Merge pull request #4217 from camilamacedo86/fix-rbac-generattion-external-types

🐛 fix support for external types by allowing the domain be empty, and properly generate the sample for cert-manager.

Author: k8s-ci-robot

docs/book/src/reference/using_an_external_resource.md

@@ -28,22 +28,22 @@ kubebuilder create api --group <theirgroup> --version <theirversion> --kind <the
 For example, if you're managing Certificates from Cert Manager:
 
 ```shell
-kubebuilder create api --group certmanager --version v1 --kind Certificate --controller=true --resource=false --external-api-path=github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1 --external-api-domain=cert-manager.io
+kubebuilder create api --group certmanager --version v1 --kind Certificate --controller=true --resource=false --external-api-path=github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1 --external-api-domain=io
 ```
 
-See the RBAC markers generated for this:
+See the RBAC [markers][markers-rbac] generated for this:
 
 ```go
-// +kubebuilder:rbac:groups=certmanager.cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=certmanager.cert-manager.io,resources=certificates/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=certmanager.cert-manager.io,resources=certificates/finalizers,verbs=update
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates/finalizers,verbs=update
 ```
 
 Also, the RBAC role:
 
 ```ymal
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates
   verbs:
@@ -55,13 +55,13 @@ Also, the RBAC role:
   - update
   - watch
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates/finalizers
   verbs:
   - update
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates/status
   verbs:
@@ -126,15 +126,15 @@ For instance, to create a controller to manage Deployment the command would be l
 create api --group apps --version v1 --kind Deployment --controller=true --resource=false
 ```
 
-See the RBAC markers generated for this:
+See the RBAC [markers][markers-rbac] generated for this:
 
 ```go
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=apps,resources=deployments/finalizers,verbs=update
 ```
 
