feat: add support for sync source default groups

TobiasGrether · Aug 23, 2024 · 1c9f87c · 1c9f87c
1 parent c771478
commit 1c9f87c
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 42 deletions.
diff --git a/config/crd/bases/perm8s.tobiasgrether.com_synchronisationsources.yaml b/config/crd/bases/perm8s.tobiasgrether.com_synchronisationsources.yaml
@@ -62,6 +62,10 @@ spec:
                 - secretName
                 - url
                 type: object
+              defaultGroups:
+                items:
+                  type: string
+                type: array
               groupMappings:
                 additionalProperties:
                   type: string

diff --git a/controller/sync.go b/controller/sync.go
@@ -98,6 +98,10 @@ func (c *Controller) syncSyncHandler(ctx context.Context, objectRef cache.Object
 			}
 		}
 
+		if source.Spec.DefaultGroups != nil {
+			groups = append(groups, *source.Spec.DefaultGroups...)
+		}
+
 		desiredUser := c.GetUserFromSyncUser(identifier, user.Name, source.Namespace, groups, source)
 
 		currentUser, err := c.clientSet.Perm8sV1alpha1().Users(source.Namespace).Get(ctx, desiredUser.Name, v3.GetOptions{})

diff --git a/pkg/apis/perm8s/v1alpha1/types.go b/pkg/apis/perm8s/v1alpha1/types.go
@@ -1,8 +1,8 @@
 package v1alpha1
 
 import (
-    v4 "k8s.io/api/rbac/v1"
-    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v4 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 type AuthenticationSource string
@@ -16,57 +16,61 @@ type AuthenticationSource string
 // +kubebuilder:printcolumn:JSONPath=".spec.description",name=Description,type=string
 // +kubebuilder:field:scope=Cluster
 type Group struct {
-    metav1.TypeMeta   `json:",inline"`
-    metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-    Spec GroupSpec `json:"spec"`
+	Spec GroupSpec `json:"spec"`
 }
 
 type GroupSpec struct {
-    DisplayName  string          `json:"displayName"`
-    Description  string          `json:"description"`
-    Permissions  []v4.PolicyRule `json:"permissions"ƒ`
-    Namespaces   []string        `json:"namespaces"`
-    ClusterGroup bool            `json:"clusterGroup"`
+	DisplayName  string          `json:"displayName"`
+	Description  string          `json:"description"`
+	Permissions  []v4.PolicyRule `json:"permissions"ƒ`
+	Namespaces   []string        `json:"namespaces"`
+	ClusterGroup bool            `json:"clusterGroup"`
 }
 
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +genclient:noStatus
 // +kubebuilder:printcolumn:JSONPath=".spec.type",name=Source Type,type=string
 type SynchronisationSource struct {
-    metav1.TypeMeta   `json:",inline"`
-    metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-    Spec SynchronisationSourceSpec `json:"spec"`
+	Spec SynchronisationSourceSpec `json:"spec"`
 }
 
 type SynchronisationSourceSpec struct {
-    // +kubebuilder:validation:Enum=authentik;ldap
-    Type      string                             `json:"type"`
-    // +kubebuilder:validation:Optional
-    Authentik *AuthentikSynchronisationSourceSpec `json:"authentik"`
-    // GroupMappings should be a map internal group identifier => Kubernetes Group Name
-    // This is useful when your IdP or SyncSource returns some kind of UUID for the groups,
-    // but you want human-readable named groups in the cluster
-    GroupMappings map[string]string `json:"groupMappings"`
+	// +kubebuilder:validation:Enum=authentik;ldap
+	Type string `json:"type"`
+	// +kubebuilder:validation:Optional
+	Authentik *AuthentikSynchronisationSourceSpec `json:"authentik"`
+	// GroupMappings should be a map internal group identifier => Kubernetes Group Name
+	// This is useful when your IdP or SyncSource returns some kind of UUID for the groups,
+	// but you want human-readable named groups in the cluster
+	GroupMappings map[string]string `json:"groupMappings"`
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:Optional
+	// +kubebuilder:validation:default:=[]
+	DefaultGroups *[]string `json:"defaultGroups"`
 }
 
 type AuthentikSynchronisationSourceSpec struct {
-    URL        string `json:"url"`
-    Scheme     string `json:"scheme"`
-    SecretName string `json:"secretName"`
-    // RequiredGroups is a list where a user only gets considered for this data source once they are a member of at least one of these groups
-    // Leaving this array empty will autopass all users
-    RequiredGroups []string `json:"requiredGroups"`
+	URL        string `json:"url"`
+	Scheme     string `json:"scheme"`
+	SecretName string `json:"secretName"`
+	// RequiredGroups is a list where a user only gets considered for this data source once they are a member of at least one of these groups
+	// Leaving this array empty will autopass all users
+	RequiredGroups []string `json:"requiredGroups"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type SynchronisationSourceList struct {
-    metav1.TypeMeta `json:",inline"`
-    metav1.ListMeta `json:"metadata"`
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
 
-    Items []SynchronisationSource `json:"items"`
+	Items []SynchronisationSource `json:"items"`
 }
 
 // +genclient
@@ -75,32 +79,32 @@ type SynchronisationSourceList struct {
 // +kubebuilder:printcolumn:JSONPath=".spec.authenticationSource",name=Authentication Source,type=string
 // +kubebuilder:printcolumn:JSONPath=".spec.displayName",name=Display Name,type=string
 type User struct {
-    metav1.TypeMeta   `json:",inline"`
-    metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-    Spec UserSpec `json:"spec"`
+	Spec UserSpec `json:"spec"`
 }
 
 type UserSpec struct {
-    DisplayName          string   `json:"displayName"`
-    AuthenticationSource string   `json:"authenticationSource"`
-    GroupMemberships     []string `json:"groupMemberships"`
+	DisplayName          string   `json:"displayName"`
+	AuthenticationSource string   `json:"authenticationSource"`
+	GroupMemberships     []string `json:"groupMemberships"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 type GroupList struct {
-    metav1.TypeMeta `json:",inline"`
-    metav1.ListMeta `json:"metadata"`
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
 
-    Items []Group `json:"items"`
+	Items []Group `json:"items"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 type UserList struct {
-    metav1.TypeMeta `json:",inline"`
-    metav1.ListMeta `json:"metadata"`
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
 
-    Items []User `json:"items"`
+	Items []User `json:"items"`
 }
diff --git a/pkg/apis/perm8s/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/perm8s/v1alpha1/zz_generated.deepcopy.go