[3.15] Add build item for extensions to contribute ClusterRoleBindings

extensions/kubernetes/kind/deployment/src/main/java/io/quarkus/kind/deployment/KindProcessor.java

@@ -35,6 +35,7 @@
 import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
 import io.quarkus.kubernetes.spi.DecoratorBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
+import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesDeploymentTargetBuildItem;
@@ -120,13 +121,14 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
             List<KubernetesClusterRoleBuildItem> clusterRoles,
             List<KubernetesServiceAccountBuildItem> serviceAccounts,
             List<KubernetesRoleBindingBuildItem> roleBindings,
+            List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
             Optional<CustomProjectRootBuildItem> customProjectRoot) {
 
         return DevClusterHelper.createDecorators(KIND, applicationInfo, outputTarget, config, packageConfig,
                 metricsConfiguration, kubernetesClientConfiguration, initContainers, jobs, annotations, labels, envs,
                 baseImage, image, command, ports, portName,
                 livenessPath, readinessPath, startupPath,
-                roles, clusterRoles, serviceAccounts, roleBindings, customProjectRoot);
+                roles, clusterRoles, serviceAccounts, roleBindings, clusterRoleBindings, customProjectRoot);
     }
 
     @BuildStep

extensions/kubernetes/minikube/deployment/src/main/java/io/quarkus/minikube/deployment/MinikubeProcessor.java

@@ -32,6 +32,7 @@
 import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
 import io.quarkus.kubernetes.spi.DecoratorBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
+import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesDeploymentTargetBuildItem;
@@ -116,13 +117,14 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
             List<KubernetesClusterRoleBuildItem> clusterRoles,
             List<KubernetesServiceAccountBuildItem> serviceAccounts,
             List<KubernetesRoleBindingBuildItem> roleBindings,
+            List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
             Optional<CustomProjectRootBuildItem> customProjectRoot) {
 
         return DevClusterHelper.createDecorators(MINIKUBE, applicationInfo, outputTarget, config, packageConfig,
                 metricsConfiguration, kubernetesClientConfiguration, initContainers, jobs, annotations, labels, envs,
                 baseImage, image, command, ports, portName,
                 livenessPath, readinessPath, startupPath,
-                roles, clusterRoles, serviceAccounts, roleBindings, customProjectRoot);
+                roles, clusterRoles, serviceAccounts, roleBindings, clusterRoleBindings, customProjectRoot);
     }
 
     @BuildStep

extensions/kubernetes/spi/src/main/java/io/quarkus/kubernetes/spi/KubernetesClusterRoleBindingBuildItem.java

@@ -0,0 +1,80 @@
+package io.quarkus.kubernetes.spi;
+
+import java.util.Collections;
+import java.util.Map;
+
+import io.quarkus.builder.item.MultiBuildItem;
+
+/**
+ * Produce this build item to request the Kubernetes extension to generate
+ * a Kubernetes {@code ClusterRoleBinding} resource. The configuration here is limited;
+ * in particular, you can't specify subjects of the role binding. The role will always
+ * be bound to the application's service account.
+ */
+public final class KubernetesClusterRoleBindingBuildItem extends MultiBuildItem {
+    /**
+     * Name of the generated {@code RoleBinding} resource.
+     * Can be {@code null}, in which case the resource name is autogenerated.
+     */
+    private final String name;
+    /**
+     * RoleRef configuration.
+     */
+    private final RoleRef roleRef;
+    /**
+     * The target manifest that should include this role.
+     */
+    private final String target;
+    /**
+     * The target subjects.
+     */
+    private final Subject[] subjects;
+
+    /**
+     * The labels of the cluster role resource.
+     */
+    private final Map<String, String> labels;
+
+    public KubernetesClusterRoleBindingBuildItem(String role, boolean clusterWide) {
+        this(null, role, clusterWide, null);
+    }
+
+    public KubernetesClusterRoleBindingBuildItem(String name, String role, boolean clusterWide) {
+        this(name, role, clusterWide, null);
+    }
+
+    public KubernetesClusterRoleBindingBuildItem(String name, String role, boolean clusterWide, String target) {
+        this(name, target, Collections.emptyMap(),
+                new RoleRef(role, clusterWide),
+                new Subject("", "ServiceAccount", name, null));
+    }
+
+    public KubernetesClusterRoleBindingBuildItem(String name, String target, Map<String, String> labels, RoleRef roleRef,
+            Subject... subjects) {
+        this.name = name;
+        this.target = target;
+        this.labels = labels;
+        this.roleRef = roleRef;
+        this.subjects = subjects;
+    }
+
+    public String getName() {
+        return this.name;
+    }
+
+    public String getTarget() {
+        return target;
+    }
+
+    public Map<String, String> getLabels() {
+        return labels;
+    }
+
+    public RoleRef getRoleRef() {
+        return roleRef;
+    }
+
+    public Subject[] getSubjects() {
+        return subjects;
+    }
+}

