hm4: own hosting operator CRDs and RBAC

2026-06-17 13:47:40 -05:00
parent 4f7a5f3d20
commit a0d79eeb8c
13 changed files with 1217 additions and 0 deletions
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -981,6 +981,43 @@ public sealed class FleetManifestLintTests
        gatewayManifest.Should().Contain("port: 5400");
    }

+    [Fact]
+    public void Gx10HostingManagers_ProvisioningCrdsAndRbacMustBeGitOpsOwned()
+    {
+        var requiredDocuments = new Dictionary<string, (string Kind, string Name, string[] RequiredText)>(
+            StringComparer.Ordinal)
+        {
+            ["crd-mysqlinstancecrds.json"] = ("CustomResourceDefinition", "mysqlinstancecrds.flowercore.io", ["mysqlinstancecrds", "status"]),
+            ["crd-mysqlreplicacrds.json"] = ("CustomResourceDefinition", "mysqlreplicacrds.flowercore.io", ["mysqlreplicacrds", "status"]),
+            ["crd-phpinstancecrds.json"] = ("CustomResourceDefinition", "phpinstancecrds.flowercore.io", ["phpinstancecrds", "status"]),
+            ["crd-phpapplicationcrds.json"] = ("CustomResourceDefinition", "phpapplicationcrds.flowercore.io", ["phpapplicationcrds", "status"]),
+            ["clusterrole-mysql-operator.json"] = ("ClusterRole", "mysql-operator", ["mysqlinstancecrds", "mysqlreplicacrds", "deployments", "persistentvolumeclaims", "leases"]),
+            ["clusterrolebinding-mysql-operator.json"] = ("ClusterRoleBinding", "mysql-operator", ["ServiceAccount", "mysql-operator", "fc-system"]),
+            ["clusterrole-php-operator.json"] = ("ClusterRole", "php-operator", ["phpinstancecrds", "phpapplicationcrds", "deployments", "persistentvolumeclaims", "leases"]),
+            ["clusterrolebinding-php-operator.json"] = ("ClusterRoleBinding", "php-operator", ["ServiceAccount", "php-operator", "fc-system"]),
+            ["clusterrole-mysql-web.json"] = ("ClusterRole", "mysql-web", ["mysqlinstancecrds", "mysqlreplicacrds", "certificates", "ingressroutes", "pods/exec"]),
+            ["clusterrolebinding-mysql-web.json"] = ("ClusterRoleBinding", "mysql-web", ["ServiceAccount", "mysql-web", "fc-mysql"]),
+            ["clusterrole-php-web.json"] = ("ClusterRole", "php-web", ["phpapplicationcrds", "certificates", "ingressroutes", "pods/exec"]),
+            ["clusterrolebinding-php-web.json"] = ("ClusterRoleBinding", "php-web", ["ServiceAccount", "php-web", "fc-php"]),
+        };
+
+        foreach (var (fileName, expected) in requiredDocuments)
+        {
+            var path = Path.Combine(Inventory.BluejayRoot, "apps-gx10", "fc-system", fileName);
+            File.Exists(path).Should().BeTrue($"{fileName} must be durable in GX10 GitOps");
+
+            var raw = File.ReadAllText(path);
+            using var document = JsonDocument.Parse(raw);
+            document.RootElement.GetProperty("kind").GetString().Should().Be(expected.Kind);
+            document.RootElement.GetProperty("metadata").GetProperty("name").GetString().Should().Be(expected.Name);
+
+            foreach (var requiredText in expected.RequiredText)
+            {
+                raw.Should().Contain(requiredText, $"{fileName} should preserve the live provisioning contract");
+            }
+        }
+    }
+
    [Fact]
    public void DnsAndMediaGitOpsAdoption_PreservesLiveStorageAndImageShape()
    {