
Commit b04bf61

authored
feat: Update username impersonalization for creation projects and install resources index policies (#186)
This updates the impersonation username used when creating a personal project and skips (with a requeue) project creation until the user's registration is approved. Additionally, it adds the installation of resource index policies. Related to: datum-cloud/enhancements#524
2 parents 96b81f8 + 3f9089a commit b04bf61

4 files changed

Lines changed: 47 additions & 1 deletion


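--- a/config/services/kustomization.yaml
+++ b/config/services/kustomization.yaml
@@ -12,3 +12,4 @@ components:
 - resourcemanager.miloapis.com/
 - iam.miloapis.com/
 - dns.networking.miloapis.com/
+- search.miloapis.com/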
Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
apiVersion: kustomize.config.k8s.io/v1alpha1
2+
kind: Component
3+
4+
resources:
5+
- user-resourceindexpolicy.yaml
6+
7+
# Use explicit sorting options so we can guarantee order in which resources are
8+
# applied.
9+
sortOptions:
10+
order: fifo
11+
12+
labels:
13+
- includeSelectors: true
14+
pairs:
15+
app.kubernetes.io/component: search-miloapis-com
16+
app.kubernetes.io/part-of: datum-cloud
Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
apiVersion: search.miloapis.com/v1alpha1
2+
kind: ResourceIndexPolicy
3+
metadata:
4+
name: user-resource-index-policy
5+
spec:
6+
conditions:
7+
- expression: has(metadata.name)
8+
name: has-name
9+
fields:
10+
- path: .metadata.name
11+
searchable: true
12+
- path: .spec.email
13+
searchable: true
14+
- path: .spec.firstName
15+
searchable: true
16+
- path: .spec.lastName
17+
searchable: true
18+
targetResource:
19+
group: iam.miloapis.com
20+
kind: User
21+
version: v1alpha1
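Review bot: The policy marks `.spec.email`, `.spec.firstName` and `.spec.lastName` of every `iam.miloapis.com/User` as searchable, which places user PII into the search index, and nothing in this file restricts who may query that index. The `has-name` condition, `expression: has(metadata.name)`, is true for every persisted object, so it does not narrow the set of indexed users; if only approved users are meant to be discoverable, the condition presumably needs to test the registration approval state instead — confirm against the ResourceIndexPolicy expression environment. I would add a comment above `fields:` such as `# email/firstName/lastName are PII: read access to the search index must be enforced by the search API's authorization, not by this policy.`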

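--- a/internal/controller/resourcemanager/personal_organization_controller.go
+++ b/internal/controller/resourcemanager/personal_organization_controller.go
@@ -7,6 +7,7 @@ import (
 "encoding/hex"
 "fmt"
 "hash/fnv"
+"time"
 
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -129,6 +130,13 @@ func (r *PersonalOrganizationController) Reconcile(ctx context.Context, req ctrl
 return ctrl.Result{}, fmt.Errorf("failed to create or update organization membership: %w", err)
 }
 
+// If the user is not active, we should not create a personal project,
+// as the impersonated client will not have the correct permissions.
+if user.Status.RegistrationApproval != iamv1alpha1.RegistrationApprovalStateApproved {
+logger.Info("User is not active, skipping personal project creation", "user", user.Name, "state", user.Status.State)
+return ctrl.Result{RequeueAfter: 5 * time.Second}, nil
+}
+
 // Create a default personal project in the personal organization.
 personalProjectID := hashPersonalOrgName(string(user.UID))
 personalProject := &resourcemanagerv1alpha1.Project{
@@ -153,7 +161,7 @@ func (r *PersonalOrganizationController) Reconcile(ctx context.Context, req ctrl
 // sees the correct identity and creates the right PolicyBinding.
 impersonatedConfig := rest.CopyConfig(r.RestConfig)
 impersonatedConfig.Impersonate = rest.ImpersonationConfig{
-UserName: user.Name,
+UserName: user.Spec.Email,
 UID:      user.Name,
 Groups:   []string{"system:authenticated"},
 Extra: map[string][]string{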
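Review bot: `UserName: user.Spec.Email` is now the identity the impersonated client acts as, but the hunk does not check that the email is non-empty, so a User with a blank `spec.email` would issue the project creation with an empty impersonated username and the PolicyBinding referenced in the comment above would be bound to the wrong subject. I would fail fast before building the config: `if user.Spec.Email == "" { return ctrl.Result{}, fmt.Errorf("user %q has no spec.email to impersonate", user.Name) }`. The new approval gate compares `user.Status.RegistrationApproval` but the log line reports `user.Status.State`; logging the field that was actually checked, `"registrationApproval", user.Status.RegistrationApproval`, keeps the message honest. The 5s `RequeueAfter` polls every unapproved user indefinitely; if this controller already watches User objects, returning `ctrl.Result{}, nil` and letting the status update trigger the next reconcile would avoid the constant requeue. Reconcile's body starts and ends outside these hunks.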
