✨ Systems' read-only state is configurable (#322)

go 1.22.0 -> 1.22.5
Bankdata · Jul 10, 2024 · 87e866e · 87e866e
1 parent 4b477fe
commit 87e866e
Show file tree

Hide file tree

Showing 8 changed files with 261 additions and 110 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -96,8 +96,7 @@ available targets.
 The Makefile has targets for building and deploying the controller to a
 Kubernetes cluster.
 
-1. Set desired docker image name using the IMG environment variable: `export
-   IMG=docker-image-name`. This will be used across make targets that refer to
+1. Set desired docker image name using the IMG environment variable: `export IMG=docker-image-name`. This will be used across make targets that refer to
    image names.
 2. Build the controller docker image: `make docker-build`
 3. Push the controller docker image: `make docker-push`

diff --git a/api/config/v2alpha2/projectconfig_types.go b/api/config/v2alpha2/projectconfig_types.go
@@ -38,6 +38,9 @@ type ProjectConfig struct {
 	// protection if it is not set on the resource.
 	DeletionProtectionDefault bool `json:"deletionProtectionDefault"`
 
+	// ReadOnly sets the default values of ReadOnly for systems
+	ReadOnly bool `json:"readOnly"`
+
 	// DisableCRDWebhooks disables the CRD webhooks on the controller. If running
 	// multiple controllers in the same cluster, only one will need to have it's
 	// webhooks enabled.

diff --git a/config/default/config.yaml b/config/default/config.yaml
@@ -3,6 +3,7 @@ kind: ProjectConfig
 #controllerClass:
 #deletionProtectionDefault:
 #disableCRDWebhooks:
+readOnly: true
 enableMigrations: false
 #gitCredentials:
 logLevel: 0

diff --git a/docs/configuration.md b/docs/configuration.md
@@ -3,6 +3,7 @@ This document describes the different configuration options for the Styra Contro
 
 * `controllerClass`         
 * `deletionProtectionDefault`
+* `readOnly`
 * `disableCRDWebhooks`
 * `enableMigrations`
 * `gitCredentials`
@@ -94,6 +95,9 @@ The controller can be configured to add a prefix and a suffix to the Systems nam
 ## Delete Protection
 Custom Resources can have delete protection, means that they will not be deleted by the controller in Styra. The default can be configured by setting `deletionProtectionDefault`.
 
+## Read Only
+Styra Systems can be read-only, meaning they cannot be changed in the Styra GUI. This can be configured by setting `readOnly`.
+
 ## EnableMigrations
 An annotation that allows configuring Systems in Kubernetes to link to a specific system in Styra. The ID that the system in Kubernetes should link to is configured by setting `styra-contoller/migration-id: [styra system id]` annotation on Kubernetes system resource. Should only be set while migrating. 
 

diff --git a/go.mod b/go.mod
@@ -1,8 +1,6 @@
 module github.com/bankdata/styra-controller
 
-go 1.22.0
-
-toolchain go1.22.1
+go 1.22.5
 
 require (
 	github.com/ahmetb/gen-crd-api-reference-docs v0.3.0

diff --git a/internal/controller/styra/system_controller.go b/internal/controller/styra/system_controller.go
@@ -1087,7 +1087,7 @@ func (r *SystemReconciler) specToSystemConfig(system *v1beta1.System) *styra.Sys
 	cfg := &styra.SystemConfig{
 		Name:     system.DisplayName(r.Config.SystemPrefix, r.Config.SystemSuffix),
 		Type:     "custom",
-		ReadOnly: true,
+		ReadOnly: r.Config.ReadOnly,
 	}
 
 	if len(system.Spec.DecisionMappings) > 0 {
@@ -1156,6 +1156,11 @@ func (r *SystemReconciler) systemNeedsUpdate(log logr.Logger, system *v1beta1.Sy
 		return true
 	}
 
+	if cfg.ReadOnly != r.Config.ReadOnly {
+		log.Info("System needs update: read only is not equal")
+		return true
+	}
+
 	expectedModel := r.specToSystemConfig(system)
 	if !reflect.DeepEqual(expectedModel.SourceControl, cfg.SourceControl) {
 		log.Info("System needs update: source control is not equal")

diff --git a/test/integration/controller/controller_suite_test.go b/test/integration/controller/controller_suite_test.go
@@ -122,6 +122,7 @@ var _ = ginkgo.BeforeSuite(func() {
 				IdentityProvider: "AzureAD Bankdata",
 				JWTGroupsClaim:   "groups",
 			},
+			ReadOnly: true,
 		},
 	}