humio · SaaldjorMike · May 26, 2025 · May 19, 2025 · May 22, 2025 · May 22, 2025
diff --git a/api/v1alpha1/humiogroup_types.go b/api/v1alpha1/humiogroup_types.go
@@ -26,12 +26,12 @@ type HumioGroupSpec struct {
 	// This conflicts with ManagedClusterName.
 	ExternalClusterName string `json:"externalClusterName,omitempty"`
 	// Name is the display name of the HumioGroup
-	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MinLength=2
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
 	// ExternalMappingName is the mapping name from the external provider that will assign the user to this HumioGroup
-	// +kubebuilder:validation:MinLength=2
+	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Optional
 	ExternalMappingName *string `json:"externalMappingName,omitempty"`
 }

diff --git a/api/v1alpha1/humioorganizationpermissionrole_types.go b/api/v1alpha1/humioorganizationpermissionrole_types.go
@@ -53,8 +53,12 @@ type HumioOrganizationPermissionRoleSpec struct {
 	// +kubebuilder:validation:items:MinLength=1
 	// +listType=set
 	Permissions []string `json:"permissions"`
-	// TODO: Add support for assigning the role to groups
-	// Groups *string `json:"groups,omitempty"`
+	// RoleAssignmentGroupNames lists the names of LogScale groups that this role is assigned to.
+	// It is optional to specify the list of role assignments. If not specified, the role will not be assigned to any groups.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:items:MinLength=1
+	// +listType=set
+	RoleAssignmentGroupNames []string `json:"roleAssignmentGroupNames,omitempty"`
 }
 
 // HumioOrganizationPermissionRoleStatus defines the observed state of HumioOrganizationPermissionRole.

diff --git a/api/v1alpha1/humiosystempermissionrole_types.go b/api/v1alpha1/humiosystempermissionrole_types.go
@@ -53,8 +53,12 @@ type HumioSystemPermissionRoleSpec struct {
 	// +kubebuilder:validation:items:MinLength=1
 	// +listType=set
 	Permissions []string `json:"permissions"`
-	// TODO: Add support for assigning the role to groups
-	// Groups *string `json:"groups,omitempty"`
+	// RoleAssignmentGroupNames lists the names of LogScale groups that this role is assigned to.
+	// It is optional to specify the list of role assignments. If not specified, the role will not be assigned to any groups.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:items:MinLength=1
+	// +listType=set
+	RoleAssignmentGroupNames []string `json:"roleAssignmentGroupNames,omitempty"`
 }
 
 // HumioSystemPermissionRoleStatus defines the observed state of HumioSystemPermissionRole.

diff --git a/api/v1alpha1/humioviewpermissionrole_types.go b/api/v1alpha1/humioviewpermissionrole_types.go
@@ -31,6 +31,18 @@ const (
 	HumioViewPermissionRoleStateConfigError = "ConfigError"
 )
 
+// HumioViewPermissionRoleAssignment specifies a view or repo and a group to assign it to.
+type HumioViewPermissionRoleAssignment struct {
+	// RepoOrViewName specifies the name of the view or repo to assign the view permission role.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Required
+	RepoOrViewName string `json:"repoOrViewName"`
+	// GroupName specifies the name of the group to assign the view permission role to.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Required
+	GroupName string `json:"groupName"`
+}
+
 // HumioViewPermissionRoleSpec defines the desired state of HumioViewPermissionRole.
 // +kubebuilder:validation:XValidation:rule="(has(self.managedClusterName) && self.managedClusterName != \"\") != (has(self.externalClusterName) && self.externalClusterName != \"\")",message="Must specify exactly one of managedClusterName or externalClusterName"
 type HumioViewPermissionRoleSpec struct {
@@ -53,8 +65,10 @@ type HumioViewPermissionRoleSpec struct {
 	// +kubebuilder:validation:items:MinLength=1
 	// +listType=set
 	Permissions []string `json:"permissions"`
-	// TODO: Add support for assigning the role to groups. These assignments do not just take a group name, but also a view for where this is assigned, so will need to adjust the field below to reflect that.
-	// Groups *string `json:"groups,omitempty"`
+	// RoleAssignments lists the names of LogScale groups that this role is assigned to and for which views/repositories.
+	// It is optional to specify the list of role assignments. If not specified, the role will not be assigned to any groups.
+	// +kubebuilder:validation:Optional
+	RoleAssignments []HumioViewPermissionRoleAssignment `json:"roleAssignments,omitempty"`
 }
 
 // HumioViewPermissionRoleStatus defines the observed state of HumioViewPermissionRole.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/humio-operator/crds/core.humio.com_humiogroups.yaml b/charts/humio-operator/crds/core.humio.com_humiogroups.yaml
@@ -58,7 +58,7 @@ spec:
               externalMappingName:
                 description: ExternalMappingName is the mapping name from the external
                   provider that will assign the user to this HumioGroup
-                minLength: 2
+                minLength: 1
                 type: string
               managedClusterName:
                 description: |-
@@ -68,7 +68,7 @@ spec:
                 type: string
               name:
                 description: Name is the display name of the HumioGroup
-                minLength: 1
+                minLength: 2
                 type: string
                 x-kubernetes-validations:
                 - message: Value is immutable

diff --git a/charts/humio-operator/crds/core.humio.com_humioorganizationpermissionroles.yaml b/charts/humio-operator/crds/core.humio.com_humioorganizationpermissionroles.yaml
@@ -75,6 +75,15 @@ spec:
                 minItems: 1
                 type: array
                 x-kubernetes-list-type: set
+              roleAssignmentGroupNames:
+                description: |-
+                  RoleAssignmentGroupNames lists the names of LogScale groups that this role is assigned to.
+                  It is optional to specify the list of role assignments. If not specified, the role will not be assigned to any groups.
+                items:
+                  minLength: 1
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
             required:
             - name
             - permissions

diff --git a/charts/humio-operator/crds/core.humio.com_humiosystempermissionroles.yaml b/charts/humio-operator/crds/core.humio.com_humiosystempermissionroles.yaml
@@ -75,6 +75,15 @@ spec:
                 minItems: 1
                 type: array
                 x-kubernetes-list-type: set
+              roleAssignmentGroupNames:
+                description: |-
+                  RoleAssignmentGroupNames lists the names of LogScale groups that this role is assigned to.
+                  It is optional to specify the list of role assignments. If not specified, the role will not be assigned to any groups.
+                items:
+                  minLength: 1
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
             required:
             - name
             - permissions

diff --git a/charts/humio-operator/crds/core.humio.com_humioviewpermissionroles.yaml b/charts/humio-operator/crds/core.humio.com_humioviewpermissionroles.yaml
@@ -75,6 +75,29 @@ spec:
                 minItems: 1
                 type: array
                 x-kubernetes-list-type: set
+              roleAssignments:
+                description: |-
+                  RoleAssignments lists the names of LogScale groups that this role is assigned to and for which views/repositories.
+                  It is optional to specify the list of role assignments. If not specified, the role will not be assigned to any groups.
+                items:
+                  description: HumioViewPermissionRoleAssignment specifies a view
+                    or repo and a group to assign it to.
+                  properties:
+                    groupName:
+                      description: GroupName specifies the name of the group to assign
+                        the view permission role to.
+                      minLength: 1
+                      type: string
+                    repoOrViewName:
+                      description: RepoOrViewName specifies the name of the view or
+                        repo to assign the view permission role.
+                      minLength: 1
+                      type: string
+                  required:
+                  - groupName
+                  - repoOrViewName
+                  type: object
+                type: array
             required:
             - name
             - permissions

diff --git a/config/crd/bases/core.humio.com_humiogroups.yaml b/config/crd/bases/core.humio.com_humiogroups.yaml
@@ -58,7 +58,7 @@ spec:
               externalMappingName:
                 description: ExternalMappingName is the mapping name from the external
                   provider that will assign the user to this HumioGroup
-                minLength: 2
+                minLength: 1
                 type: string
               managedClusterName:
                 description: |-
@@ -68,7 +68,7 @@ spec:
                 type: string
               name:
                 description: Name is the display name of the HumioGroup
-                minLength: 1
+                minLength: 2
                 type: string
                 x-kubernetes-validations:
                 - message: Value is immutable

diff --git a/config/crd/bases/core.humio.com_humioorganizationpermissionroles.yaml b/config/crd/bases/core.humio.com_humioorganizationpermissionroles.yaml
@@ -75,6 +75,15 @@ spec:
                 minItems: 1
                 type: array
                 x-kubernetes-list-type: set
+              roleAssignmentGroupNames:
+                description: |-
+                  RoleAssignmentGroupNames lists the names of LogScale groups that this role is assigned to.
+                  It is optional to specify the list of role assignments. If not specified, the role will not be assigned to any groups.
+                items:
+                  minLength: 1
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
             required:
             - name
             - permissions

diff --git a/config/crd/bases/core.humio.com_humiosystempermissionroles.yaml b/config/crd/bases/core.humio.com_humiosystempermissionroles.yaml
@@ -75,6 +75,15 @@ spec:
                 minItems: 1
                 type: array
                 x-kubernetes-list-type: set
+              roleAssignmentGroupNames:
+                description: |-
+                  RoleAssignmentGroupNames lists the names of LogScale groups that this role is assigned to.
+                  It is optional to specify the list of role assignments. If not specified, the role will not be assigned to any groups.
+                items:
+                  minLength: 1
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
             required:
             - name
             - permissions

diff --git a/config/crd/bases/core.humio.com_humioviewpermissionroles.yaml b/config/crd/bases/core.humio.com_humioviewpermissionroles.yaml
@@ -75,6 +75,29 @@ spec:
                 minItems: 1
                 type: array
                 x-kubernetes-list-type: set
+              roleAssignments:
+                description: |-
+                  RoleAssignments lists the names of LogScale groups that this role is assigned to and for which views/repositories.
+                  It is optional to specify the list of role assignments. If not specified, the role will not be assigned to any groups.
+                items:
+                  description: HumioViewPermissionRoleAssignment specifies a view
+                    or repo and a group to assign it to.
+                  properties:
+                    groupName:
+                      description: GroupName specifies the name of the group to assign
+                        the view permission role to.
+                      minLength: 1
+                      type: string
+                    repoOrViewName:
+                      description: RepoOrViewName specifies the name of the view or
+                        repo to assign the view permission role.
+                      minLength: 1
+                      type: string
+                  required:
+                  - groupName
+                  - repoOrViewName
+                  type: object
+                type: array
             required:
             - name
             - permissions

diff --git a/config/samples/core_v1alpha1_humiogroup.yaml b/config/samples/core_v1alpha1_humiogroup.yaml
@@ -4,8 +4,5 @@ metadata:
   name: example-humiogroup-managed
 spec:
   managedClusterName: example-humiocluster
-  displayName: "example-group"
-  lookupName: "example-group-lookup-name"
-  assignments:
-    - roleName: "example-role"
-      viewName: "example-view"
+  name: "example-group"
+  externalMappingName: "example-group-lookup-name"
diff --git a/config/samples/core_v1alpha1_humioorganizationpermissionrole.yaml b/config/samples/core_v1alpha1_humioorganizationpermissionrole.yaml
@@ -9,4 +9,6 @@ spec:
   managedClusterName: example-humiocluster
   name: example-organization-permission-role
   permissions:
-    - CreateRepository
+    - CreateRepository
+  roleAssignmentGroupNames:
+    - example-group
diff --git a/config/samples/core_v1alpha1_humiosystempermissionrole.yaml b/config/samples/core_v1alpha1_humiosystempermissionrole.yaml
@@ -6,4 +6,9 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
   name: humiosystempermissionrole-sample
 spec:
-  # TODO(user): Add fields here
+  managedClusterName: example-humiocluster
+  name: example-system-permission-role
+  permissions:
+    - ReadHealthCheck
+  roleAssignmentGroupNames:
+    - example-group
diff --git a/config/samples/core_v1alpha1_humioviewpermissionrole.yaml b/config/samples/core_v1alpha1_humioviewpermissionrole.yaml
@@ -9,4 +9,7 @@ spec:
   managedClusterName: example-humiocluster
   name: example-view-permission-role
   permissions:
-    - ReadAccess
+    - ReadAccess
+  roleAssignments:
+    - repoOrViewName: humio
+      groupName: example-group