extensions/kubernetes/spi/src/main/java/io/quarkus/kubernetes/spi/KubernetesRoleBindingBuildItem.java

@@ -11,7 +11,7 @@
  * in particular, you can't specify subjects of the role binding. The role will always
  * be bound to the application's service account.
  * <p>
- * Note that this can't be used to generate a {@code ClusterRoleBinding}.
+ * Use {@link KubernetesClusterRoleBindingBuildItem} to generate a {@code ClusterRoleBinding}.
  */
 public final class KubernetesRoleBindingBuildItem extends MultiBuildItem {
     /**

extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/DevClusterHelper.java

@@ -39,6 +39,7 @@
 import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
 import io.quarkus.kubernetes.spi.DecoratorBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
+import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesEnvBuildItem;
@@ -58,6 +59,7 @@ public class DevClusterHelper {
 
     public static final String DEFAULT_HASH_ALGORITHM = "SHA-256";
 
+    @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
     public static List<DecoratorBuildItem> createDecorators(String clusterKind,
             ApplicationInfoBuildItem applicationInfo,
             OutputTargetBuildItem outputTarget,
@@ -82,6 +84,7 @@ public static List<DecoratorBuildItem> createDecorators(String clusterKind,
             List<KubernetesClusterRoleBuildItem> clusterRoles,
             List<KubernetesServiceAccountBuildItem> serviceAccounts,
             List<KubernetesRoleBindingBuildItem> roleBindings,
+            List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
             Optional<CustomProjectRootBuildItem> customProjectRoot) {
 
         List<DecoratorBuildItem> result = new ArrayList<>();
@@ -93,7 +96,8 @@ public static List<DecoratorBuildItem> createDecorators(String clusterKind,
         result.addAll(KubernetesCommonHelper.createDecorators(project, clusterKind, name, config,
                 metricsConfiguration, kubernetesClientConfiguration,
                 annotations, labels, image, command,
-                port, livenessPath, readinessPath, startupPath, roles, clusterRoles, serviceAccounts, roleBindings));
+                port, livenessPath, readinessPath, startupPath, roles, clusterRoles, serviceAccounts, roleBindings,
+                clusterRoleBindings));
 
         image.ifPresent(i -> {
             result.add(new DecoratorBuildItem(clusterKind, new ApplyContainerImageDecorator(name, i.getImage())));

extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KnativeProcessor.java

@@ -66,6 +66,7 @@
 import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
 import io.quarkus.kubernetes.spi.DecoratorBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
+import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesDeploymentTargetBuildItem;
@@ -155,6 +156,7 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
             List<KubernetesClusterRoleBuildItem> clusterRoles,
             List<KubernetesServiceAccountBuildItem> serviceAccounts,
             List<KubernetesRoleBindingBuildItem> roleBindings,
+            List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
             Optional<CustomProjectRootBuildItem> customProjectRoot,
             List<KubernetesDeploymentTargetBuildItem> targets) {
 
