feat: implement RoleGenerator with custom models and type-safe RoleVerb enum (#366)

* Initial plan

* feat: implement RoleGenerator with custom models using BaseKubernetesGenerator

Co-authored-by: devantler <[email protected]>

* feat: complete RoleGenerator implementation with comprehensive test coverage

Co-authored-by: devantler <[email protected]>

* refactor: rename ClusterRoleVerb to RoleVerb for better semantic clarity

Co-authored-by: devantler <[email protected]>

* Update src/DevantlerTech.KubernetesGenerator.Native/Models/Role.cs

Co-authored-by: Copilot <[email protected]>
Signed-off-by: Nikolai Emil Damm <[email protected]>

---------

Signed-off-by: Nikolai Emil Damm <[email protected]>
Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: devantler <[email protected]>
Co-authored-by: Nikolai Emil Damm <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

src/DevantlerTech.KubernetesGenerator.Native/Models/ClusterRoleRule.cs

@@ -8,7 +8,7 @@ public class ClusterRoleRule
   /// <summary>
   /// Gets or sets the verbs that apply to the resources.
   /// </summary>
-  public required IList<ClusterRoleVerb> Verbs { get; init; } = [];
+  public required IList<RoleVerb> Verbs { get; init; } = [];
 
   /// <summary>
   /// Gets or sets the API groups that the rule applies to.

src/DevantlerTech.KubernetesGenerator.Native/Models/Role.cs

@@ -0,0 +1,28 @@
+namespace DevantlerTech.KubernetesGenerator.Native.Models;
+
+/// <summary>
+/// Represents a role for Kubernetes RBAC with type-safe options.
+/// Uses BaseKubernetesGenerator to generate Kubernetes RBAC roles programmatically.
+/// </summary>
+public class Role
+{
+  /// <summary>
+  /// Gets or sets the API version for the role.
+  /// </summary>
+  public string ApiVersion { get; set; } = "rbac.authorization.k8s.io/v1";
+
+  /// <summary>
+  /// Gets or sets the kind of the resource.
+  /// </summary>
+  public string Kind { get; set; } = "Role";
+
+  /// <summary>
+  /// Gets or sets the metadata for the role.
+  /// </summary>
+  public required Metadata Metadata { get; set; }
+
+  /// <summary>
+  /// Gets or sets the rules that define the permissions.
+  /// </summary>
+  public IList<RoleRule>? Rules { get; init; }
+}

src/DevantlerTech.KubernetesGenerator.Native/Models/RoleRule.cs

@@ -0,0 +1,29 @@
+namespace DevantlerTech.KubernetesGenerator.Native.Models;
+
+/// <summary>
+/// Represents a rule for role permissions with type-safe verbs.
+/// </summary>
+public class RoleRule
+{
+  /// <summary>
+  /// Gets or sets the verbs that apply to the resources.
+  /// </summary>
+  public required IList<RoleVerb> Verbs { get; init; } = [];
+
+  /// <summary>
+  /// Gets or sets the API groups that the rule applies to.
+  /// Empty string "" means the core API group.
+  /// </summary>
+  public IList<string>? ApiGroups { get; init; }
+
+  /// <summary>
+  /// Gets or sets the resources that the rule applies to.
+  /// </summary>
+  public IList<string>? Resources { get; init; }
+
+  /// <summary>
+  /// Gets or sets specific resource names that the rule applies to.
+  /// If empty, applies to all resources of the specified type.
+  /// </summary>
+  public IList<string>? ResourceNames { get; init; }
+}

…nerator.Native/Models/ClusterRoleVerb.cs …netesGenerator.Native/Models/RoleVerb.cssrc/DevantlerTech.KubernetesGenerator.Native/Models/ClusterRoleVerb.cs renamed to src/DevantlerTech.KubernetesGenerator.Native/Models/RoleVerb.cs src/DevantlerTech.KubernetesGenerator.Native/Models/ClusterRoleVerb.cs renamed to src/DevantlerTech.KubernetesGenerator.Native/Models/RoleVerb.cs

@@ -3,9 +3,9 @@
 namespace DevantlerTech.KubernetesGenerator.Native.Models;
 
 /// <summary>
-/// Represents the verbs that can be used in ClusterRole rules.
+/// Represents the verbs that can be used in Role and ClusterRole rules.
 /// </summary>
-public enum ClusterRoleVerb
+public enum RoleVerb
 {
   /// <summary>
   /// Read the specified resource.

src/DevantlerTech.KubernetesGenerator.Native/RoleGenerator.cs

@@ -1,11 +1,12 @@
 using DevantlerTech.KubernetesGenerator.Core;
-using k8s.Models;
+using DevantlerTech.KubernetesGenerator.Native.Models;
 
 namespace DevantlerTech.KubernetesGenerator.Native;
 
