From 203fde784adaac86708ead328eb01a06076a4246 Mon Sep 17 00:00:00 2001
From: hongming
Date: Tue, 16 Jun 2020 16:30:40 +0800
Subject: [PATCH] fix: auto create workspace manager rolebinding

Signed-off-by: hongming
---
 pkg/apis/iam/v1alpha2/types.go | 1 +
 .../workspacetemplate_controller.go | 42 +++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/pkg/apis/iam/v1alpha2/types.go b/pkg/apis/iam/v1alpha2/types.go
index 137596bd9..87941fdc5 100644
--- a/pkg/apis/iam/v1alpha2/types.go
+++ b/pkg/apis/iam/v1alpha2/types.go
@@ -67,6 +67,7 @@ const (
 ScopeNamespace = "namespace"
 PlatformAdmin = "platform-admin"
 NamespaceAdmin = "admin"
+ WorkspaceAdminFormat = "%s-admin"
 ClusterAdmin = "cluster-admin"
 )
 
diff --git a/pkg/controller/workspacetemplate/workspacetemplate_controller.go b/pkg/controller/workspacetemplate/workspacetemplate_controller.go
index cc70a5817..d13e675b1 100644
--- a/pkg/controller/workspacetemplate/workspacetemplate_controller.go
+++ b/pkg/controller/workspacetemplate/workspacetemplate_controller.go
@@ -21,6 +21,7 @@ import (
 "encoding/json"
 "fmt"
 corev1 "k8s.io/api/core/v1"
+ rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -253,6 +254,11 @@ func (c *Controller) reconcile(key string) error {
 return err
 }
 
+ if err = c.initManagerRoleBinding(workspaceTemplate); err != nil {
+ klog.Error(err)
+ return err
+ }
+
 if c.multiClusterEnabled {
 if err = c.multiClusterSync(workspaceTemplate); err != nil {
 klog.Error(err)
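Review bot: `WorkspaceAdminFormat` is the only format string in a block of otherwise literal role names and nothing says what its `%s` stands for; add `// WorkspaceAdminFormat is the name pattern of a workspace's built-in admin WorkspaceRole; the %s is the workspace name.` above it so callers of `fmt.Sprintf(iamv1alpha2.WorkspaceAdminFormat, ...)` know which argument to pass. The const block begins before the hunk.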
@@ -492,3 +498,39 @@ func (r *Controller) initRoles(workspace *tenantv1alpha2.WorkspaceTemplate) erro
 }
 return nil
 }
+
+func (r *Controller) initManagerRoleBinding(workspace *tenantv1alpha2.WorkspaceTemplate) error {
+ if manager := workspace.Spec.Manager; manager != "" {
+
+ workspaceAdminRoleName := fmt.Sprintf(iamv1alpha2.WorkspaceAdminFormat, workspace.Name)
+
+ managerRoleBinding := &iamv1alpha2.WorkspaceRoleBinding{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: fmt.Sprintf("%s-%s", manager, workspaceAdminRoleName),
+ Labels: map[string]string{tenantv1alpha1.WorkspaceLabel: workspace.Name},
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
+ Kind: iamv1alpha2.ResourceKindWorkspaceRole,
+ Name: workspaceAdminRoleName,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Name: manager,
+ Kind: iamv1alpha2.ResourceKindUser,
+ APIGroup: rbacv1.GroupName,
+ },
+ },
+ }
+ _, err := r.ksClient.IamV1alpha2().WorkspaceRoleBindings().Create(managerRoleBinding)
+ if err != nil {
+ if errors.IsAlreadyExists(err) {
+ return nil
+ }
+ klog.Error(err)
+ return err
+ }
+ }
+
+ return nil
+}
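Review bot: `initManagerRoleBinding` only ever adds a binding and never revokes one, so when `workspace.Spec.Manager` is changed the previous manager keeps its `<old-manager>-<workspace>-admin` WorkspaceRoleBinding and with it workspace-admin rights, and the early `return nil` on `errors.IsAlreadyExists(err)` means an existing binding whose `RoleRef` or `Subjects` have been edited is never reconciled back. To make the manager binding converge, mark the bindings this controller creates (an extra label on the object — the key is for the project to choose, since the `tenantv1alpha1.WorkspaceLabel` label alone also matches bindings an admin created by hand) and on each reconcile delete the marked bindings whose subject is not the current manager and update the current one when its spec differs, instead of stopping at AlreadyExists. The name `fmt.Sprintf("%s-%s", manager, workspaceAdminRoleName)` can also collide across workspaces because both parts may contain `-` (manager `a-b` in workspace `c` and manager `a` in workspace `b-c` both give `a-b-c-admin`), in which case the second workspace's manager silently gets no binding, and the object carries no OwnerReference to the workspace, so it presumably survives workspace deletion unless something outside this hunk cleans it up — worth confirming. Finally, the function logs with `klog.Error(err)` before returning while `reconcile` logs the same error again, it has no doc comment — `// initManagerRoleBinding grants Spec.Manager the workspace's admin WorkspaceRole; an existing binding is left as is.` — and it uses receiver `r` where `reconcile` uses `c`.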