feat: move fga subroutine from account operator

cmd/initializer.go

@@ -6,11 +6,14 @@ import (
 
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 
 	"github.com/kcp-dev/logicalcluster/v3"
 	"github.com/kcp-dev/multicluster-provider/initializingworkspaces"
 	pmcontext "github.com/platform-mesh/golang-commons/context"
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/rest"
@@ -98,7 +101,22 @@ var initializerCmd = &cobra.Command{
 			initializerCfg.IDP.AdditionalRedirectURLs = []string{}
 		}
 
-		if err := controller.NewLogicalClusterReconciler(log, orgClient, initializerCfg, inClusterClient, mgr).
+		if initializerCfg.FGA.Target == "" {
+			log.Error().Msg("FGA target is empty; set fga-target in configuration")
+			os.Exit(1)
+		}
+
+		// gRPC client initialization: mTLS is handled by the service mesh (Istio)
+		conn, err := grpc.NewClient(initializerCfg.FGA.Target, grpc.WithTransportCredentials(insecure.NewCredentials()))
+		if err != nil {
+			log.Error().Err(err).Msg("unable to create OpenFGA gRPC client")
+			os.Exit(1)
+		}
+		defer func() { _ = conn.Close() }()
+
+		fga := openfgav1.NewOpenFGAServiceClient(conn)
+
+		if err := controller.NewLogicalClusterReconciler(log, orgClient, initializerCfg, inClusterClient, mgr, fga).
 			SetupWithManager(mgr, defaultCfg); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "LogicalCluster")
 			os.Exit(1)

data/coreModule.fga

@@ -6,24 +6,90 @@ type role
   relations
     define assignee: [user,user:*]
 
-type account
+type core_platform-mesh_io_account
   relations
+    define parent: [core_platform-mesh_io_account]
 
-    define parent: [account]
-    define owner: [role#assignee]
-    define member: [role#assignee] or owner
+    define owner: [role#assignee] or owner from parent
+    define member: [role#assignee] or owner or member from parent
 
-    define get: member or get from parent
-    define update: member or update from parent
-    define delete: owner or delete from parent
+    define get: member
+    define update: member
+    define patch: member
+    define delete: owner
 
     define create_core_platform-mesh_io_accounts: member
     define list_core_platform-mesh_io_accounts: member
     define watch_core_platform-mesh_io_accounts: member
 
     # org and account specific
-    define watch: member or watch from parent
+    define watch: member
 
-    # org specific
-    define create: member or create from parent
-    define list: member or list from parent
+    define create_core_namespaces: member
+    define list_core_namespaces: member
+    define watch_core_namespaces: member
+
+    define create_core_platform-mesh_io_accountinfos: member
+    define list_core_platform-mesh_io_accountinfos: member
+    define watch_core_platform-mesh_io_accountinfos: member
+
+    define create_apis_kcp_io_apibindings: owner
+    define list_apis_kcp_io_apibindings: member
+    define watch_apis_kcp_io_apibindings: member
+
+    # IAM specific
+    define manage_iam_roles: owner
+    define get_iam_roles: member
+    define get_iam_users: member
+
+type core_namespace
+  relations
+    define parent: [core_platform-mesh_io_account]
+
+    define member: member from parent
+    define owner: owner from parent
+
+    define get: member
+    define watch: member
+
+    define update: member
+    define patch: member
+    define delete: member
+
+    # IAM specific
+    define manage_iam_roles: owner
+    define get_iam_roles: member
+    define get_iam_users: member
+
+type core_platform-mesh_io_accountinfo
+  relations
+    define parent: [core_platform-mesh_io_account]
+
+    define member: member from parent
+    define owner: owner from parent
+
+    define get: member
+    define watch: member
+
+    # IAM specific
+    define manage_iam_roles: owner
+    define get_iam_roles: member
+    define get_iam_users: member
+
+type apis_kcp_io_apibinding
+  relations
+    define parent: [core_platform-mesh_io_account]
+
+    define member: member from parent
+    define owner: owner from parent
+
+    define get: member
+    define watch: member
+    define update: owner
+    define patch: owner
+    define delete: owner
+
+    # IAM specific
+    define manage_iam_roles: owner
+    define get_iam_roles: member
+    define get_iam_users: member

