From 24a00664e45a87867d779d129c53d5595a411d38 Mon Sep 17 00:00:00 2001
From: Ashutosh-Baral
Date: Wed, 16 Apr 2025 16:00:52 +0545
Subject: [PATCH 1/2] rbac issue is solved for both cluster scope and namespace scope
---
.../bases/myoperator.01cloud.io_userconfigs.yaml | 1 +
config/rbac/role.yaml | 8 ++++++++
go.mod | 2 +-
internal/controller/suite_test.go | 3 ++-
internal/controller/userconfig_controller.go | 14 ++++++++------
internal/usecase/delete.go | 2 +-
internal/usecase/kubeconfig_generator.go | 2 +-
internal/usecase/namespace.go | 3 ++-
internal/usecase/network_policies.go | 2 +-
internal/usecase/rbac.go | 16 ++++++++++++++++
internal/usecase/resource_quota.go | 5 ++++-
internal/usecase/sealed_secrets.go | 6 +++++-
internal/usecase/usecase.go | 4 +++-
test/e2e/e2e_test.go | 9 ++++-----
14 files changed, 57 insertions(+), 20 deletions(-)
diff --git a/config/crd/bases/myoperator.01cloud.io_userconfigs.yaml b/config/crd/bases/myoperator.01cloud.io_userconfigs.yaml
index 9d64e47..54a145a 100644
--- a/config/crd/bases/myoperator.01cloud.io_userconfigs.yaml
+++ b/config/crd/bases/myoperator.01cloud.io_userconfigs.yaml
@@ -311,6 +311,7 @@ spec: - logs - scaledeployment - scalereplicaset + - persistentvolume type: string required: - operation
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 962b43a..9e0277f 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -7,9 +7,17 @@ rules: - apiGroups: - "" resources: + - configmap - configmaps + verbs: + - '*' +- apiGroups: + - "" + resources: - limitranges - namespaces + - persistentvolume + - persistentvolumeclaim - persistentvolumeclaims - persistentvolumes - pods
diff --git a/go.mod b/go.mod
index 7abc355..2811d82 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,6 @@ require (
k8s.io/api v0.31.0
k8s.io/apimachinery v0.31.3
k8s.io/client-go v0.31.0
- k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
sigs.k8s.io/controller-runtime v0.19.1
)
@@ -104,6 +103,7 @@ require (
k8s.io/component-base v0.31.0 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20240709000822-3c01b740850f // indirect
+ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go
index c902ab0..e00da06 100644
--- a/internal/controller/suite_test.go
+++ b/internal/controller/suite_test.go
@@ -11,6 +11,8 @@ import (
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/rest"
+
+ ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/envtest"
logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -19,7 +21,6 @@ import (
myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
sealedsecretsv1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealedsecrets/v1alpha1"
- ctrl "sigs.k8s.io/controller-runtime"
// +kubebuilder:scaffold:imports
)
diff --git a/internal/controller/userconfig_controller.go b/internal/controller/userconfig_controller.go
index 018697d..7b000d8 100644
--- a/internal/controller/userconfig_controller.go
+++ b/internal/controller/userconfig_controller.go
@@ -5,20 +5,18 @@ import (
"fmt"
corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
- "sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+ "sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/predicate"
+ sealedsecretsv1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealedsecrets/v1alpha1"
+
myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
usecase "01cloud/zoperator/internal/usecase"
-
- sealedsecretsv1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealedsecrets/v1alpha1"
- "sigs.k8s.io/controller-runtime/pkg/log"
)
// UserConfigReconciler reconciles a UserConfig object
@@ -72,11 +70,15 @@ const (
// +kubebuilder:rbac:groups=apps,resources=daemonsets/scale,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apps,resources=statefulsets/scale,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaim,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",resources=persistentvolumeclaim,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=persistentvolume,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=persistentvolumes,verbs=get;list;watch;create;update;patch;delete
+
// +kubebuilder:rbac:groups=core,resources=persistentvolumes/status,verbs=get;update;patch
// Reconcile handles the reconciliation loop for UserConfig resources
diff --git a/internal/usecase/delete.go b/internal/usecase/delete.go
index f90ca7c..465140d 100644
--- a/internal/usecase/delete.go
+++ b/internal/usecase/delete.go
@@ -7,8 +7,8 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- ctrl "sigs.k8s.io/controller-runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
diff --git a/internal/usecase/kubeconfig_generator.go b/internal/usecase/kubeconfig_generator.go
index 9460429..c08043a 100644
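Review bot: The added `resources=persistentvolumeclaim` and `resources=persistentvolume` markers (and the pre-existing `groups=""` singular one they now sit beside) produce rules that cannot match any request, because the RBAC authorizer compares the `resources` field against the plural resource name the API server serves (`persistentvolumeclaims`, `persistentvolumes`); the singular entries in the generated `config/rbac/role.yaml` hunk (`- configmap`, `- persistentvolume`, `- persistentvolumeclaim`) are therefore dead weight that makes the effective grant harder to audit. The real grant is the plural lines, which were already present before this change, so if the reconcile was failing with a forbidden error on PersistentVolumes the cause is more likely scope: `persistentvolumes` is cluster-scoped and can only be granted through a ClusterRole, which a namespaced Role cannot express — the kind of role.yaml is not visible in this hunk, so please confirm. `groups=core` and `groups=""` name the same API group, so each core/"" pair is a duplicate, and the stray empty `+` line splits the marker block for no reason. The generated hunk also shows `configmaps` moving to `verbs: '*'`; the marker driving that is outside this diff, but a wildcard verb is broader than the explicit verb lists used everywhere else in this block and is worth narrowing. I would drop the three singular markers and the blank line and keep one marker per resource, e.g. `// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;patch;delete` and `// +kubebuilder:rbac:groups=core,resources=persistentvolumes,verbs=get;list;watch;create;update;patch;delete`.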
--- a/internal/usecase/kubeconfig_generator.go
+++ b/internal/usecase/kubeconfig_generator.go
@@ -15,8 +15,8 @@ import (
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
- ctrl "sigs.k8s.io/controller-runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
diff --git a/internal/usecase/namespace.go b/internal/usecase/namespace.go
index 53b5317..d4d0a3d 100644
--- a/internal/usecase/namespace.go
+++ b/internal/usecase/namespace.go
@@ -1,7 +1,6 @@
package usecase
import (
- myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
"context"
"fmt"
@@ -9,6 +8,8 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+ myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
)
func (u *UserConfigUseCase) ReconcileNamespace(ctx context.Context, uc *myoperatorv1alpha1.UserConfig) error {
diff --git a/internal/usecase/network_policies.go b/internal/usecase/network_policies.go
index fac014b..f036cbd 100644
--- a/internal/usecase/network_policies.go
+++ b/internal/usecase/network_policies.go
@@ -5,8 +5,8 @@ import (
"fmt"
corev1 "k8s.io/api/core/v1"
- networkingv1 "k8s.io/api/networking/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
diff --git a/internal/usecase/rbac.go b/internal/usecase/rbac.go
index f361708..e56cd6e 100644
--- a/internal/usecase/rbac.go
+++ b/internal/usecase/rbac.go
@@ -237,6 +237,22 @@ func mapActualResource(resource string) string {
return "networkpolicies"
case "sealedsecret", "sealedsecrets":
return "sealedsecrets"
+ case "persistentvolumeclaim", "persistentvolumeclaims":
+ return "persistentvolumeclaims"
+ case "persistentvolume", "persistentvolumes":
+ return "persistentvolumes"
+ case "configmap", "configmaps":
+ return "configmaps"
+ case "persistentvolumeclaim/status", "persistentvolumeclaims/status":
+ return "persistentvolumeclaims/status"
+ case "persistentvolume/status", "persistentvolumes/status":
+ return "persistentvolumes/status"
+ case "resourcequota/status", "resourcequotas/status":
+ return "resourcequotas/status"
+ case "limitrange/status", "limitranges/status":
+ return "limitranges/status"
+ case "serviceaccount/token", "serviceaccounts/token":
+ return "serviceaccounts/token"
case "logs":
return "pods/log"
case "scaledeployment":
diff --git a/internal/usecase/resource_quota.go b/internal/usecase/resource_quota.go
index b963a1b..fcc17eb 100644
--- a/internal/usecase/resource_quota.go
+++ b/internal/usecase/resource_quota.go
@@ -1,16 +1,19 @@
package usecase
import (
- myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
"context"
"fmt"
"reflect"
corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+
+ myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
)
func (u *UserConfigUseCase) ReconcileResourceQuota(ctx context.Context, userConfig *myoperatorv1alpha1.UserConfig) error {
diff --git a/internal/usecase/sealed_secrets.go b/internal/usecase/sealed_secrets.go
index e60f09a..60994f3 100644
--- a/internal/usecase/sealed_secrets.go
+++ b/internal/usecase/sealed_secrets.go
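Review bot: The new `persistentvolume`/`persistentvolumes` case returns a resource that is cluster-scoped, and a rule naming `persistentvolumes` inside a namespaced Role grants nothing, so whatever consumes this function's result to build the user's Role or ClusterRole (outside the hunk) needs to route that entry to a ClusterRole or reject it explicitly, otherwise a requested `persistentvolume` operation silently has no effect. The `serviceaccounts/token` case deserves the same scrutiny where the verbs are attached: `create` on that subresource lets the holder obtain tokens for every service account in the namespace and act with their permissions, so it should not inherit a blanket verb list. The CRD hunk in this commit adds only `persistentvolume` to the operation enum, not `persistentvolumeclaim`, `configmap` or any of the `/status` and `/token` spellings mapped here, so several of these cases look unreachable through validated UserConfig input — confirm which field that enum governs. Stylistically the switch is now a long table of spelling pairs; a package-level `map[string]string` keyed by every accepted spelling would keep it data-only and make the accepted set easy to test. `mapActualResource` starts before and ends after the hunk.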
@@ -1,17 +1,21 @@
package usecase
import (
- myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
"context"
"fmt"
sealedsecretsv1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealedsecrets/v1alpha1"
+ corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
"sigs.k8s.io/controller-runtime/pkg/log"
+
+ myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
)
func (u *UserConfigUseCase) ReconcileSealedSecrets(ctx context.Context, uc *myoperatorv1alpha1.UserConfig) error {
diff --git a/internal/usecase/usecase.go b/internal/usecase/usecase.go
index fd657dd..9e7acca 100644
--- a/internal/usecase/usecase.go
+++ b/internal/usecase/usecase.go
@@ -1,12 +1,14 @@
package usecase
import (
- myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
"context"
"k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
+
+ myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
)
type UseCase interface {
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 36ab2d8..586a6df 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -30,15 +30,14 @@ import (
. "github.com/onsi/gomega/gstruct"
"github.com/onsi/gomega/types"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/client-go/rest"
- "k8s.io/client-go/tools/clientcmd"
- "sigs.k8s.io/controller-runtime/pkg/client"
-
corev1 "k8s.io/api/core/v1"
networkingv1 "k8s.io/api/networking/v1"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/resource"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/client-go/rest"
+ "k8s.io/client-go/tools/clientcmd"
+ "sigs.k8s.io/controller-runtime/pkg/client"
myoperatorv1alpha1 "01cloud/zoperator/api/v1alpha1"
"01cloud/zoperator/test/utils"
From 86b16a467c4b889dd826617ade4be9b8504af18d Mon Sep 17 00:00:00 2001
From: Ashutosh-Baral
Date: Mon, 16 Jun 2025 15:42:16 +0545
Subject: [PATCH 2/2] fix(userconfig_types.go): updated regex for gmail and description for limits specs
---
api/v1alpha1/userconfig_types.go | 8 +++++---
config/crd/bases/myoperator.01cloud.io_userconfigs.yaml | 9 +++++----
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/api/v1alpha1/userconfig_types.go b/api/v1alpha1/userconfig_types.go
index fcc5bd4..19d8ed2 100644
--- a/api/v1alpha1/userconfig_types.go
+++ b/api/v1alpha1/userconfig_types.go
@@ -33,7 +33,8 @@ type Identity struct {
Groups []string `json:"groups,omitempty"`
// Contact is the user's email address for communication.
- // +kubebuilder:validation:Pattern="^[a-zA-Z._%+-]+@[a-zA-Z.-]+\\.[a-zA-Z]{2,}$"
+ // +kubebuilder:validation:Pattern=^(?!.*\.\.)(?!\.)([\w\.]+)(?