Support extra parameters in the templates

cybozu-go · May 17, 2024 · 315d6d6 · 315d6d6
1 parent b4b552c
commit 315d6d6
Show file tree

Hide file tree

Showing 8 changed files with 69 additions and 14 deletions.
diff --git a/api/v1beta1/tenant_types.go b/api/v1beta1/tenant_types.go
@@ -23,6 +23,10 @@ type TenantSpec struct {
 	// If not specified, the default controller is used.
 	// +optional
 	ControllerName string `json:"controllerName,omitempty"`
+
+	// ExtraParams is a map of extra parameters that can be used in the templates.
+	// +optional
+	ExtraParams map[string]string `json:"extraParams,omitempty"`
 }
 
 // RootNamespaceSpec defines the desired state of Namespace.

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/charts/cattage/crds/tenant.yaml b/charts/cattage/crds/tenant.yaml
@@ -77,6 +77,11 @@ spec:
                       - roles
                     type: object
                   type: array
+                extraParams:
+                  additionalProperties:
+                    type: string
+                  description: ExtraParams is a map of extra parameters that can be used in the templates.
+                  type: object
                 rootNamespaces:
                   description: RootNamespaces are the list of root namespaces that belong to this tenant.
                   items:

diff --git a/config/crd/bases/cattage.cybozu.io_tenants.yaml b/config/crd/bases/cattage.cybozu.io_tenants.yaml
@@ -79,6 +79,12 @@ spec:
                   - roles
                   type: object
                 type: array
+              extraParams:
+                additionalProperties:
+                  type: string
+                description: ExtraParams is a map of extra parameters that can be
+                  used in the templates.
+                type: object
               rootNamespaces:
                 description: RootNamespaces are the list of root namespaces that belong
                   to this tenant.

diff --git a/config/manager/configmap.yaml b/config/manager/configmap.yaml
@@ -25,9 +25,9 @@ data:
           {{- range .Roles.admin }}
           - apiGroup: rbac.authorization.k8s.io
             kind: Group
-            name: {{ . }}
+            name: {{ .Name }}
           - kind: ServiceAccount
-            name: node-{{ . }}
+            name: node-{{ .Name }}
             namespace: teleport
           {{- end }}
     argocd:
@@ -48,9 +48,9 @@ data:
               kind: LimitRange
           roles:
             - groups:
-                - cybozu-go:{{ .Name }}
+                - cybozu-go:{{with .Extras.GitHubTeam}}{{ . }}{{else}}{{ .Name }}{{end}}
                 {{- range .Roles.admin }}
-                - cybozu-go:{{ . }}
+                - cybozu-go:{{with .Extras.GitHubTeam}}{{ . }}{{else}}{{ .Name }}{{end}}
                 {{- end }}
               name: admin
               policies:

diff --git a/config/samples/tenant.yaml b/config/samples/tenant.yaml
@@ -6,6 +6,8 @@ spec:
   rootNamespaces:
     - name: app-a
   controllerName: second
+  extraParams:
+    GitHubTeam: a-team-gh
 ---
 apiVersion: cattage.cybozu.io/v1beta1
 kind: Tenant
@@ -21,3 +23,5 @@ spec:
     - name: a-team
       roles:
         - admin
+  extraParams:
+    GitHubTeam: b-team-gh
diff --git a/controllers/tenant_controller.go b/controllers/tenant_controller.go
@@ -354,15 +354,23 @@ func (r *TenantReconciler) patchRoleBinding(ctx context.Context, rb *acrbacv1.Ro
 	})
 }
 
-func rolesMap(delegates []cattagev1beta1.DelegateSpec) map[string][]string {
-	result := make(map[string][]string)
+func (r *TenantReconciler) rolesMap(ctx context.Context, delegates []cattagev1beta1.DelegateSpec) (map[string][]Role, error) {
+	result := make(map[string][]Role)
 
 	for _, d := range delegates {
 		for _, role := range d.Roles {
-			result[role] = append(result[role], d.Name)
+			delegatedTenant := &cattagev1beta1.Tenant{}
+			err := r.client.Get(ctx, client.ObjectKey{Name: d.Name}, delegatedTenant)
+			if err != nil {
+				return nil, err
+			}
+			result[role] = append(result[role], Role{
+				Name:   delegatedTenant.Name,
+				Extras: delegatedTenant.Spec.ExtraParams,
+			})
 		}
 	}
-	return result
+	return result, nil
 }
 
 func (r *TenantReconciler) reconcileNamespaces(ctx context.Context, tenant *cattagev1beta1.Tenant) error {
@@ -395,13 +403,20 @@ func (r *TenantReconciler) reconcileNamespaces(ctx context.Context, tenant *catt
 		if err != nil {
 			return err
 		}
+		roles, err := r.rolesMap(ctx, tenant.Spec.Delegates)
+		if err != nil {
+			return err
+		}
+
 		var buf bytes.Buffer
 		err = tpl.Execute(&buf, struct {
-			Name  string
-			Roles map[string][]string
+			Name   string
+			Roles  map[string][]Role
+			Extras map[string]string
 		}{
-			Name:  tenant.Name,
-			Roles: rolesMap(tenant.Spec.Delegates),
+			Name:   tenant.Name,
+			Roles:  roles,
+			Extras: tenant.Spec.ExtraParams,
 		})
 		if err != nil {
 			return err
@@ -445,6 +460,11 @@ func (r *TenantReconciler) reconcileNamespaces(ctx context.Context, tenant *catt
 	return nil
 }
 
+type Role struct {
+	Name   string
+	Extras map[string]string
+}
+
 func (r *TenantReconciler) reconcileArgoCD(ctx context.Context, tenant *cattagev1beta1.Tenant) error {
 	logger := log.FromContext(ctx)
 
@@ -469,17 +489,24 @@ func (r *TenantReconciler) reconcileArgoCD(ctx context.Context, tenant *cattagev
 		return err
 	}
 
+	roles, err := r.rolesMap(ctx, tenant.Spec.Delegates)
+	if err != nil {
+		return err
+	}
+
 	var buf bytes.Buffer
 	err = tpl.Execute(&buf, struct {
 		Name         string
 		Namespaces   []string
-		Roles        map[string][]string
+		Roles        map[string][]Role
 		Repositories []string
+		Extras       map[string]string
 	}{
 		Name:         tenant.Name,
 		Namespaces:   namespaces,
-		Roles:        rolesMap(tenant.Spec.Delegates),
+		Roles:        roles,
 		Repositories: tenant.Spec.ArgoCD.Repositories,
+		Extras:       tenant.Spec.ExtraParams,
 	})
 	if err != nil {
 		return err
@@ -489,6 +516,7 @@ func (r *TenantReconciler) reconcileArgoCD(ctx context.Context, tenant *cattagev
 	dec := yaml.NewDecodingSerializer(unstructured.UnstructuredJSONScheme)
 	_, _, err = dec.Decode(buf.Bytes(), nil, proj)
 	if err != nil {
+		logger.Error(err, "failed to decode", "yaml", buf.String())
 		return err
 	}
 

diff --git a/docs/crd_tenant.md b/docs/crd_tenant.md
@@ -78,6 +78,7 @@ TenantSpec defines the desired state of Tenant.
 | argocd | ArgoCD is the settings of Argo CD for this tenant. | [ArgoCDSpec](#argocdspec) | false |
 | delegates | Delegates is a list of other tenants that are delegated access to this tenant. | [][DelegateSpec](#delegatespec) | false |
 | controllerName | ControllerName is the name of the application-controller that manages this tenant's applications. If not specified, the default controller is used. | string | false |
+| extraParams | ExtraParams is a map of extra parameters that can be used in the templates. | map[string]string | false |
 
 [Back to Custom Resources](#custom-resources)