From 23baecc8d50478b1b1ebbf45da1eb4e0560a14cc Mon Sep 17 00:00:00 2001
From: Evan Vetere
Date: Mon, 29 Jun 2026 20:25:17 -0400
Subject: [PATCH 1/2] feat(iam): re-home audit-log-querier inheritance to activity service

Move the iam-user-self-manage -> activity.miloapis.com-audit-log-querier role inheritance out of the foundational control-plane layer and into the activity service overlay (config/services/activity), which is only applied once the activity stack is present.

The audit-log-querier Role is shipped by the activity service. Referencing it from the core role bundle forced the foundational milo control plane to depend on activity rolling out first -- an inverted dependency that pulled the foundation into datum-cloud/infra#2939.

This adds a partial Role manifest that, under server-side apply, merges a single inheritedRoles entry into the iam-user-self-manage Role. inheritedRoles is a map-type list keyed by name, so the activity overlay owns just this entry while the core role bundle continues to own launchStage and includedPermissions.

The core role bundle now has zero activity coupling.

Refs: milo-os/milo#676
Unblocks: datum-cloud/infra#2953
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 config/services/activity/kustomization.yaml | 3 +++
 ...am-user-self-manage-audit-log-querier.yaml | 24 +++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 config/services/activity/roles/iam-user-self-manage-audit-log-querier.yaml

diff --git a/config/services/activity/kustomization.yaml b/config/services/activity/kustomization.yaml
index 729d029c..e84a6c75 100644
--- a/config/services/activity/kustomization.yaml
+++ b/config/services/activity/kustomization.yaml
@@ -6,5 +6,8 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
+resources:
+ - roles/iam-user-self-manage-audit-log-querier.yaml
+
 components:
 - policies
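Review bot: The manifest registered under `resources:` carries the same kind and name as the iam-user-self-manage Role the core bundle ships, and kustomize rejects a second resource with an already registered id instead of merging it, so this Component must never be pulled into the same build as that bundle. The merge also happens only on the apply side: a client-side `kubectl apply` shares one last-applied annotation between appliers and can strip launchStage and includedPermissions from the live Role when this stub is applied after the core one, and a reconciler that replaces whole objects would do the same. A comment above the new entry would keep that constraint visible where the overlay is assembled: `# partial Role; relies on server-side apply and must not share a kustomize build with the core role bundle`.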
diff --git a/config/services/activity/roles/iam-user-self-manage-audit-log-querier.yaml b/config/services/activity/roles/iam-user-self-manage-audit-log-querier.yaml
new file mode 100644
index 00000000..2411d92c
--- /dev/null
+++ b/config/services/activity/roles/iam-user-self-manage-audit-log-querier.yaml
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: AGPL-3.0-only
+
+# Grants users the ability to query their own audit logs by inheriting the
+# activity.miloapis.com-audit-log-querier Role into iam-user-self-manage.
+#
+# This inheritance ships with the activity service overlay rather than the core
+# control-plane role bundle on purpose: the audit-log-querier Role is provided
+# by the activity stack, so referencing it from the foundational layer would
+# force the core control plane to depend on activity being up first (an
+# inverted dependency). Keeping it here means the core role bundle has zero
+# activity coupling, and this entry is only applied once activity is present.
+#
+# Under server-side apply this partial Role merges its single inheritedRoles
+# entry into the iam-user-self-manage Role owned by the core role bundle.
+# inheritedRoles is a map-type list keyed by name, so this overlay owns just
+# this entry while the core bundle continues to own launchStage and
+# includedPermissions.
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+ name: iam-user-self-manage
+spec:
+ inheritedRoles:
+ - name: activity.miloapis.com-audit-log-querier

From e9718a98b14da56fa0995a8e932c5fc29a56158d Mon Sep 17 00:00:00 2001
From: Evan Vetere
Date: Tue, 30 Jun 2026 12:57:05 -0400
Subject: [PATCH 2/2] chore(iam): trim explanatory comment from audit-log-querier role

---
 .../iam-user-self-manage-audit-log-querier.yaml | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/config/services/activity/roles/iam-user-self-manage-audit-log-querier.yaml b/config/services/activity/roles/iam-user-self-manage-audit-log-querier.yaml
index 2411d92c..8b95becb 100644
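Review bot: The merge-by-name this partial Role depends on holds only if the Role CRD declares `inheritedRoles` with `x-kubernetes-list-type: map` keyed on `name`; CRD lists are atomic by default, and an atomic list makes the overlay's apply either conflict with the core bundle's field manager or, when forced, replace the whole list and drop any other inherited roles on iam-user-self-manage. The entry also has to be applied under a field manager distinct from the core bundle's, otherwise each apply of the core Role, which does not list this entry, removes it again. On the authorization side, the file widens a role that every self-managing user presumably holds, and nothing in this manifest scopes the inherited querier permissions to the caller's own audit logs as the comment states — that scoping lives in the querier Role or the binding and should be confirmed before this lands. PATCH 2/2 then removes the explanatory block entirely; keep at least a two-line pointer, `# Partial Role: SSA-merges one inheritedRoles entry into the core-owned iam-user-self-manage.` followed by a line referencing the commit that explains the layering, so the reason for this standalone manifest survives.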
--- a/config/services/activity/roles/iam-user-self-manage-audit-log-querier.yaml
+++ b/config/services/activity/roles/iam-user-self-manage-audit-log-querier.yaml
@@ -1,20 +1,5 @@
 # SPDX-License-Identifier: AGPL-3.0-only
-# Grants users the ability to query their own audit logs by inheriting the
-# activity.miloapis.com-audit-log-querier Role into iam-user-self-manage.
-#
-# This inheritance ships with the activity service overlay rather than the core
-# control-plane role bundle on purpose: the audit-log-querier Role is provided
-# by the activity stack, so referencing it from the foundational layer would
-# force the core control plane to depend on activity being up first (an
-# inverted dependency). Keeping it here means the core role bundle has zero
-# activity coupling, and this entry is only applied once activity is present.
-#
-# Under server-side apply this partial Role merges its single inheritedRoles
-# entry into the iam-user-self-manage Role owned by the core role bundle.
-# inheritedRoles is a map-type list keyed by name, so this overlay owns just
-# this entry while the core bundle continues to own launchStage and
-# includedPermissions.
 apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata: