From 7f02b829c6b0f9440bdb97a45fb87f2c37562104 Mon Sep 17 00:00:00 2001
From: Pavel Tishkov
Date: Thu, 28 Nov 2024 17:16:17 +0300
Subject: [PATCH] feat(module): fix roles
Signed-off-by: Pavel Tishkov
---
 .../rbacv2/manage/{ => permissions}/manage_internals.yaml | 2 +-
 .../rbacv2/manage/{ => permissions}/manage_resources.yaml | 0
 .../rbacv2/manage/{ => permissions}/view_resources.yaml | 0
 templates/rbacv2/manage/roles/manager.yaml | 2 +-
 templates/rbacv2/use/{ => roles}/admin.yaml | 1 +
 templates/rbacv2/use/{ => roles}/manager.yaml | 0
 templates/rbacv2/use/{ => roles}/super-admin.yaml | 5 +++++
 templates/rbacv2/use/{ => roles}/user.yaml | 0
 templates/rbacv2/use/{ => roles}/viewer.yaml | 0
 9 files changed, 8 insertions(+), 2 deletions(-)
 rename templates/rbacv2/manage/{ => permissions}/manage_internals.yaml (94%)
 rename templates/rbacv2/manage/{ => permissions}/manage_resources.yaml (100%)
 rename templates/rbacv2/manage/{ => permissions}/view_resources.yaml (100%)
 rename templates/rbacv2/use/{ => roles}/admin.yaml (86%)
 rename templates/rbacv2/use/{ => roles}/manager.yaml (100%)
 rename templates/rbacv2/use/{ => roles}/super-admin.yaml (63%)
 rename templates/rbacv2/use/{ => roles}/user.yaml (100%)
 rename templates/rbacv2/use/{ => roles}/viewer.yaml (100%)
diff --git a/templates/rbacv2/manage/manage_internals.yaml b/templates/rbacv2/manage/permissions/manage_internals.yaml
similarity index 94%
rename from templates/rbacv2/manage/manage_internals.yaml
rename to templates/rbacv2/manage/permissions/manage_internals.yaml
index dada5adcda..7e548ffb43 100644
--- a/templates/rbacv2/manage/manage_internals.yaml
+++ b/templates/rbacv2/manage/permissions/manage_internals.yaml
@@ -9,7 +9,7 @@ metadata:
 rbac.deckhouse.io/kind: manage
 rbac.deckhouse.io/level: module
 rbac.deckhouse.io/namespace: d8-virtualization
- name: d8:manage:capability:virtualization:manage_internals
+ name: d8:manage:permission:virtualization:manage_internals
 rules:
 - apiGroups:
 - cdi.internal.virtualization.deckhouse.io
diff --git a/templates/rbacv2/manage/manage_resources.yaml b/templates/rbacv2/manage/permissions/manage_resources.yaml
similarity index 100%
rename from templates/rbacv2/manage/manage_resources.yaml
rename to templates/rbacv2/manage/permissions/manage_resources.yaml
diff --git a/templates/rbacv2/manage/view_resources.yaml b/templates/rbacv2/manage/permissions/view_resources.yaml
similarity index 100%
rename from templates/rbacv2/manage/view_resources.yaml
rename to templates/rbacv2/manage/permissions/view_resources.yaml
diff --git a/templates/rbacv2/manage/roles/manager.yaml b/templates/rbacv2/manage/roles/manager.yaml
index db23f2f7e3..8883feb3c4 100644
--- a/templates/rbacv2/manage/roles/manager.yaml
+++ b/templates/rbacv2/manage/roles/manager.yaml
@@ -9,7 +9,7 @@ metadata:
 rbac.deckhouse.io/kind: manage
 rbac.deckhouse.io/level: subsystem
 rbac.deckhouse.io/subsystem: virtualization
- #rbac.deckhouse.io/aggregate-to-virtualization-as: disaster-admin
+ rbac.deckhouse.io/aggregate-to-virtualization-as: super-admin
 rbac.deckhouse.io/aggregate-to-all-as: manager
 aggregationRule:
 clusterRoleSelectors:
diff --git a/templates/rbacv2/use/admin.yaml b/templates/rbacv2/use/roles/admin.yaml
similarity index 86%
rename from templates/rbacv2/use/admin.yaml
rename to templates/rbacv2/use/roles/admin.yaml
index 9e2b4fe268..9da045f862 100644
--- a/templates/rbacv2/use/admin.yaml
+++ b/templates/rbacv2/use/roles/admin.yaml
@@ -6,6 +6,7 @@ metadata:
 heritage: deckhouse
 module: virtualization
 rbac.deckhouse.io/aggregate-to-all-as: admin
+ rbac.deckhouse.io/aggregate-to-virtualization-as: super-admin
 rbac.deckhouse.io/kind: use
 aggregationRule:
 clusterRoleSelectors:
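Review bot: The new `name: d8:manage:permission:virtualization:manage_internals` in `manage/permissions/manage_internals.yaml` produces a different ClusterRole object instead of renaming the existing one, so any binding whose `roleRef.name` still uses the `d8:manage:capability:…` name would stop granting access after upgrade, without an error. The patch does not show whether this role is reached only through label aggregation; if it is, the change is safe. One line in the commit description stating how the role is consumed, and that no bindings reference it by name, would settle this for reviewers. The `rules` list continues outside the hunk.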
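Review bot: The label `rbac.deckhouse.io/aggregate-to-virtualization-as: super-admin` enabled in `manage/roles/manager.yaml` sits on a role with `rbac.deckhouse.io/kind: manage`, but the only selector for that label visible in this patch also requires `rbac.deckhouse.io/kind: use`, so it will not match this role. That selector is the `aggregationRule` added to `use/roles/super-admin.yaml`. Either a manage-scope aggregator outside this patch consumes the label, or the label has no effect here. A comment above the label naming its consumer would make the intended privilege path reviewable, for example `# picked up by <name of the manage-scope super-admin ClusterRole>`. The metadata block and this role's own `aggregationRule` continue outside the hunk.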
diff --git a/templates/rbacv2/use/manager.yaml b/templates/rbacv2/use/roles/manager.yaml
similarity index 100%
rename from templates/rbacv2/use/manager.yaml
rename to templates/rbacv2/use/roles/manager.yaml
diff --git a/templates/rbacv2/use/super-admin.yaml b/templates/rbacv2/use/roles/super-admin.yaml
similarity index 63%
rename from templates/rbacv2/use/super-admin.yaml
rename to templates/rbacv2/use/roles/super-admin.yaml
index 1b3126561d..b9489ac6de 100644
--- a/templates/rbacv2/use/super-admin.yaml
+++ b/templates/rbacv2/use/roles/super-admin.yaml
@@ -8,4 +8,9 @@ metadata:
 rbac.deckhouse.io/aggregate-to-role: super-admin
 rbac.deckhouse.io/kind: use
 name: d8:use:virtualization:super-admin
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.deckhouse.io/kind: use
+ rbac.deckhouse.io/aggregate-to-virtualization-as: super-admin
 rules: []
diff --git a/templates/rbacv2/use/user.yaml b/templates/rbacv2/use/roles/user.yaml
similarity index 100%
rename from templates/rbacv2/use/user.yaml
rename to templates/rbacv2/use/roles/user.yaml
diff --git a/templates/rbacv2/use/viewer.yaml b/templates/rbacv2/use/roles/viewer.yaml
similarity index 100%
rename from templates/rbacv2/use/viewer.yaml
rename to templates/rbacv2/use/roles/viewer.yaml
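Review bot: In `use/roles/super-admin.yaml` the `rules: []` line left under the new `aggregationRule` is no longer the source of this role's permissions, because the aggregation controller overwrites `rules` on an aggregated ClusterRole. Rules added there later would be discarded, and re-applying the template may briefly reset the role to empty until the controller reconciles. A comment on that line would record this, e.g. `# managed by the aggregation controller; add permissions via labelled ClusterRoles`. The selector also means any ClusterRole carrying both `rbac.deckhouse.io/kind: use` and `rbac.deckhouse.io/aggregate-to-virtualization-as: super-admin` is folded into super-admin, including the aggregated admin role labelled in `use/roles/admin.yaml`. It is worth saying in the commit description that this widening is intended.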