-Also, the RBAC for the above markers:
+Also, the RBAC for the above [markers][markers-rbac]:
 
 ```yaml
 - apiGroups:
@@ -176,4 +176,4 @@ See an example:
 ```go
 kubebuilder create webhook --group core --version v1 --kind Pod --programmatic-validation
 ```
-
+[markers-rbac]: ./markers/rbac.md

pkg/plugins/golang/v4/api.go

@@ -146,14 +146,6 @@ func (p *createAPISubcommand) InjectResource(res *resource.Resource) error {
 		}
 	}
 
-	// Ensure that if any external API flag is set, both must be provided.
-	if len(p.options.ExternalAPIPath) != 0 || len(p.options.ExternalAPIDomain) != 0 {
-		if len(p.options.ExternalAPIPath) == 0 || len(p.options.ExternalAPIDomain) == 0 {
-			return errors.New("Both '--external-api-path' and '--external-api-domain' must be " +
-				"specified together when referencing an external API.")
-		}
-	}
-
 	p.options.UpdateResource(p.resource, p.config)
 
 	if err := p.resource.Validate(); err != nil {

test/testdata/generate.sh

@@ -46,9 +46,9 @@ function scaffold_test_project {
     $kb create api --group crew --version v1 --kind Admiral --plural=admirales --controller=true --resource=true --namespaced=false --make=false
     $kb create webhook --group crew --version v1 --kind Admiral --plural=admirales --defaulting
     # Controller for External types
-    $kb create api --group certmanager --version v1 --kind Certificate --controller=true --resource=false --make=false --external-api-path=github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1 --external-api-domain=cert-manager.io
+    $kb create api --group "cert-manager" --version v1 --kind Certificate --controller=true --resource=false --make=false --external-api-path=github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1 --external-api-domain=io
     # Webhook for External types
-    $kb create webhook --group certmanager --version v1 --kind Issuer --defaulting --external-api-path=github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1 --external-api-domain=cert-manager.io
+    $kb create webhook --group "cert-manager" --version v1 --kind Issuer --defaulting --external-api-path=github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1 --external-api-domain=io
     # Webhook for Core type
     $kb create webhook --group core --version v1 --kind Pod --defaulting
   fi
@@ -76,9 +76,9 @@ function scaffold_test_project {
     $kb create api --group foo --version v1 --kind Bar --controller=true --resource=true --make=false
     $kb create api --group fiz --version v1 --kind Bar --controller=true --resource=true --make=false
     # Controller for External types
-    $kb create api --group certmanager --version v1 --kind Certificate --controller=true --resource=false --make=false --external-api-path=github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1 --external-api-domain=cert-manager.io
+    $kb create api --group "cert-manager" --version v1 --kind Certificate --controller=true --resource=false --make=false --external-api-path=github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1 --external-api-domain=io
     # Webhook for External types
-    $kb create webhook --group certmanager --version v1 --kind Issuer --defaulting --external-api-path=github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1 --external-api-domain=cert-manager.io
+    $kb create webhook --group "cert-manager" --version v1 --kind Issuer --defaulting --external-api-path=github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1 --external-api-domain=io
     # Webhook for Core type
     $kb create webhook --group core --version v1 --kind Pod --programmatic-validation
   fi

testdata/project-v4-multigroup/PROJECT

@@ -127,15 +127,15 @@ resources:
   path: sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/api/fiz/v1
   version: v1
 - controller: true
-  domain: cert-manager.io
+  domain: io
   external: true
-  group: certmanager
+  group: cert-manager
   kind: Certificate
   path: github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1
   version: v1
-- domain: cert-manager.io
+- domain: io
   external: true
-  group: certmanager
+  group: cert-manager
   kind: Issuer
   path: github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1
   version: v1

testdata/project-v4-multigroup/cmd/main.go

@@ -48,15 +48,15 @@ import (
 	shipv1beta1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/api/ship/v1beta1"
 	shipv2alpha1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/api/ship/v2alpha1"
 	appscontroller "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/controller/apps"
-	certmanagercontroller "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/controller/certmanager"
+	certmanagercontroller "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/controller/cert-manager"
 	crewcontroller "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/controller/crew"
 	examplecomcontroller "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/controller/example.com"
 	fizcontroller "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/controller/fiz"
 	foocontroller "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/controller/foo"
 	foopolicycontroller "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/controller/foo.policy"
 	seacreaturescontroller "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/controller/sea-creatures"
 	shipcontroller "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/controller/ship"
-	webhookcertmanagerv1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/webhook/certmanager/v1"
+	webhookcertmanagerv1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/webhook/cert-manager/v1"
 	webhookcorev1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/webhook/core/v1"
 	webhookcrewv1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/webhook/crew/v1"
 	webhookexamplecomv1alpha1 "sigs.k8s.io/kubebuilder/testdata/project-v4-multigroup/internal/webhook/example.com/v1alpha1"

testdata/project-v4-multigroup/config/crd/patches/cainjection_in_certmanager_issuers.yaml renamed to testdata/project-v4-multigroup/config/crd/patches/cainjection_in_cert-manager_issuers.yaml

@@ -4,4 +4,4 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
-  name: issuers.certmanager.cert-manager.io
+  name: issuers.cert-manager.io

testdata/project-v4-multigroup/config/crd/patches/webhook_in_certmanager_issuers.yaml renamed to testdata/project-v4-multigroup/config/crd/patches/webhook_in_cert-manager_issuers.yaml

@@ -2,7 +2,7 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  name: issuers.certmanager.cert-manager.io
+  name: issuers.cert-manager.io
 spec:
   conversion:
     strategy: Webhook

testdata/project-v4-multigroup/config/rbac/role.yaml

@@ -46,7 +46,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates
   verbs:
@@ -58,13 +58,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates/finalizers
   verbs:
   - update
