
Commit c907acf

committed
Add script to validate RBAC resourceNames
Signed-off-by: chiragkyal <ckyal@redhat.com>
1 parent 127a47e commit c907acf

2 files changed

Lines changed: 161 additions & 1 deletion


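--- a/Makefile
+++ b/Makefile
@@ -118,6 +118,10 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
+.PHONY: validate-rbac
+validate-rbac: ## Validate that RBAC resourceNames in kubebuilder annotations match actual resource names.
+./hack/validate-rbac-resourcenames.sh
+
 .PHONY: fmt
 fmt: ## Run go fmt against code.
 go fmt ./...
@@ -370,7 +374,7 @@ catalog-push: ## Push a catalog image.
 
 ## verify the changes are working as expected.
 .PHONY: verify
-verify: vet fmt golangci-lint verify-bindata verify-bindata-assets verify-generated
+verify: vet fmt golangci-lint verify-bindata verify-bindata-assets verify-generated validate-rbac
 
 ## update the relevant data based on new changes.
 .PHONY: update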
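--- /dev/null
+++ b/hack/validate-rbac-resourcenames.sh
@@ -0,0 +1,156 @@
+#!/bin/bash
+
+# validate-rbac-resourcenames.sh
+# This script validates that the resourceNames in kubebuilder RBAC annotations
+# match the actual resource names defined in the assets.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+# extract resourceNames from kubebuilder annotations
+extract_kubebuilder_resourcenames() {
+local resource_type="$1"
+grep -E "^\s*//\s*\+kubebuilder:rbac:.*resources=${resource_type}.*resourceNames=" \
+"${PROJECT_ROOT}/pkg/controller/external_secrets/controller.go" | \
+sed -E 's/.*resourceNames=([^,]*).*/\1/' | \
+tr ';' '\n' | sort -u
+}
+
+# extract actual resource names from assets
+extract_asset_names() {
+local pattern="$1"
+find "${PROJECT_ROOT}/bindata/external-secrets/resources" "${PROJECT_ROOT}/bindata/external-secrets" -name "*.yml" -exec grep -l "kind: ${pattern}" {} \; 2>/dev/null | \
+xargs grep -h "^ name:" | \
+awk '{print $2}' | sort -u
+}
+
+# extract CRD names from assets
+extract_crd_names() {
+# Get CRDs from config/crd/bases
+local crd_names=""
+if [[ -d "${PROJECT_ROOT}/config/crd/bases" ]]; then
+crd_names=$(find "${PROJECT_ROOT}/config/crd/bases" -name "*.yml" -o -name "*.yaml" 2>/dev/null | \
+xargs grep -l "kind: CustomResourceDefinition" 2>/dev/null | \
+xargs grep -h "^ name:" 2>/dev/null | \
+awk '{print $2}')
+fi
+echo "${crd_names}" | grep -v "^$" | sort -u
+}
+
+# compare kubebuilder resourceNames with actual resources
+compare_resources() {
+local resource_display_name="$1"
+local kubebuilder_resources="$2"
+local actual_resources="$3"
+
+echo "Kubebuilder resourceNames:"
+echo "${kubebuilder_resources}" | sed 's/^/ - /'
+echo
+echo "Actual ${resource_display_name} names:"
+echo "${actual_resources}" | sed 's/^/ - /'
+echo
+
+# Compare - find missing and extra resources
+local missing_in_kb
+missing_in_kb=$(comm -23 <(echo "${actual_resources}") <(echo "${kubebuilder_resources}"))
+
+local extra_in_kb
+extra_in_kb=$(comm -13 <(echo "${actual_resources}") <(echo "${kubebuilder_resources}"))
+
+local has_errors=false
+
+if [[ -n "${missing_in_kb}" ]]; then
+echo "Missing in kubebuilder annotations:"
+echo "${missing_in_kb}" | sed 's/^/ /'
+has_errors=true
+fi
+
+if [[ -n "${extra_in_kb}" ]]; then
+echo "Extra in kubebuilder annotations (might be outdated):"
+echo "${extra_in_kb}" | sed 's/^/ /'
+fi
+
+if [[ "$has_errors" == "false" ]]; then
+echo "${resource_display_name} validation passed"
+return 0
+else
+return 1
+fi
+}
+
+# Generic validation function
+validate_resource_type() {
+local resource_display_name="$1"
+local kubebuilder_resource_type="$2"
+local asset_kind="$3"
+local extract_func="$4"
+
+echo "Validating ${resource_display_name}..."
+
+# Extract from kubebuilder annotations
+local kb_resources
+kb_resources=$(extract_kubebuilder_resourcenames "${kubebuilder_resource_type}" || echo "")
+
+# Extract from assets using the specified function
+local actual_resources
+if [[ "$extract_func" == "extract_crd_names" ]]; then
+actual_resources=$(extract_crd_names)
+else
+actual_resources=$(extract_asset_names "${asset_kind}")
+fi
+
+# Compare and report
+compare_resources "${resource_display_name}" "${kb_resources}" "${actual_resources}"
+}
+
+validate_deployments() {
+validate_resource_type "Deployments" "deployments" "Deployment" "extract_asset_names"
+}
+
+validate_clusterroles() {
+validate_resource_type "ClusterRoles" "clusterroles" "ClusterRole" "extract_asset_names"
+}
+
+validate_clusterrolebindings() {
+validate_resource_type "ClusterRoleBindings" "clusterrolebindings" "ClusterRoleBinding" "extract_asset_names"
+}
+
+validate_webhooks() {
+validate_resource_type "ValidatingWebhookConfigurations" "validatingwebhookconfigurations" "ValidatingWebhookConfiguration" "extract_asset_names"
+}
+
+validate_crds() {
+validate_resource_type "CustomResourceDefinitions" "customresourcedefinitions" "" "extract_crd_names"
+}
+
+main() {
+local exit_code=0
+
+echo "Validating RBAC resourceNames consistency for external-secrets-operator"
+echo "=================================================================================="
+
+validate_deployments || exit_code=1
+echo
+validate_clusterroles || exit_code=1
+echo
+validate_clusterrolebindings || exit_code=1
+echo
+validate_webhooks || exit_code=1
+echo
+validate_crds || exit_code=1
+echo
+
+if [[ $exit_code -eq 0 ]]; then
+echo "All RBAC resourceNames validations passed!"
+echo "The kubebuilder annotations are consistent with the actual resources."
+else
+echo "RBAC validation failed!"
+echo "Please update the kubebuilder annotations in pkg/controller/external_secrets/controller.go"
+fi
+
+return $exit_code
+}
+
+main "$@"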
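Review bot: The asset kind filter in extract_asset_names is an unanchored substring match, so `grep -l "kind: ClusterRole"` also selects every ClusterRoleBinding file and `grep -l "kind: Deployment"` any kind whose name merely starts with it, which feeds names from the wrong kind into the ClusterRole comparison; anchoring the line, `-exec grep -lE "^kind: ${pattern}\s*$" {} \;`, keeps the check to the intended kind (the script already relies on GNU `\s` in the annotation grep). In the same pipeline the `"^ name:"` pattern is an indentation match rather than a `metadata.name` match, so for a ClusterRoleBinding the `name:` fields under `subjects:` and `roleRef:` at the same indent appear to be collected as "actual" names too — worth confirming against the bindata files. extract_asset_names searches only `*.yml` while extract_crd_names searches `*.yml -o *.yaml`; a `.yaml` asset would be silently dropped from the first four checks, so the two find calls should agree on the extension set. Finally, compare_resources only prints the "Extra in kubebuilder annotations" list and still returns 0, which means a resourceName that no longer corresponds to any shipped object (a stale grant, the over-privilege direction) passes `make verify`; if that is intentional, a comment on the `extra_in_kb` branch saying so would prevent a later reader from "fixing" it, and if not, setting `has_errors=true` there makes the control enforce both directions.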
