(feature): update cao to manage rolebindingrestriction CRD

Signed-off-by: Bryce Palmer <[email protected]>

Author: everettraven

Makefile

@@ -15,7 +15,7 @@ include $(addprefix ./vendor/github.com/openshift/build-machinery-go/make/, \
 #
 # Example:
 #   make check
-check: | verify test-unit
+check: | verify verify-bindata test-unit
 .PHONY: check
 
 IMAGE_REGISTRY?=registry.svc.ci.openshift.org
@@ -86,3 +86,16 @@ export TP_CMD_PATH ?=./cmd/authentication-operator
 export TP_CMD_ARGS ?=operator --config=/var/run/configmaps/config/operator-config.yaml --v=2 --terminate-on-files=/var/run/configmaps/trusted-ca-bundle/ca-bundle.crt
 export TP_LOCK_CONFIGMAP ?=cluster-authentication-operator-lock
 export TP_BUILD_FLAGS ?=-tags ocp
+
+# ensure the rolebindingrestriction CRD is included in bindata
+RBR_CRD_SOURCE := vendor/github.com/openshift/api/authorization/v1/zz_generated.crd-manifests/0000_03_config-operator_01_rolebindingrestrictions.crd.yaml
+RBR_CRD_TARGET := bindata/oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml
+update-bindata: $(RBR_CRD_TARGET)
+$(RBR_CRD_TARGET): $(RBR_CRD_SOURCE)
+	cp $< $@
+
+verify-bindata: verify-rbr-crd
+.PHONY: verify-bindata
+
+verify-rbr-crd:
+	diff -Naup $(RBR_CRD_SOURCE) $(RBR_CRD_TARGET)

bindata/oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml

@@ -0,0 +1,225 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/470
+    api.openshift.io/merged-by-featuregates: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/bootstrap-required: "true"
+  name: rolebindingrestrictions.authorization.openshift.io
+spec:
+  group: authorization.openshift.io
+  names:
+    kind: RoleBindingRestriction
+    listKind: RoleBindingRestrictionList
+    plural: rolebindingrestrictions
+    singular: rolebindingrestriction
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          RoleBindingRestriction is an object that can be matched against a subject
+          (user, group, or service account) to determine whether rolebindings on that
+          subject are allowed in the namespace to which the RoleBindingRestriction
+          belongs.  If any one of those RoleBindingRestriction objects matches
+          a subject, rolebindings on that subject in the namespace are allowed.
+
+          Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec defines the matcher.
+            properties:
+              grouprestriction:
+                description: grouprestriction matches against group subjects.
+                nullable: true
+                properties:
+                  groups:
+                    description: |-
+                      groups is a list of groups used to match against an individual user's
+                      groups. If the user is a member of one of the whitelisted groups, the user
+                      is allowed to be bound to a role.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  labels:
+                    description: Selectors specifies a list of label selectors over
+                      group labels.
+                    items:
+                      description: |-
+                        A label selector is a label query over a set of resources. The result of matchLabels and
+                        matchExpressions are ANDed. An empty label selector matches all objects. A null
+                        label selector matches no objects.
+                      properties:
+                        matchExpressions:
+                          description: matchExpressions is a list of label selector
+                            requirements. The requirements are ANDed.
+                          items:
+                            description: |-
+                              A label selector requirement is a selector that contains values, a key, and an operator that
+                              relates the key and values.
+                            properties:
+                              key:
+                                description: key is the label key that the selector
+                                  applies to.
+                                type: string
+                              operator:
+                                description: |-
+                                  operator represents a key's relationship to a set of values.
+                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                type: string
+                              values:
+                                description: |-
+                                  values is an array of string values. If the operator is In or NotIn,
+                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                  the values array must be empty. This array is replaced during a strategic
+                                  merge patch.
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            required:
+                            - key
+                            - operator
+                            type: object
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                      x-kubernetes-map-type: atomic
+                    nullable: true
+                    type: array
+                type: object
+              serviceaccountrestriction:
+                description: serviceaccountrestriction matches against service-account
+                  subjects.
+                nullable: true
+                properties:
+                  namespaces:
+                    description: namespaces specifies a list of literal namespace
+                      names.
+                    items:
+                      type: string
+                    type: array
+                  serviceaccounts:
+                    description: serviceaccounts specifies a list of literal service-account
+                      names.
+                    items:
+                      description: |-
+                        ServiceAccountReference specifies a service account and namespace by their
+                        names.
+                      properties:
+                        name:
+                          description: name is the name of the service account.
+                          type: string
+                        namespace:
+                          description: |-
+                            namespace is the namespace of the service account.  Service accounts from
+                            inside the whitelisted namespaces are allowed to be bound to roles.  If
+                            Namespace is empty, then the namespace of the RoleBindingRestriction in
+                            which the ServiceAccountReference is embedded is used.
+                          type: string
+                      type: object
+                    type: array
+                type: object
+              userrestriction:
+                description: userrestriction matches against user subjects.
+                nullable: true
+                properties:
+                  groups:
+                    description: groups specifies a list of literal group names.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  labels:
+                    description: Selectors specifies a list of label selectors over
+                      user labels.
+                    items:
+                      description: |-
+                        A label selector is a label query over a set of resources. The result of matchLabels and
+                        matchExpressions are ANDed. An empty label selector matches all objects. A null
+                        label selector matches no objects.
+                      properties:
+                        matchExpressions:
+                          description: matchExpressions is a list of label selector
+                            requirements. The requirements are ANDed.
+                          items:
+                            description: |-
+                              A label selector requirement is a selector that contains values, a key, and an operator that
+                              relates the key and values.
+                            properties:
+                              key:
+                                description: key is the label key that the selector
+                                  applies to.
+                                type: string
+                              operator:
+                                description: |-
+                                  operator represents a key's relationship to a set of values.
+                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                type: string
+                              values:
+                                description: |-
+                                  values is an array of string values. If the operator is In or NotIn,
+                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                  the values array must be empty. This array is replaced during a strategic
+                                  merge patch.
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            required:
+                            - key
+                            - operator
+                            type: object
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                      x-kubernetes-map-type: atomic
+                    nullable: true
+                    type: array
+                  users:
+                    description: users specifies a list of literal user names.
+                    items:
+                      type: string
+                    type: array
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/ghodss/yaml v1.0.0
 	github.com/google/go-cmp v0.6.0
-	github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f
+	github.com/openshift/api v0.0.0-20250108172834-78bd56dba39b
 	github.com/openshift/build-machinery-go v0.0.0-20241031155326-6ae126a9cb72
 	github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f
 	github.com/openshift/library-go v0.0.0-20241120135057-fc703a7407c9
@@ -17,6 +17,7 @@ require (
 	golang.org/x/net v0.29.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.31.1
+	k8s.io/apiextensions-apiserver v0.31.1
 	k8s.io/apimachinery v0.31.1
 	k8s.io/apiserver v0.31.1
 	k8s.io/cli-runtime v0.31.1
@@ -113,7 +114,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.31.1 // indirect
 	k8s.io/kms v0.31.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect

go.sum

@@ -148,8 +148,8 @@ github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA
 github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
 github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
 github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
-github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f h1:ya1OmyZm3LIIxI3U9VE9Nyx3ehCHgBwxyFUPflYPWls=
-github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
+github.com/openshift/api v0.0.0-20250108172834-78bd56dba39b h1:Nt4V9k5pyw2CiUL2L5IFlstvURf+12Z7uSzi/v30UpE=
+github.com/openshift/api v0.0.0-20250108172834-78bd56dba39b/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
 github.com/openshift/build-machinery-go v0.0.0-20241031155326-6ae126a9cb72 h1:kMM+Ea3YFrcoYS76RhhBA7uELy97JM0gwqnyoy7fxco=
 github.com/openshift/build-machinery-go v0.0.0-20241031155326-6ae126a9cb72/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f h1:FRc0bVNWprihWS0GqQWzb3dY4dkCwpOP3mDw5NwSoR4=

pkg/dependencymagnet/dependencymagnet.go

@@ -6,6 +6,7 @@
 package dependencymagnet
 
 import (
+	_ "github.com/openshift/api/authorization/v1/zz_generated.crd-manifests"
 	_ "github.com/openshift/api/operator/v1/zz_generated.crd-manifests"
 	_ "github.com/openshift/build-machinery-go"
 )

pkg/operator/replacement_starter.go

@@ -15,6 +15,8 @@ import (
 
 	apiregistrationclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 
+	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+
 	operatorv1 "github.com/openshift/api/operator/v1"
 	configclient "github.com/openshift/client-go/config/clientset/versioned"
 	configinformer "github.com/openshift/client-go/config/informers/externalversions"
@@ -50,6 +52,7 @@ type authenticationOperatorInput struct {
 	authenticationOperatorClient v1helpers.OperatorClient
 	apiregistrationv1Client      apiregistrationclient.Interface
 	migrationClient              kubemigratorclient.Interface
+	apiextensionClient           apiextensionsclient.Interface
 	eventRecorder                events.Recorder
 
