Tests for aggregated cluster roles

Author: Priyashetty17

actions/go.mod

@@ -59,7 +59,7 @@ replace (
 
 require (
 	github.com/rancher/rancher/pkg/apis v0.0.0
-	github.com/rancher/shepherd v0.0.0-20251003203259-669abb78af51
+	github.com/rancher/shepherd v0.0.0-20251015044355-8c54bf0aaf31
 	github.com/rancher/tfp-automation v0.0.0-20251016221424-5aafbe545b8e
 )
 
@@ -174,7 +174,7 @@ require (
 	github.com/rancher/aks-operator v1.12.1 // indirect
 	github.com/rancher/apiserver v0.7.0 // indirect
 	github.com/rancher/eks-operator v1.12.1 // indirect
-	github.com/rancher/fleet/pkg/apis v0.13.0 // indirect
+	github.com/rancher/fleet/pkg/apis v0.14.0-alpha.3 // indirect
 	github.com/rancher/gke-operator v1.12.1 // indirect
 	github.com/rancher/lasso v0.2.3 // indirect
 	github.com/rancher/rke v1.8.0-rc.4 // indirect

actions/go.sum

@@ -248,8 +248,8 @@ github.com/rancher/apiserver v0.7.0 h1:8N9XQXurELdZ3nfU5WKwgwDcYOoixNfpdpMbLZ4rr
 github.com/rancher/apiserver v0.7.0/go.mod h1:9b/n58YT7S8bMFEyr1v7xzL72qwZKQQJK2Ir6lMT8Yk=
 github.com/rancher/eks-operator v1.12.1 h1:ZsaDyQa1Ykrf9b1Ux11DICIV4JXRy14kWKqE0JfAZg0=
 github.com/rancher/eks-operator v1.12.1/go.mod h1:3hz8e7XqekMw/76TShanMS/iMBcQoom2j7/B9nyKbVQ=
-github.com/rancher/fleet/pkg/apis v0.13.0 h1:soXF3cKWD9sMRcX5OlVnOY8aoPr+/FF8DP/zZtLLe3g=
-github.com/rancher/fleet/pkg/apis v0.13.0/go.mod h1:LpFIRtWNJe6Tf4EGJ/brPtutyTUlFj2hJDso1/5CO7Y=
+github.com/rancher/fleet/pkg/apis v0.14.0-alpha.3 h1:SCy+VCww6APf8n9x31sPi/cE6ji9A+uRmS7Qe7I5dVw=
+github.com/rancher/fleet/pkg/apis v0.14.0-alpha.3/go.mod h1:l+30BByeNBbo0AF94+pYW4q/g9U2oM0UkQuriR0bOD4=
 github.com/rancher/gke-operator v1.12.1 h1:zH2DEQsea+kG61cN0+1NWDQp0FyN28o2XIm5ieRLCKU=
 github.com/rancher/gke-operator v1.12.1/go.mod h1:TbOTInXvdC1fPAxj2BHlRIh2j7ezTVQ7eIJW+udz5Xg=
 github.com/rancher/lasso v0.2.3 h1:74/z/C/O3ykhyMrRuEgc9kVyYiSoS7kp5BAijlcyXDg=
@@ -262,8 +262,8 @@ github.com/rancher/rancher/pkg/apis v0.0.0-20250806201723-9a7af3779b9d h1:TZd6Wp
 github.com/rancher/rancher/pkg/apis v0.0.0-20250806201723-9a7af3779b9d/go.mod h1:IhaOGqACWRoyF+xXpd5CvGt02XeJyDdOC8W3Rdz1cW0=
 github.com/rancher/rke v1.8.0-rc.4 h1:jowVyaF3LsJonC7vNsAwWf3MONHAtEFUD/j3UzNSE5U=
 github.com/rancher/rke v1.8.0-rc.4/go.mod h1:x9N1abruzDFMwTpqq2cnaDYpKCptlNoW8VraNWB6Pc4=
-github.com/rancher/shepherd v0.0.0-20251003203259-669abb78af51 h1:xi4qsdR2UtySDvU3eNk5kbtbCIf7A4oiCmOCGo/KIfM=
-github.com/rancher/shepherd v0.0.0-20251003203259-669abb78af51/go.mod h1:BdEW/H1ZkLUn3/A/73pacOSfgh9nn5ITjg5qj02CyS4=
+github.com/rancher/shepherd v0.0.0-20251015044355-8c54bf0aaf31 h1:CKxEoFWtmB9tzsDuFDwaOCJm9CxnzBqHEc58xTEUH1w=
+github.com/rancher/shepherd v0.0.0-20251015044355-8c54bf0aaf31/go.mod h1:wZ6Oe7Aa9aam77+4t3lBiixw9JpTTaYQ+Adfi0ICcqQ=
 github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20250710162344-185ff9f785cd h1:M3oVcVktMhNk8l3ZRW94kroqzWzE/VGbZfLw/F0rw5Y=
 github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20250710162344-185ff9f785cd/go.mod h1:VfRrgue4yl6O0GYakMGYgyByu7ySooPQWWRxTt2MIEI=
 github.com/rancher/tfp-automation v0.0.0-20251016221424-5aafbe545b8e h1:4XpRPzt0C9oB0LsFaC0BoBSR16vp1GSLiZPoJR4KHVs=

