Skip to content

add k8s rbac & project api #320

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mysekai7 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

add k8s rbac & project api #320

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/connector/connector.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# Connector [dex.coreos.com/v1]

<OpenAPIPath path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors" />

<OpenAPIPath path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors/{name}" />
Comment on lines +3 to +5
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These OpenAPI paths are missing pathPrefix="/kubernetes/{cluster}", while other Kubernetes API docs in this PR include it (e.g., RBAC/ServiceAccount pages). Without the prefix, the rendered endpoint URLs will be inconsistent/likely incorrect for cluster-scoped routing.

Suggested change
<OpenAPIPath path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors" />
<OpenAPIPath path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors/{name}" />
<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors" />
<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors/{name}" />

Copilot uses AI. Check for mistakes.
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/connector/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
---

Comment on lines +1 to +3
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file contains an empty frontmatter block (--- / ---) but no frontmatter keys. Other docs/en/apis/kubernetes_apis/*/index.mdx pages typically omit frontmatter entirely (e.g., docs/en/apis/kubernetes_apis/alert/index.mdx). Consider removing the empty block for consistency.

Suggested change
---
---

Copilot uses AI. Check for mistakes.
# Connector APIs

<Overview overviewHeaders={[]} />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/project/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
---

Comment on lines +1 to +3
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file contains an empty frontmatter block (--- / ---) but no frontmatter keys. Other docs/en/apis/kubernetes_apis/*/index.mdx pages typically omit frontmatter entirely (e.g., docs/en/apis/kubernetes_apis/alert/index.mdx). Consider removing the empty block for consistency.

Suggested change
---
---

Copilot uses AI. Check for mistakes.
# Project APIs

<Overview overviewHeaders={[]} />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/project/project.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# Project [auth.alauda.io/v1]
<OpenAPIPath path="/apis/auth.alauda.io/v1/projects" />

<OpenAPIPath path="/apis/auth.alauda.io/v1/projects/{name}" />

<K8sCrd name="projects.auth.alauda.io" />
Comment on lines +1 to +6
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify corresponding CRD file exists for projects.auth.alauda.io.

Line 6 references a CRD declaration for projects.auth.alauda.io, but the corresponding CRD YAML file is not included in this PR for review. Ensure docs/shared/crds/auth.alauda.io_projects.yaml exists and is properly formatted.

🏁 Script executed:

#!/bin/bash
# Verify the Project CRD file exists and is valid YAML
fd -e yaml docs/shared/crds | grep -i project
cat docs/shared/crds/auth.alauda.io_projects.yaml 2>/dev/null | head -20

Length of output: 369

🏁 Script executed:

#!/bin/bash
# Verify the Project CRD file exists using corrected fd syntax
echo "=== Searching for Project CRD files ==="
fd --full-path 'auth.alauda.io_projects.yaml' docs/shared/crds 2>/dev/null

echo "=== Checking if docs/shared/crds directory exists ==="
ls -la docs/shared/crds 2>&1 | head -30

echo "=== Listing all YAML files in CRDs directory ==="
fd . docs/shared/crds -e yaml 2>&1 | head -20

Length of output: 2568

The CRD file for projects.auth.alauda.io is missing.

Line 6 references <K8sCrd name="projects.auth.alauda.io" />, but the corresponding CRD YAML file docs/shared/crds/auth.alauda.io_projects.yaml does not exist in the repository. The docs/shared/crds/ directory contains 16 CRD files, including auth.alauda.io_users.yaml, but no projects CRD. Either create the missing CRD file or remove the K8sCrd reference if it is not yet implemented.

🤖 Prompt for AI Agents 
In docs/en/apis/kubernetes_apis/project/project.mdx around lines 1-6, the page
references a CRD via <K8sCrd name="projects.auth.alauda.io" /> but the
corresponding YAML file docs/shared/crds/auth.alauda.io_projects.yaml is
missing; either add that CRD YAML to docs/shared/crds/ (matching naming
convention and contents of other CRDs) and commit it, or remove/replace the
<K8sCrd ... /> tag from this MDX if the CRD is not ready, ensuring the page
builds without broken references.

Comment on lines +2 to +6
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These OpenAPI paths likely need the Kubernetes proxy prefix (pathPrefix="/kubernetes/{cluster}") like the other Kubernetes API docs added in this PR. Also, <K8sCrd name="projects.auth.alauda.io" /> appears to reference a CRD file that doesn’t exist in docs/shared/crds/ (expected something like docs/shared/crds/auth.alauda.io_projects.yaml). Add the missing CRD YAML (or remove/fix the reference) so the page can render correctly.

