CLOUDP-283292. AtlasCustomRole CRDs (#3450)

Co-authored-by: Helder Santana <[email protected]>

build/ci/library_owners.json

@@ -1,63 +1,64 @@
 {
-	"cloud.google.com/go/kms": "apix-2",
-	"github.com/AlecAivazis/survey/v2": "apix-2",
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore": "apix-2",
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity": "apix-2",
-	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys": "apix-2",
-	"github.com/Masterminds/semver/v3": "apix-2",
-	"github.com/PaesslerAG/jsonpath": "apix-2",
-	"github.com/aws/aws-sdk-go-v2": "apix-2",
-	"github.com/aws/aws-sdk-go-v2/config": "apix-2",
-	"github.com/aws/aws-sdk-go-v2/credentials": "apix-2",
-	"github.com/aws/aws-sdk-go-v2/service/kms": "apix-2",
-	"github.com/briandowns/spinner": "apix-2",
-	"github.com/evergreen-ci/shrub": "apix-2",
-	"github.com/go-test/deep": "apix-2",
-	"github.com/golang-jwt/jwt/v4": "apix-2",
-	"github.com/golang/mock": "apix-2",
-	"github.com/google/go-github/v61": "apix-2",
-	"github.com/google/uuid": "atlas_kubernetes_team",
-	"github.com/klauspost/compress": "apix-2",
-	"github.com/mattn/go-isatty": "apix-2",
-	"github.com/mongodb-forks/digest": "apix-2",
-	"github.com/mongodb-labs/cobra2snooty": "apix-2",
-	"github.com/pelletier/go-toml": "apix-2",
-	"github.com/Netflix/go-expect": "apix-2",
-	"github.com/creack/pty": "apix-2",
-	"github.com/hinshun/vt10x": "apix-2",
-	"github.com/pkg/browser": "apix-2",
-	"github.com/spf13/afero": "apix-2",
-	"github.com/spf13/cobra": "apix-2",
-	"github.com/spf13/pflag": "apix-2",
-	"github.com/spf13/viper": "apix-2",
-	"github.com/stretchr/testify": "apix-2",
-	"github.com/tangzero/inflector": "apix-2",
-	"go.mongodb.org/atlas": "apix-2",
-	"go.mongodb.org/atlas-sdk/v20241113004": "apix-2",
-	"go.mongodb.org/atlas-sdk/v20240530005": "apix-2",
-	"go.mongodb.org/mongo-driver": "apix-2",
-	"golang.org/x/sys": "apix-2",
-	"golang.org/x/tools": "apix-2",
-	"google.golang.org/api": "apix-2",
-	"google.golang.org/protobuf": "apix-2",
-	"golang.org/x/mod": "apix-2",
-	"gopkg.in/yaml.v3": "apix-2",
-	"github.com/mongodb/mongodb-atlas-kubernetes/v2": "atlas_kubernetes_team",
-	"k8s.io/api": "atlas_kubernetes_team",
-	"k8s.io/apimachinery": "atlas_kubernetes_team",
-	"k8s.io/apiserver": "atlas_kubernetes_team",
-	"k8s.io/client-go": "atlas_kubernetes_team",
-	"k8s.io/apiextensions-apiserver": "atlas_kubernetes_team",
-	"sigs.k8s.io/yaml": "atlas_kubernetes_team",
-	"sigs.k8s.io/controller-runtime": "atlas_kubernetes_team",
-	"sigs.k8s.io/kind": "atlas_kubernetes_team",
-	"golang.org/x/exp": "atlas_kubernetes_team",
-	"github.com/denisbrodbeck/machineid": "apix-2",
-	"github.com/shirou/gopsutil/v4": "apix-2",
-	"go.opentelemetry.io/otel": "apix-2",
-	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc": "apix-2",
-	"go.opentelemetry.io/otel/sdk": "apix-2",
-	"go.opentelemetry.io/otel/trace": "apix-2",
-	"google.golang.org/grpc": "apix-2",