actions/projects/projects.go

@@ -196,8 +196,13 @@ func WaitForProjectIDUpdate(client *rancher.Client, clusterID, projectName, name
 		projectsapi.ProjectIDAnnotation: projectName,
 	}
 
-	err := kwait.PollUntilContextTimeout(context.Background(), defaults.FiveSecondTimeout, defaults.OneMinuteTimeout, false, func(ctx context.Context) (done bool, pollErr error) {
-		namespace, pollErr := namespaces.GetNamespaceByName(client, clusterID, namespaceName)
+	downstreamContext, err := clusterapi.GetClusterWranglerContext(client, clusterID)
+	if err != nil {
+		return err
+	}
+
+	err = kwait.PollUntilContextTimeout(context.Background(), defaults.FiveSecondTimeout, defaults.OneMinuteTimeout, false, func(ctx context.Context) (done bool, pollErr error) {
+		namespace, pollErr := downstreamContext.Core.Namespace().Get(namespaceName, metav1.GetOptions{})
 		if pollErr != nil {
 			return false, pollErr
 		}

actions/rbac/rbac.go

@@ -27,56 +27,98 @@ import (
 type Role string
 
 const (
-	Admin                       Role = "admin"
-	BaseUser                    Role = "user-base"
-	StandardUser                Role = "user"
-	ClusterOwner                Role = "cluster-owner"
-	ClusterMember               Role = "cluster-member"
-	ProjectOwner                Role = "project-owner"
-	ProjectMember               Role = "project-member"
-	CreateNS                    Role = "create-ns"
-	ReadOnly                    Role = "read-only"
-	CustomManageProjectMember   Role = "projectroletemplatebindings-manage"
-	CrtbView                    Role = "clusterroletemplatebindings-view"
-	PrtbView                    Role = "projectroletemplatebindings-view"
-	ProjectsCreate              Role = "projects-create"
-	ProjectsView                Role = "projects-view"
-	ManageWorkloads             Role = "workloads-manage"
-	ActiveStatus                     = "active"
-	ForbiddenError                   = "403 Forbidden"
-	RancherDeploymentNamespace       = "cattle-system"
-	DefaultNamespace                 = "fleet-default"
-	RancherDeploymentName            = "rancher"
-	CattleResyncEnvVarName           = "CATTLE_RESYNC_DEFAULT"
-	LocalCluster                     = "local"
-	UserKind                         = "User"
-	ImageName                        = "nginx"
-	ManageUsersVerb                  = "manage-users"
-	UpdatePsaVerb                    = "updatepsa"
-	ManagementAPIGroup               = "management.cattle.io"
-	UsersResource                    = "users"
-	UserAttributeResource            = "userattribute"
-	GroupsResource                   = "groups"
-	GroupMembersResource             = "groupmembers"
-	ProjectResource                  = "projects"
-	PrtbResource                     = "projectroletemplatebindings"
-	SecretsResource                  = "secrets"
-	ClusterContext                   = "cluster"
-	ProjectContext                   = "project"
-	GrbOwnerLabel                    = "authz.management.cattle.io/grb-owner"
-	GlobalDataNS                     = "cattle-global-data"
-	MembershipBindingOwnerLabel      = "membership-binding-owner"
-	PSALabelKey                      = "pod-security.kubernetes.io/"
-	PSAEnforceLabelKey               = "pod-security.kubernetes.io/enforce"
-	PSAWarnLabelKey                  = "pod-security.kubernetes.io/warn"
-	PSAAuditLabelKey                 = "pod-security.kubernetes.io/audit"
-	PSAPrivilegedPolicy              = "privileged"
-	PSABaselinePolicy                = "baseline"
-	PSARestrictedPolicy              = "restricted"
-	PSAEnforceVersionLabelKey        = "pod-security.kubernetes.io/enforce-version"
-	PSAWarnVersionLabelKey           = "pod-security.kubernetes.io/warn-version"
-	PSAAuditVersionLabelKey          = "pod-security.kubernetes.io/audit-version"
-	PSALatestValue                   = "latest"
+	Admin                         Role = "admin"
+	BaseUser                      Role = "user-base"
+	StandardUser                  Role = "user"
+	ClusterOwner                  Role = "cluster-owner"
+	ClusterMember                 Role = "cluster-member"
+	ProjectOwner                  Role = "project-owner"
+	ProjectMember                 Role = "project-member"
+	CreateNS                      Role = "create-ns"
+	ReadOnly                      Role = "read-only"
+	CustomManageProjectMember     Role = "projectroletemplatebindings-manage"
+	CrtbView                      Role = "clusterroletemplatebindings-view"
+	PrtbView                      Role = "projectroletemplatebindings-view"
+	ProjectsCreate                Role = "projects-create"
+	ProjectsView                  Role = "projects-view"
