This is an automated email from the ASF dual-hosted git repository. tsato pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit c5b887b03482c8ada2206a7a7dd4d9935f91274d Author: [email protected] <[email protected]> AuthorDate: Sat Aug 13 01:09:55 2022 +0800 feat: add global option to helm installation for operator to watch all namespaces --- .../templates/operator-cluster-role-bindings.yaml | 179 +++++++++++++++ ...rator-role.yaml => operator-cluster-roles.yaml} | 241 +++++++++++++++------ helm/camel-k/templates/operator-role-binding.yaml | 2 + helm/camel-k/templates/operator-role.yaml | 2 + helm/camel-k/templates/operator.yaml | 4 + helm/camel-k/values.yaml | 1 + 6 files changed, 367 insertions(+), 62 deletions(-)
diff --git a/helm/camel-k/templates/operator-cluster-role-bindings.yaml b/helm/camel-k/templates/operator-cluster-role-bindings.yaml
new file mode 100644
index 000000000..e8410f097
--- /dev/null
+++ b/helm/camel-k/templates/operator-cluster-role-bindings.yaml
@@ -0,0 +1,179 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+{{- if eq .Values.operator.global "true" }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-custom-resource-definitions
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-custom-resource-definitions
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-events
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-events
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-keda
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-keda
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-leases
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-leases
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-podmonitors
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-podmonitors
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-strimzi
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-strimzi
+ apiGroup: rbac.authorization.k8s.io
+
+
+{{- if eq .Values.platform.cluster "OpenShift" }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-console-openshift
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-console-openshift
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-openshift
+ labels:
+ app: "camel-k"
+ {{- include "camel-k.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-openshift
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
+{{- end }}
\ No newline at end of file
diff --git a/helm/camel-k/templates/operator-role.yaml b/helm/camel-k/templates/operator-cluster-roles.yaml
similarity index 62%
copy from helm/camel-k/templates/operator-role.yaml
copy to helm/camel-k/templates/operator-cluster-roles.yaml
index 81f23b835..46ca9c777 100644
--- a/helm/camel-k/templates/operator-role.yaml
+++ b/helm/camel-k/templates/operator-cluster-roles.yaml
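Review bot: The guard `{{- if eq .Values.operator.global "true" }}` that opens this template compares against a string, so the common `--set operator.global=true` form, which Helm parses as a boolean, makes `eq` fail on mismatched types instead of enabling the bindings. The same string comparison gates operator-cluster-roles.yaml, operator-role.yaml, operator-role-binding.yaml and the WATCH_NAMESPACE block in operator.yaml. Normalising the value where it is tested, e.g. `{{- if eq (toString .Values.operator.global) "true" }}`, or declaring it as a real boolean in values.yaml and testing `{{- if .Values.operator.global }}`, would accept both spellings. A one-line comment above the guard stating that these ClusterRoleBindings give the `camel-k-operator` service account its permissions in every namespace would also help anyone reviewing the rendered manifest.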
@@ -15,7 +15,57 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: Role +{{- if eq .Values.operator.global "true" }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-edit + labels: + app: "camel-k" + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + {{- include "camel-k.labels" . | nindent 4 }} +rules: +- apiGroups: + - camel.apache.org + resources: + - builds + - camelcatalogs + - integrationkits + - integrationplatforms + - integrations + - kameletbindings + - kamelets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - camel.apache.org + resources: + - builds/status + - camelcatalogs/status + - integrationkits/status + - integrationplatforms/status + - integrations/scale + - integrations/status + - kameletbindings/scale + - kameletbindings/status + - kamelets/status + verbs: + - get + - patch + - update + + +--- +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator @@ -166,6 +216,34 @@ rules: - patch - update - watch + + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-custom-resource-definitions + labels: + app: "camel-k" + {{- include "camel-k.labels" . | nindent 4 }} +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-events + labels: + app: "camel-k" + {{- include "camel-k.labels" . | nindent 4 }} +rules: - apiGroups: - "" resources: 
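Review bot: The `camel-k-edit` ClusterRole added in the first hunk carries the `aggregate-to-admin` and `aggregate-to-edit` labels, so with `operator.global` enabled every subject holding admin or edit in any namespace can create `integrations`, `builds` and `integrationplatforms` that an operator bound cluster-wide will act on. The existing comment only says the permissions are added to the default roles; I would extend it to something like `# Global mode: all namespace admins/editors gain these Camel K permissions, and the cluster-wide operator reconciles what they create.` If some installations need the global operator without the aggregation, a separate value that switches the two labels off would be the smallest change, though the chart's intended audience is not visible from this diff. The `camel-k-operator` ClusterRole that follows continues outside the hunk, so its rule list could not be reviewed here.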
@@ -176,8 +254,19 @@ rules: - get - list - watch + + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-keda + labels: + app: "camel-k" + {{- include "camel-k.labels" . | nindent 4 }} +rules: - apiGroups: - - keda.sh + - "keda.sh" resources: - scaledobjects - triggerauthentications 
@@ -190,55 +279,105 @@ rules: - patch - update - watch + + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-leases + labels: + app: "camel-k" + {{- include "camel-k.labels" . | nindent 4 }} +rules: - apiGroups: - - serving.knative.dev + - "coordination.k8s.io" resources: - - services + - leases verbs: - create - delete + - deletecollection - get - list - patch - update - watch + + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-local-registry + labels: + app: "camel-k" + {{- include "camel-k.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["local-registry-hosting"] + verbs: ["get"] + + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-podmonitors + labels: + app: "camel-k" + {{- include "camel-k.labels" . | nindent 4 }} +rules: - apiGroups: - - eventing.knative.dev - resources: - - triggers - verbs: - - create - - delete - - get - - list - - patch - - update -- apiGroups: - - messaging.knative.dev + - monitoring.coreos.com resources: - - subscriptions + - podmonitors verbs: - create - delete + - deletecollection - get - list - patch - update + - watch + + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-strimzi + labels: + app: "camel-k" + {{- include "camel-k.labels" . | nindent 4 }} +rules: - apiGroups: - - sources.knative.dev + - "kafka.strimzi.io" resources: - - sinkbindings + - kafkatopics + - kafkas verbs: - - create - - delete - get - list - - patch - - update + - watch + + +{{- if eq .Values.platform.cluster "OpenShift" }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-console-openshift + labels: + app: "camel-k" + {{- include "camel-k.labels" . 
| nindent 4 }} +rules: - apiGroups: - - coordination.k8s.io + - console.openshift.io resources: - - leases + - consoleclidownloads verbs: - create - delete @@ -248,6 +387,15 @@ rules: - patch - update - watch +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-openshift + labels: + app: "camel-k" + {{- include "camel-k.labels" . | nindent 4 }} +rules: - apiGroups: - camel.apache.org resources: @@ -260,7 +408,7 @@ rules: - update - apiGroups: - "" - - build.openshift.io + - "build.openshift.io" resources: - buildconfigs - buildconfigs/webhooks @@ -276,7 +424,7 @@ rules: - watch - apiGroups: - "" - - image.openshift.io + - "image.openshift.io" resources: - imagestreamimages - imagestreammappings @@ -303,7 +451,7 @@ rules: - create - apiGroups: - "" - - route.openshift.io + - "route.openshift.io" resources: - routes verbs: @@ -322,37 +470,6 @@ rules: - routes/custom-host verbs: - create -- apiGroups: - - monitoring.coreos.com - resources: - - podmonitors - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - kafka.strimzi.io - resources: - - kafkatopics - - kafkas - verbs: - - get - - list - - watch -- apiGroups: - - "apiextensions.k8s.io" - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - bind +{{- end }} + +{{- end }} \ No newline at end of file diff --git a/helm/camel-k/templates/operator-role-binding.yaml b/helm/camel-k/templates/operator-role-binding.yaml index 0c785efa7..c34445be1 100644 --- a/helm/camel-k/templates/operator-role-binding.yaml +++ b/helm/camel-k/templates/operator-role-binding.yaml @@ -15,6 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- +{{- if eq .Values.operator.global "false" }} kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: 
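Review bot: The hunk starting at `@@ -190,55 +279,105 @@` removes the `serving.knative.dev`, `eventing.knative.dev`, `messaging.knative.dev` and `sources.knative.dev` rules that the namespaced Role copy had, and no ClusterRole in this file replaces them, so a global operator appears to lose its Knative permissions unless another template already supplies them. In the same hunk `camel-k-operator-local-registry` is added as a ClusterRole, but operator-cluster-role-bindings.yaml contains no binding for it, so the rule is never granted; binding it with a ClusterRoleBinding would allow `get` on a ConfigMap named `local-registry-hosting` in every namespace, whereas a Role plus RoleBinding in the single namespace that holds that ConfigMap keeps the grant narrow. Its rule is also written in flow style with a two-space indent, unlike every other rule in the file.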
@@ -29,3 +30,4 @@ roleRef: kind: Role name: camel-k-operator apiGroup: rbac.authorization.k8s.io +{{- end }} \ No newline at end of file diff --git a/helm/camel-k/templates/operator-role.yaml b/helm/camel-k/templates/operator-role.yaml index 81f23b835..8b6badcda 100644 --- a/helm/camel-k/templates/operator-role.yaml +++ b/helm/camel-k/templates/operator-role.yaml @@ -15,6 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- +{{- if eq .Values.operator.global "false" }} kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -356,3 +357,4 @@ rules: - clusterroles verbs: - bind +{{- end }} \ No newline at end of file diff --git a/helm/camel-k/templates/operator.yaml b/helm/camel-k/templates/operator.yaml index 6ef4a1d88..326432e21 100644 --- a/helm/camel-k/templates/operator.yaml +++ b/helm/camel-k/templates/operator.yaml @@ -43,9 +43,13 @@ spec: - operator env: - name: WATCH_NAMESPACE + {{- if eq .Values.operator.global "false" }} valueFrom: fieldRef: fieldPath: metadata.namespace + {{- else }} + value: "" + {{- end }} - name: OPERATOR_NAME value: camel-k - name: POD_NAME diff --git a/helm/camel-k/values.yaml b/helm/camel-k/values.yaml index 2e8d7854f..ffec29d8b 100644 --- a/helm/camel-k/values.yaml +++ b/helm/camel-k/values.yaml @@ -24,6 +24,7 @@ fullnameOverride: "" operator: image: docker.io/apache/camel-k:1.10.0-SNAPSHOT + global: "false" resources: {} securityContext: {}
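Review bot: In the operator.yaml hunk the `{{- else }}` branch sets `WATCH_NAMESPACE` to `""` for every value other than the exact string "false", so cluster-wide watching is the fallback, while the ClusterRoles and their bindings are rendered only for the exact string "true". A typo such as "False" would therefore deploy an operator that watches all namespaces with neither the Role nor the ClusterRoles bound. Testing the positive case makes the namespaced scope the default: `{{- if eq (toString .Values.operator.global) "true" }}` in front of `value: ""`, with the `fieldRef` block under `{{- else }}`. The guards in operator-role.yaml and operator-role-binding.yaml would then use the matching `ne` form, so that exactly one RBAC set is always rendered.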