-	"github.com/mholt/archives": "apix-2"
+  "cloud.google.com/go/kms": "apix-2",
+  "github.com/AlecAivazis/survey/v2": "apix-2",
+  "github.com/Azure/azure-sdk-for-go/sdk/azcore": "apix-2",
+  "github.com/Azure/azure-sdk-for-go/sdk/azidentity": "apix-2",
+  "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys": "apix-2",
+  "github.com/Masterminds/semver/v3": "apix-2",
+  "github.com/PaesslerAG/jsonpath": "apix-2",
+  "github.com/aws/aws-sdk-go-v2": "apix-2",
+  "github.com/aws/aws-sdk-go-v2/config": "apix-2",
+  "github.com/aws/aws-sdk-go-v2/credentials": "apix-2",
+  "github.com/aws/aws-sdk-go-v2/service/kms": "apix-2",
+  "github.com/briandowns/spinner": "apix-2",
+  "github.com/evergreen-ci/shrub": "apix-2",
+  "github.com/go-test/deep": "apix-2",
+  "github.com/golang-jwt/jwt/v4": "apix-2",
+  "github.com/golang/mock": "apix-2",
+  "github.com/google/go-github/v61": "apix-2",
+  "github.com/google/uuid": "atlas_kubernetes_team",
+  "github.com/klauspost/compress": "apix-2",
+  "github.com/mattn/go-isatty": "apix-2",
+  "github.com/mongodb-forks/digest": "apix-2",
+  "github.com/mongodb-labs/cobra2snooty": "apix-2",
+  "github.com/pelletier/go-toml": "apix-2",
+  "github.com/Netflix/go-expect": "apix-2",
+  "github.com/creack/pty": "apix-2",
+  "github.com/hinshun/vt10x": "apix-2",
+  "github.com/pkg/browser": "apix-2",
+  "github.com/spf13/afero": "apix-2",
+  "github.com/spf13/cobra": "apix-2",
+  "github.com/spf13/pflag": "apix-2",
+  "github.com/spf13/viper": "apix-2",
+  "github.com/stretchr/testify": "apix-2",
+  "github.com/tangzero/inflector": "apix-2",
+  "go.mongodb.org/atlas": "apix-2",
+  "go.mongodb.org/atlas-sdk/v20241113004": "apix-2",
+  "go.mongodb.org/atlas-sdk/v20240530005": "apix-2",
+  "go.mongodb.org/atlas-sdk/v20241113001": "apix-2",
+  "go.mongodb.org/mongo-driver": "apix-2",
+  "golang.org/x/sys": "apix-2",
+  "golang.org/x/tools": "apix-2",
+  "google.golang.org/api": "apix-2",
+  "google.golang.org/protobuf": "apix-2",
+  "golang.org/x/mod": "apix-2",
+  "gopkg.in/yaml.v3": "apix-2",
+  "github.com/mongodb/mongodb-atlas-kubernetes/v2": "atlas_kubernetes_team",
+  "k8s.io/api": "atlas_kubernetes_team",
+  "k8s.io/apimachinery": "atlas_kubernetes_team",
+  "k8s.io/apiserver": "atlas_kubernetes_team",
+  "k8s.io/client-go": "atlas_kubernetes_team",
+  "k8s.io/apiextensions-apiserver": "atlas_kubernetes_team",
+  "sigs.k8s.io/yaml": "atlas_kubernetes_team",
+  "sigs.k8s.io/controller-runtime": "atlas_kubernetes_team",
+  "sigs.k8s.io/kind": "atlas_kubernetes_team",
+  "golang.org/x/exp": "atlas_kubernetes_team",
+  "github.com/denisbrodbeck/machineid": "apix-2",
+  "github.com/shirou/gopsutil/v4": "apix-2",
+  "go.opentelemetry.io/otel": "apix-2",
+  "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc": "apix-2",
+  "go.opentelemetry.io/otel/sdk": "apix-2",
+  "go.opentelemetry.io/otel/trace": "apix-2",
+  "google.golang.org/grpc": "apix-2",
+  "github.com/mholt/archives": "apix-2"
 }

