giantswarm · mirza-src · Dec 8, 2025 · Dec 18, 2025 · Dec 23, 2025 · Jan 21, 2026
@@ -1,13 +1,37 @@
-*.swp
-TODO
-/rbac-operator*
-!vendor/**
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+bin/*
+Dockerfile.cross
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Go workspace file
+go.work
+
+# Kubernetes Generated files - skip generated files, except for vendored files
+!vendor/**/zz_generated.*
+
+# editor and IDE paraphernalia
 .idea
 .vscode
-*.crt
-*.key
-*.config
+*.swp
+*.swo
+*~
 
+# OS X
+.history
+.DS_Store
+
+# binaries
+/rbac-operator*
 
 # ats
 /tests/ats/test_results*.xml
@@ -23,3 +23,38 @@ include Makefile.*.mk
 .PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z%\\\/_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
+CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
+CONTROLLER_TOOLS_VERSION ?= v0.19.0
+
+.PHONY: manifests
+manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+
+.PHONY: generate
+generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
+	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
+
+.PHONY: controller-gen
+controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary.
+$(CONTROLLER_GEN): $(LOCALBIN)
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen,$(CONTROLLER_TOOLS_VERSION))
+
+# go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
+# $1 - target path with name of binary
+# $2 - package url which can be installed
+# $3 - specific version of package
+define go-install-tool
+@[ -f "$(1)-$(3)" ] && [ "$$(readlink -- "$(1)" 2>/dev/null)" = "$(1)-$(3)" ] || { \
+set -e; \
+package=$(2)@$(3) ;\
+echo "Downloading $${package}" ;\
+rm -f $(1) ;\
+GOBIN=$(LOCALBIN) go install $${package} ;\
+mv $(1) $(1)-$(3) ;\
+} ;\
+ln -sf $$(realpath $(1)-$(3)) $(1)
+endef
@@ -0,0 +1,21 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
+cliVersion: v4.9.0
+domain: giantswarm.io
+layout:
+- go.kubebuilder.io/v4
+projectName: rbac-operator
+repo: github.com/giantswarm/rbac-operator
+resources:
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: giantswarm.io
+  group: auth
+  kind: RoleBindingTemplate
+  path: github.com/giantswarm/rbac-operator/api/v1alpha1
+  version: v1alpha1
+version: "3"
@@ -1,5 +1,5 @@
 /*
-Copyright 2023.
+Copyright 2025.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package v1alpha1 contains API Schema definitions for the auth.giantswarm.io v1alpha1 API group
+// Package v1alpha1 contains API Schema definitions for the auth v1alpha1 API group.
 // +kubebuilder:object:generate=true
 // +groupName=auth.giantswarm.io
 package v1alpha1
@@ -25,10 +25,10 @@ import (
 )
 
 var (
-	// GroupVersion is group version used to register these objects
+	// GroupVersion is group version used to register these objects.
 	GroupVersion = schema.GroupVersion{Group: "auth.giantswarm.io", Version: "v1alpha1"}
 
-	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
 
 	// AddToScheme adds the types in this group-version to the given scheme.

@@ -1,5 +1,5 @@
 /*
-Copyright 2023.
+Copyright 2025.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -30,26 +30,28 @@ type RoleBindingTemplateSpec struct {
 	Scopes   RoleBindingTemplateScopes   `json:"scopes"`
 }
 
-// RoleBindingTemplateStatus defines the observed state of RoleBindingTemplate
-type RoleBindingTemplateStatus struct {
-	// Namespaces contains a list of namespaces the RoleBinding is currently applied to
-	Namespaces []string `json:"namespaces,omitempty"`
-}
-
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
-//+kubebuilder:resource:scope=Cluster
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
 
 // RoleBindingTemplate is the Schema for the rolebindingtemplates API
 type RoleBindingTemplate struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta `json:",inline"`
 
-	Spec   RoleBindingTemplateSpec   `json:"spec,omitempty"`
-	Status RoleBindingTemplateStatus `json:"status,omitempty"`
+	// metadata is a standard object metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty,omitzero"`
+
+	// spec defines the desired state of RoleBindingTemplate
+	// +required
+	Spec RoleBindingTemplateSpec `json:"spec"`
+
+	// status defines the observed state of RoleBindingTemplate
+	// +optional
+	Status RoleBindingTemplateStatus `json:"status,omitempty,omitzero"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // RoleBindingTemplateList contains a list of RoleBindingTemplate
 type RoleBindingTemplateList struct {
@@ -58,11 +60,30 @@ type RoleBindingTemplateList struct {
 	Items           []RoleBindingTemplate `json:"items"`
 }
 
+// RoleBindingTemplateMetadata holds metadata that should be added to created RoleBindings
+type RoleBindingTemplateMetadata struct {
+	// Name of the RoleBinding
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// Labels to be added to created RoleBindings
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+
+	// Annotations to be added to created RoleBindings
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// Finalizers to be added to created RoleBindings
+	// +optional
+	Finalizers []string `json:"finalizers,omitempty"`
+}
+
 // RoleBindingTemplateResource describes the data needed to create a rolebinding from a template.
 type RoleBindingTemplateResource struct {
-	// Standard object's metadata.
+	// Metadata holds metadata that should be added to created RoleBindings
 	// +optional
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Metadata RoleBindingTemplateMetadata `json:"metadata,omitempty"`
 
 	// Subjects holds references to the objects the role applies to.
 	// +optional
@@ -75,13 +96,44 @@ type RoleBindingTemplateResource struct {
 
 // RoleBindingTemplateScopes describes the scopes the RoleBindingTemplate should be applied to
 type RoleBindingTemplateScopes struct {
-	OrganizationSelector ScopeSelector `json:"organizationSelector"`
+	OrganizationSelector metav1.LabelSelector `json:"organizationSelector"`
 }
 
-// ScopeSelector wraps a k8s label selector
-type ScopeSelector struct {
-	MatchLabels      map[string]string                 `json:"matchLabels,omitempty"`
-	MatchExpressions []metav1.LabelSelectorRequirement `json:"matchExpressions,omitempty"`
+// RoleBindingTemplateStatus Status.Conditions types
+const (
+	ReadyCondition string = "Ready"
+)
+
+// RoleBindingTemplateStatus Status.Conditions reasons
+const (
+	ProgressingReason string = "Progressing"
+	FailedReason      string = "Failed"
+	SucceededReason   string = "Succeeded"
+)
+
+// RoleBindingTemplateNamespaceFailure represents a failed namespace deployment and it's reason.
+type RoleBindingTemplateNamespaceFailure struct {
+	// Namespace is the namespace that failed when trying to apply the RoleBindingTemplate
+	Namespace string `json:"namespace"`
+
+	// Reason is why the RoleBindingTemplate failed to apply to the namespace
+	Reason string `json:"reason,omitempty"`
+}
+
+// RoleBindingTemplateStatus defines the observed state of RoleBindingTemplate.
+type RoleBindingTemplateStatus struct {
+	// Failed namespaces are the namespaces that failed
+	// +optional
+	FailedNamespaces []RoleBindingTemplateNamespaceFailure `json:"failedNamespaces"`
+
+	// ProvisionedNamespaces are the namespaces where the RoleBindingTemplate has created rolebindings
+	// +optional
+	ProvisionedNamespaces []string `json:"provisionedNamespaces"`
+
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
 func init() {