 	informerFactories []libraryapplyconfiguration.SimplifiedInformerFactory
@@ -86,6 +89,10 @@ func CreateOperatorInputFromMOM(ctx context.Context, momInput libraryapplyconfig
 	if err != nil {
 		return nil, err
 	}
+	apiextensionClient, err := apiextensionsclient.NewForConfigAndClient(manifestclient.RecommendedRESTConfig(), momInput.MutationTrackingClient.GetHTTPClient())
+	if err != nil {
+		return nil, err
+	}
 
 	authenticationOperatorClient, dynamicInformers, err := genericoperatorclient.NewOperatorClientWithClient(
 		momInput.Clock,
@@ -128,6 +135,7 @@ func CreateOperatorInputFromMOM(ctx context.Context, momInput libraryapplyconfig
 		authenticationOperatorClient: authenticationOperatorClient,
 		apiregistrationv1Client:      apiregistrationv1Client,
 		migrationClient:              migrationClient,
+		apiextensionClient:           apiextensionClient,
 		eventRecorder:                eventRecorder,
 		informerFactories: []libraryapplyconfiguration.SimplifiedInformerFactory{
 			libraryapplyconfiguration.DynamicInformerFactoryAdapter(dynamicInformers), // we don't share the dynamic informers, but we only want to start when requested
@@ -164,6 +172,10 @@ func CreateControllerInputFromControllerContext(ctx context.Context, controllerC
 	if err != nil {
 		return nil, err
 	}
+	apiextensionsClient, err := apiextensionsclient.NewForConfig(controllerContext.KubeConfig)
+	if err != nil {
+		return nil, err
+	}
 
 	authenticationOperatorClient, dynamicInformers, err := genericoperatorclient.NewClusterScopedOperatorClient(
 		controllerContext.Clock,
@@ -198,6 +210,7 @@ func CreateControllerInputFromControllerContext(ctx context.Context, controllerC
 		authenticationOperatorClient: authenticationOperatorClient,
 		apiregistrationv1Client:      apiregistrationv1Client,
 		migrationClient:              migrationClient,
+		apiextensionClient:           apiextensionsClient,
 		eventRecorder:                eventRecorder,
 		informerFactories: []libraryapplyconfiguration.SimplifiedInformerFactory{
 			libraryapplyconfiguration.DynamicInformerFactoryAdapter(dynamicInformers), // we don't share the dynamic informers, but we only want to start when requested

pkg/operator/starter.go

@@ -100,7 +100,6 @@ func prepareOauthOperator(
 	resourceSyncController *resourcesynccontroller.ResourceSyncController,
 	versionRecorder status.VersionGetter,
 ) ([]libraryapplyconfiguration.NamedRunOnce, []libraryapplyconfiguration.RunFunc, error) {
-
 	clusterVersion, err := authOperatorInput.configClient.ConfigV1().ClusterVersions().Get(ctx, "version", metav1.GetOptions{})
 	if err != nil {
 		return nil, nil, err
@@ -142,8 +141,9 @@ func prepareOauthOperator(
 			"oauth-openshift/oauth-service.yaml",
 			"oauth-openshift/trust_distribution_role.yaml",
 			"oauth-openshift/trust_distribution_rolebinding.yaml",
+			"oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml",
 		},
-		resourceapply.NewKubeClientHolder(authOperatorInput.kubeClient),
+		resourceapply.NewKubeClientHolder(authOperatorInput.kubeClient).WithAPIExtensionsClient(authOperatorInput.apiextensionClient),
 		authOperatorInput.authenticationOperatorClient,
 		authOperatorInput.eventRecorder,
 	).AddKubeInformers(informerFactories.kubeInformersForNamespaces)
@@ -580,7 +580,6 @@ func prepareOauthAPIServerOperator(
 		WithoutLogLevelController().
 		WithoutConfigUpgradableController().
 		PrepareRun()
-
 	if err != nil {
 		return nil, nil, err
 	}
@@ -680,7 +679,7 @@ func singleNameListOptions(name string) func(opts *metav1.ListOptions) {
 }
 
 func apiServices() []*apiregistrationv1.APIService {
-	var apiServiceGroupVersions = []schema.GroupVersion{
+	apiServiceGroupVersions := []schema.GroupVersion{
 		// these are all the apigroups we manage
 		{Group: "oauth.openshift.io", Version: "v1"},
 		{Group: "user.openshift.io", Version: "v1"},