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/kcp-dev/multicluster-provider v0.2.0
 	github.com/openfga/api/proto v0.0.0-20250909173124-0ac19aac54f2
 	github.com/openfga/language/pkg/go v0.2.0-beta.2.0.20251003203216-7c0d09a1cc5a
-	github.com/platform-mesh/account-operator v0.5.9
+	github.com/platform-mesh/account-operator v0.5.5-0.20251017120838-b8c73d0b347e
 	github.com/platform-mesh/golang-commons v0.7.4
 	github.com/rs/zerolog v1.34.0
 	github.com/spf13/cobra v1.10.1

go.sum

@@ -157,8 +157,8 @@ github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/platform-mesh/account-operator v0.5.9 h1:7Taz/4ZeOaHcQbdW5LPNFXv8PVCg0KyEmxGbe0oiQPg=
-github.com/platform-mesh/account-operator v0.5.9/go.mod h1:3wJaOforqD5TBUDRzhMA8EmWCIDpktR80r210g5hLnQ=
+github.com/platform-mesh/account-operator v0.5.5-0.20251017120838-b8c73d0b347e h1:eG3p5jn92yKjXBfkU4E+t/qvfeqZNnYvjwlX3aFknyc=
+github.com/platform-mesh/account-operator v0.5.5-0.20251017120838-b8c73d0b347e/go.mod h1:Kg2hxWCRggF86d9zrjhHGvEo42B+sfL+Go2PVBs9uvo=
 github.com/platform-mesh/golang-commons v0.7.4 h1:ZIY9ExAZ+BbH1xcn96zw2wR8rlsDST7Soow8yaHG2Mc=
 github.com/platform-mesh/golang-commons v0.7.4/go.mod h1:GJe0jJcS9hfT7ajo7sbOe5p2Uw0GuVLeQhZEffKM9os=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

internal/config/config.go

@@ -10,7 +10,10 @@ type InviteConfig struct {
 // Config struct to hold the app config
 type Config struct {
 	FGA struct {
-		Target string `mapstructure:"fga-target"`
+		Target          string `mapstructure:"fga-target"`
+		ObjectType      string `mapstructure:"fga-object-type" default:"core_platform-mesh_io_account"`
+		ParentRelation  string `mapstructure:"fga-parent-relation" default:"parent"`
+		CreatorRelation string `mapstructure:"fga-creator-relation" default:"owner"`
 	} `mapstructure:",squash"`
 	APIExportEndpointSliceName string `mapstructure:"api-export-endpoint-slice-name"`
 	CoreModulePath             string `mapstructure:"core-module-path"`

internal/controller/initializer_controller.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	kcpcorev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
+	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 	platformeshconfig "github.com/platform-mesh/golang-commons/config"
 	"github.com/platform-mesh/golang-commons/controller/lifecycle/builder"
 	lifecyclecontrollerruntime "github.com/platform-mesh/golang-commons/controller/lifecycle/multicluster"
@@ -26,11 +27,12 @@ type LogicalClusterReconciler struct {
 	lifecycle *lifecyclecontrollerruntime.LifecycleManager
 }
 
-func NewLogicalClusterReconciler(log *logger.Logger, orgClient client.Client, cfg config.Config, inClusterClient client.Client, mgr mcmanager.Manager) *LogicalClusterReconciler {
+func NewLogicalClusterReconciler(log *logger.Logger, orgClient client.Client, cfg config.Config, inClusterClient client.Client, mgr mcmanager.Manager, fga openfgav1.OpenFGAServiceClient) *LogicalClusterReconciler {
 	return &LogicalClusterReconciler{
 		log: log,
 		lifecycle: builder.NewBuilder("logicalcluster", "LogicalClusterReconciler", []lifecyclesubroutine.Subroutine{
 			subroutine.NewWorkspaceInitializer(orgClient, cfg, mgr),
+			subroutine.NewWorkspaceFGASubroutine(mgr, fga, cfg.FGA.ObjectType, cfg.FGA.ParentRelation, cfg.FGA.CreatorRelation),
 			subroutine.NewWorkspaceAuthConfigurationSubroutine(orgClient, inClusterClient, cfg),
 			subroutine.NewRealmSubroutine(inClusterClient, &cfg, cfg.BaseDomain),
 			subroutine.NewInviteSubroutine(orgClient, mgr),

internal/subroutine/authorization_model.go

@@ -33,7 +33,7 @@ const (
 
 var (
 	privilegedGroupVersions = []string{"rbac.authorization.k8s.io/v1"}
-	groupVersions            = []string{"authentication.k8s.io/v1", "authorization.k8s.io/v1", "v1"}
+	groupVersions           = []string{"authentication.k8s.io/v1", "authorization.k8s.io/v1", "v1"}
 
 	privilegedTemplate = template.Must(template.New("model").Parse(`module internal_core_types_{{ .Name }}
 