@@ -171,7 +173,7 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
         result.addAll(KubernetesCommonHelper.createDecorators(project, KNATIVE, name, config,
                 metricsConfiguration, kubernetesClientConfiguration, annotations,
                 labels, image, command, port, livenessPath, readinessPath, startupProbePath,
-                roles, clusterRoles, serviceAccounts, roleBindings));
+                roles, clusterRoles, serviceAccounts, roleBindings, clusterRoleBindings));
 
         image.ifPresent(i -> {
             result.add(new DecoratorBuildItem(KNATIVE, new ApplyContainerImageDecorator(name, i.getImage())));

extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java

@@ -93,6 +93,7 @@
 import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
 import io.quarkus.kubernetes.spi.DecoratorBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
+import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesHealthLivenessPathBuildItem;
@@ -248,7 +249,8 @@ public static List<DecoratorBuildItem> createDecorators(Optional<Project> projec
             List<KubernetesRoleBuildItem> roles,
             List<KubernetesClusterRoleBuildItem> clusterRoles,
             List<KubernetesServiceAccountBuildItem> serviceAccounts,
-            List<KubernetesRoleBindingBuildItem> roleBindings) {
+            List<KubernetesRoleBindingBuildItem> roleBindings,
+            List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings) {
         List<DecoratorBuildItem> result = new ArrayList<>();
 
         result.addAll(createLabelDecorators(project, target, name, config, labels));
@@ -283,7 +285,7 @@ public static List<DecoratorBuildItem> createDecorators(Optional<Project> projec
 
         // Handle RBAC
         result.addAll(createRbacDecorators(name, target, config, kubernetesClientConfiguration, roles, clusterRoles,
-                serviceAccounts, roleBindings));
+                serviceAccounts, roleBindings, clusterRoleBindings));
         return result;
     }
 
@@ -293,7 +295,8 @@ private static Collection<DecoratorBuildItem> createRbacDecorators(String name,
             List<KubernetesRoleBuildItem> rolesFromExtensions,
             List<KubernetesClusterRoleBuildItem> clusterRolesFromExtensions,
             List<KubernetesServiceAccountBuildItem> serviceAccountsFromExtensions,
-            List<KubernetesRoleBindingBuildItem> roleBindingsFromExtensions) {
+            List<KubernetesRoleBindingBuildItem> roleBindingsFromExtensions,
+            List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindingsFromExtensions) {
         List<DecoratorBuildItem> result = new ArrayList<>();
         boolean kubernetesClientRequiresRbacGeneration = kubernetesClientConfiguration
                 .map(KubernetesClientCapabilityBuildItem::isGenerateRbac).orElse(false);
@@ -455,6 +458,17 @@ private static Collection<DecoratorBuildItem> createRbacDecorators(String name,
                     subjects.toArray(new Subject[0]))));
         }
 
+        // Add cluster role bindings from extensions
+        for (KubernetesClusterRoleBindingBuildItem crb : clusterRoleBindingsFromExtensions) {
+            if (crb.getTarget() == null || crb.getTarget().equals(target)) {
+                result.add(new DecoratorBuildItem(target, new AddRoleBindingResourceDecorator(name,
+                        Strings.isNotNullOrEmpty(crb.getName()) ? crb.getName() : name + "-" + crb.getRoleRef().getName(),
+                        crb.getLabels(),
+                        crb.getRoleRef(),
+                        crb.getSubjects())));
+            }
+        }
+
         // Add cluster role bindings from configuration
         for (Map.Entry<String, ClusterRoleBindingConfig> rb : config.getRbacConfig().clusterRoleBindings.entrySet()) {
             String rbName = rb.getValue().name.orElse(rb.getKey());
@@ -692,7 +706,6 @@ public static List<DecoratorBuildItem> createInitJobDecorators(String target, St
                 .filter(d -> d.getGroup() == null || d.getGroup().equals(target))
                 .filter(d -> d.getDecorator() instanceof AddEmptyDirVolumeDecorator
                         || d.getDecorator() instanceof AddSecretVolumeDecorator
-                        || d.getDecorator() instanceof AddEmptyDirVolumeDecorator
                         || d.getDecorator() instanceof AddAzureDiskVolumeDecorator
                         || d.getDecorator() instanceof AddAzureFileVolumeDecorator
                         || d.getDecorator() instanceof AddAwsElasticBlockStoreVolumeDecorator)
@@ -1048,7 +1061,7 @@ private static List<DecoratorBuildItem> createAnnotationDecorators(Optional<Proj
      * @param target The deployment target
      * @param probeKind The probe kind (e.g. readinessProbe, livenessProbe etc)
      * @param portName the probe port name build item
-     * @paramt ports a list of kubernetes port build items
+     * @param ports a list of kubernetes port build items
      * @return a decorator for configures the port of the http action of the probe.
      */
     public static DecoratorBuildItem createProbeHttpPortDecorator(String name, String target, String probeKind,

extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/OpenshiftProcessor.java

@@ -60,6 +60,7 @@
 import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
 import io.quarkus.kubernetes.spi.DecoratorBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
+import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesDeploymentTargetBuildItem;
@@ -200,6 +201,7 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
             List<KubernetesClusterRoleBuildItem> clusterRoles,
             List<KubernetesServiceAccountBuildItem> serviceAccounts,
             List<KubernetesRoleBindingBuildItem> roleBindings,
+            List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
             Optional<CustomProjectRootBuildItem> customProjectRoot,
             List<KubernetesDeploymentTargetBuildItem> targets) {
 
@@ -217,7 +219,8 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
         result.addAll(KubernetesCommonHelper.createDecorators(project, OPENSHIFT, name, config,
                 metricsConfiguration, kubernetesClientConfiguration,
                 annotations, labels, image, command,
-                port, livenessPath, readinessPath, startupPath, roles, clusterRoles, serviceAccounts, roleBindings));
+                port, livenessPath, readinessPath, startupPath, roles, clusterRoles, serviceAccounts, roleBindings,
+                clusterRoleBindings));
 
         if (config.flavor == v3) {
             //Openshift 3.x doesn't recognize 'app.kubernetes.io/name', it uses 'app' instead.

extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/VanillaKubernetesProcessor.java

@@ -50,6 +50,7 @@
 import io.quarkus.kubernetes.spi.CustomProjectRootBuildItem;
 import io.quarkus.kubernetes.spi.DecoratorBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesAnnotationBuildItem;
+import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesCommandBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesDeploymentTargetBuildItem;
@@ -148,7 +149,9 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
             List<KubernetesRoleBuildItem> roles,
             List<KubernetesClusterRoleBuildItem> clusterRoles,
             List<KubernetesServiceAccountBuildItem> serviceAccounts,
-            List<KubernetesRoleBindingBuildItem> roleBindings, Optional<CustomProjectRootBuildItem> customProjectRoot,
+            List<KubernetesRoleBindingBuildItem> roleBindings,
+            List<KubernetesClusterRoleBindingBuildItem> clusterRoleBindings,
+            Optional<CustomProjectRootBuildItem> customProjectRoot,
             List<KubernetesDeploymentTargetBuildItem> targets) {
 
         final List<DecoratorBuildItem> result = new ArrayList<>();
@@ -164,7 +167,7 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
         result.addAll(KubernetesCommonHelper.createDecorators(project, KUBERNETES, name, config,
                 metricsConfiguration, kubernetesClientConfiguration, annotations, labels, image, command, port,
                 livenessPath, readinessPath, startupPath,
-                roles, clusterRoles, serviceAccounts, roleBindings));
+                roles, clusterRoles, serviceAccounts, roleBindings, clusterRoleBindings));
 
         DeploymentResourceKind deploymentKind = config.getDeploymentResourceKind(capabilities);
         if (deploymentKind != DeploymentResourceKind.Deployment) {