internal/kubernetes/operator/config_exporter.go

@@ -123,7 +123,6 @@ func (e *ConfigExporter) WithIndependentResources(enabled bool) *ConfigExporter
 	e.independentResources = enabled
 	return e
 }
-
 func (e *ConfigExporter) Run() (string, error) {
 	// TODO: Add REST to OPERATOR entities matcher
 	output := bytes.NewBufferString(yamlSeparator)
@@ -184,6 +183,7 @@ func (e *ConfigExporter) Run() (string, error) {
 	return output.String(), nil
 }
 
+//nolint:gocyclo
 func (e *ConfigExporter) exportProject() ([]runtime.Object, string, error) {
 	atlasProject, err := e.dataProvider.Project(e.projectID)
 	if err != nil {
@@ -256,6 +256,26 @@ func (e *ConfigExporter) exportProject() ([]runtime.Object, string, error) {
 		}
 	}
 
+	// Independent custom roles (AtlasCustomRole CR)
+	if e.featureValidator.IsResourceSupported(features.ResourceAtlasCustomRole) {
+		roles, err := project.BuildCustomRoles(e.dataProvider, project.CustomRolesRequest{
+			ProjectID:       e.projectID,
+			ProjectName:     projectData.Project.Name,
+			TargetNamespace: e.targetNamespace,
+			Version:         e.operatorVersion,
+			Credentials:     credentialsName,
+			IsIndependent:   e.independentResources,
+			Dict:            e.dictionaryForAtlasNames,
+		})
+		if err != nil {
+			return nil, "", err
+		}
+
+		for i := range len(roles) {
+			r = append(r, &roles[i])
+		}
+	}
+
 	// DB users
 	usersData, relatedSecrets, err := dbusers.BuildDBUsers(
 		e.dataProvider,

internal/kubernetes/operator/features/crds.go

@@ -42,6 +42,7 @@ const (
 	ResourceAtlasStreamConnection       = "atlasstreamconnections"
 	ResourceAtlasBackupCompliancePolicy = "atlasbackupcompliancepolicies"
 	ResourceAtlasPrivateEndpoint        = "atlasprivateendpoints"
+	ResourceAtlasCustomRole             = "atlascustomroles"
 )
 
 var (
@@ -92,6 +93,7 @@ var (
 			resource{ResourceAtlasStreamConnection, NopPatcher()},
 			resource{ResourceAtlasBackupCompliancePolicy, NopPatcher()},
 			resource{ResourceAtlasPrivateEndpoint, NopPatcher()},
+			resource{ResourceAtlasCustomRole, NopPatcher()},
 		},
 	}
 )

internal/kubernetes/operator/features/validator.go

@@ -18,5 +18,5 @@ package features
 
 type FeatureValidator interface {
 	IsResourceSupported(resourceName string) bool
-	FeatureExist(resourceName, version string) bool
+	FeatureExist(resourceName, path string) bool
 }

internal/kubernetes/operator/project/customroles.go

@@ -0,0 +1,124 @@
+// Copyright 2024 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package project
+
+import (
+	"fmt"
+
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/kubernetes/operator/features"
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/kubernetes/operator/resources"
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/pointer"
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/store"
+	akoapi "github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api"
+	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1"
+	akov2common "github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1/common"
+	akov2status "github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1/status"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type CustomRolesRequest struct {
+	ProjectName     string
+	ProjectID       string
+	TargetNamespace string
+	Credentials     string
+	Version         string
+	IsIndependent   bool
+	Dict            map[string]string
+}
+
+func BuildCustomRoles(provider store.DatabaseRoleLister, request CustomRolesRequest) ([]akov2.AtlasCustomRole, error) {
+	roles, err := provider.DatabaseRoles(request.ProjectID)
+	if err != nil {
+		return nil, err
+	}
+	if roles == nil {
+		return nil, nil
+	}
+
+	result := make([]akov2.AtlasCustomRole, 0, len(roles))
+
+	for rIdx := range roles {
+		role := &roles[rIdx]
+
+		inhRoles := make([]akov2.Role, 0, len(role.GetInheritedRoles()))
+		for _, rl := range role.GetInheritedRoles() {
+			inhRoles = append(inhRoles, akov2.Role{
+				Name:     rl.Role,
+				Database: rl.Db,
+			})
+		}
+
+		actions := make([]akov2.Action, 0, len(role.GetActions()))
+		for _, action := range role.GetActions() {
+			r := make([]akov2.Resource, 0, len(action.GetResources()))
+			for _, res := range action.GetResources() {
+				r = append(r, akov2.Resource{
+					Cluster:    pointer.Get(res.Cluster),
+					Database:   pointer.Get(res.Db),
+					Collection: pointer.Get(res.Collection),
+				})
+			}
+			actions = append(actions, akov2.Action{
+				Name:      action.Action,
+				Resources: r,
+			})
+		}
+
+		akoRole := akov2.AtlasCustomRole{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "AtlasCustomRole",
+				APIVersion: "atlas.mongodb.com/v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: resources.NormalizeAtlasName(
+					fmt.Sprintf("%s-custom-role-%s",
+						request.ProjectName,
+						role.RoleName),
+					request.Dict),
+				Namespace: request.TargetNamespace,
+				Labels: map[string]string{
+					features.ResourceVersion: request.Version,
+				},
+			},
+			Spec: akov2.AtlasCustomRoleSpec{
+				Role: akov2.CustomRole{
+					Name:           role.RoleName,
+					InheritedRoles: inhRoles,
+					Actions:        actions,
+				},
+			},
+			Status: akov2status.AtlasCustomRoleStatus{
+				Common: akoapi.Common{Conditions: []akoapi.Condition{}},
+			},
+		}
+		if request.IsIndependent {
+			akoRole.Spec.ExternalProjectIDRef = &akov2.ExternalProjectReference{
+				ID: request.ProjectID,
+			}
+			akoRole.Spec.LocalCredentialHolder = akoapi.LocalCredentialHolder{
+				ConnectionSecret: &akoapi.LocalObjectReference{
+					Name: resources.NormalizeAtlasName(request.Credentials, request.Dict),
+				},
+			}
+		} else {
+			akoRole.Spec.ProjectRef = &akov2common.ResourceRefNamespaced{
+				Name:      request.ProjectName,
+				Namespace: request.TargetNamespace,
+			}
+		}
+		result = append(result, akoRole)
+	}
+	return result, nil
+}