@@ -56,13 +56,15 @@ extend type core_namespace
 type {{ .Group }}_{{ .Singular }}
 	relations
 		define parent: [{{ if eq .Scope "Namespaced" }}core_namespace{{ else }}core_platform-mesh_io_account{{ end }}]
-		define member: [role#assignee] or owner or member from parent
-		define owner: [role#assignee] or owner from parent
+		define member: member from parent
+		define owner: owner from parent
 
 		define get: member
 		define update: owner
 		define delete: owner
 		define patch: owner
+		define statusPatch: member
+		define statusUpdate: member
 		define watch: member
 
 		define manage_iam_roles: owner
@@ -216,6 +218,13 @@ func (a *authorizationModelSubroutine) Process(ctx context.Context, instance run
 
 	}
 
+	// DEBUG: Log the model being written
+	modelJSON, _ := protojson.Marshal(authorizationModel)
+	modelDSL, err := language.TransformJSONStringToDSL(string(modelJSON))
+	if err == nil && modelDSL != nil {
+		log.Info().Str("store", store.Name).Str("model", *modelDSL).Msg("Writing authorization model")
+	}
+
 	res, err := a.fga.WriteAuthorizationModel(ctx, &openfgav1.WriteAuthorizationModelRequest{
 		StoreId:         store.Status.StoreID,
 		TypeDefinitions: authorizationModel.TypeDefinitions,

internal/subroutine/authorization_model_generation.go

@@ -58,9 +58,12 @@ extend type core_namespace
 type {{ .Group }}_{{ .Singular }}
 	relations
 		define parent: [{{ if eq .Scope "Namespaced" }}core_namespace{{ else }}core_platform-mesh_io_account{{ end }}]
-		define member: [role#assignee] or owner or member from parent
-		define owner: [role#assignee] or owner from parent
-
+		define member: member from parent
+		define owner: owner from parent
+
+		define statusUpdate: member
+		define statusPatch: member
+
 		define get: member
 		define update: member
 		define delete: member
@@ -70,7 +73,6 @@ type {{ .Group }}_{{ .Singular }}
 		define manage_iam_roles: owner
 		define get_iam_roles: member
 		define get_iam_users: member
-
 `))
 
 type modelInput struct {

internal/subroutine/authorization_model_test.go

@@ -73,10 +73,12 @@ type core_namespace
     define get_iam_roles: member
     define get_iam_users: member
     define manage_iam_roles: owner
-    define member: [role#assignee] or owner or member from parent
-    define owner: [role#assignee] or owner from parent
+    define member: member from parent
+    define owner: owner from parent
     define parent: [core_platform-mesh_io_account]
     define patch: member
+    define statusPatch: member
+    define statusUpdate: member
     define update: member
     define watch: member
 `
@@ -220,7 +222,7 @@ func TestAuthorizationModelProcess(t *testing.T) {
 						Contents: extensionModel,
 					},
 					{
-						Name:     "internal_core_types_namespaces.fga",
+						Name: "internal_core_types_namespaces.fga",
 						Contents: `module namespaces
 
 extend type core_platform-mesh_io_account
@@ -232,13 +234,15 @@ extend type core_platform-mesh_io_account
 type core_namespace
 	relations
 		define parent: [core_platform-mesh_io_account]
-		define member: [role#assignee] or owner or member from parent
-		define owner: [role#assignee] or owner from parent
+		define member: member from parent
+		define owner: owner from parent
 
 		define get: member
 		define update: member
 		define delete: member
 		define patch: member
+		define statusPatch: member
+		define statusUpdate: member
 		define watch: member
 
 		define manage_iam_roles: owner