Add decorator to remove namespace from ClusterRole and ClusterRoleBinding

mcruzdev · mcruzdev · commit e3984af40efd · 2024-09-28T21:32:11.000-03:00
diff --git a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java
@@ -291,6 +291,11 @@ private static Collection<DecoratorBuildItem> createRbacDecorators(String name,
             List<KubernetesEffectiveServiceAccountBuildItem> effectiveServiceAccounts,
             List<KubernetesRoleBindingBuildItem> roleBindingsFromExtensions) {
         List<DecoratorBuildItem> result = new ArrayList<>();
+
+        // Cluster resources does not have namespace
+        result.add(new DecoratorBuildItem(target, new RemoveNamespaceFromClusterRoleBindingDecorator()));
+        result.add(new DecoratorBuildItem(target, new RemoveNamespaceFromClusterRoleDecorator()));
+
         boolean kubernetesClientRequiresRbacGeneration = kubernetesClientConfiguration
                 .map(KubernetesClientCapabilityBuildItem::isGenerateRbac).orElse(false);
         Set<String> roles = new HashSet<>();
diff --git a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleBindingDecorator.java b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleBindingDecorator.java
@@ -0,0 +1,28 @@
+package io.quarkus.kubernetes.deployment;
+
+import io.dekorate.kubernetes.decorator.Decorator;
+import io.dekorate.kubernetes.decorator.NamedResourceDecorator;
+import io.fabric8.kubernetes.api.model.ObjectMeta;
+import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBindingBuilder;
+
+/**
+ * Decorator responsible for remove namespace from ClusterRoleBinding resource.
+ *
+ * This decorator executes after {@link AddNamespaceDecorator}.
+ */
+public class RemoveNamespaceFromClusterRoleBindingDecorator extends NamedResourceDecorator<ClusterRoleBindingBuilder> {
+
+    @Override
+    public void andThenVisit(ClusterRoleBindingBuilder clusterRoleBindingBuilder, ObjectMeta objectMeta) {
+        clusterRoleBindingBuilder
+                .withNewMetadata()
+                .withNamespace(null)
+                .withName(objectMeta.getName())
+                .endMetadata();
+    }
+
+    @Override
+    public Class<? extends Decorator>[] after() {
+        return new Class[] { AddNamespaceDecorator.class };
+    }
+}
diff --git a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleDecorator.java b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/RemoveNamespaceFromClusterRoleDecorator.java
@@ -0,0 +1,28 @@
+package io.quarkus.kubernetes.deployment;
+
+import io.dekorate.kubernetes.decorator.Decorator;
+import io.dekorate.kubernetes.decorator.NamedResourceDecorator;
+import io.fabric8.kubernetes.api.model.ObjectMeta;
+import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBuilder;
+
+/**
+ * Decorator responsible for remove namespace from ClusterRole resource.
+ *
+ * This decorator executes after {@link AddNamespaceDecorator}.
+ */
+public class RemoveNamespaceFromClusterRoleDecorator extends NamedResourceDecorator<ClusterRoleBuilder> {
+
+    @Override
+    public void andThenVisit(ClusterRoleBuilder clusterRoleBuilder, ObjectMeta objectMeta) {
+        clusterRoleBuilder
+                .withNewMetadata()
+                .withNamespace(null)
+                .withName(objectMeta.getName())
+                .endMetadata();
+    }
+
+    @Override
+    public Class<? extends Decorator>[] after() {
+        return new Class[] { AddNamespaceDecorator.class };
+    }
+}
diff --git a/integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java b/integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java
@@ -84,6 +84,7 @@ public void assertGeneratedResources() throws IOException {
 
         // secret-reader assertions
         ClusterRole secretReaderRole = getClusterRoleByName(kubernetesList, "secret-reader");
+        assertThat(secretReaderRole.getMetadata().getNamespace()).isEqualTo(null);
         assertThat(secretReaderRole.getRules()).satisfiesOnlyOnce(r -> {
             assertThat(r.getApiGroups()).containsExactly("");
             assertThat(r.getResources()).containsExactly("secrets");
@@ -111,6 +112,7 @@ public void assertGeneratedResources() throws IOException {
         assertEquals("Group", clusterSubject.getKind());
         assertEquals("manager", clusterSubject.getName());
         assertEquals("rbac.authorization.k8s.io", clusterSubject.getApiGroup());
+        assertThat(clusterRoleBinding.getMetadata().getNamespace()).isEqualTo(null);
     }
 
     private int lastIndexOfKind(String content, String... kinds) {
