You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/integration-guidelines.md
+9-9Lines changed: 9 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -23,7 +23,7 @@ This repository defines RBAC (Role-Based Access Control) permissions and roles f
23
23
2. The **PR workflow** (`.github/workflows/pr.yml`) validates JSON schemas and SpiceDB schemas
24
24
3. After merge to `master`, the **master workflow** (`.github/workflows/master.yml`) automatically:
25
25
- Generates V1-only permissions data from KSL schemas
26
-
- Converts configs into Kubernetes ConfigMap templates via `RedHatInsights/rbac-config-actions/convert-config`
26
+
- Converts configs into Kubernetes ConfigMap templates via `project-kessel/rbac-config-actions/convert-config`
27
27
- Validates generated SpiceDB schemas with `authzed/action-spicedb-validate`
28
28
- Creates an automated PR on the `configmaps-schema` branch with the title `[GitHub] - Automated ConfigMap & Schema Generation`
29
29
4. Once the ConfigMap PR is merged, a separate MR must be created in the **app-interface** GitLab repo to bump the `ref` in the `resourceTemplate` for the target namespace, which triggers actual deployment
@@ -124,27 +124,27 @@ Stage may include additional KSL files not yet in prod (e.g., `subscriptions.ksl
124
124
125
125
Runs on every PR to `master` with these sequential checks:
126
126
1.**JSON Schema validation** via `walbo/validate-json` -- validates all `configs/*/permissions/*.json` against `schemas/permissions.schema` and all `configs/*/roles/*.json` against `schemas/roles.schema` (roles use `strict: false`)
127
-
2.**Permission dependency validation** via `RedHatInsights/rbac-config-actions/validate-permission-dependencies` -- checks `requires` field integrity
128
-
3.**V1-only permissions generation** via `RedHatInsights/rbac-config-actions/generate-v1-only-permissions` -- for both stage and prod
129
-
4.**Schema generation and validation** via `RedHatInsights/rbac-config-actions/validate-schema`
127
+
2.**Permission dependency validation** via `project-kessel/rbac-config-actions/validate-permission-dependencies` -- checks `requires` field integrity
128
+
3.**V1-only permissions generation** via `project-kessel/rbac-config-actions/generate-v1-only-permissions` -- for both stage and prod
129
+
4.**Schema generation and validation** via `project-kessel/rbac-config-actions/validate-schema`
130
130
5.**SpiceDB schema validation** via `authzed/action-spicedb-validate` -- validates the generated `.zed` files for both environments
Copy file name to clipboardExpand all lines: docs/testing-guidelines.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -27,14 +27,14 @@ All files matching `configs/*/roles/*.json` are validated against `schemas/roles
27
27
28
28
### 3. Permission Dependency Validation
29
29
30
-
Uses `RedHatInsights/rbac-config-actions/validate-permission-dependencies` against `configs/*/permissions/*.json`. This validates that any `requires` array entries reference verbs that actually exist for the same app/resource combination. For example, if `create` requires `["read"]`, then `read` must be defined in the same resource array.
30
+
Uses `project-kessel/rbac-config-actions/validate-permission-dependencies` against `configs/*/permissions/*.json`. This validates that any `requires` array entries reference verbs that actually exist for the same app/resource combination. For example, if `create` requires `["read"]`, then `read` must be defined in the same resource array.
31
31
32
32
### 4. KSL-to-SpiceDB Schema Generation
33
33
34
34
The pipeline generates V1-only permissions data and then compiles KSL schemas for both environments:
35
35
36
36
-**V1 permissions generation**: Reads `configs/{stage,prod}/permissions/*.json` and `configs/{stage,prod}/schemas/*.lst` files to produce `configs/{stage,prod}/schemas/src/rbac_v1_permissions.json` (gitignored build artifact)
37
-
-**Schema compilation**: Uses `RedHatInsights/rbac-config-actions/validate-schema` to compile `.ksl` source files plus the generated JSON into `configs/{stage,prod}/schemas/schema.zed`
37
+
-**Schema compilation**: Uses `project-kessel/rbac-config-actions/validate-schema` to compile `.ksl` source files plus the generated JSON into `configs/{stage,prod}/schemas/schema.zed`
38
38
39
39
The `.lst` files (`migrated_apps.lst`, `hostsonly_apps.lst`) control which apps get V1-only permission entries in the generated schema.
0 commit comments