This is an automated email from the ASF dual-hosted git repository. pcongiusti pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit e8c28a05670982463ac3a7e0bae4d7f57523a61f Author: Gaelle Fournier <[email protected]> AuthorDate: Fri Dec 8 22:07:20 2023 +0100 feat(install): Separate namespaced and descoped openshift rbacs --- config/manifests/kustomization.yaml | 1 + .../rbac/openshift/{ => descoped}/kustomization.yaml | 8 +++----- .../operator-cluster-role-binding-openshift.yaml} | 5 +++-- .../operator-cluster-role-openshift.yaml} | 2 +- config/rbac/openshift/kustomization.yaml | 2 -- .../openshift/{ => namespaced}/kustomization.yaml | 4 +--- .../operator-role-binding-openshift.yaml | 0 .../{ => namespaced}/operator-role-openshift.yaml | 0 e2e/support/test_support.go | 4 ++-- install/Makefile | 16 ++++++---------- pkg/install/operator.go | 19 +++++++++++++------ 11 files changed, 30 insertions(+), 31 deletions(-) diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 9a926be1b..f97882bcf 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -29,6 +29,7 @@ resources: - ../rbac - ../rbac/namespaced - ../rbac/openshift +- ../rbac/openshift/namespaced patchesStrategicMerge: - patch-delete-user-cluster-role.yaml diff --git a/config/rbac/openshift/kustomization.yaml b/config/rbac/openshift/descoped/kustomization.yaml similarity index 81% copy from config/rbac/openshift/kustomization.yaml copy to config/rbac/openshift/descoped/kustomization.yaml index 2813c7aad..35cf76e40 100644 --- a/config/rbac/openshift/kustomization.yaml +++ b/config/rbac/openshift/descoped/kustomization.yaml 
@@ -16,13 +16,11 @@ # --------------------------------------------------------------------------- # -# rbac resources applicable for only openshift platforms +# rbac resources applicable for all kubernetes platforms - global operator # apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- operator-cluster-role-console-binding-openshift.yaml -- operator-cluster-role-console-openshift.yaml -- operator-role-openshift.yaml -- operator-role-binding-openshift.yaml +- operator-cluster-role-openshift.yaml +- operator-cluster-role-binding-openshift.yaml diff --git a/config/rbac/openshift/operator-role-binding-openshift.yaml b/config/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml similarity index 94% copy from config/rbac/openshift/operator-role-binding-openshift.yaml copy to config/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml index 54dbe28d1..8cf0a8fc9 100644 --- a/config/rbac/openshift/operator-role-binding-openshift.yaml +++ b/config/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: RoleBinding +kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-openshift @@ -24,7 +24,8 @@ metadata: subjects: - kind: ServiceAccount name: camel-k-operator + namespace: placeholder roleRef: - kind: Role + kind: ClusterRole name: camel-k-operator-openshift apiGroup: rbac.authorization.k8s.io diff --git a/config/rbac/openshift/operator-role-openshift.yaml b/config/rbac/openshift/descoped/operator-cluster-role-openshift.yaml similarity index 99% copy from config/rbac/openshift/operator-role-openshift.yaml copy to config/rbac/openshift/descoped/operator-cluster-role-openshift.yaml index 4eccaee70..5589d7793 100644 --- a/config/rbac/openshift/operator-role-openshift.yaml 
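Review bot: The header comment added to config/rbac/openshift/descoped/kustomization.yaml reads `# rbac resources applicable for all kubernetes platforms - global operator`, but every resource the file lists is OpenShift-specific. The same sentence is added to config/rbac/openshift/namespaced/kustomization.yaml, where "global operator" is also wrong. Suggest `# rbac resources applicable for only openshift platforms - global operator` here and `# rbac resources applicable for only openshift platforms - namespaced operator` in the namespaced file, so that anyone auditing which RBAC set belongs to which install mode is not misled.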
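Review bot: The ServiceAccount subject of the new ClusterRoleBinding carries `namespace: placeholder`, and nothing in this diff shows where that value is replaced. If any install path applies the manifest without rewriting it, the cluster-wide `camel-k-operator-openshift` role ends up bound to a `camel-k-operator` service account in a namespace literally named `placeholder` instead of the operator's own namespace. Both consumers are worth checking: the `descoped` kustomize resource added in install/Makefile, and the `global` branch of `installOpenShiftRoles` in pkg/install/operator.go, which presumably relies on the `customizer` passed to `ResourcesOrCollect` (its body is not visible here). A comment next to the field, e.g. `# replaced with the operator namespace at install time`, would make that dependency explicit.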
+++ b/config/rbac/openshift/descoped/operator-cluster-role-openshift.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: Role +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-openshift diff --git a/config/rbac/openshift/kustomization.yaml b/config/rbac/openshift/kustomization.yaml index 2813c7aad..4920f6600 100644 --- a/config/rbac/openshift/kustomization.yaml +++ b/config/rbac/openshift/kustomization.yaml @@ -24,5 +24,3 @@ kind: Kustomization resources: - operator-cluster-role-console-binding-openshift.yaml - operator-cluster-role-console-openshift.yaml -- operator-role-openshift.yaml -- operator-role-binding-openshift.yaml diff --git a/config/rbac/openshift/kustomization.yaml b/config/rbac/openshift/namespaced/kustomization.yaml similarity index 87% copy from config/rbac/openshift/kustomization.yaml copy to config/rbac/openshift/namespaced/kustomization.yaml index 2813c7aad..0fc781320 100644 --- a/config/rbac/openshift/kustomization.yaml +++ b/config/rbac/openshift/namespaced/kustomization.yaml @@ -16,13 +16,11 @@ # --------------------------------------------------------------------------- # -# rbac resources applicable for only openshift platforms +# rbac resources applicable for all kubernetes platforms - global operator # apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- operator-cluster-role-console-binding-openshift.yaml -- operator-cluster-role-console-openshift.yaml - operator-role-openshift.yaml - operator-role-binding-openshift.yaml diff --git a/config/rbac/openshift/operator-role-binding-openshift.yaml b/config/rbac/openshift/namespaced/operator-role-binding-openshift.yaml similarity index 100% rename from config/rbac/openshift/operator-role-binding-openshift.yaml rename to config/rbac/openshift/namespaced/operator-role-binding-openshift.yaml 
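Review bot: The new ClusterRole reuses the namespaced Role's rule list unchanged (only `kind` differs, similarity 99%), so once bound those permissions apply in every namespace rather than just the operator's. The rules themselves are outside the hunk, so it is not possible to tell from here which of them a global operator needs cluster-wide; it would be worth trimming to that set rather than copying the namespaced list verbatim. A header comment such as `# Cluster-wide variant of namespaced/operator-role-openshift.yaml, installed only for global operators` would also help keep the two files in sync.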
diff --git a/config/rbac/openshift/operator-role-openshift.yaml b/config/rbac/openshift/namespaced/operator-role-openshift.yaml similarity index 100% rename from config/rbac/openshift/operator-role-openshift.yaml rename to config/rbac/openshift/namespaced/operator-role-openshift.yaml diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go index ec1f5d5e1..2415efee2 100644 --- a/e2e/support/test_support.go +++ b/e2e/support/test_support.go @@ -2404,7 +2404,7 @@ func CreateOperatorRole(ns string) (err error) { return err } if oc { - return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/operator-role-openshift.yaml") + return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/namespaced/operator-role-openshift.yaml") } return nil } @@ -2419,7 +2419,7 @@ func CreateOperatorRoleBinding(ns string) error { return err } if oc { - return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/operator-role-binding-openshift.yaml") + return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/namespaced/operator-role-binding-openshift.yaml") } return nil } diff --git a/install/Makefile b/install/Makefile index a80f5e3da..692d32f9a 100644 --- a/install/Makefile +++ b/install/Makefile @@ -202,11 +202,7 @@ setup-cluster: check-admin check-crd-api-support have-platform kustomize kubectl # Set the namespace in the setup-cluster kustomization yaml @$(call set-kustomize-namespace,$@) ifeq ($(PLATFORM), openshift) - @for res in $(RBAC_OS)/operator-cluster*; do \ - cd $@ || exit 1 && \ - $(KUSTOMIZE) edit add resource ../$$res && \ - cd - &> /dev/null; \ - done + @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC_OS) && cd - &> /dev/null; endif # # Build the resources 
@@ -248,11 +244,11 @@ else @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null; endif ifeq ($(PLATFORM), openshift) - @for res in $(RBAC_OS)/operator-role*; do \ - cd $@ || exit 1 && \ - $(KUSTOMIZE) edit add resource ../$$res && \ - cd - &> /dev/null; \ - done +ifeq ($(GLOBAL), true) + @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC_OS)/descoped && cd - &> /dev/null; +else + @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC_OS)/namespaced && cd - &> /dev/null; +endif endif # # Build the resources diff --git a/pkg/install/operator.go b/pkg/install/operator.go index 2db3fde3d..b12cb734c 100644 --- a/pkg/install/operator.go +++ b/pkg/install/operator.go @@ -266,7 +266,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client, // Install OpenShift RBAC resources if needed (roles and bindings) if isOpenShift { - if err := installOpenShiftRoles(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err := installOpenShiftRoles(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { return err } if err := installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-console-openshift", "/rbac/openshift/operator-cluster-role-console-binding-openshift.yaml"); err != nil { 
@@ -484,11 +484,18 @@ func installClusterRoleBinding(ctx context.Context, c client.Client, collection return c.Patch(ctx, existing, ctrl.RawPatch(types.MergePatchType, p)) } -func installOpenShiftRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/openshift/operator-role-openshift.yaml", - "/rbac/openshift/operator-role-binding-openshift.yaml", - ) +func installOpenShiftRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/openshift/descoped/operator-cluster-role-openshift.yaml", + "/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/openshift/namespaced/operator-role-openshift.yaml", + "/rbac/openshift/namespaced/operator-role-binding-openshift.yaml", + ) + } } func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
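Review bot: In `installOpenShiftRoles` the `else` after the returning `if global` block is redundant, and the two branches repeat the whole `ResourcesOrCollect` call. Dropping the `else` and outdenting the namespaced call keeps the default path left-aligned, and the parameter list can be shortened to `force, global bool`. The function also has no doc comment; something like `// installOpenShiftRoles installs the OpenShift operator role and binding, cluster-scoped when global is true and namespaced otherwise.` would record why the two manifest sets exist.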