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates/status
   verbs:

testdata/project-v4-multigroup/config/webhook/manifests.yaml

@@ -10,12 +10,12 @@ webhooks:
     service:
       name: webhook-service
       namespace: system
-      path: /mutate-certmanager-cert-manager-io-v1-issuer
+      path: /mutate-cert-manager-io-v1-issuer
   failurePolicy: Fail
   name: missuer-v1.kb.io
   rules:
   - apiGroups:
-    - certmanager.cert-manager.io
+    - cert-manager.io
     apiVersions:
     - v1
     operations:

testdata/project-v4-multigroup/dist/install.yaml

@@ -1177,7 +1177,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates
   verbs:
@@ -1189,13 +1189,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates/finalizers
   verbs:
   - update
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates/status
   verbs:
@@ -1820,12 +1820,12 @@ webhooks:
     service:
       name: project-v4-multigroup-webhook-service
       namespace: project-v4-multigroup-system
-      path: /mutate-certmanager-cert-manager-io-v1-issuer
+      path: /mutate-cert-manager-io-v1-issuer
   failurePolicy: Fail
   name: missuer-v1.kb.io
   rules:
   - apiGroups:
-    - certmanager.cert-manager.io
+    - cert-manager.io
     apiVersions:
     - v1
     operations:

testdata/project-v4-multigroup/internal/controller/certmanager/certificate_controller.go renamed to testdata/project-v4-multigroup/internal/controller/cert-manager/certificate_controller.go

@@ -32,9 +32,9 @@ type CertificateReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups=certmanager.cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=certmanager.cert-manager.io,resources=certificates/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=certmanager.cert-manager.io,resources=certificates/finalizers,verbs=update
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates/finalizers,verbs=update
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -57,6 +57,6 @@ func (r *CertificateReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 func (r *CertificateReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&certmanagerv1.Certificate{}).
-		Named("certmanager-certificate").
+		Named("cert-manager-certificate").
 		Complete(r)
 }

testdata/project-v4-multigroup/internal/controller/certmanager/certificate_controller_test.go renamed to testdata/project-v4-multigroup/internal/controller/cert-manager/certificate_controller_test.go

@@ -40,7 +40,7 @@ func SetupIssuerWebhookWithManager(mgr ctrl.Manager) error {
 
 // TODO(user): EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 
-// +kubebuilder:webhook:path=/mutate-certmanager-cert-manager-io-v1-issuer,mutating=true,failurePolicy=fail,sideEffects=None,groups=certmanager.cert-manager.io,resources=issuers,verbs=create;update,versions=v1,name=missuer-v1.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/mutate-cert-manager-io-v1-issuer,mutating=true,failurePolicy=fail,sideEffects=None,groups=cert-manager.io,resources=issuers,verbs=create;update,versions=v1,name=missuer-v1.kb.io,admissionReviewVersions=v1
 
 // IssuerCustomDefaulter struct is responsible for setting default values on the custom resource of the
 // Kind Issuer when those are created or updated.

testdata/project-v4-multigroup/internal/controller/certmanager/suite_test.go renamed to testdata/project-v4-multigroup/internal/controller/cert-manager/suite_test.go

@@ -46,15 +46,15 @@ resources:
     defaulting: true
     webhookVersion: v1
 - controller: true
-  domain: cert-manager.io
+  domain: io
   external: true
-  group: certmanager
+  group: cert-manager
   kind: Certificate
   path: github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1
   version: v1
-- domain: cert-manager.io
+- domain: io
   external: true
-  group: certmanager
+  group: cert-manager
   kind: Issuer
   path: github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1
   version: v1

testdata/project-v4-multigroup/internal/webhook/certmanager/v1/issuer_webhook.go renamed to testdata/project-v4-multigroup/internal/webhook/cert-manager/v1/issuer_webhook.go

@@ -4,4 +4,4 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
-  name: issuers.certmanager.cert-manager.io
+  name: issuers.cert-manager.io

testdata/project-v4-multigroup/internal/webhook/certmanager/v1/issuer_webhook_test.go renamed to testdata/project-v4-multigroup/internal/webhook/cert-manager/v1/issuer_webhook_test.go

@@ -2,7 +2,7 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  name: issuers.certmanager.cert-manager.io
+  name: issuers.cert-manager.io
 spec:
   conversion:
     strategy: Webhook

testdata/project-v4-multigroup/internal/webhook/certmanager/v1/webhook_suite_test.go renamed to testdata/project-v4-multigroup/internal/webhook/cert-manager/v1/webhook_suite_test.go

@@ -5,7 +5,7 @@ metadata:
   name: manager-role
 rules:
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates
   verbs:
@@ -17,13 +17,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates/finalizers
   verbs:
   - update
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates/status
   verbs:

testdata/project-v4/PROJECT

@@ -50,12 +50,12 @@ webhooks:
     service:
       name: webhook-service
       namespace: system
-      path: /mutate-certmanager-cert-manager-io-v1-issuer
+      path: /mutate-cert-manager-io-v1-issuer
   failurePolicy: Fail
   name: missuer-v1.kb.io
   rules:
   - apiGroups:
-    - certmanager.cert-manager.io
+    - cert-manager.io
     apiVersions:
     - v1
     operations:

testdata/project-v4/config/crd/patches/cainjection_in_issuers.yaml

@@ -405,7 +405,7 @@ metadata:
   name: project-v4-manager-role
 rules:
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates
   verbs:
@@ -417,13 +417,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates/finalizers
   verbs:
   - update
 - apiGroups:
-  - certmanager.cert-manager.io
+  - cert-manager.io
   resources:
   - certificates/status
   verbs:
@@ -694,12 +694,12 @@ webhooks:
     service:
       name: project-v4-webhook-service
       namespace: project-v4-system
-      path: /mutate-certmanager-cert-manager-io-v1-issuer
+      path: /mutate-cert-manager-io-v1-issuer
   failurePolicy: Fail
   name: missuer-v1.kb.io
   rules:
   - apiGroups:
-    - certmanager.cert-manager.io
+    - cert-manager.io
     apiVersions:
     - v1
     operations:

testdata/project-v4/config/crd/patches/webhook_in_issuers.yaml

@@ -32,9 +32,9 @@ type CertificateReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups=certmanager.cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=certmanager.cert-manager.io,resources=certificates/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=certmanager.cert-manager.io,resources=certificates/finalizers,verbs=update
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates/finalizers,verbs=update
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.