Posted to commits@camel.apache.org by ts...@apache.org on 2022/08/19 04:56:10 UTC
[camel-k] 01/02: feat: add global option to helm installation for operator to watch all namespaces
This is an automated email from the ASF dual-hosted git repository.
tsato pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit c5b887b03482c8ada2206a7a7dd4d9935f91274d
Author: zhiming.lim.e@thalesdigital.io <zh...@thalesdigital.io>
AuthorDate: Sat Aug 13 01:09:55 2022 +0800
feat: add global option to helm installation for operator to watch all namespaces
---
.../templates/operator-cluster-role-bindings.yaml | 179 +++++++++++++++
...rator-role.yaml => operator-cluster-roles.yaml} | 241 +++++++++++++++------
helm/camel-k/templates/operator-role-binding.yaml | 2 +
helm/camel-k/templates/operator-role.yaml | 2 +
helm/camel-k/templates/operator.yaml | 4 +
helm/camel-k/values.yaml | 1 +
6 files changed, 367 insertions(+), 62 deletions(-)
diff --git a/helm/camel-k/templates/operator-cluster-role-bindings.yaml b/helm/camel-k/templates/operator-cluster-role-bindings.yaml
new file mode 100644
index 000000000..e8410f097
--- /dev/null
+++ b/helm/camel-k/templates/operator-cluster-role-bindings.yaml
@@ -0,0 +1,179 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+{{- if eq .Values.operator.global "true" }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-custom-resource-definitions
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-custom-resource-definitions
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-events
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-events
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-keda
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-keda
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-leases
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-leases
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-podmonitors
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-podmonitors
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-strimzi
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-strimzi
+ apiGroup: rbac.authorization.k8s.io
+
+
+{{- if eq .Values.platform.cluster "OpenShift" }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-console-openshift
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-console-openshift
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-openshift
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-openshift
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
+{{- end }}
\ No newline at end of file
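Review bot: The gate on the first template line, `{{- if eq .Values.operator.global "true" }}`, compares against a string, so `--set operator.global=true` (which Helm parses as a boolean) is expected to abort rendering with an incompatible-types error instead of enabling the bindings. Either make the value a real boolean and test it with `{{- if .Values.operator.global }}`, or normalise it with `{{- if eq (toString .Values.operator.global) "true" }}`. The same string comparison gates operator-cluster-roles.yaml, operator-role-binding.yaml, operator-role.yaml and the WATCH_NAMESPACE block in operator.yaml, so all five should change together. Separately, every ClusterRoleBinding here has a fixed name, so a second release of the chart with the global option on would collide with the first on these cluster-scoped objects; prefixing the names with the release name would avoid that.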
diff --git a/helm/camel-k/templates/operator-role.yaml b/helm/camel-k/templates/operator-cluster-roles.yaml
similarity index 62%
copy from helm/camel-k/templates/operator-role.yaml
copy to helm/camel-k/templates/operator-cluster-roles.yaml
index 81f23b835..46ca9c777 100644
--- a/helm/camel-k/templates/operator-role.yaml
+++ b/helm/camel-k/templates/operator-cluster-roles.yaml
@@ -15,7 +15,57 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: Role
+{{- if eq .Values.operator.global "true" }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-edit
+ labels:
+ app: "camel-k"
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ {{- include "camel-k.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - builds
+ - camelcatalogs
+ - integrationkits
+ - integrationplatforms
+ - integrations
+ - kameletbindings
+ - kamelets
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - builds/status
+ - camelcatalogs/status
+ - integrationkits/status
+ - integrationplatforms/status
+ - integrations/scale
+ - integrations/status
+ - kameletbindings/scale
+ - kameletbindings/status
+ - kamelets/status
+ verbs:
+ - get
+ - patch
+ - update
+
+
+---
+kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator
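Review bot: The `camel-k-edit` ClusterRole carries `aggregate-to-admin` and `aggregate-to-edit`, which widens the built-in admin and edit roles in every namespace of the cluster, and the in-file comment does not say that this is a consequence of turning `operator.global` on. Because the operator then reconciles resources from all namespaces, anyone holding edit in any one namespace can create Integrations and Builds that a cluster-privileged controller acts on. That trust change deserves an explicit comment, e.g. `# Cluster-wide: every holder of the built-in admin/edit role gains write access to Camel K resources in their namespace.`, and ideally its own values switch. The rules of the `camel-k-operator` ClusterRole that follows are unchanged context outside this hunk, so whatever the namespaced Role granted now applies in every namespace and should be re-read with that scope in mind.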
@@ -166,6 +216,34 @@ rules:
- patch
- update
- watch
+
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-custom-resource-definitions
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-events
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+rules:
- apiGroups:
- ""
resources:
@@ -176,8 +254,19 @@ rules:
- get
- list
- watch
+
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-keda
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+rules:
- apiGroups:
- - keda.sh
+ - "keda.sh"
resources:
- scaledobjects
- triggerauthentications
@@ -190,55 +279,105 @@ rules:
- patch
- update
- watch
+
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-leases
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+rules:
- apiGroups:
- - serving.knative.dev
+ - "coordination.k8s.io"
resources:
- - services
+ - leases
verbs:
- create
- delete
+ - deletecollection
- get
- list
- patch
- update
- watch
+
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-local-registry
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["local-registry-hosting"]
+ verbs: ["get"]
+
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-podmonitors
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+rules:
- apiGroups:
- - eventing.knative.dev
- resources:
- - triggers
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
-- apiGroups:
- - messaging.knative.dev
+ - monitoring.coreos.com
resources:
- - subscriptions
+ - podmonitors
verbs:
- create
- delete
+ - deletecollection
- get
- list
- patch
- update
+ - watch
+
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-strimzi
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+rules:
- apiGroups:
- - sources.knative.dev
+ - "kafka.strimzi.io"
resources:
- - sinkbindings
+ - kafkatopics
+ - kafkas
verbs:
- - create
- - delete
- get
- list
- - patch
- - update
+ - watch
+
+
+{{- if eq .Values.platform.cluster "OpenShift" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-console-openshift
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+rules:
- apiGroups:
- - coordination.k8s.io
+ - console.openshift.io
resources:
- - leases
+ - consoleclidownloads
verbs:
- create
- delete
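Review bot: `camel-k-operator-local-registry` is defined here, but operator-cluster-role-bindings.yaml in this commit has no binding that references it, so as far as the diff shows the rule is never granted to the operator's service account. If it is meant to be used, a Role plus RoleBinding in the single namespace that holds the `local-registry-hosting` ConfigMap is the narrower fit; a ClusterRoleBinding would allow `get` on a ConfigMap of that name in every namespace. This hunk also drops the `serving.knative.dev`, `eventing.knative.dev`, `messaging.knative.dev` and `sources.knative.dev` rules from the copied role, and no ClusterRole visible in the commit restores them, so Knative support in global mode looks unintentionally removed. The `rules:` list of the local-registry role also switches to flow style and a different indent from the rest of the file.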
@@ -248,6 +387,15 @@ rules:
- patch
- update
- watch
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-openshift
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+rules:
- apiGroups:
- camel.apache.org
resources:
@@ -260,7 +408,7 @@ rules:
- update
- apiGroups:
- ""
- - build.openshift.io
+ - "build.openshift.io"
resources:
- buildconfigs
- buildconfigs/webhooks
@@ -276,7 +424,7 @@ rules:
- watch
- apiGroups:
- ""
- - image.openshift.io
+ - "image.openshift.io"
resources:
- imagestreamimages
- imagestreammappings
@@ -303,7 +451,7 @@ rules:
- create
- apiGroups:
- ""
- - route.openshift.io
+ - "route.openshift.io"
resources:
- routes
verbs:
@@ -322,37 +470,6 @@ rules:
- routes/custom-host
verbs:
- create
-- apiGroups:
- - monitoring.coreos.com
- resources:
- - podmonitors
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - kafka.strimzi.io
- resources:
- - kafkatopics
- - kafkas
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - "apiextensions.k8s.io"
- resources:
- - customresourcedefinitions
- verbs:
- - get
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterroles
- verbs:
- - bind
+{{- end }}
+
+{{- end }}
\ No newline at end of file
diff --git a/helm/camel-k/templates/operator-role-binding.yaml b/helm/camel-k/templates/operator-role-binding.yaml
index 0c785efa7..c34445be1 100644
--- a/helm/camel-k/templates/operator-role-binding.yaml
+++ b/helm/camel-k/templates/operator-role-binding.yaml
@@ -15,6 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
+{{- if eq .Values.operator.global "false" }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -29,3 +30,4 @@ roleRef:
kind: Role
name: camel-k-operator
apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file
diff --git a/helm/camel-k/templates/operator-role.yaml b/helm/camel-k/templates/operator-role.yaml
index 81f23b835..8b6badcda 100644
--- a/helm/camel-k/templates/operator-role.yaml
+++ b/helm/camel-k/templates/operator-role.yaml
@@ -15,6 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
+{{- if eq .Values.operator.global "false" }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -356,3 +357,4 @@ rules:
- clusterroles
verbs:
- bind
+{{- end }}
\ No newline at end of file
diff --git a/helm/camel-k/templates/operator.yaml b/helm/camel-k/templates/operator.yaml
index 6ef4a1d88..326432e21 100644
--- a/helm/camel-k/templates/operator.yaml
+++ b/helm/camel-k/templates/operator.yaml
@@ -43,9 +43,13 @@ spec:
- operator
env:
- name: WATCH_NAMESPACE
+ {{- if eq .Values.operator.global "false" }}
valueFrom:
fieldRef:
fieldPath: metadata.namespace
+ {{- else }}
+ value: ""
+ {{- end }}
- name: OPERATOR_NAME
value: camel-k
- name: POD_NAME
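Review bot: The `{{- else }}` branch sets `WATCH_NAMESPACE` to `""` for any value other than the exact string `"false"`, while the cluster-scoped RBAC is rendered only for the exact string `"true"`. A value such as `"True"` therefore produces an operator that watches every namespace with neither the Role nor the ClusterRoles installed. Make the branches symmetric and reject anything else, e.g. `{{- else if eq .Values.operator.global "true" }}` followed by `{{- else }}{{ fail "operator.global must be \"true\" or \"false\"" }}`. The container spec continues outside this hunk.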
diff --git a/helm/camel-k/values.yaml b/helm/camel-k/values.yaml
index 2e8d7854f..ffec29d8b 100644
--- a/helm/camel-k/values.yaml
+++ b/helm/camel-k/values.yaml
@@ -24,6 +24,7 @@ fullnameOverride: ""
operator:
image: docker.io/apache/camel-k:1.10.0-SNAPSHOT
+ global: "false"
resources: {}
securityContext: {}