+	ManageWorkloads               Role = "workloads-manage"
+	ActiveStatus                       = "active"
+	ForbiddenError                     = "403 Forbidden"
+	RancherDeploymentNamespace         = "cattle-system"
+	DefaultNamespace                   = "fleet-default"
+	RancherDeploymentName              = "rancher"
+	CattleResyncEnvVarName             = "CATTLE_RESYNC_DEFAULT"
+	LocalCluster                       = "local"
+	UserKind                           = "User"
+	ImageName                          = "nginx"
+	ManageUsersVerb                    = "manage-users"
+	UpdatePsaVerb                      = "updatepsa"
+	ManagementAPIGroup                 = "management.cattle.io"
+	UsersResource                      = "users"
+	UserAttributeResource              = "userattribute"
+	GroupsResource                     = "groups"
+	GroupMembersResource               = "groupmembers"
+	ProjectResource                    = "projects"
+	PrtbResource                       = "projectroletemplatebindings"
+	SecretsResource                    = "secrets"
+	ClusterContext                     = "cluster"
+	ProjectContext                     = "project"
+	GrbOwnerLabel                      = "authz.management.cattle.io/grb-owner"
+	GlobalDataNS                       = "cattle-global-data"
+	MembershipBindingOwnerLabel        = "membership-binding-owner"
+	PSALabelKey                        = "pod-security.kubernetes.io/"
+	PSAEnforceLabelKey                 = "pod-security.kubernetes.io/enforce"
+	PSAWarnLabelKey                    = "pod-security.kubernetes.io/warn"
+	PSAAuditLabelKey                   = "pod-security.kubernetes.io/audit"
+	PSAPrivilegedPolicy                = "privileged"
+	PSABaselinePolicy                  = "baseline"
+	PSARestrictedPolicy                = "restricted"
+	PSAEnforceVersionLabelKey          = "pod-security.kubernetes.io/enforce-version"
+	PSAWarnVersionLabelKey             = "pod-security.kubernetes.io/warn-version"
+	PSAAuditVersionLabelKey            = "pod-security.kubernetes.io/audit-version"
+	PSALatestValue                     = "latest"
+	RkeCattleAPIGroup                  = "rke.cattle.io"
+	ProjectCattleAPIGroup              = "project.cattle.io"
+	AppsAPIGroup                       = "apps"
+	CrtbOwnerLabel                     = "authz.cluster.cattle.io/crtb-owner"
+	PrtbOwnerLabel                     = "authz.cluster.cattle.io/prtb-owner"
+	ClusterNameAnnotationKey           = "cluster.cattle.io/name"
+	RegularResourceAggregator          = "-aggregator"
+	ClusterMgmtResourceAggregator      = "-cluster-mgmt-aggregator"
+	ProjectMgmtResourceAggregator      = "-project-mgmt-aggregator"
+	ClusterMgmtResource                = "-cluster-mgmt"
+	ProjectMgmtResource                = "-project-mgmt"
+)
+
+var (
+	ClusterMgmtResources = map[string]string{
+		"clusterscans":                ManagementAPIGroup,
+		"clusterregistrationtokens":   ManagementAPIGroup,
+		"clusterroletemplatebindings": ManagementAPIGroup,
+		"etcdbackups":                 ManagementAPIGroup,
+		"nodes":                       ManagementAPIGroup,
+		"nodepools":                   ManagementAPIGroup,
+		"projects":                    ManagementAPIGroup,
+		"etcdsnapshots":               RkeCattleAPIGroup,
+	}
+
+	ProjectMgmtResources = map[string]string{
+		"sourcecodeproviderconfigs":   ProjectCattleAPIGroup,
+		"projectroletemplatebindings": ManagementAPIGroup,
+		"secrets":                     "",
+	}
+
+	PolicyRules = map[string][]rbacv1.PolicyRule{
+		"readProjects":    definePolicyRules([]string{"get", "list"}, []string{"projects"}, []string{ManagementAPIGroup}),
+		"editProjects":    definePolicyRules([]string{"create", "update", "patch"}, []string{"projects"}, []string{ManagementAPIGroup}),
+		"manageProjects":  definePolicyRules([]string{"create", "update", "patch", "delete"}, []string{"projects"}, []string{ManagementAPIGroup}),
+		"readPrtbs":       definePolicyRules([]string{"get", "list"}, []string{"projectroletemplatebindings"}, []string{ManagementAPIGroup}),
+		"updatePrtbs":     definePolicyRules([]string{"update", "patch"}, []string{"projectroletemplatebindings"}, []string{ManagementAPIGroup}),
+		"readDeployments": definePolicyRules([]string{"get", "list"}, []string{"deployments"}, []string{AppsAPIGroup}),
+		"readPods":        definePolicyRules([]string{"get", "list"}, []string{"pods"}, []string{""}),
+		"readNamespaces":  definePolicyRules([]string{"get", "list"}, []string{"namespaces"}, []string{""}),
+		"readSecrets":     definePolicyRules([]string{"get", "list"}, []string{"secrets"}, []string{""}),
+	}
 )
 
