fix cluster role binding namespace handling

Author: jaylonmcshan19-x

kubernetes/resource_kubernetes_cluster_role_binding_v1_test.go

@@ -321,6 +321,90 @@ func TestAccKubernetesClusterRoleBindingV1_UpdatePatchOperationsOrderWithRemoval
 	})
 }
 
+func TestAccKubernetesClusterRoleBindingV1_namespaceHandling(t *testing.T) {
+	var conf rbacv1.ClusterRoleBinding
+	name := fmt.Sprintf("tf-acc-test:%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum))
+	resourceName := "kubernetes_cluster_role_binding_v1.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		IDRefreshName:     resourceName,
+		IDRefreshIgnore:   []string{"metadata.0.resource_version"},
+		ProviderFactories: testAccProviderFactories,
+		CheckDestroy:      testAccCheckKubernetesClusterRoleBindingV1Destroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKubernetesClusterRoleBindingV1Config_namespaceHandling(name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckKubernetesClusterRoleBindingV1Exists(resourceName, &conf),
+					resource.TestCheckResourceAttr(resourceName, "metadata.0.name", name),
+					resource.TestCheckResourceAttrSet(resourceName, "metadata.0.generation"),
+					resource.TestCheckResourceAttrSet(resourceName, "metadata.0.resource_version"),
+					resource.TestCheckResourceAttrSet(resourceName, "metadata.0.uid"),
+					resource.TestCheckResourceAttr(resourceName, "role_ref.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "role_ref.0.api_group", "rbac.authorization.k8s.io"),
+					resource.TestCheckResourceAttr(resourceName, "role_ref.0.kind", "ClusterRole"),
+					resource.TestCheckResourceAttr(resourceName, "role_ref.0.name", "cluster-admin"),
+					resource.TestCheckResourceAttr(resourceName, "subject.#", "3"),
+					// Checking Group subject
+					resource.TestCheckResourceAttr(resourceName, "subject.0.api_group", "rbac.authorization.k8s.io"),
+					resource.TestCheckResourceAttr(resourceName, "subject.0.kind", "Group"),
+					resource.TestCheckResourceAttr(resourceName, "subject.0.name", "testgroup"),
+					resource.TestCheckResourceAttr(resourceName, "subject.0.namespace", ""),
+					// Checking User subject
+					resource.TestCheckResourceAttr(resourceName, "subject.1.api_group", "rbac.authorization.k8s.io"),
+					resource.TestCheckResourceAttr(resourceName, "subject.1.kind", "User"),
+					resource.TestCheckResourceAttr(resourceName, "subject.1.name", "testuser"),
+					resource.TestCheckResourceAttr(resourceName, "subject.1.namespace", ""),
+					// Checking ServiceAccount subject
+					resource.TestCheckResourceAttr(resourceName, "subject.2.api_group", ""),
+					resource.TestCheckResourceAttr(resourceName, "subject.2.kind", "ServiceAccount"),
+					resource.TestCheckResourceAttr(resourceName, "subject.2.name", "default"),
+					resource.TestCheckResourceAttr(resourceName, "subject.2.namespace", "default"),
+				),
+			},
+		},
+	})
+}
+
+func testAccKubernetesClusterRoleBindingV1Config_namespaceHandling(name string) string {
+	return fmt.Sprintf(`resource "kubernetes_cluster_role_binding_v1" "test" {
+  metadata {
+    name = "%s"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+  }
+
+  # Group subject with namespace explicitly set to ""
+  subject {
+    kind      = "Group"
+    name      = "testgroup"
+    api_group = "rbac.authorization.k8s.io"
+    namespace = ""
+  }
+
+  # User subject with namespace explicitly set to ""
+  subject {
+    kind      = "User"
+    name      = "testuser"
+    api_group = "rbac.authorization.k8s.io"
+    namespace = ""
+  }
+
+  # ServiceAccount subject with no namespace specified
+  subject {
+    kind      = "ServiceAccount"
+    name      = "default"
+    api_group = ""
+  }
+}
+`, name)
+}
+
 func testAccCheckKubernetesClusterRoleBindingV1Destroy(s *terraform.State) error {
 	conn, err := testAccProvider.Meta().(KubeClientsets).MainClientset()
 

kubernetes/schema_rbac.go

@@ -88,7 +88,10 @@ func rbacSubjectSchema() map[string]*schema.Schema {
 			Type:        schema.TypeString,
 			Description: "The Namespace of the subject resource.",
 			Optional:    true,
-			Default:     "default",
+			DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
+				// Suppress diff if namespace is "default" or omitted
+				return (old == "" && new == "default") || (old == "default" && new == "")
+			},
 		},
 	}
 }

kubernetes/structures_rbac.go

@@ -42,13 +42,23 @@ func expandRBACSubjects(in []interface{}) []api.Subject {
 			subject.APIGroup = v.(string)
 		}
 		if v, ok := m["kind"].(string); ok {
-			subject.Kind = string(v)
+			subject.Kind = v
 		}
 		if v, ok := m["name"]; ok {
 			subject.Name = v.(string)
 		}
-		if v, ok := m["namespace"]; ok {
-			subject.Namespace = v.(string)
+
+		// Handle namespace logic
+		if subject.Kind == "Group" || subject.Kind == "User" {
+			// Exclude namespace for Group and User kinds
+		} else {
+			if v, ok := m["namespace"]; ok && v != "" {
+				// We are using the provided namespace if it is set
+				subject.Namespace = v.(string)
+			} else {
+				//Due to it not being Group / Kind and namespace not being set, we Default to "default"
+				subject.Namespace = "default"
+			}
 		}
 		subjects = append(subjects, subject)
 	}
@@ -121,8 +131,15 @@ func flattenRBACSubjects(in []api.Subject) []interface{} {
 		}
 		m["kind"] = n.Kind
 		m["name"] = n.Name
-		if n.Namespace != "" {
-			m["namespace"] = n.Namespace
+
+		if n.Kind == "Group" || n.Kind == "User" {
+			m["namespace"] = ""
+		} else {
+			if n.Namespace == "" {
+				m["namespace"] = "default"
+			} else {
+				m["namespace"] = n.Namespace
+			}
 		}
 		att = append(att, m)
 	}