humio · SaaldjorMike · May 12, 2025
diff --git a/PROJECT b/PROJECT
@@ -137,4 +137,13 @@ resources:
   kind: HumioUser
   path: github.com/humio/humio-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: humio.com
+  group: core
+  kind: HumioSystemPermissionRole
+  path: github.com/humio/humio-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"
diff --git a/api/v1alpha1/humiosystempermissionrole_types.go b/api/v1alpha1/humiosystempermissionrole_types.go
@@ -0,0 +1,90 @@
+/*
+Copyright 2020 Humio https://humio.com
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	// HumioSystemPermissionRoleStateUnknown is the Unknown state of the system permission role
+	HumioSystemPermissionRoleStateUnknown = "Unknown"
+	// HumioSystemPermissionRoleStateExists is the Exists state of the system permission role
+	HumioSystemPermissionRoleStateExists = "Exists"
+	// HumioSystemPermissionRoleStateNotFound is the NotFound state of the system permission role
+	HumioSystemPermissionRoleStateNotFound = "NotFound"
+	// HumioSystemPermissionRoleStateConfigError is the state of the system permission role when user-provided specification results in configuration error, such as non-existent humio cluster
+	HumioSystemPermissionRoleStateConfigError = "ConfigError"
+)
+
+// HumioSystemPermissionRoleSpec defines the desired state of HumioSystemPermissionRole.
+// +kubebuilder:validation:XValidation:rule="(has(self.managedClusterName) && self.managedClusterName != \"\") != (has(self.externalClusterName) && self.externalClusterName != \"\")",message="Must specify exactly one of managedClusterName or externalClusterName"
+type HumioSystemPermissionRoleSpec struct {
+	// ManagedClusterName refers to an object of type HumioCluster that is managed by the operator where the Humio
+	// resources should be created.
+	// This conflicts with ExternalClusterName.
+	ManagedClusterName string `json:"managedClusterName,omitempty"`
+	// ExternalClusterName refers to an object of type HumioExternalCluster where the Humio resources should be created.
+	// This conflicts with ManagedClusterName.
+	ExternalClusterName string `json:"externalClusterName,omitempty"`
+	// Name is the name of the role inside Humio
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+	// Permissions is the list of system permissions that this role grants.
+	// For more details, see https://library.humio.com/logscale-graphql-reference-datatypes/graphql-enum-systempermission.html
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:items:MinLength=1
+	// +listType=set
+	Permissions []string `json:"permissions"`
+	// TODO: Add support for assigning the role to groups
+	// Groups *string `json:"groups,omitempty"`
+}
+
+// HumioSystemPermissionRoleStatus defines the observed state of HumioSystemPermissionRole.
+type HumioSystemPermissionRoleStatus struct {
+	// State reflects the current state of the HumioSystemPermissionRole
+	State string `json:"state,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// HumioSystemPermissionRole is the Schema for the humiosystempermissionroles API.
+type HumioSystemPermissionRole struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// +kubebuilder:validation:Required
+	Spec   HumioSystemPermissionRoleSpec   `json:"spec"`
+	Status HumioSystemPermissionRoleStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// HumioSystemPermissionRoleList contains a list of HumioSystemPermissionRole.
+type HumioSystemPermissionRoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []HumioSystemPermissionRole `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&HumioSystemPermissionRole{}, &HumioSystemPermissionRoleList{})
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/humio-operator/crds/core.humio.com_humiosystempermissionroles.yaml b/charts/humio-operator/crds/core.humio.com_humiosystempermissionroles.yaml
@@ -0,0 +1,100 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.0
+  name: humiosystempermissionroles.core.humio.com
+  labels:
+    app: 'humio-operator'
+    app.kubernetes.io/name: 'humio-operator'
+    app.kubernetes.io/instance: 'humio-operator'
+    app.kubernetes.io/managed-by: 'Helm'
+    helm.sh/chart: 'humio-operator-0.28.2'
+spec:
+  group: core.humio.com
+  names:
+    kind: HumioSystemPermissionRole
+    listKind: HumioSystemPermissionRoleList
+    plural: humiosystempermissionroles
+    singular: humiosystempermissionrole
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: HumioSystemPermissionRole is the Schema for the humiosystempermissionroles
+          API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HumioSystemPermissionRoleSpec defines the desired state of
+              HumioSystemPermissionRole.
+            properties:
+              externalClusterName:
+                description: |-
+                  ExternalClusterName refers to an object of type HumioExternalCluster where the Humio resources should be created.
+                  This conflicts with ManagedClusterName.
+                type: string
+              managedClusterName:
+                description: |-
+                  ManagedClusterName refers to an object of type HumioCluster that is managed by the operator where the Humio
+                  resources should be created.
+                  This conflicts with ExternalClusterName.
+                type: string
+              name:
+                description: Name is the name of the role inside Humio
+                minLength: 1
+                type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
+              permissions:
+                description: |-
+                  Permissions is the list of system permissions that this role grants.
+                  For more details, see https://library.humio.com/logscale-graphql-reference-datatypes/graphql-enum-systempermission.html
+                items:
+                  minLength: 1
+                  type: string
+                minItems: 1
+                type: array
+                x-kubernetes-list-type: set
+            required:
+            - name
+            - permissions
+            type: object
+            x-kubernetes-validations:
+            - message: Must specify exactly one of managedClusterName or externalClusterName
+              rule: (has(self.managedClusterName) && self.managedClusterName != "")
+                != (has(self.externalClusterName) && self.externalClusterName != "")
+          status:
+            description: HumioSystemPermissionRoleStatus defines the observed state
+              of HumioSystemPermissionRole.
+            properties:
+              state:
+                description: State reflects the current state of the HumioSystemPermissionRole
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/charts/humio-operator/templates/operator-rbac.yaml b/charts/humio-operator/templates/operator-rbac.yaml
@@ -112,6 +112,9 @@ rules:
   - humioscheduledsearches
   - humioscheduledsearches/finalizers
   - humioscheduledsearches/status
+  - humiosystempermissionroles
+  - humiosystempermissionroles/finalizers
+  - humiosystempermissionroles/status
   verbs:
   - create
   - delete

diff --git a/cmd/main.go b/cmd/main.go
@@ -418,4 +418,15 @@ func setupControllers(mgr ctrl.Manager, log logr.Logger, requeuePeriod time.Dura
 		ctrl.Log.Error(err, "unable to create controller", "controller", "HumioUser")
 		os.Exit(1)
 	}
+	if err = (&controller.HumioSystemPermissionRoleReconciler{
+		Client: mgr.GetClient(),
+		CommonConfig: controller.CommonConfig{
+			RequeuePeriod: requeuePeriod,
+		},
+		HumioClient: humio.NewClient(log, userAgent),
+		BaseLogger:  log,
+	}).SetupWithManager(mgr); err != nil {
+		ctrl.Log.Error(err, "unable to create controller", "controller", "HumioSystemPermissionRole")
+		os.Exit(1)
+	}
 }