From 53d76b95dd65aaacec95c45553ea706f19c1262d Mon Sep 17 00:00:00 2001 From: Kevin Date: Wed, 6 May 2026 13:20:49 -0700 Subject: [PATCH] feat: add public read access to ResourceRegistration catalog MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add config/services/features/ component scaffolding (iam + registrations placeholder) - Add quota.miloapis.com-resource-registration-viewer Role: read-only on ResourceRegistration (mirrors billing's meter-definition-viewer) - Add authenticated-user-resource-registration-read PolicyBinding: grants the viewer role to system:authenticated, scoped to ResourceRegistration kind - Wire features into config/services/kustomization.yaml Unblocks staff-portal Feature Flags UI: any authenticated user can list the ResourceRegistration catalog to discover available flags. Toggling flags (ResourceGrant create/delete) is governed by separate roles bound in datum-cloud/infra and is out of scope for this PR. The catalog read grants all ResourceRegistration kinds (Entity, Allocation, Feature) — PolicyBinding resourceSelector is kind-only, no spec filter. The catalog is non-sensitive metadata, same reasoning as MeterDefinition. --- config/services/quota/iam/kustomization.yaml | 1 + ...ticated-user-resource-registration-read.yaml | 14 ++++++++++++++ .../quota/iam/policies/kustomization.yaml | 8 ++++++++ .../quota/iam/policies/kustomizeconfig.yaml | 5 +++++ .../quota/iam/roles/feature-flag-viewer.yaml | 17 +++++++++++++++++ .../services/quota/iam/roles/kustomization.yaml | 1 + 6 files changed, 46 insertions(+) create mode 100644 config/services/quota/iam/policies/authenticated-user-resource-registration-read.yaml create mode 100644 config/services/quota/iam/policies/kustomization.yaml create mode 100644 config/services/quota/iam/policies/kustomizeconfig.yaml create mode 100644 config/services/quota/iam/roles/feature-flag-viewer.yaml 
diff --git a/config/services/quota/iam/kustomization.yaml b/config/services/quota/iam/kustomization.yaml
index 678a5728..7d7d9424 100644
--- a/config/services/quota/iam/kustomization.yaml
+++ b/config/services/quota/iam/kustomization.yaml
@@ -4,3 +4,4 @@ kind: Component
 components:
 - protected-resources
 - roles
+ - policies
diff --git a/config/services/quota/iam/policies/authenticated-user-resource-registration-read.yaml b/config/services/quota/iam/policies/authenticated-user-resource-registration-read.yaml
new file mode 100644
index 00000000..c89d3b6a
--- /dev/null
+++ b/config/services/quota/iam/policies/authenticated-user-resource-registration-read.yaml
@@ -0,0 +1,14 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: PolicyBinding
+metadata:
+ name: authenticated-user-resource-registration-read
+spec:
+ roleRef:
+ name: quota.miloapis.com-resource-registration-viewer
+ subjects:
+ - kind: Group
+ name: "system:authenticated"
+ resourceSelector:
+ resourceKind:
+ apiGroup: "quota.miloapis.com"
+ kind: ResourceRegistration
diff --git a/config/services/quota/iam/policies/kustomization.yaml b/config/services/quota/iam/policies/kustomization.yaml
new file mode 100644
index 00000000..101d479d
--- /dev/null
+++ b/config/services/quota/iam/policies/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configurations:
+ - kustomizeconfig.yaml
+
+resources:
+ - authenticated-user-resource-registration-read.yaml
diff --git a/config/services/quota/iam/policies/kustomizeconfig.yaml b/config/services/quota/iam/policies/kustomizeconfig.yaml
new file mode 100644
index 00000000..94afa758
--- /dev/null
+++ b/config/services/quota/iam/policies/kustomizeconfig.yaml
@@ -0,0 +1,5 @@
+namespace:
+- kind: PolicyBinding
+ group: iam.miloapis.com
+ path: spec/roleRef/namespace
+ create: true
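Review bot: The PolicyBinding hands every authenticated principal (`system:authenticated`) read of every ResourceRegistration, and the only justification — the catalog is non-sensitive metadata, same reasoning as MeterDefinition — lives in the commit message rather than in the manifest, so whoever next widens or copies this binding will not see it. I'd put it at the top of the file: `# Catalog read for all authenticated users: ResourceRegistration holds non-sensitive metadata (mirrors billing's meter-definition-viewer binding). Flag toggling (ResourceGrant) is bound separately.` It is worth confirming before merge that ResourceRegistration objects never carry tenant-specific data, since the kind-only resourceSelector has no namespace or name constraint. Note also that `spec.roleRef` carries only a name: `roleRef.namespace` is filled in by kustomize's namespace transformer through the new kustomizeconfig, so the binding only resolves when the enclosing kustomization sets the namespace to `milo-system`, where the Role is declared, and a comment on `roleRef` saying so would save the next reader a hunt.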
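Review bot: The `namespace` transformer entry is what makes the sibling PolicyBinding's `roleRef` resolve, and a reader of `kustomizeconfig.yaml` on its own cannot see that coupling; a one-line comment above it, `# Let the namespace transformer populate spec.roleRef.namespace so roleRef follows the kustomization namespace (the Role lives in milo-system)`, would make it explicit. The sequence under `namespace:` is written flush (`- kind:` at the key's column) while `policies/kustomization.yaml` in the same component indents its sequences; pick one style for the new files.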
diff --git a/config/services/quota/iam/roles/feature-flag-viewer.yaml b/config/services/quota/iam/roles/feature-flag-viewer.yaml
new file mode 100644
index 00000000..938fa3de
--- /dev/null
+++ b/config/services/quota/iam/roles/feature-flag-viewer.yaml
@@ -0,0 +1,17 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+ name: quota.miloapis.com-resource-registration-viewer
+ namespace: milo-system
+ annotations:
+ kubernetes.io/display-name: Resource Registration Viewer
+ kubernetes.io/description: View access to the ResourceRegistration catalog (feature flags, entities, allocations)
+ labels:
+ quota.miloapis.com/role-type: viewer
+ quota.miloapis.com/service: quota
+spec:
+ launchStage: Beta
+ includedPermissions:
+ - quota.miloapis.com/resourceregistrations.get
+ - quota.miloapis.com/resourceregistrations.list
+ - quota.miloapis.com/resourceregistrations.watch
diff --git a/config/services/quota/iam/roles/kustomization.yaml b/config/services/quota/iam/roles/kustomization.yaml
index 98938e6a..b2c602e4 100644
--- a/config/services/quota/iam/roles/kustomization.yaml
+++ b/config/services/quota/iam/roles/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - quota-viewer.yaml
 - quota-operator.yaml
 - organization-quota-manager.yaml
+ - feature-flag-viewer.yaml
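Review bot: The file name `feature-flag-viewer.yaml` does not match the Role it defines, `quota.miloapis.com-resource-registration-viewer`, whereas the sibling entries in roles/kustomization.yaml (`quota-viewer.yaml`, `quota-operator.yaml`, `organization-quota-manager.yaml`) are named after their role; renaming the file to `resource-registration-viewer.yaml` (and its entry in roles/kustomization.yaml) keeps the convention and makes the Role greppable from its name. The role also grants `resourceregistrations.watch` although the commit only motivates get/list for a catalog listing, and this role ends up bound to every authenticated principal; if watch is kept to mirror the meter-definition-viewer role, a comment next to it, `# watch kept in line with billing's meter-definition-viewer so UIs can subscribe to catalog changes`, would record that choice.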