feat: add Milo IAM for graph.inventory.miloapis.com (v1alpha2)

config/base/iam/README.md

@@ -22,6 +22,19 @@ below).
 - `policybindings.example.yaml` — a template binding a principal across the
   whole group. **Not** in `kustomization.yaml` — subjects are per-environment.
 
+### Graph group (`graph.inventory.miloapis.com`, v1alpha2)
+
+The v1alpha2 property-graph model adds a second API group whose kinds are the
+generic `Node`, `Edge`, `NodeType`, and `EdgeType`. It gets the same treatment:
+
+- `protected-resources/graph-{node,edge,nodetype,edgetype}.yaml`
+- `roles/graph-{viewer,editor,admin,operator}.yaml`
+  (`graph.inventory.miloapis.com-<role>`), same semantics as the
+  `inventory.miloapis.com-*` roles above.
+
+Bindings for the graph group reference these role names and are likewise
+per-environment.
+
 ## Deployment
 
 Mirrors `config/base/crd`: this targets **Milo**, not the cluster the manager

config/base/iam/protected-resources/graph-edge.yaml

@@ -0,0 +1,18 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: graph.inventory.miloapis.com-edge
+spec:
+  serviceRef:
+    name: "graph.inventory.miloapis.com"
+  kind: Edge
+  plural: edges
+  singular: edge
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch

config/base/iam/protected-resources/graph-edgetype.yaml

@@ -0,0 +1,18 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: graph.inventory.miloapis.com-edgetype
+spec:
+  serviceRef:
+    name: "graph.inventory.miloapis.com"
+  kind: EdgeType
+  plural: edgetypes
+  singular: edgetype
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch

config/base/iam/protected-resources/graph-node.yaml

@@ -0,0 +1,18 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: graph.inventory.miloapis.com-node
+spec:
+  serviceRef:
+    name: "graph.inventory.miloapis.com"
+  kind: Node
+  plural: nodes
+  singular: node
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch

config/base/iam/protected-resources/graph-nodetype.yaml

@@ -0,0 +1,18 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: graph.inventory.miloapis.com-nodetype
+spec:
+  serviceRef:
+    name: "graph.inventory.miloapis.com"
+  kind: NodeType
+  plural: nodetypes
+  singular: nodetype
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch

config/base/iam/protected-resources/kustomization.yaml

@@ -14,3 +14,8 @@ resources:
   - circuit.yaml
   - virtualmachine.yaml
   - link.yaml
+  # graph.inventory.miloapis.com/v1alpha2 (property-graph model)
+  - graph-node.yaml
+  - graph-edge.yaml
+  - graph-nodetype.yaml
+  - graph-edgetype.yaml

config/base/iam/roles/graph-admin.yaml

@@ -0,0 +1,15 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: graph.inventory.miloapis.com-admin
+  namespace: milo-system
+  annotations:
+    kubernetes.io/display-name: Inventory Graph Admin
+    kubernetes.io/description: Full access to all graph.inventory.miloapis.com resources
+  labels:
+    graph.inventory.miloapis.com/role-type: admin
+    graph.inventory.miloapis.com/service: inventory-graph
+spec:
+  launchStage: Alpha
+  inheritedRoles:
+    - name: graph.inventory.miloapis.com-editor

config/base/iam/roles/graph-editor.yaml

@@ -0,0 +1,32 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: graph.inventory.miloapis.com-editor
+  namespace: milo-system
+  annotations:
+    kubernetes.io/display-name: Inventory Graph Editor
+    kubernetes.io/description: Read/write access to all graph.inventory.miloapis.com resources
+  labels:
+    graph.inventory.miloapis.com/role-type: editor
+    graph.inventory.miloapis.com/service: inventory-graph
+spec:
+  launchStage: Alpha
+  inheritedRoles:
+    - name: graph.inventory.miloapis.com-viewer
+  includedPermissions:
+    - graph.inventory.miloapis.com/nodes.create
+    - graph.inventory.miloapis.com/nodes.update
+    - graph.inventory.miloapis.com/nodes.patch
+    - graph.inventory.miloapis.com/nodes.delete
+    - graph.inventory.miloapis.com/edges.create
+    - graph.inventory.miloapis.com/edges.update
+    - graph.inventory.miloapis.com/edges.patch
+    - graph.inventory.miloapis.com/edges.delete
+    - graph.inventory.miloapis.com/nodetypes.create
+    - graph.inventory.miloapis.com/nodetypes.update
+    - graph.inventory.miloapis.com/nodetypes.patch
+    - graph.inventory.miloapis.com/nodetypes.delete
+    - graph.inventory.miloapis.com/edgetypes.create
+    - graph.inventory.miloapis.com/edgetypes.update
+    - graph.inventory.miloapis.com/edgetypes.patch
+    - graph.inventory.miloapis.com/edgetypes.delete