 func (r Role) String() string {
@@ -761,3 +803,91 @@ func CreateGroupProjectRoleTemplateBinding(client *rancher.Client, projectID str
 
 	return prtb, nil
 }
+
+// DeleteClusterRoleTemplateBinding deletes the cluster role template binding using wrangler context
+func DeleteClusterRoleTemplateBinding(client *rancher.Client, crtbNamespace, crtbName string) error {
+	err := client.WranglerContext.Mgmt.ClusterRoleTemplateBinding().Delete(crtbNamespace, crtbName, &metav1.DeleteOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to delete ClusterRoleTemplateBinding %s: %w", crtbName, err)
+	}
+
+	err = kwait.PollUntilContextTimeout(context.TODO(), defaults.FiveHundredMillisecondTimeout, defaults.OneMinuteTimeout, false, func(ctx context.Context) (done bool, err error) {
+		_, err = client.WranglerContext.Mgmt.ClusterRoleTemplateBinding().Get(crtbNamespace, crtbName, metav1.GetOptions{})
+
+		if apierrors.IsNotFound(err) {
+			return true, nil
+		}
+
+		if err != nil {
+			return false, fmt.Errorf("error checking CRTB deletion status: %w", err)
+		}
+
+		return false, nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("timed out waiting for ClusterRoleTemplateBinding %s to be deleted: %w", crtbName, err)
+	}
+
+	return nil
+}
+
+// DeleteProjectRoleTemplateBinding deletes the project role template binding using wrangler context
+func DeleteProjectRoleTemplateBinding(client *rancher.Client, prtbNamespace, prtbName string) error {
+	err := client.WranglerContext.Mgmt.ProjectRoleTemplateBinding().Delete(prtbNamespace, prtbName, &metav1.DeleteOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to delete ProjectRoleTemplateBinding %s: %w", prtbName, err)
+	}
+
+	err = kwait.PollUntilContextTimeout(context.TODO(), defaults.FiveHundredMillisecondTimeout, defaults.OneMinuteTimeout, false, func(ctx context.Context) (done bool, err error) {
+		_, err = client.WranglerContext.Mgmt.ProjectRoleTemplateBinding().Get(prtbNamespace, prtbName, metav1.GetOptions{})
+
+		if apierrors.IsNotFound(err) {
+			return true, nil
+		}
+
+		if err != nil {
+			return false, fmt.Errorf("error checking PRTB deletion status: %w", err)
+		}
+
+		return false, nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("timed out waiting for ProjectRoleTemplateBinding %s to be deleted: %w", prtbName, err)
+	}
+
+	return nil
+}
+
+// UpdateRoleTemplateInheritance updates the inheritance of a role template using wrangler context
+func UpdateRoleTemplateInheritance(client *rancher.Client, roleTemplateName string, inheritedRoles []*v3.RoleTemplate) (*v3.RoleTemplate, error) {
+	var roleTemplateNames []string
+	for _, inheritedRole := range inheritedRoles {
+		if inheritedRole != nil {
+			roleTemplateNames = append(roleTemplateNames, inheritedRole.Name)
+		}
+	}
+
+	existingRoleTemplate, err := GetRoleTemplateByName(client, roleTemplateName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get existing RoleTemplate: %w", err)
+	}
+
+	existingRoleTemplate.RoleTemplateNames = roleTemplateNames
+
+	updatedRoleTemplate, err := client.WranglerContext.Mgmt.RoleTemplate().Update(existingRoleTemplate)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update RoleTemplate inheritance: %w", err)
+	}
+
+	return GetRoleTemplateByName(client, updatedRoleTemplate.Name)
+}
+
+func definePolicyRules(verbs, resources, apiGroups []string) []rbacv1.PolicyRule {
+	return []rbacv1.PolicyRule{{
+		Verbs:     verbs,
+		Resources: resources,
+		APIGroups: apiGroups,
+	}}
+}