go
+++ b/pkg/api/additional_role_bindings.go
@@ -11,4 +11,8 @@ type AdditionalRoleBindingsSpec struct {
 ClusterRoleName string `json:"clusterRoleName"`
 // kubebuilder:validation:Minimum=1
 Subjects []rbacv1.Subject `json:"subjects"`
+ // Additional Labels for the synchronized rolebindings
+ Labels map[string]string `json:"labels,omitempty"`
+ // Additional Annotations for the synchronized rolebindings
+ Annotations map[string]string `json:"annotations,omitempty"`
 }
diff --git a/pkg/api/zz_generated.deepcopy.go b/pkg/api/zz_generated.deepcopy.go
index 759b3d4c..811c84d3 100644
--- a/pkg/api/zz_generated.deepcopy.go
+++ b/pkg/api/zz_generated.deepcopy.go
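Review bot: Resetting `target.Labels = map[string]string{}` and `target.Annotations = map[string]string{}` at the top of the mutate function turns the previous merge (`if target.Labels == nil`) into a full replace, so on every reconcile any label or annotation another actor placed on the RoleBinding is reverted; that is a defensible way to keep the object aligned with the spec, but it is a behaviour change that deserves a comment such as `// RoleBinding metadata is owned by the Tenant spec: controller keys are re-applied below, anything else is reverted on each sync`. The ordering is right as far as the controller's own keys go — `target.Labels[tenantLabel]` and `target.Labels[roleBindingLabel]` are written after the copy, so a spec entry cannot shadow them. The direct assignments `target.Labels = roleBinding.Labels` and `target.Annotations = roleBinding.Annotations` share the spec maps with the object; that aliasing is raised at the ownerClusterRoleBindings hunk above. The enclosing function starts and ends outside the hunk.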
@@ -85,6 +85,20 @@ func (in *AdditionalRoleBindingsSpec) DeepCopyInto(out *AdditionalRoleBindingsSp
 *out = make([]rbacv1.Subject, len(*in))
 copy(*out, *in)
 }
+ if in.Labels != nil {
+ in, out := &in.Labels, &out.Labels
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
+ if in.Annotations != nil {
+ in, out := &in.Annotations, &out.Annotations
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdditionalRoleBindingsSpec.