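--- a/validate-rbac-resourcenames.sh
+++ b/validate-rbac-resourcenames.sh
@@ -0,0 +1,156 @@
+#!/bin/bash
+
+# validate-rbac-resourcenames.sh
+# This script validates that the resourceNames in kubebuilder RBAC annotations
+# match the actual resource names defined in the assets.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+# extract resourceNames from kubebuilder annotations
+extract_kubebuilder_resourcenames() {
+ local resource_type="$1"
+ grep -E "^\s*//\s*\+kubebuilder:rbac:.*resources=${resource_type}.*resourceNames=" \
+ "${PROJECT_ROOT}/pkg/controller/external_secrets/controller.go" | \
+ sed -E 's/.*resourceNames=([^,]*).*/\1/' | \
+ tr ';' '\n' | sort -u
+}
+
+# extract actual resource names from assets
+extract_asset_names() {
+ local pattern="$1"
+ find "${PROJECT_ROOT}/bindata/external-secrets/resources" "${PROJECT_ROOT}/bindata/external-secrets" -name "*.yml" -exec grep -l "kind: ${pattern}" {} \; 2>/dev/null | \
+ xargs grep -h "^ name:" | \
+ awk '{print $2}' | sort -u
+}
+
+# extract CRD names from assets
+extract_crd_names() {
+ # Get CRDs from config/crd/bases
+ local crd_names=""
+ if [[ -d "${PROJECT_ROOT}/config/crd/bases" ]]; then
+ crd_names=$(find "${PROJECT_ROOT}/config/crd/bases" -name "*.yml" -o -name "*.yaml" 2>/dev/null | \
+ xargs grep -l "kind: CustomResourceDefinition" 2>/dev/null | \
+ xargs grep -h "^ name:" 2>/dev/null | \
+ awk '{print $2}')
+ fi
+ echo "${crd_names}" | grep -v "^$" | sort -u
+}
+
+# compare kubebuilder resourceNames with actual resources
+compare_resources() {
+ local resource_display_name="$1"
+ local kubebuilder_resources="$2"
+ local actual_resources="$3"
+
+ echo "Kubebuilder resourceNames:"
+ echo "${kubebuilder_resources}" | sed 's/^/ - /'
+ echo
+ echo "Actual ${resource_display_name} names:"
+ echo "${actual_resources}" | sed 's/^/ - /'
+ echo
+
+ # Compare - find missing and extra resources
+ local missing_in_kb
+ missing_in_kb=$(comm -23 <(echo "${actual_resources}") <(echo "${kubebuilder_resources}"))
+
+ local extra_in_kb
+ extra_in_kb=$(comm -13 <(echo "${actual_resources}") <(echo "${kubebuilder_resources}"))
+
+ local has_errors=false
+
+ if [[ -n "${missing_in_kb}" ]]; then
+ echo "Missing in kubebuilder annotations:"
+ echo "${missing_in_kb}" | sed 's/^/ /'
+ has_errors=true
+ fi
+
+ if [[ -n "${extra_in_kb}" ]]; then
+ echo "Extra in kubebuilder annotations (might be outdated):"
+ echo "${extra_in_kb}" | sed 's/^/ /'
+ fi
+
+ if [[ "$has_errors" == "false" ]]; then
+ echo "${resource_display_name} validation passed"
+ return 0
+ else
+ return 1
+ fi
+}
+
+# Generic validation function
+validate_resource_type() {
+ local resource_display_name="$1"
+ local kubebuilder_resource_type="$2"
+ local asset_kind="$3"
+ local extract_func="$4"
+
+ echo "Validating ${resource_display_name}..."
+
+ # Extract from kubebuilder annotations
+ local kb_resources
+ kb_resources=$(extract_kubebuilder_resourcenames "${kubebuilder_resource_type}" || echo "")
+
+ # Extract from assets using the specified function
+ local actual_resources
+ if [[ "$extract_func" == "extract_crd_names" ]]; then
+ actual_resources=$(extract_crd_names)
+ else
+ actual_resources=$(extract_asset_names "${asset_kind}")
+ fi
+
+ # Compare and report
+ compare_resources "${resource_display_name}" "${kb_resources}" "${actual_resources}"
+}
+
+validate_deployments() {
+ validate_resource_type "Deployments" "deployments" "Deployment" "extract_asset_names"
+}
+
+validate_clusterroles() {
+ validate_resource_type "ClusterRoles" "clusterroles" "ClusterRole" "extract_asset_names"
+}
+
+validate_clusterrolebindings() {
+ validate_resource_type "ClusterRoleBindings" "clusterrolebindings" "ClusterRoleBinding" "extract_asset_names"
+}
+
+validate_webhooks() {
+ validate_resource_type "ValidatingWebhookConfigurations" "validatingwebhookconfigurations" "ValidatingWebhookConfiguration" "extract_asset_names"
+}
+
+validate_crds() {
+ validate_resource_type "CustomResourceDefinitions" "customresourcedefinitions" "" "extract_crd_names"
+}
+
+main() {
+ local exit_code=0
+
+ echo "Validating RBAC resourceNames consistency for external-secrets-operator"
+ echo "=================================================================================="
+
+ validate_deployments || exit_code=1
+ echo
+ validate_clusterroles || exit_code=1
+ echo
+ validate_clusterrolebindings || exit_code=1
+ echo
+ validate_webhooks || exit_code=1
+ echo
+ validate_crds || exit_code=1
+ echo
+
+ if [[ $exit_code -eq 0 ]]; then
+ echo "All RBAC resourceNames validations passed!"
+ echo "The kubebuilder annotations are consistent with the actual resources."
+ else
+ echo "RBAC validation failed!"
+ echo "Please update the kubebuilder annotations in pkg/controller/external_secrets/controller.go"
+ fi
+
+ return $exit_code
+}
+
+main "$@"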
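Review bot: `grep -l "kind: ${pattern}"` in extract_asset_names (file line 24) is a substring match, so the ClusterRoles pass also selects every ClusterRoleBinding manifest and those names land in `actual_resources`, where they are reported as "Missing in kubebuilder annotations" and fail the run; anchor the match to the whole line with `-exec grep -lx "kind: ${pattern}" {} \;`. The following `grep -h "^ name:"` takes every `name:` line at that indentation from each selected file, so a binding's `roleRef.name` would presumably be collected alongside `metadata.name` — worth confirming against the bindata layout before relying on the diff. compare_resources also passes vacuously when both lists are empty, so a moved asset directory or a changed annotation layout silently turns this RBAC gate into a no-op; in validate_resource_type add `[[ -n "${actual_resources}" ]] || { echo "no ${resource_display_name} assets found" >&2; return 1; }` so the check fails closed.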