Suggested change
<OpenAPIPath path="/apis/auth.alauda.io/v1/projects" />
<OpenAPIPath path="/apis/auth.alauda.io/v1/projects/{name}" />
<K8sCrd name="projects.auth.alauda.io" />
<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/auth.alauda.io/v1/projects" />
<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/auth.alauda.io/v1/projects/{name}" />

Copilot uses AI. Check for mistakes.
5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/rbac/clusterrole.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# ClusterRole [rbac.authorization.k8s.io/v1]

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/clusterroles" pathPrefix="/kubernetes/{cluster}" />

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/clusterroles/{name}" pathPrefix="/kubernetes/{cluster}" />
5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/rbac/clusterrolebinding.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# ClusterRoleBinding [rbac.authorization.k8s.io/v1]

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/clusterrolebindings" pathPrefix="/kubernetes/{cluster}" />

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}" pathPrefix="/kubernetes/{cluster}" />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/rbac/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
---

Comment on lines +1 to +3
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file contains an empty frontmatter block (--- / ---) but no frontmatter keys. Other docs/en/apis/kubernetes_apis/*/index.mdx pages typically omit frontmatter entirely (e.g., docs/en/apis/kubernetes_apis/alert/index.mdx). Consider removing the empty block for consistency.

Suggested change
---
---

Copilot uses AI. Check for mistakes.
# RBAC APIs

<Overview overviewHeaders={[]} />
5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/rbac/role.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# Role [rbac.authorization.k8s.io/v1]

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles" pathPrefix="/kubernetes/{cluster}" />

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}" pathPrefix="/kubernetes/{cluster}" />
5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/rbac/rolebinding.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# RoleBinding [rbac.authorization.k8s.io/v1]

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings" pathPrefix="/kubernetes/{cluster}" />

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}" pathPrefix="/kubernetes/{cluster}" />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/serviceaccount/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
---

Comment on lines +1 to +3
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file contains an empty frontmatter block (--- / ---) but no frontmatter keys. Other docs/en/apis/kubernetes_apis/*/index.mdx pages typically omit frontmatter entirely (e.g., docs/en/apis/kubernetes_apis/alert/index.mdx). Consider removing the empty block for consistency.

Suggested change
---
---

Copilot uses AI. Check for mistakes.
# ServiceAccount APIs

<Overview overviewHeaders={[]} />
5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/serviceaccount/serviceaccount.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# ServiceAccount [v1]

<OpenAPIPath path="/api/v1/namespaces/{namespace}/serviceaccounts" pathPrefix="/kubernetes/{cluster}" />

<OpenAPIPath path="/api/v1/namespaces/{namespace}/serviceaccounts/{name}" pathPrefix="/kubernetes/{cluster}" />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/user/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
---

Comment on lines +1 to +3
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file contains an empty frontmatter block (--- / ---) but no frontmatter keys. Other docs/en/apis/kubernetes_apis/*/index.mdx pages typically omit frontmatter entirely (e.g., docs/en/apis/kubernetes_apis/alert/index.mdx). Consider removing the empty block for consistency.

Suggested change
---
---

Copilot uses AI. Check for mistakes.
# User APIs

<Overview overviewHeaders={[]} />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/user/user.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# User [auth.alauda.io/v1]
<OpenAPIPath path="/apis/auth.alauda.io/v1/users" />

<OpenAPIPath path="/apis/auth.alauda.io/v1/users/{name}" />
Comment on lines +2 to +4
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These OpenAPI paths are missing pathPrefix="/kubernetes/{cluster}", while other Kubernetes API docs in this PR include it (e.g., RBAC/ServiceAccount pages). Without the prefix, the rendered endpoint URLs will be inconsistent/likely incorrect for cluster-scoped routing.

Suggested change
<OpenAPIPath path="/apis/auth.alauda.io/v1/users" />
<OpenAPIPath path="/apis/auth.alauda.io/v1/users/{name}" />
<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/auth.alauda.io/v1/users" />
<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/auth.alauda.io/v1/users/{name}" />

Copilot uses AI. Check for mistakes.

<K8sCrd name="users.auth.alauda.io" />
161 changes: 161 additions & 0 deletions docs/shared/crds/auth.alauda.io_users.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
apiVersion: apiextensions.k8s.io/v1
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This CRD YAML is missing the leading document separator (---) used by other CRDs under docs/shared/crds/ (e.g., docs/shared/crds/aiops.alauda.io_alerttemplates.yaml:1). Adding it improves consistency and avoids edge cases with multi-document tooling.

Copilot uses AI. Check for mistakes.
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.9.2
name: users.auth.alauda.io
spec:
conversion:
strategy: None
group: auth.alauda.io
names:
kind: User
listKind: UserList
plural: users
singular: user
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.connector_type
name: Type
type: string
- jsonPath: .spec.email
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In additionalPrinterColumns, the column named "Username" points to .spec.email, but the schema also defines .spec.username (and it’s required). Either change the jsonPath to .spec.username or rename the column to "Email" to match what’s displayed.

