From 6d71082cda7886710370a4833fa91122dc68c704 Mon Sep 17 00:00:00 2001 
From: Evan Vetere Date: Fri, 12 Jun 2026 15:10:30 -0400 Subject: [PATCH] feat: add Milo IAM for graph.inventory.miloapis.com (v1alpha2) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The v1alpha2 property-graph API (group graph.inventory.miloapis.com, kinds Node/Edge/NodeType/EdgeType) had no ProtectedResources or Roles, so every verb on it is Forbidden. Add them mirroring the existing inventory.miloapis.com IAM. - protected-resources/graph-{node,edge,nodetype,edgetype}.yaml register the four kinds so graph.inventory.miloapis.com/. permission strings become addressable. - roles/graph-{viewer,editor,admin,operator}.yaml — group-wide roles in milo-system, same semantics as the inventory.miloapis.com-* roles. - Wire both into the iam kustomizations; document the group in the README. Bindings remain per-environment (granted in datum-cloud/infra). --- config/base/iam/README.md | 13 +++++++ .../iam/protected-resources/graph-edge.yaml | 18 ++++++++++ .../protected-resources/graph-edgetype.yaml | 18 ++++++++++ .../iam/protected-resources/graph-node.yaml | 18 ++++++++++ .../protected-resources/graph-nodetype.yaml | 18 ++++++++++ .../protected-resources/kustomization.yaml | 5 +++ config/base/iam/roles/graph-admin.yaml | 15 ++++++++ config/base/iam/roles/graph-editor.yaml | 32 +++++++++++++++++ config/base/iam/roles/graph-operator.yaml | 34 +++++++++++++++++++ config/base/iam/roles/graph-viewer.yaml | 26 ++++++++++++++ config/base/iam/roles/kustomization.yaml | 5 +++ 11 files changed, 202 insertions(+) create mode 100644 config/base/iam/protected-resources/graph-edge.yaml create mode 100644 config/base/iam/protected-resources/graph-edgetype.yaml create mode 100644 config/base/iam/protected-resources/graph-node.yaml create mode 100644 config/base/iam/protected-resources/graph-nodetype.yaml create mode 100644 config/base/iam/roles/graph-admin.yaml create mode 100644 config/base/iam/roles/graph-editor.yaml create mode 100644 
config/base/iam/roles/graph-operator.yaml
 create mode 100644 config/base/iam/roles/graph-viewer.yaml
diff --git a/config/base/iam/README.md b/config/base/iam/README.md
index cbc3f14..14d71ba 100644
--- a/config/base/iam/README.md
+++ b/config/base/iam/README.md
@@ -22,6 +22,19 @@ below).
 - `policybindings.example.yaml` — a template binding a principal across the
   whole group. **Not** in `kustomization.yaml` — subjects are per-environment.
 
+### Graph group (`graph.inventory.miloapis.com`, v1alpha2)
+
+The v1alpha2 property-graph model adds a second API group whose kinds are the
+generic `Node`, `Edge`, `NodeType`, and `EdgeType`. It gets the same treatment:
+
+- `protected-resources/graph-{node,edge,nodetype,edgetype}.yaml`
+- `roles/graph-{viewer,editor,admin,operator}.yaml`
+  (`graph.inventory.miloapis.com-`), same semantics as the
+  `inventory.miloapis.com-*` roles above.
+
+Bindings for the graph group reference these role names and are likewise
+per-environment.
+
 ## Deployment
 
 Mirrors `config/base/crd`: this targets **Milo**, not the cluster the manager
diff --git a/config/base/iam/protected-resources/graph-edge.yaml b/config/base/iam/protected-resources/graph-edge.yaml
new file mode 100644
index 0000000..cf82d8e
--- /dev/null
+++ b/config/base/iam/protected-resources/graph-edge.yaml
@@ -0,0 +1,18 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: graph.inventory.miloapis.com-edge
+spec:
+  serviceRef:
+    name: "graph.inventory.miloapis.com"
+  kind: Edge
+  plural: edges
+  singular: edge
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch
diff --git a/config/base/iam/protected-resources/graph-edgetype.yaml b/config/base/iam/protected-resources/graph-edgetype.yaml
new file mode 100644
index 0000000..e8b2586
--- /dev/null
+++ b/config/base/iam/protected-resources/graph-edgetype.yaml
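Review bot: The ProtectedResource in graph-edge.yaml names only the API group in `spec.serviceRef.name`, with no version, so the permission strings it registers presumably apply to every served version of graph.inventory.miloapis.com, while the README and the kustomization comment present these files as "v1alpha2" additions. A header comment would keep later readers from assuming the grant is version-scoped, e.g. above `apiVersion`: `# Group-scoped registration (no version in serviceRef): assumed to cover all served versions of graph.inventory.miloapis.com, currently v1alpha2`. The same applies to graph-node.yaml, graph-nodetype.yaml and graph-edgetype.yaml. It is also worth confirming that the seven verbs listed under `permissions` match what the existing inventory.miloapis.com ProtectedResources declare, since the roles in this patch can only address verbs registered here.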
@@ -0,0 +1,18 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: graph.inventory.miloapis.com-edgetype
+spec:
+  serviceRef:
+    name: "graph.inventory.miloapis.com"
+  kind: EdgeType
+  plural: edgetypes
+  singular: edgetype
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch
diff --git a/config/base/iam/protected-resources/graph-node.yaml b/config/base/iam/protected-resources/graph-node.yaml
new file mode 100644
index 0000000..8e12be3
--- /dev/null
+++ b/config/base/iam/protected-resources/graph-node.yaml
@@ -0,0 +1,18 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: graph.inventory.miloapis.com-node
+spec:
+  serviceRef:
+    name: "graph.inventory.miloapis.com"
+  kind: Node
+  plural: nodes
+  singular: node
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch
diff --git a/config/base/iam/protected-resources/graph-nodetype.yaml b/config/base/iam/protected-resources/graph-nodetype.yaml
new file mode 100644
index 0000000..e845407
--- /dev/null
+++ b/config/base/iam/protected-resources/graph-nodetype.yaml
@@ -0,0 +1,18 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: graph.inventory.miloapis.com-nodetype
+spec:
+  serviceRef:
+    name: "graph.inventory.miloapis.com"
+  kind: NodeType
+  plural: nodetypes
+  singular: nodetype
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch
diff --git a/config/base/iam/protected-resources/kustomization.yaml b/config/base/iam/protected-resources/kustomization.yaml
index 9b5f2b2..6fc57b8 100644
--- a/config/base/iam/protected-resources/kustomization.yaml
+++ b/config/base/iam/protected-resources/kustomization.yaml
@@ -14,3 +14,8 @@ resources:
   - circuit.yaml
   - virtualmachine.yaml
   - link.yaml
+  # graph.inventory.miloapis.com/v1alpha2 (property-graph model)
+  - graph-node.yaml
+  - graph-edge.yaml
+  - graph-nodetype.yaml
+  - graph-edgetype.yaml
diff --git a/config/base/iam/roles/graph-admin.yaml b/config/base/iam/roles/graph-admin.yaml
new file mode 100644
index 0000000..5e50579
--- /dev/null
+++ b/config/base/iam/roles/graph-admin.yaml
@@ -0,0 +1,15 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: graph.inventory.miloapis.com-admin
+  namespace: milo-system
+  annotations:
+    kubernetes.io/display-name: Inventory Graph Admin
+    kubernetes.io/description: Full access to all graph.inventory.miloapis.com resources
+  labels:
+    graph.inventory.miloapis.com/role-type: admin
+    graph.inventory.miloapis.com/service: inventory-graph
+spec:
+  launchStage: Alpha
+  inheritedRoles:
+    - name: graph.inventory.miloapis.com-editor
diff --git a/config/base/iam/roles/graph-editor.yaml b/config/base/iam/roles/graph-editor.yaml
new file mode 100644
index 0000000..438ec86
--- /dev/null
+++ b/config/base/iam/roles/graph-editor.yaml
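Review bot: graph-admin.yaml's `spec` contains only `inheritedRoles` pointing at the editor role and no `includedPermissions`, so as far as this patch shows the admin role's effective grant is identical to editor even though its description promises "Full access". If admin is meant as a distinct binding target that will later gain permissions editor should not have, say so in the file; otherwise a binding to admin silently means editor, which matters to whoever reads the role name when granting access. Suggested comment above `inheritedRoles`: `# Currently adds nothing beyond editor; kept separate so admin bindings can be widened without touching editor` (the intent is inferred and should be confirmed).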
@@ -0,0 +1,32 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: graph.inventory.miloapis.com-editor
+  namespace: milo-system
+  annotations:
+    kubernetes.io/display-name: Inventory Graph Editor
+    kubernetes.io/description: Read/write access to all graph.inventory.miloapis.com resources
+  labels:
+    graph.inventory.miloapis.com/role-type: editor
+    graph.inventory.miloapis.com/service: inventory-graph
+spec:
+  launchStage: Alpha
+  inheritedRoles:
+    - name: graph.inventory.miloapis.com-viewer
+  includedPermissions:
+    - graph.inventory.miloapis.com/nodes.create
+    - graph.inventory.miloapis.com/nodes.update
+    - graph.inventory.miloapis.com/nodes.patch
+    - graph.inventory.miloapis.com/nodes.delete
+    - graph.inventory.miloapis.com/edges.create
+    - graph.inventory.miloapis.com/edges.update
+    - graph.inventory.miloapis.com/edges.patch
+    - graph.inventory.miloapis.com/edges.delete
+    - graph.inventory.miloapis.com/nodetypes.create
+    - graph.inventory.miloapis.com/nodetypes.update
+    - graph.inventory.miloapis.com/nodetypes.patch
+    - graph.inventory.miloapis.com/nodetypes.delete
+    - graph.inventory.miloapis.com/edgetypes.create
+    - graph.inventory.miloapis.com/edgetypes.update
+    - graph.inventory.miloapis.com/edgetypes.patch
+    - graph.inventory.miloapis.com/edgetypes.delete
diff --git a/config/base/iam/roles/graph-operator.yaml b/config/base/iam/roles/graph-operator.yaml
new file mode 100644
index 0000000..3d3e786
--- /dev/null
+++ b/config/base/iam/roles/graph-operator.yaml
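Review bot: `includedPermissions` in graph-editor.yaml grants create/update/patch/delete on NodeType and EdgeType in the same role as on Node and Edge. The type kinds look like the schema of the property graph, so a principal bound as editor can presumably alter or delete the type definitions that existing nodes and edges reference, a larger blast radius than editing instances. If that is intended (the commit says it mirrors the inventory.miloapis.com-editor role), a comment above the nodetypes entries recording the decision helps whoever grants bindings, e.g. `# editor also owns the type definitions (NodeType/EdgeType); split into a separate role if schema changes need tighter control`.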
@@ -0,0 +1,34 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: graph.inventory.miloapis.com-operator
+  namespace: milo-system
+  annotations:
+    kubernetes.io/display-name: Inventory Graph Operator
+    kubernetes.io/description: Operational access for the inventory controller to reconcile graph resources and set conditions
+  labels:
+    graph.inventory.miloapis.com/role-type: operator
+    graph.inventory.miloapis.com/service: inventory-graph
+spec:
+  launchStage: Alpha
+  includedPermissions:
+    - graph.inventory.miloapis.com/nodes.get
+    - graph.inventory.miloapis.com/nodes.list
+    - graph.inventory.miloapis.com/nodes.watch
+    - graph.inventory.miloapis.com/nodes.update
+    - graph.inventory.miloapis.com/nodes.patch
+    - graph.inventory.miloapis.com/edges.get
+    - graph.inventory.miloapis.com/edges.list
+    - graph.inventory.miloapis.com/edges.watch
+    - graph.inventory.miloapis.com/edges.update
+    - graph.inventory.miloapis.com/edges.patch
+    - graph.inventory.miloapis.com/nodetypes.get
+    - graph.inventory.miloapis.com/nodetypes.list
+    - graph.inventory.miloapis.com/nodetypes.watch
+    - graph.inventory.miloapis.com/nodetypes.update
+    - graph.inventory.miloapis.com/nodetypes.patch
+    - graph.inventory.miloapis.com/edgetypes.get
+    - graph.inventory.miloapis.com/edgetypes.list
+    - graph.inventory.miloapis.com/edgetypes.watch
+    - graph.inventory.miloapis.com/edgetypes.update
+    - graph.inventory.miloapis.com/edgetypes.patch
diff --git a/config/base/iam/roles/graph-viewer.yaml b/config/base/iam/roles/graph-viewer.yaml
new file mode 100644
index 0000000..ebe7092
--- /dev/null
+++ b/config/base/iam/roles/graph-viewer.yaml
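Review bot: graph-operator.yaml grants `update` and `patch` on all four kinds, while its description says the controller's job is to "reconcile graph resources and set conditions". Setting conditions normally writes status rather than the object's spec, so if Milo IAM can express a status-only write, a narrower grant would match the stated job; the ProtectedResources in this patch register only whole-resource verbs, so whether that is possible is not visible here. If whole-resource update/patch is the smallest available grant, a comment saying so explains the breadth, e.g. above the nodes.update entry: `# update/patch are whole-resource: no status subresource permission is registered, so this is the narrowest grant that lets the controller set conditions`. The same question applies to the update/patch entries on nodetypes and edgetypes if the controller does not reconcile type definitions.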
@@ -0,0 +1,26 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: graph.inventory.miloapis.com-viewer
+  namespace: milo-system
+  annotations:
+    kubernetes.io/display-name: Inventory Graph Viewer
+    kubernetes.io/description: Read-only access to all graph.inventory.miloapis.com resources
+  labels:
+    graph.inventory.miloapis.com/role-type: viewer
+    graph.inventory.miloapis.com/service: inventory-graph
+spec:
+  launchStage: Alpha
+  includedPermissions:
+    - graph.inventory.miloapis.com/nodes.get
+    - graph.inventory.miloapis.com/nodes.list
+    - graph.inventory.miloapis.com/nodes.watch
+    - graph.inventory.miloapis.com/edges.get
+    - graph.inventory.miloapis.com/edges.list
+    - graph.inventory.miloapis.com/edges.watch
+    - graph.inventory.miloapis.com/nodetypes.get
+    - graph.inventory.miloapis.com/nodetypes.list
+    - graph.inventory.miloapis.com/nodetypes.watch
+    - graph.inventory.miloapis.com/edgetypes.get
+    - graph.inventory.miloapis.com/edgetypes.list
+    - graph.inventory.miloapis.com/edgetypes.watch
diff --git a/config/base/iam/roles/kustomization.yaml b/config/base/iam/roles/kustomization.yaml
index 43b7ef9..20fa200 100644
--- a/config/base/iam/roles/kustomization.yaml
+++ b/config/base/iam/roles/kustomization.yaml
@@ -6,3 +6,8 @@ resources:
   - inventory-editor.yaml
   - inventory-admin.yaml
   - inventory-operator.yaml
+  # graph.inventory.miloapis.com/v1alpha2 (property-graph model)
+  - graph-viewer.yaml
+  - graph-editor.yaml
+  - graph-admin.yaml
+  - graph-operator.yaml