 /// <summary>
-/// A generator for Kubernetes Role objects.
+/// A generator for Kubernetes Role objects using custom models with type-safe options.
+/// Uses BaseKubernetesGenerator since kubectl create role requires API server connectivity.
 /// </summary>
-public class RoleGenerator : BaseKubernetesGenerator<V1Role>
+public class RoleGenerator : BaseKubernetesGenerator<Role>
 {
 }

tests/DevantlerTech.KubernetesGenerator.Native.Tests/ClusterRoleGeneratorTests/GenerateAsyncTests.cs

@@ -26,7 +26,7 @@ public async Task GenerateAsync_WithBasicRule_ShouldGenerateAValidClusterRole()
       [
         new ClusterRoleRule
         {
-          Verbs = [ClusterRoleVerb.Get, ClusterRoleVerb.List, ClusterRoleVerb.Watch],
+          Verbs = [RoleVerb.Get, RoleVerb.List, RoleVerb.Watch],
           ApiGroups = [""],
           Resources = ["pods"]
         }
@@ -67,7 +67,7 @@ public async Task GenerateAsync_WithResourceNames_ShouldGenerateAValidClusterRol
       [
         new ClusterRoleRule
         {
-          Verbs = [ClusterRoleVerb.Get],
+          Verbs = [RoleVerb.Get],
           ApiGroups = [""],
           Resources = ["pods"],
           ResourceNames = ["my-pod", "another-pod"]
@@ -109,7 +109,7 @@ public async Task GenerateAsync_WithApiGroups_ShouldGenerateAValidClusterRole()
       [
         new ClusterRoleRule
         {
-          Verbs = [ClusterRoleVerb.Get, ClusterRoleVerb.List, ClusterRoleVerb.Watch],
+          Verbs = [RoleVerb.Get, RoleVerb.List, RoleVerb.Watch],
           ApiGroups = ["apps"],
           Resources = ["replicasets"]
         }
@@ -150,7 +150,7 @@ public async Task GenerateAsync_WithNonResourceUrls_ShouldGenerateAValidClusterR
       [
         new ClusterRoleRule
         {
-          Verbs = [ClusterRoleVerb.Get],
+          Verbs = [RoleVerb.Get],
           NonResourceURLs = ["/logs/*", "/metrics"]
         }
       ]
@@ -244,20 +244,20 @@ public async Task GenerateAsync_WithComprehensiveFeatures_ShouldGenerateAValidCl
       [
         new ClusterRoleRule
         {
-          Verbs = [ClusterRoleVerb.Get, ClusterRoleVerb.List, ClusterRoleVerb.Watch],
+          Verbs = [RoleVerb.Get, RoleVerb.List, RoleVerb.Watch],
           ApiGroups = [""],
           Resources = ["pods", "services"]
         },
         new ClusterRoleRule
         {
-          Verbs = [ClusterRoleVerb.Get, ClusterRoleVerb.List],
+          Verbs = [RoleVerb.Get, RoleVerb.List],
           ApiGroups = ["apps"],
           Resources = ["deployments", "replicasets"],
           ResourceNames = ["my-deployment"]
         },
         new ClusterRoleRule
         {
-          Verbs = [ClusterRoleVerb.Get],
+          Verbs = [RoleVerb.Get],
           NonResourceURLs = ["/api/*", "/metrics"]
         }
       ]

tests/DevantlerTech.KubernetesGenerator.Native.Tests/RoleGeneratorTests/GenerateAsyncTests.cs

@@ -1,4 +1,5 @@
-using k8s.Models;
+using DevantlerTech.KubernetesGenerator.Core;
+using DevantlerTech.KubernetesGenerator.Native.Models;
 
 namespace DevantlerTech.KubernetesGenerator.Native.Tests.RoleGeneratorTests;
 
@@ -9,32 +10,27 @@ namespace DevantlerTech.KubernetesGenerator.Native.Tests.RoleGeneratorTests;
 public sealed class GenerateAsyncTests
 {
   /// <summary>
-  /// Verifies the generated Role object.
+  /// Verifies the generated Role object with basic permissions.
   /// </summary>
   /// <returns></returns>
   [Fact]
-  public async Task GenerateAsync_WithAllPropertiesSet_ShouldGenerateAValidRole()
+  public async Task GenerateAsync_WithBasicRole_ShouldGenerateAValidRole()
   {
     // Arrange
     var generator = new RoleGenerator();
-    var model = new V1Role
+    var model = new Role
     {
-      ApiVersion = "rbac.authorization.k8s.io/v1",
-      Kind = "Role",
-      Metadata = new V1ObjectMeta
+      Metadata = new Metadata
       {
-        Name = "role",
-        NamespaceProperty = "default"
+        Name = "pod-reader",
+        Namespace = "default"
       },
       Rules =
       [
-        new V1PolicyRule
+        new RoleRule
         {
-          ApiGroups = ["api-group"],
-          NonResourceURLs = ["url"],
-          ResourceNames = ["resource-name"],
-          Resources = ["resource"],
-          Verbs = ["verb"]
+          Verbs = [RoleVerb.Get, RoleVerb.List, RoleVerb.Watch],
+          Resources = ["pods"]
         }
       ]
     };
@@ -53,4 +49,151 @@ public async Task GenerateAsync_WithAllPropertiesSet_ShouldGenerateAValidRole()
     // Cleanup
     File.Delete(outputPath);
   }
+
+  /// <summary>
+  /// Verifies the generated Role object with complex permissions including API groups and resource names.
+  /// </summary>
+  /// <returns></returns>
+  [Fact]
+  public async Task GenerateAsync_WithComplexRole_ShouldGenerateAValidRole()
+  {
+    // Arrange
+    var generator = new RoleGenerator();
+    var model = new Role
+    {
+      Metadata = new Metadata
+      {
+        Name = "complex-role",
+        Namespace = "test-namespace"
+      },
+      Rules =
+      [
+        new RoleRule
+        {
+          Verbs = [RoleVerb.Get, RoleVerb.Create],
+          Resources = ["pods", "services"],
+          ApiGroups = ["", "apps"],
+          ResourceNames = ["my-pod", "my-service"]
+        }
+      ]
+    };
+
+    // Act
+    string fileName = "complex-role.yaml";
+    string outputPath = Path.Combine(Path.GetTempPath(), fileName);
+    if (File.Exists(outputPath))
+      File.Delete(outputPath);
+    await generator.GenerateAsync(model, outputPath);
+    string fileContent = await File.ReadAllTextAsync(outputPath);
+
+    // Assert
+    _ = await Verify(fileContent, extension: "yaml").UseFileName(fileName);
+
+    // Cleanup
+    File.Delete(outputPath);
+  }
+
+  /// <summary>
+  /// Verifies that a <see cref="KubernetesGeneratorException"/> is thrown when the model does not have a name set.
+  /// </summary>
+  [Fact]
+  public async Task GenerateAsync_WithoutName_ShouldThrowKubernetesGeneratorException()
+  {
+    // Arrange
+    var generator = new RoleGenerator();
+    var model = new Role
+    {
+      Metadata = new Metadata
+      {
+        Name = ""  // Empty name should trigger validation
+      },
+      Rules =
+      [
+        new RoleRule
+        {
+          Verbs = [RoleVerb.Get],
+          Resources = ["pods"]
+        }
+      ]
+    };
+
+    // Act & Assert
+    _ = await Assert.ThrowsAsync<KubernetesGeneratorException>(() => generator.GenerateAsync(model, Path.GetTempFileName()));
+  }
+
+  /// <summary>
+  /// Verifies that a <see cref="KubernetesGeneratorException"/> is thrown when the model does not have any rules.
+  /// </summary>
+  [Fact]
+  public async Task GenerateAsync_WithoutRules_ShouldThrowKubernetesGeneratorException()
+  {
+    // Arrange
+    var generator = new RoleGenerator();
+    var model = new Role
+    {
+      Metadata = new Metadata
+      {
+        Name = "test-role"
+      }
+    };
+
+    // Act & Assert
+    _ = await Assert.ThrowsAsync<KubernetesGeneratorException>(() => generator.GenerateAsync(model, Path.GetTempFileName()));
+  }
+
+  /// <summary>
+  /// Verifies that a <see cref="KubernetesGeneratorException"/> is thrown when a rule has no verbs.
+  /// </summary>
+  [Fact]
+  public async Task GenerateAsync_WithRuleWithoutVerbs_ShouldThrowKubernetesGeneratorException()
+  {
+    // Arrange
+    var generator = new RoleGenerator();
+    var model = new Role
+    {
+      Metadata = new Metadata
+      {
+        Name = "test-role"
+      },
+      Rules =
+      [
+        new RoleRule
+        {
+          Verbs = [], // Empty verbs should trigger validation
+          Resources = ["pods"]
+        }
+      ]
+    };
+
+    // Act & Assert
+    _ = await Assert.ThrowsAsync<KubernetesGeneratorException>(() => generator.GenerateAsync(model, Path.GetTempFileName()));
+  }
+
+  /// <summary>
+  /// Verifies that a <see cref="KubernetesGeneratorException"/> is thrown when a rule has no resources.
+  /// </summary>
+  [Fact]
+  public async Task GenerateAsync_WithRuleWithoutResources_ShouldThrowKubernetesGeneratorException()
+  {
+    // Arrange
+    var generator = new RoleGenerator();
+    var model = new Role
+    {
+      Metadata = new Metadata
+      {
+        Name = "test-role"
+      },
+      Rules =
+      [
+        new RoleRule
+        {
+          Verbs = [RoleVerb.Get]
+          // Resources missing - should trigger validation
+        }
+      ]
+    };
+
+    // Act & Assert
+    _ = await Assert.ThrowsAsync<KubernetesGeneratorException>(() => generator.GenerateAsync(model, Path.GetTempFileName()));
+  }
 }

tests/DevantlerTech.KubernetesGenerator.Native.Tests/RoleGeneratorTests/complex-role.yaml.verified.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: test-namespace
+  name: complex-role
+rules:
+- verbs:
+  - get
+  - create
+  apiGroups:
+  - ''
+  - apps
+  resources:
+  - pods
+  - services
+  resourceNames:
+  - my-pod
+  - my-service