Suggested change
- jsonPath: .spec.email
- jsonPath: .spec.username

Copilot uses AI. Check for mistakes.
name: Username
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: User is the Schema for the users API
properties:
apiVersion:
description: "APIVersion defines the versioned schema of this representation of
an object. Servers should convert recognized schemas to the
latest internal value, and may reject unrecognized values. More
info:
https://git.k8s.io/community/contributors/devel/sig-architectur\
e/api-conventions.md#resources"
type: string
kind:
description: "Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architectur\
e/api-conventions.md#types-kinds"
type: string
metadata:
type: object
spec:
description: UserSpec defines the desired state of User
properties:
account:
type: string
connector_id:
type: string
connector_name:
type: string
connector_type:
description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
Important: Run "make" to regenerate code after modifying
this file'
Comment on lines +60 to +62
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The connector_type field description still contains the kubebuilder scaffolding placeholder ("INSERT ADDITIONAL SPEC FIELDS..." / "Run "make" to regenerate..."). This reads like internal developer guidance rather than API documentation; it should be replaced with a real description (or removed).

Suggested change
description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
Important: Run "make" to regenerate code after modifying
this file'
description: ConnectorType identifies the type of identity connector
associated with the user

Copilot uses AI. Check for mistakes.
type: string
continuity_errors:
type: integer
email:
type: string
expired:
description: Expired ...
properties:
begin:
format: date-time
type: string
end:
format: date-time
type: string
required:
- begin
- end
type: object
extra:
description: Extra contains additional arbitrary metadata for the user from
third-party systems
type: object
x-kubernetes-preserve-unknown-fields: true
Comment on lines +82 to +85
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Broad use of x-kubernetes-preserve-unknown-fields at multiple levels.

The CRD uses x-kubernetes-preserve-unknown-fields: true at both the spec level (line 85) and root level (line 134). While this enables flexibility for third-party integrations (noted in the extra field comment), it also:

  • Allows arbitrary fields that may mask schema validation issues
  • Increases the risk of unintended data acceptance
  • Makes schema evolution harder to track

Consider narrowing the preserve-unknown-fields scope to only the extra field if possible, or document the rationale for the broader application.

Also applies to: 134-134

groups:
items:
type: string
type: array
ids:
items:
properties:
id:
type: string
type:
type: string
required:
- id
- type
type: object
type: array
is_admin:
type: boolean
is_disabled:
type: boolean
last_login_time:
type: string
mail:
type: string
mobile:
type: string
old_password:
type: string
password:
type: string
Comment on lines +112 to +115
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

⚠️ Security concern: Plain-text password fields in CRD spec.

The password and old_password fields are stored as plain strings in the User resource spec. Kubernetes resources are persisted in etcd by default, which is not the appropriate place for credential storage. Credentials should be managed via Kubernetes Secrets.

Consider:

  1. Removing password fields from the spec and managing them separately via Secrets.
  2. If passwords must be included, ensure etcd encryption and access controls are strictly configured.
  3. Document the security implications and expected access restrictions.

state:
description: State is User's State
type: string
username:
type: string
valid:
type: boolean
webhookType:
type: string
webhookUrl:
type: string
required:
- connector_name
- connector_type
- email
- is_admin
- username
type: object
x-kubernetes-preserve-unknown-fields: true
status:
description: UserStatus defines the observed state of User
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: User
listKind: UserList
plural: users
singular: user
conditions:
- lastTransitionTime: 2025-11-06T16:16:25Z
message: no conflicts found
reason: NoConflicts
status: "True"
type: NamesAccepted
- lastTransitionTime: 2025-11-06T16:16:25Z
message: the initial names have been accepted
reason: InitialNamesAccepted
status: "True"
type: Established
storedVersions:
- v1
Comment on lines +143 to +161
Copy link

Copilot AI Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This CRD manifest includes a populated status.conditions section with concrete timestamps/messages. In this repo, the CRD YAMLs under docs/shared/crds/ typically keep status empty (e.g., docs/shared/crds/ait.alauda.io_inspections.yaml:150-155), so these values will go stale and create noisy diffs. Consider stripping runtime status.* content (or normalizing it to the empty placeholder form).

Suggested change
status:
acceptedNames:
kind: User
listKind: UserList
plural: users
singular: user
conditions:
- lastTransitionTime: 2025-11-06T16:16:25Z
message: no conflicts found
reason: NoConflicts
status: "True"
type: NamesAccepted
- lastTransitionTime: 2025-11-06T16:16:25Z
message: the initial names have been accepted
reason: InitialNamesAccepted
status: "True"
type: Established
storedVersions:
- v1
status: {}

Copilot uses AI. Check for mistakes.
Loading