Posted to commits@camel.apache.org by pc...@apache.org on 2023/12/13 08:29:16 UTC

(camel-k) branch main updated (15e00dae4 -> e6fcd0ffb)

This is an automated email from the ASF dual-hosted git repository.

pcongiusti pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git


    from 15e00dae4 chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 (#4986)
     new fdfbb8acf feat(install): Separate namespaced and descoped rbacs
     new e8c28a056 feat(install): Separate namespaced and descoped openshift rbacs
     new ce5c6903b feat(install): Adaptations for namespaced/descoped separation rbacs
     new e6fcd0ffb feat(doc): Kustomize installation procedure

The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 config/manifests/kustomization.yaml                |   2 +
 .../rbac/descoped}/kustomization.yaml              |  26 ++-
 .../operator-cluster-role-binding-events.yaml}     |   5 +-
 .../operator-cluster-role-binding-keda.yaml}       |   5 +-
 .../operator-cluster-role-binding-knative.yaml}    |   5 +-
 .../operator-cluster-role-binding-leases.yaml}     |   5 +-
 ...operator-cluster-role-binding-podmonitors.yaml} |   5 +-
 .../operator-cluster-role-binding-strimzi.yaml}    |   5 +-
 .../operator-cluster-role-binding.yaml}            |   5 +-
 .../operator-cluster-role-events.yaml}             |   2 +-
 .../operator-cluster-role-keda.yaml}               |   2 +-
 .../operator-cluster-role-knative.yaml}            |   2 +-
 .../operator-cluster-role-leases.yaml}             |   2 +-
 .../operator-cluster-role-podmonitors.yaml}        |   2 +-
 .../operator-cluster-role-strimzi.yaml}            |   2 +-
 .../operator-cluster-role.yaml}                    |   2 +-
 config/rbac/kustomization.yaml                     |  29 ++-
 config/rbac/{ => namespaced}/kustomization.yaml    |   9 +-
 .../operator-role-binding-events.yaml              |   0
 .../operator-role-binding-keda.yaml                |   0
 .../operator-role-binding-knative.yaml             |   0
 .../operator-role-binding-leases.yaml              |   0
 .../operator-role-binding-podmonitors.yaml         |   0
 .../operator-role-binding-strimzi.yaml             |   0
 .../{ => namespaced}/operator-role-binding.yaml    |   0
 .../{ => namespaced}/operator-role-events.yaml     |   0
 .../rbac/{ => namespaced}/operator-role-keda.yaml  |   0
 .../{ => namespaced}/operator-role-knative.yaml    |   0
 .../{ => namespaced}/operator-role-leases.yaml     |   0
 .../operator-role-podmonitors.yaml                 |   0
 .../{ => namespaced}/operator-role-strimzi.yaml    |   0
 config/rbac/{ => namespaced}/operator-role.yaml    |   0
 .../rbac/openshift/descoped}/kustomization.yaml    |   7 +-
 .../operator-cluster-role-binding-openshift.yaml}  |   5 +-
 .../operator-cluster-role-openshift.yaml}          |   2 +-
 config/rbac/openshift/kustomization.yaml           |   2 -
 .../openshift/{ => namespaced}/kustomization.yaml  |   4 +-
 .../operator-role-binding-openshift.yaml           |   0
 .../{ => namespaced}/operator-role-openshift.yaml  |   0
 .../ROOT/pages/installation/installation.adoc      |  40 +++-
 e2e/support/test_support.go                        |   8 +-
 install/Makefile                                   |  26 +--
 pkg/install/operator.go                            | 210 +++++++++++++--------
 43 files changed, 253 insertions(+), 166 deletions(-)
 copy {install/platform => config/rbac/descoped}/kustomization.yaml (61%)
 copy config/rbac/{operator-role-binding-events.yaml => descoped/operator-cluster-role-binding-events.yaml} (94%)
 copy config/rbac/{operator-role-binding-keda.yaml => descoped/operator-cluster-role-binding-keda.yaml} (94%)
 copy config/rbac/{operator-role-binding-knative.yaml => descoped/operator-cluster-role-binding-knative.yaml} (94%)
 copy config/rbac/{operator-role-binding-leases.yaml => descoped/operator-cluster-role-binding-leases.yaml} (94%)
 copy config/rbac/{operator-role-binding-podmonitors.yaml => descoped/operator-cluster-role-binding-podmonitors.yaml} (94%)
 copy config/rbac/{operator-role-binding-strimzi.yaml => descoped/operator-cluster-role-binding-strimzi.yaml} (94%)
 copy config/rbac/{operator-role-binding.yaml => descoped/operator-cluster-role-binding.yaml} (94%)
 copy config/rbac/{operator-role-events.yaml => descoped/operator-cluster-role-events.yaml} (98%)
 copy config/rbac/{operator-role-keda.yaml => descoped/operator-cluster-role-keda.yaml} (98%)
 copy config/rbac/{operator-role-knative.yaml => descoped/operator-cluster-role-knative.yaml} (98%)
 copy config/rbac/{operator-role-leases.yaml => descoped/operator-cluster-role-leases.yaml} (98%)
 copy config/rbac/{operator-role-podmonitors.yaml => descoped/operator-cluster-role-podmonitors.yaml} (98%)
 copy config/rbac/{operator-role-strimzi.yaml => descoped/operator-cluster-role-strimzi.yaml} (98%)
 copy config/rbac/{operator-role.yaml => descoped/operator-cluster-role.yaml} (99%)
 copy config/rbac/{ => namespaced}/kustomization.yaml (78%)
 rename config/rbac/{ => namespaced}/operator-role-binding-events.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding-keda.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding-knative.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding-leases.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding-podmonitors.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding-strimzi.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-events.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-keda.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-knative.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-leases.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-podmonitors.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-strimzi.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role.yaml (100%)
 copy {install/example => config/rbac/openshift/descoped}/kustomization.yaml (85%)
 copy config/rbac/openshift/{operator-role-binding-openshift.yaml => descoped/operator-cluster-role-binding-openshift.yaml} (94%)
 copy config/rbac/openshift/{operator-role-openshift.yaml => descoped/operator-cluster-role-openshift.yaml} (99%)
 copy config/rbac/openshift/{ => namespaced}/kustomization.yaml (87%)
 rename config/rbac/openshift/{ => namespaced}/operator-role-binding-openshift.yaml (100%)
 rename config/rbac/openshift/{ => namespaced}/operator-role-openshift.yaml (100%)


(camel-k) 03/04: feat(install): Adaptations for namespaced/descoped separation rbacs

Posted by pc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit ce5c6903bcf8c253a0248d007b06c59eca6cfe6b
Author: Gaelle Fournier <ga...@gmail.com>
AuthorDate: Mon Nov 13 14:13:08 2023 +0100

    feat(install): Adaptations for namespaced/descoped separation rbacs
---
 e2e/support/test_support.go      |  4 +--
 install/setup/kustomization.yaml | 12 +++++++++
 pkg/install/operator.go          | 55 ++++++++++++++++------------------------
 3 files changed, 36 insertions(+), 35 deletions(-)

diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go
index 2415efee2..371e8491a 100644
--- a/e2e/support/test_support.go
+++ b/e2e/support/test_support.go
@@ -2399,7 +2399,7 @@ func CreateOperatorRole(ns string) (err error) {
 		// This should ideally be removed from the common RBAC manifest.
 		customizer = install.RemoveIngressRoleCustomizer
 	}
-	err = install.Resource(TestContext, TestClient(), ns, true, customizer, "/rbac/operator-role.yaml")
+	err = install.Resource(TestContext, TestClient(), ns, true, customizer, "/rbac/namespaced/operator-role.yaml")
 	if err != nil {
 		return err
 	}
@@ -2414,7 +2414,7 @@ func CreateOperatorRoleBinding(ns string) error {
 	if err != nil {
 		failTest(err)
 	}
-	err = install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/operator-role-binding.yaml")
+	err = install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/namespaced/operator-role-binding.yaml")
 	if err != nil {
 		return err
 	}
diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml
index c10dfd653..9598726ca 100644
--- a/install/setup/kustomization.yaml
+++ b/install/setup/kustomization.yaml
@@ -19,3 +19,15 @@ kind: Kustomization
 
 resources:
 - ../config/rbac
+
+transformers:
+- |-
+  apiVersion: builtin
+  kind: PatchTransformer
+  metadata:
+    name: fix-local-registry-rbac-namespace
+  patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+  target:
+    group: rbac.authorization.k8s.io
+    kind: RoleBinding
+    name: camel-k-operator-local-registry
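Review bot: The PatchTransformer added to install/setup/kustomization.yaml is the same one that commit 01/04 of this push adds to config/rbac/kustomization.yaml, and this file already pulls that base in through `resources: - ../config/rbac`. If the overlay copy is needed because the namespace set on the setup kustomization would otherwise overwrite the base's `kube-public` value, say so in a YAML comment above `transformers:`. Otherwise keep the patch in one place so the two copies cannot drift.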
diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index b12cb734c..b24dbe2f3 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
@@ -200,41 +200,30 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 					envvar.SetVal(&d.Spec.Template.Spec.Containers[0].Env, "WATCH_NAMESPACE", "")
 				}
 			}
-
-			// Turn Role & RoleBinding into their equivalent cluster types
-			if r, ok := o.(*rbacv1.Role); ok {
-				if strings.HasPrefix(r.Name, "camel-k-operator") {
-					o = &rbacv1.ClusterRole{
-						ObjectMeta: metav1.ObjectMeta{
-							Namespace: cfg.Namespace,
-							Name:      r.Name,
-							Labels: map[string]string{
-								"app": "camel-k",
-							},
-						},
-						Rules: r.Rules,
+			// Configure subject on ClusterRoleBindings
+			if crb, ok := o.(*rbacv1.ClusterRoleBinding); ok {
+				if strings.HasPrefix(crb.Name, "camel-k-operator") {
+					crb.ObjectMeta.Name = fmt.Sprintf("%s-%s", crb.ObjectMeta.Name, cfg.Namespace)
+					bound := false
+					for i, subject := range crb.Subjects {
+						if subject.Name == "camel-k-operator" {
+							if subject.Namespace == cfg.Namespace {
+								bound = true
+								break
+							} else if subject.Namespace == "" || subject.Namespace == "placeholder" {
+								crb.Subjects[i].Namespace = cfg.Namespace
+								bound = true
+								break
+							}
+						}
 					}
-				}
-			}
-
-			if rb, ok := o.(*rbacv1.RoleBinding); ok {
-				if strings.HasPrefix(rb.Name, "camel-k-operator") {
-					rb.Subjects[0].Namespace = cfg.Namespace
 
-					o = &rbacv1.ClusterRoleBinding{
-						ObjectMeta: metav1.ObjectMeta{
+					if !bound {
+						crb.Subjects = append(crb.Subjects, rbacv1.Subject{
+							Kind:      "ServiceAccount",
 							Namespace: cfg.Namespace,
-							Name:      fmt.Sprintf("%s-%s", rb.Name, cfg.Namespace),
-							Labels: map[string]string{
-								"app": "camel-k",
-							},
-						},
-						Subjects: rb.Subjects,
-						RoleRef: rbacv1.RoleRef{
-							APIGroup: rb.RoleRef.APIGroup,
-							Kind:     "ClusterRole",
-							Name:     rb.RoleRef.Name,
-						},
+							Name:      "camel-k-operator",
+						})
 					}
 				}
 			}
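Review bot: The subject loop in the new ClusterRoleBinding branch matches on `subject.Name == "camel-k-operator"` alone and never checks `subject.Kind`, so a User or Group subject with that name would be treated as the operator service account and have its namespace rewritten. Add a `Kind == "ServiceAccount"` condition, which the appended fallback subject already assumes. The loop also repeats the bound/placeholder logic that installClusterRoleBinding carries (the next hunk edits the same condition), so a shared helper and a named constant for the "placeholder" sentinel would keep the two from diverging. Finally, the removed conversion code set the `app: camel-k` label on the generated cluster objects; please confirm the descoped manifests carry that label now that nothing here adds it.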
@@ -444,7 +433,7 @@ func installClusterRoleBinding(ctx context.Context, c client.Client, collection
 				bound = true
 
 				break
-			} else if subject.Namespace == "" {
+			} else if subject.Namespace == "" || subject.Namespace == "placeholder" {
 				target.Subjects[i].Namespace = namespace
 				bound = true
 


(camel-k) 01/04: feat(install): Separate namespaced and descoped rbacs

Posted by pc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit fdfbb8acf2ba6b0370e9133157e9136de7abbf2b
Author: Gaelle Fournier <ga...@gmail.com>
AuthorDate: Fri Nov 10 14:35:32 2023 +0100

    feat(install): Separate namespaced and descoped rbacs
    
    Ref #3165
---
 config/manifests/kustomization.yaml                |   1 +
 .../descoped}/kustomization.yaml                   |  36 +++---
 .../operator-cluster-role-binding-events.yaml}     |   5 +-
 .../operator-cluster-role-binding-keda.yaml}       |   5 +-
 .../operator-cluster-role-binding-knative.yaml}    |   5 +-
 .../operator-cluster-role-binding-leases.yaml}     |   5 +-
 ...operator-cluster-role-binding-podmonitors.yaml} |   5 +-
 .../operator-cluster-role-binding-strimzi.yaml}    |   5 +-
 .../operator-cluster-role-binding.yaml}            |   5 +-
 .../operator-cluster-role-events.yaml}             |   2 +-
 .../operator-cluster-role-keda.yaml}               |   2 +-
 .../operator-cluster-role-knative.yaml}            |   2 +-
 .../operator-cluster-role-leases.yaml}             |   2 +-
 .../operator-cluster-role-podmonitors.yaml}        |   2 +-
 .../operator-cluster-role-strimzi.yaml}            |   2 +-
 .../operator-cluster-role.yaml}                    |   2 +-
 config/rbac/kustomization.yaml                     |  29 +++--
 config/rbac/{ => namespaced}/kustomization.yaml    |   9 +-
 .../operator-role-binding-events.yaml              |   0
 .../operator-role-binding-keda.yaml                |   0
 .../operator-role-binding-knative.yaml             |   0
 .../operator-role-binding-leases.yaml              |   0
 .../operator-role-binding-podmonitors.yaml         |   0
 .../operator-role-binding-strimzi.yaml             |   0
 .../{ => namespaced}/operator-role-binding.yaml    |   0
 .../{ => namespaced}/operator-role-events.yaml     |   0
 .../rbac/{ => namespaced}/operator-role-keda.yaml  |   0
 .../{ => namespaced}/operator-role-knative.yaml    |   0
 .../{ => namespaced}/operator-role-leases.yaml     |   0
 .../operator-role-podmonitors.yaml                 |   0
 .../{ => namespaced}/operator-role-strimzi.yaml    |   0
 config/rbac/{ => namespaced}/operator-role.yaml    |   0
 install/Makefile                                   |  10 +-
 install/setup/kustomization.yaml                   |  12 --
 pkg/install/operator.go                            | 136 ++++++++++++++-------
 35 files changed, 159 insertions(+), 123 deletions(-)

diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
index 94f8a27f8..9a926be1b 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/manifests/kustomization.yaml
@@ -27,6 +27,7 @@ resources:
 - ../samples
 - ../scorecard
 - ../rbac
+- ../rbac/namespaced
 - ../rbac/openshift
 
 patchesStrategicMerge:
diff --git a/config/manifests/kustomization.yaml b/config/rbac/descoped/kustomization.yaml
similarity index 61%
copy from config/manifests/kustomization.yaml
copy to config/rbac/descoped/kustomization.yaml
index 94f8a27f8..ade2d46ba 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/rbac/descoped/kustomization.yaml
@@ -14,25 +14,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms - global operator
+#
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-# Labels to add to all resources and selectors.
-commonLabels:
-  app: camel-k
-
 resources:
-- ../manager
-- ../crd
-- ../samples
-- ../scorecard
-- ../rbac
-- ../rbac/openshift
-
-patchesStrategicMerge:
-- patch-delete-user-cluster-role.yaml
-- patch-delete-pvc.yaml
-images:
-- name: docker.io/apache/camel-k
-  newName: docker.io/apache/camel-k
-  newTag: 2.2.0-SNAPSHOT
+- operator-cluster-role-events.yaml
+- operator-cluster-role-knative.yaml
+- operator-cluster-role.yaml
+- operator-cluster-role-keda.yaml
+- operator-cluster-role-leases.yaml
+- operator-cluster-role-podmonitors.yaml
+- operator-cluster-role-strimzi.yaml
+- operator-cluster-role-binding-events.yaml
+- operator-cluster-role-binding-keda.yaml
+- operator-cluster-role-binding-knative.yaml
+- operator-cluster-role-binding-leases.yaml
+- operator-cluster-role-binding-podmonitors.yaml
+- operator-cluster-role-binding-strimzi.yaml
+- operator-cluster-role-binding.yaml
diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-events.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-events.yaml
index 7b1d41dd5..9dd5228d2 100644
--- a/config/rbac/operator-role-binding-events.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-events
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-events
   apiGroup: rbac.authorization.k8s.io
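Review bot: `namespace: placeholder` in the subject is a syntactically valid namespace name, and nothing in the visible config/rbac/descoped/kustomization.yaml replaces it, so the substitution depends entirely on the Go installer in pkg/install/operator.go. If these manifests are applied without that step, the ClusterRoleBinding grants the ClusterRole to a `camel-k-operator` service account in a namespace literally named `placeholder`. Add a comment in the manifest stating that the value must be replaced before applying, and consider a build-time check that fails when a rendered binding still contains the placeholder. The same applies to the other six descoped bindings in this commit.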
diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-keda.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-keda.yaml
index fd8c60256..92e154e87 100644
--- a/config/rbac/operator-role-binding-keda.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-keda
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-keda
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-knative.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-knative.yaml
index 034baef7b..739b0dd06 100644
--- a/config/rbac/operator-role-binding-knative.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-knative
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-knative
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-leases.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-leases.yaml
index 5bbc4efc1..35d667fd1 100644
--- a/config/rbac/operator-role-binding-leases.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-leases
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-leases
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-podmonitors.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
index 26b6d9c85..bef231b07 100644
--- a/config/rbac/operator-role-binding-podmonitors.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-podmonitors
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-podmonitors
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-strimzi.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
index 9a860c02c..fefd14352 100644
--- a/config/rbac/operator-role-binding-strimzi.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-strimzi
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-strimzi
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/descoped/operator-cluster-role-binding.yaml
similarity index 94%
copy from config/rbac/operator-role-binding.yaml
copy to config/rbac/descoped/operator-cluster-role-binding.yaml
index afbdf270f..83f227d62 100644
--- a/config/rbac/operator-role-binding.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/descoped/operator-cluster-role-events.yaml
similarity index 98%
copy from config/rbac/operator-role-events.yaml
copy to config/rbac/descoped/operator-cluster-role-events.yaml
index d109b734d..1dfd24b01 100644
--- a/config/rbac/operator-role-events.yaml
+++ b/config/rbac/descoped/operator-cluster-role-events.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-events
diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/descoped/operator-cluster-role-keda.yaml
similarity index 98%
copy from config/rbac/operator-role-keda.yaml
copy to config/rbac/descoped/operator-cluster-role-keda.yaml
index 22c026c15..3b3f432eb 100644
--- a/config/rbac/operator-role-keda.yaml
+++ b/config/rbac/descoped/operator-cluster-role-keda.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-keda
diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/descoped/operator-cluster-role-knative.yaml
similarity index 98%
copy from config/rbac/operator-role-knative.yaml
copy to config/rbac/descoped/operator-cluster-role-knative.yaml
index 3cba80931..305d26b62 100644
--- a/config/rbac/operator-role-knative.yaml
+++ b/config/rbac/descoped/operator-cluster-role-knative.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-knative
diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/descoped/operator-cluster-role-leases.yaml
similarity index 98%
copy from config/rbac/operator-role-leases.yaml
copy to config/rbac/descoped/operator-cluster-role-leases.yaml
index 4223e8e2e..6ea671bd2 100644
--- a/config/rbac/operator-role-leases.yaml
+++ b/config/rbac/descoped/operator-cluster-role-leases.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-leases
diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
similarity index 98%
copy from config/rbac/operator-role-podmonitors.yaml
copy to config/rbac/descoped/operator-cluster-role-podmonitors.yaml
index 7a3fe05c4..2578103c3 100644
--- a/config/rbac/operator-role-podmonitors.yaml
+++ b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-podmonitors
diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
similarity index 98%
copy from config/rbac/operator-role-strimzi.yaml
copy to config/rbac/descoped/operator-cluster-role-strimzi.yaml
index ab0a91d70..9ccea139f 100644
--- a/config/rbac/operator-role-strimzi.yaml
+++ b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-strimzi
diff --git a/config/rbac/operator-role.yaml b/config/rbac/descoped/operator-cluster-role.yaml
similarity index 99%
copy from config/rbac/operator-role.yaml
copy to config/rbac/descoped/operator-cluster-role.yaml
index 4ddc2d4c1..d7ee2fa39 100644
--- a/config/rbac/operator-role.yaml
+++ b/config/rbac/descoped/operator-cluster-role.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index f2600f162..5b3e03f55 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -23,23 +23,22 @@ kind: Kustomization
 
 resources:
 - user-cluster-role.yaml
-- operator-role-events.yaml
-- operator-role-knative.yaml
-- operator-role.yaml
-- operator-role-keda.yaml
-- operator-role-leases.yaml
-- operator-role-podmonitors.yaml
-- operator-role-strimzi.yaml
-- operator-role-binding-events.yaml
-- operator-role-binding-keda.yaml
-- operator-role-binding-knative.yaml
-- operator-role-binding-leases.yaml
-- operator-role-binding-local-registry.yaml
-- operator-role-binding-podmonitors.yaml
-- operator-role-binding-strimzi.yaml
-- operator-role-binding.yaml
 - operator-cluster-role-custom-resource-definitions.yaml
 - operator-cluster-role-binding-custom-resource-definitions.yaml
 - operator-cluster-role-addressable-resolver.yaml
 - operator-cluster-role-binding-addressable-resolver.yaml
 - operator-cluster-role-local-registry.yaml
+- operator-role-binding-local-registry.yaml
+
+
+transformers:
+- |-
+  apiVersion: builtin
+  kind: PatchTransformer
+  metadata:
+    name: fix-local-registry-rbac-namespace
+  patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+  target:
+    group: rbac.authorization.k8s.io
+    kind: RoleBinding
+    name: camel-k-operator-local-registry
\ No newline at end of file
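Review bot: config/rbac/kustomization.yaml now ends without a trailing newline (see the `\ No newline at end of file` marker) and has two consecutive blank lines before `transformers:`. Add the final newline and drop one of the blank lines. The hard-coded `kube-public` value in the patch also deserves a one-line comment explaining why the local-registry RoleBinding is pinned to that namespace.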
diff --git a/config/rbac/kustomization.yaml b/config/rbac/namespaced/kustomization.yaml
similarity index 78%
copy from config/rbac/kustomization.yaml
copy to config/rbac/namespaced/kustomization.yaml
index f2600f162..510beb4d5 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/namespaced/kustomization.yaml
@@ -16,13 +16,12 @@
 # ---------------------------------------------------------------------------
 
 #
-# rbac resources applicable for all kubernetes platforms
+# rbac resources applicable for all kubernetes platforms - namespaced operator
 #
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- user-cluster-role.yaml
 - operator-role-events.yaml
 - operator-role-knative.yaml
 - operator-role.yaml
@@ -34,12 +33,6 @@ resources:
 - operator-role-binding-keda.yaml
 - operator-role-binding-knative.yaml
 - operator-role-binding-leases.yaml
-- operator-role-binding-local-registry.yaml
 - operator-role-binding-podmonitors.yaml
 - operator-role-binding-strimzi.yaml
 - operator-role-binding.yaml
-- operator-cluster-role-custom-resource-definitions.yaml
-- operator-cluster-role-binding-custom-resource-definitions.yaml
-- operator-cluster-role-addressable-resolver.yaml
-- operator-cluster-role-binding-addressable-resolver.yaml
-- operator-cluster-role-local-registry.yaml
diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/namespaced/operator-role-binding-events.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-events.yaml
rename to config/rbac/namespaced/operator-role-binding-events.yaml
diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/namespaced/operator-role-binding-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-keda.yaml
rename to config/rbac/namespaced/operator-role-binding-keda.yaml
diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/namespaced/operator-role-binding-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-knative.yaml
rename to config/rbac/namespaced/operator-role-binding-knative.yaml
diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/namespaced/operator-role-binding-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-leases.yaml
rename to config/rbac/namespaced/operator-role-binding-leases.yaml
diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/namespaced/operator-role-binding-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-binding-podmonitors.yaml
diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/namespaced/operator-role-binding-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-strimzi.yaml
rename to config/rbac/namespaced/operator-role-binding-strimzi.yaml
diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/namespaced/operator-role-binding.yaml
similarity index 100%
rename from config/rbac/operator-role-binding.yaml
rename to config/rbac/namespaced/operator-role-binding.yaml
diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/namespaced/operator-role-events.yaml
similarity index 100%
rename from config/rbac/operator-role-events.yaml
rename to config/rbac/namespaced/operator-role-events.yaml
diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/namespaced/operator-role-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-keda.yaml
rename to config/rbac/namespaced/operator-role-keda.yaml
diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/namespaced/operator-role-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-knative.yaml
rename to config/rbac/namespaced/operator-role-knative.yaml
diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/namespaced/operator-role-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-leases.yaml
rename to config/rbac/namespaced/operator-role-leases.yaml
diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/namespaced/operator-role-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-podmonitors.yaml
diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/namespaced/operator-role-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-strimzi.yaml
rename to config/rbac/namespaced/operator-role-strimzi.yaml
diff --git a/config/rbac/operator-role.yaml b/config/rbac/namespaced/operator-role.yaml
similarity index 100%
rename from config/rbac/operator-role.yaml
rename to config/rbac/namespaced/operator-role.yaml
diff --git a/install/Makefile b/install/Makefile
index ce329c6d5..a80f5e3da 100644
--- a/install/Makefile
+++ b/install/Makefile
@@ -241,13 +241,11 @@ endif
 setup: setup-cluster
 # Set the namespace in the setup kustomization yaml
 	@$(call set-kustomize-namespace,$@)
-# If GLOBAL then add the conversion patches for all roles and rolebindings
-ifeq ($(GLOBAL),true)
-	@$(call add-remove-kind-patch,setup,add,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
-	@$(call add-remove-kind-patch,setup,add,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+# If GLOBAL then add the versions with clusterroles and clusterrolebindings
+ifeq ($(GLOBAL), true)
+	@cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped && cd - &> /dev/null;
 else
-	@$(call add-remove-kind-patch,setup,remove,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
-	@$(call add-remove-kind-patch,setup,remove,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+	@cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null;
 endif
 ifeq ($(PLATFORM), openshift)
 	@for res in $(RBAC_OS)/operator-role*; do \
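Review bot: `kustomize edit add resource` only ever adds, so the `ifeq ($(GLOBAL), true)` / `else` branches are no longer symmetric the way the removed `add-remove-kind-patch,setup,add` / `add-remove-kind-patch,setup,remove` pair was. Running `setup` once with GLOBAL=true and later without it leaves both `../$(RBAC)/descoped` and `../$(RBAC)/namespaced` listed in setup/kustomization.yaml, so ClusterRoles and ClusterRoleBindings would still be applied to an install meant to be namespace-scoped. Suggest a `$(KUSTOMIZE) edit remove resource` for the opposite directory in each branch before the add.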
diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml
index 9598726ca..c10dfd653 100644
--- a/install/setup/kustomization.yaml
+++ b/install/setup/kustomization.yaml
@@ -19,15 +19,3 @@ kind: Kustomization
 
 resources:
 - ../config/rbac
-
-transformers:
-- |-
-  apiVersion: builtin
-  kind: PatchTransformer
-  metadata:
-    name: fix-local-registry-rbac-namespace
-  patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
-  target:
-    group: rbac.authorization.k8s.io
-    kind: RoleBinding
-    name: camel-k-operator-local-registry
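Review bot: the removed PatchTransformer was what pinned the RoleBinding `camel-k-operator-local-registry` to `kube-public`, and the `setup` target still runs `set-kustomize-namespace` against this kustomization. Nothing in this hunk shows where that namespace is fixed now. Please confirm the binding is not rewritten to the operator namespace, and leave a comment here pointing at the file that now owns it.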
diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index 9daf61ee0..2db3fde3d 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
@@ -260,7 +260,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 	}
 
 	// Install Kubernetes RBAC resources (roles and bindings)
-	if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		return err
 	}
 
@@ -289,7 +289,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 		return err
 	}
 	if isKnative {
-		if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+		if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 			return err
 		}
 		if err := installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-bind-addressable-resolver", "/rbac/operator-cluster-role-binding-addressable-resolver.yaml"); err != nil {
@@ -301,35 +301,35 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 		}
 	}
 
-	if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to publish Kubernetes events. Try installing as cluster-admin to allow it to generate events.")
 	}
 
-	if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create KEDA resources. Try installing as cluster-admin.")
 	}
 
-	if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create PodMonitor resources. Try installing as cluster-admin.")
 	}
 
-	if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to lookup strimzi kafka resources. Try installing as cluster-admin to allow the lookup of strimzi kafka resources.")
 	}
 
-	if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
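Review bot: with `cfg.Global` these calls now create ClusterRoles and ClusterRoleBindings, yet any error other than AlreadyExists (Forbidden included) is still reduced to a warning on stderr. For a global install that yields an operator that watches every namespace without the events, KEDA, PodMonitor or Strimzi permissions it expects. Consider returning the error when `cfg.Global` is true, or at least have the warning state that cluster-scoped RBAC could not be created.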
@@ -491,12 +491,20 @@ func installOpenShiftRoles(ctx context.Context, c client.Client, namespace strin
 	)
 }
 
-func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/manager/operator-service-account.yaml",
-		"/rbac/operator-role.yaml",
-		"/rbac/operator-role-binding.yaml",
-	)
+func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/manager/operator-service-account.yaml",
+			"/rbac/descoped/operator-cluster-role.yaml",
+			"/rbac/descoped/operator-cluster-role-binding.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/manager/operator-service-account.yaml",
+			"/rbac/namespaced/operator-role.yaml",
+			"/rbac/namespaced/operator-role-binding.yaml",
+		)
+	}
 }
 
 func installOperator(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
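Review bot: `force bool, global bool` puts two positional booleans side by side at the end of the signature, so a swapped argument at a call site such as `collection, force, cfg.Global)` compiles silently and flips namespaced versus cluster-wide RBAC. The `else` after `return` is also redundant. Suggest choosing the path prefix once (`/rbac/descoped/operator-cluster-role` or `/rbac/namespaced/operator-role`) and keeping a single `ResourcesOrCollect` call that lists `/manager/operator-service-account.yaml` one time.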
@@ -505,39 +513,74 @@ func installOperator(ctx context.Context, c client.Client, namespace string, cus
 	)
 }
 
-func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-keda.yaml",
-		"/rbac/operator-role-binding-keda.yaml",
-	)
+func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-keda.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-keda.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-keda.yaml",
+			"/rbac/namespaced/operator-role-binding-keda.yaml",
+		)
+	}
 }
 
-func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-knative.yaml",
-		"/rbac/operator-role-binding-knative.yaml",
-	)
+func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-knative.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-knative.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-knative.yaml",
+			"/rbac/namespaced/operator-role-binding-knative.yaml",
+		)
+	}
 }
 
-func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-events.yaml",
-		"/rbac/operator-role-binding-events.yaml",
-	)
+func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-events.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-events.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-events.yaml",
+			"/rbac/namespaced/operator-role-binding-events.yaml",
+		)
+	}
 }
 
-func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-podmonitors.yaml",
-		"/rbac/operator-role-binding-podmonitors.yaml",
-	)
+func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-podmonitors.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-podmonitors.yaml",
+			"/rbac/namespaced/operator-role-binding-podmonitors.yaml",
+		)
+	}
 }
 
-func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-strimzi.yaml",
-		"/rbac/operator-role-binding-strimzi.yaml",
-	)
+func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-strimzi.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-strimzi.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-strimzi.yaml",
+			"/rbac/namespaced/operator-role-binding-strimzi.yaml",
+		)
+	}
 }
 
 func installMonitoringResources(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
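Review bot: the same `if global { ... } else { ... }` block is copied into installKedaBindings, installKnative, installEvents, installPodMonitors and installStrimziBindings, differing only in the file suffix (`keda`, `knative`, `events`, `podmonitors`, `strimzi`). One helper taking the suffix and `global` would remove five copies of the path pairs and make it harder for a single function to end up pointing at the wrong scope. None of the functions has a doc comment saying that `global` switches from Role/RoleBinding to ClusterRole/ClusterRoleBinding.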
@@ -547,11 +590,18 @@ func installMonitoringResources(ctx context.Context, c client.Client, namespace
 	)
 }
 
-func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-leases.yaml",
-		"/rbac/operator-role-binding-leases.yaml",
-	)
+func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-leases.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-leases.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-leases.yaml",
+			"/rbac/namespaced/operator-role-binding-leases.yaml",
+		)
+	}
 }
 
 // NewPlatform creates a new IntegrationPlatform instance.


(camel-k) 02/04: feat(install): Separate namespaced and descoped openshift rbacs

Posted by pc...@apache.org.

pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit e8c28a05670982463ac3a7e0bae4d7f57523a61f
Author: Gaelle Fournier <ga...@gmail.com>
AuthorDate: Fri Dec 8 22:07:20 2023 +0100

    feat(install): Separate namespaced and descoped openshift rbacs
---
 config/manifests/kustomization.yaml                   |  1 +
 .../rbac/openshift/{ => descoped}/kustomization.yaml  |  8 +++-----
 .../operator-cluster-role-binding-openshift.yaml}     |  5 +++--
 .../operator-cluster-role-openshift.yaml}             |  2 +-
 config/rbac/openshift/kustomization.yaml              |  2 --
 .../openshift/{ => namespaced}/kustomization.yaml     |  4 +---
 .../operator-role-binding-openshift.yaml              |  0
 .../{ => namespaced}/operator-role-openshift.yaml     |  0
 e2e/support/test_support.go                           |  4 ++--
 install/Makefile                                      | 16 ++++++----------
 pkg/install/operator.go                               | 19 +++++++++++++------
 11 files changed, 30 insertions(+), 31 deletions(-)

diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
index 9a926be1b..f97882bcf 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/manifests/kustomization.yaml
@@ -29,6 +29,7 @@ resources:
 - ../rbac
 - ../rbac/namespaced
 - ../rbac/openshift
+- ../rbac/openshift/namespaced
 
 patchesStrategicMerge:
 - patch-delete-user-cluster-role.yaml
diff --git a/config/rbac/openshift/kustomization.yaml b/config/rbac/openshift/descoped/kustomization.yaml
similarity index 81%
copy from config/rbac/openshift/kustomization.yaml
copy to config/rbac/openshift/descoped/kustomization.yaml
index 2813c7aad..35cf76e40 100644
--- a/config/rbac/openshift/kustomization.yaml
+++ b/config/rbac/openshift/descoped/kustomization.yaml
@@ -16,13 +16,11 @@
 # ---------------------------------------------------------------------------
 
 #
-# rbac resources applicable for only openshift platforms
+# rbac resources applicable for all kubernetes platforms - global operator
 #
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- operator-cluster-role-console-binding-openshift.yaml
-- operator-cluster-role-console-openshift.yaml
-- operator-role-openshift.yaml
-- operator-role-binding-openshift.yaml
+- operator-cluster-role-openshift.yaml
+- operator-cluster-role-binding-openshift.yaml
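Review bot: the header comment now reads `rbac resources applicable for all kubernetes platforms - global operator`, but this file lives under config/rbac/openshift/descoped and lists only `*-openshift.yaml` resources. It should say these are OpenShift-only resources for the global (descoped) operator.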
diff --git a/config/rbac/openshift/operator-role-binding-openshift.yaml b/config/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml
similarity index 94%
copy from config/rbac/openshift/operator-role-binding-openshift.yaml
copy to config/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml
index 54dbe28d1..8cf0a8fc9 100644
--- a/config/rbac/openshift/operator-role-binding-openshift.yaml
+++ b/config/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-openshift
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-openshift
   apiGroup: rbac.authorization.k8s.io
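Review bot: the subject is committed with `namespace: placeholder`, and nothing in this file says what replaces it. A ClusterRoleBinding subject of kind ServiceAccount is matched by name and namespace, so if that value reaches the cluster the ClusterRole `camel-k-operator-openshift` is bound to a `camel-k-operator` account in a namespace called `placeholder` rather than the operator's own. Please add a comment naming the step that rewrites it, and check that both the kustomize path and the Go install path do so.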
diff --git a/config/rbac/openshift/operator-role-openshift.yaml b/config/rbac/openshift/descoped/operator-cluster-role-openshift.yaml
similarity index 99%
copy from config/rbac/openshift/operator-role-openshift.yaml
copy to config/rbac/openshift/descoped/operator-cluster-role-openshift.yaml
index 4eccaee70..5589d7793 100644
--- a/config/rbac/openshift/operator-role-openshift.yaml
+++ b/config/rbac/openshift/descoped/operator-cluster-role-openshift.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-openshift
diff --git a/config/rbac/openshift/kustomization.yaml b/config/rbac/openshift/kustomization.yaml
index 2813c7aad..4920f6600 100644
--- a/config/rbac/openshift/kustomization.yaml
+++ b/config/rbac/openshift/kustomization.yaml
@@ -24,5 +24,3 @@ kind: Kustomization
 resources:
 - operator-cluster-role-console-binding-openshift.yaml
 - operator-cluster-role-console-openshift.yaml
-- operator-role-openshift.yaml
-- operator-role-binding-openshift.yaml
diff --git a/config/rbac/openshift/kustomization.yaml b/config/rbac/openshift/namespaced/kustomization.yaml
similarity index 87%
copy from config/rbac/openshift/kustomization.yaml
copy to config/rbac/openshift/namespaced/kustomization.yaml
index 2813c7aad..0fc781320 100644
--- a/config/rbac/openshift/kustomization.yaml
+++ b/config/rbac/openshift/namespaced/kustomization.yaml
@@ -16,13 +16,11 @@
 # ---------------------------------------------------------------------------
 
 #
-# rbac resources applicable for only openshift platforms
+# rbac resources applicable for all kubernetes platforms - global operator
 #
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- operator-cluster-role-console-binding-openshift.yaml
-- operator-cluster-role-console-openshift.yaml
 - operator-role-openshift.yaml
 - operator-role-binding-openshift.yaml
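Review bot: the comment was changed to `rbac resources applicable for all kubernetes platforms - global operator`, which does not match this file: it sits under openshift/namespaced and lists `operator-role-openshift.yaml` and `operator-role-binding-openshift.yaml`. It looks copied from the descoped file and should describe OpenShift resources for a namespaced operator.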
diff --git a/config/rbac/openshift/operator-role-binding-openshift.yaml b/config/rbac/openshift/namespaced/operator-role-binding-openshift.yaml
similarity index 100%
rename from config/rbac/openshift/operator-role-binding-openshift.yaml
rename to config/rbac/openshift/namespaced/operator-role-binding-openshift.yaml
diff --git a/config/rbac/openshift/operator-role-openshift.yaml b/config/rbac/openshift/namespaced/operator-role-openshift.yaml
similarity index 100%
rename from config/rbac/openshift/operator-role-openshift.yaml
rename to config/rbac/openshift/namespaced/operator-role-openshift.yaml
diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go
index ec1f5d5e1..2415efee2 100644
--- a/e2e/support/test_support.go
+++ b/e2e/support/test_support.go
@@ -2404,7 +2404,7 @@ func CreateOperatorRole(ns string) (err error) {
 		return err
 	}
 	if oc {
-		return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/operator-role-openshift.yaml")
+		return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/namespaced/operator-role-openshift.yaml")
 	}
 	return nil
 }
@@ -2419,7 +2419,7 @@ func CreateOperatorRoleBinding(ns string) error {
 		return err
 	}
 	if oc {
-		return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/operator-role-binding-openshift.yaml")
+		return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/namespaced/operator-role-binding-openshift.yaml")
 	}
 	return nil
 }
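Review bot: CreateOperatorRole and CreateOperatorRoleBinding are only repointed at `/rbac/openshift/namespaced/...`, and the new `/rbac/openshift/descoped/` manifests get no counterpart in these helpers. If global installs are exercised through them, a descoped variant is needed; otherwise a comment stating that the helpers are namespaced-only would avoid surprises.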
diff --git a/install/Makefile b/install/Makefile
index a80f5e3da..692d32f9a 100644
--- a/install/Makefile
+++ b/install/Makefile
@@ -202,11 +202,7 @@ setup-cluster: check-admin check-crd-api-support have-platform kustomize kubectl
 # Set the namespace in the setup-cluster kustomization yaml
 	@$(call set-kustomize-namespace,$@)
 ifeq ($(PLATFORM), openshift)
-	@for res in $(RBAC_OS)/operator-cluster*; do \
-		cd $@ || exit 1 && \
-			$(KUSTOMIZE) edit add resource ../$$res && \
-			cd - &> /dev/null; \
-	done
+	@cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC_OS) && cd - &> /dev/null;
 endif
 #
 # Build the resources
@@ -248,11 +244,11 @@ else
 	@cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null;
 endif
 ifeq ($(PLATFORM), openshift)
-	@for res in $(RBAC_OS)/operator-role*; do \
-		cd $@ || exit 1 && \
-			$(KUSTOMIZE) edit add resource ../$$res && \
-			cd - &> /dev/null; \
-	done
+ifeq ($(GLOBAL), true)
+	@cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC_OS)/descoped && cd - &> /dev/null;
+else
+	@cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC_OS)/namespaced && cd - &> /dev/null;
+endif
 endif
 #
 # Build the resources
diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index 2db3fde3d..b12cb734c 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
@@ -266,7 +266,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 
 	// Install OpenShift RBAC resources if needed (roles and bindings)
 	if isOpenShift {
-		if err := installOpenShiftRoles(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+		if err := installOpenShiftRoles(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 			return err
 		}
 		if err := installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-console-openshift", "/rbac/openshift/operator-cluster-role-console-binding-openshift.yaml"); err != nil {
@@ -484,11 +484,18 @@ func installClusterRoleBinding(ctx context.Context, c client.Client, collection
 	return c.Patch(ctx, existing, ctrl.RawPatch(types.MergePatchType, p))
 }
 
-func installOpenShiftRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/openshift/operator-role-openshift.yaml",
-		"/rbac/openshift/operator-role-binding-openshift.yaml",
-	)
+func installOpenShiftRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/openshift/descoped/operator-cluster-role-openshift.yaml",
+			"/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/openshift/namespaced/operator-role-openshift.yaml",
+			"/rbac/openshift/namespaced/operator-role-binding-openshift.yaml",
+		)
+	}
 }
 
 func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {


(camel-k) 04/04: feat(doc): Kustomize installation procedure

Posted by pc...@apache.org.

pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit e6fcd0ffb1abc10cdfb414b2c4c33aace538c754
Author: Gaelle Fournier <ga...@gmail.com>
AuthorDate: Tue Dec 12 15:38:58 2023 +0100

    feat(doc): Kustomize installation procedure
---
 .../ROOT/pages/installation/installation.adoc      | 40 ++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/docs/modules/ROOT/pages/installation/installation.adoc b/docs/modules/ROOT/pages/installation/installation.adoc
index 605dd6ff6..f0b40a294 100644
--- a/docs/modules/ROOT/pages/installation/installation.adoc
+++ b/docs/modules/ROOT/pages/installation/installation.adoc
@@ -29,6 +29,8 @@ For CRC, this means executing `oc login -u system:admin` then `kamel install --c
 
 Camel K can be installed using https://kustomize.io[Kustomize], providing an interface for configuring more advanced features.
 
+**First you need to get the kustomize files**
+
 ```
 # Clone the project repository
 $ https://github.com/apache/camel-k.git
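Review bot: the context line directly under the new heading, `$ https://github.com/apache/camel-k.git`, is missing the `git clone` command, so the first step of the procedure cannot be run as written. Since this change restructures the section into steps, it is worth fixing in the same commit.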
@@ -36,13 +38,47 @@ $ cd camel-k
 # You can use any release branch or skip this step to use it the last code on `main`
 $ git checkout release-a.b.x
 $ cd install
-$ kubectl apply -k setup-cluster
+```
+
+**Next you need to apply configuration at cluster level**
+
+```
+$ kubectl kustomize --load-restrictor LoadRestrictionsNone setup-cluster/ | kubectl create -f -
+```
+
+**Then the roles and privileges needs to be added**
+
+```
 $ kubectl apply -k setup
+$ kubectl apply -k config/rbac/namespaced
+# For openshift
+$ kubectl apply -k config/rbac/openshift
+$ kubectl apply -k config/rbac/openshift/namespaced
+```
+
+Should you want your operator operator to watch all namespaces (global operator), you will replace `config/rbac/namespaced` by `config/rbac/descoped` and `config/rbac/openshift/namespaced` by `config/rbac/openshift/descoped`.
+
+**Finally the operator can be deployed**
+
+```
 $ kubectl apply -k operator
 $ kubectl apply -k platform
 ```
 
-NOTE: you probably want to edit the configuration. Please, do any change right after cloning the repository.
+By default the operator is configured to get the registry information from a Configmap expected the namespace `kube-public` like this example:
+
+```
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: local-registry-hosting
+  namespace: kube-public
+data:
+  localRegistryHosting.v1: |
+    hostFromContainerRuntime: "registry:5000"
+```
+
+NOTE: you probably want to edit the configuration. Please, do any change right after cloning the repository. Be careful to avoid making any modification in the `install/config` folder.
 
 More information on the xref:installation/advanced/kustomize.adoc[Kustomize Camel K installation procedure] page.
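Review bot: `--load-restrictor LoadRestrictionsNone` in the cluster-level step is given with no explanation. It lets kustomize load files from outside the `setup-cluster/` root, so the doc should say why it is needed here and that it should only be run against a trusted checkout. The same step pipes into `kubectl create -f -` while every other step uses `kubectl apply -k`, so re-running the procedure fails on objects that already exist. Wording: `operator operator` is doubled, `needs to be added` should be `need to be added`, and `expected the namespace` is missing `in`.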