feat(rbac): CEL(common expression language) support

streamnative · Dec 16, 2024 · f5ec89b · f5ec89b
1 parent 5d5dfcb
commit f5ec89b
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/cloud/data_source_rolebinding.go b/cloud/data_source_rolebinding.go
@@ -57,6 +57,14 @@ func dataSourceRoleBinding() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"cel": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: descriptions["rolebinding_cel"],
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 		},
 	}
 }
@@ -101,6 +109,12 @@ func DataSourceRoleBindingRead(ctx context.Context, d *schema.ResourceData, meta
 		}
 	}
 
+	if roleBinding.Spec.CEL != nil {
+		if err = d.Set("cel", roleBinding.Spec.CEL); err != nil {
+			return diag.FromErr(fmt.Errorf("ERROR_SET_CEL: %w", err))
+		}
+	}
+
 	if len(roleBinding.Status.Conditions) >= 1 {
 		for _, condition := range roleBinding.Status.Conditions {
 			if condition.Type == "Ready" && condition.Status == "True" {

diff --git a/cloud/provider.go b/cloud/provider.go
@@ -172,6 +172,7 @@ func init() {
 		"rolebinding_cluster_role_name":     "The predefined role name",
 		"rolebinding_service_account_names": "The list of service accounts that are role binding names ",
 		"dns":                               "The DNS ID and name. Must specify together",
+		"rolebinding_cel":                   "The CEL(Common Expression Langauge) for conditional role binding",
 	}
 }
 

diff --git a/cloud/resource_rolebinding.go b/cloud/resource_rolebinding.go
@@ -9,6 +9,7 @@ import (
 	"github.com/streamnative/cloud-api-server/pkg/apis/cloud/v1alpha1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
 	"strings"
 	"time"
 )
@@ -82,6 +83,14 @@ func resourceRoleBinding() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"cel": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: descriptions["rolebinding_cel"],
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 		},
 	}
 }
@@ -92,6 +101,7 @@ func resourceRoleBindingCreate(ctx context.Context, d *schema.ResourceData, m in
 
 	predefinedRoleName := d.Get("cluster_role_name").(string)
 	serviceAccountNames := d.Get("service_account_names").([]interface{})
+	cel := d.Get("cel").(string)
 
 	clientSet, err := getClientSet(getFactoryFromMeta(m))
 	if err != nil {
@@ -127,6 +137,9 @@ func resourceRoleBindingCreate(ctx context.Context, d *schema.ResourceData, m in
 			})
 		}
 	}
+	if cel != "" {
+		rb.Spec.CEL = pointer.String(cel)
+	}
 
 	if _, err := clientSet.CloudV1alpha1().RoleBindings(namespace).Create(ctx, rb, metav1.CreateOptions{
 		FieldManager: "terraform-create",