config/base/iam/roles/graph-operator.yaml

@@ -0,0 +1,34 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: graph.inventory.miloapis.com-operator
+  namespace: milo-system
+  annotations:
+    kubernetes.io/display-name: Inventory Graph Operator
+    kubernetes.io/description: Operational access for the inventory controller to reconcile graph resources and set conditions
+  labels:
+    graph.inventory.miloapis.com/role-type: operator
+    graph.inventory.miloapis.com/service: inventory-graph
+spec:
+  launchStage: Alpha
+  includedPermissions:
+    - graph.inventory.miloapis.com/nodes.get
+    - graph.inventory.miloapis.com/nodes.list
+    - graph.inventory.miloapis.com/nodes.watch
+    - graph.inventory.miloapis.com/nodes.update
+    - graph.inventory.miloapis.com/nodes.patch
+    - graph.inventory.miloapis.com/edges.get
+    - graph.inventory.miloapis.com/edges.list
+    - graph.inventory.miloapis.com/edges.watch
+    - graph.inventory.miloapis.com/edges.update
+    - graph.inventory.miloapis.com/edges.patch
+    - graph.inventory.miloapis.com/nodetypes.get
+    - graph.inventory.miloapis.com/nodetypes.list
+    - graph.inventory.miloapis.com/nodetypes.watch
+    - graph.inventory.miloapis.com/nodetypes.update
+    - graph.inventory.miloapis.com/nodetypes.patch
+    - graph.inventory.miloapis.com/edgetypes.get
+    - graph.inventory.miloapis.com/edgetypes.list
+    - graph.inventory.miloapis.com/edgetypes.watch
+    - graph.inventory.miloapis.com/edgetypes.update
+    - graph.inventory.miloapis.com/edgetypes.patch

config/base/iam/roles/graph-viewer.yaml

@@ -0,0 +1,26 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: graph.inventory.miloapis.com-viewer
+  namespace: milo-system
+  annotations:
+    kubernetes.io/display-name: Inventory Graph Viewer
+    kubernetes.io/description: Read-only access to all graph.inventory.miloapis.com resources
+  labels:
+    graph.inventory.miloapis.com/role-type: viewer
+    graph.inventory.miloapis.com/service: inventory-graph
+spec:
+  launchStage: Alpha
+  includedPermissions:
+    - graph.inventory.miloapis.com/nodes.get
+    - graph.inventory.miloapis.com/nodes.list
+    - graph.inventory.miloapis.com/nodes.watch
+    - graph.inventory.miloapis.com/edges.get
+    - graph.inventory.miloapis.com/edges.list
+    - graph.inventory.miloapis.com/edges.watch
+    - graph.inventory.miloapis.com/nodetypes.get
+    - graph.inventory.miloapis.com/nodetypes.list
+    - graph.inventory.miloapis.com/nodetypes.watch
+    - graph.inventory.miloapis.com/edgetypes.get
+    - graph.inventory.miloapis.com/edgetypes.list
+    - graph.inventory.miloapis.com/edgetypes.watch

config/base/iam/roles/kustomization.yaml

@@ -6,3 +6,8 @@ resources:
   - inventory-editor.yaml
   - inventory-admin.yaml
   - inventory-operator.yaml
+  # graph.inventory.miloapis.com/v1alpha2 (property-graph model)
+  - graph-viewer.yaml
+  - graph-editor.yaml
+  - graph-admin.yaml
+  - graph-operator.yaml