This is an automated email from the ASF dual-hosted git repository.

pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit ce5c6903bcf8c253a0248d007b06c59eca6cfe6b
Author: Gaelle Fournier <[email protected]>
AuthorDate: Mon Nov 13 14:13:08 2023 +0100

    feat(install): Adaptations for namespaced/descoped separation rbacs
---
 e2e/support/test_support.go      |  4 +--
 install/setup/kustomization.yaml | 12 +++++++++
 pkg/install/operator.go          | 55 ++++++++++++++++------------------------
 3 files changed, 36 insertions(+), 35 deletions(-)

diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go
index 2415efee2..371e8491a 100644
--- a/e2e/support/test_support.go
+++ b/e2e/support/test_support.go
@@ -2399,7 +2399,7 @@ func CreateOperatorRole(ns string) (err error) {
                // This should ideally be removed from the common RBAC manifest.
                customizer = install.RemoveIngressRoleCustomizer
        }
-       err = install.Resource(TestContext, TestClient(), ns, true, customizer, 
"/rbac/operator-role.yaml")
+       err = install.Resource(TestContext, TestClient(), ns, true, customizer, 
"/rbac/namespaced/operator-role.yaml")
        if err != nil {
                return err
        }
@@ -2414,7 +2414,7 @@ func CreateOperatorRoleBinding(ns string) error {
        if err != nil {
                failTest(err)
        }
-       err = install.Resource(TestContext, TestClient(), ns, true, 
install.IdentityResourceCustomizer, "/rbac/operator-role-binding.yaml")
+       err = install.Resource(TestContext, TestClient(), ns, true, 
install.IdentityResourceCustomizer, 
"/rbac/namespaced/operator-role-binding.yaml")
        if err != nil {
                return err
        }
diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml
index c10dfd653..9598726ca 100644
--- a/install/setup/kustomization.yaml
+++ b/install/setup/kustomization.yaml
@@ -19,3 +19,15 @@ kind: Kustomization
 
 resources:
 - ../config/rbac
+
+transformers:
+- |-
+  apiVersion: builtin
+  kind: PatchTransformer
+  metadata:
+    name: fix-local-registry-rbac-namespace
+  patch: '[{"op": "replace", "path": "/metadata/namespace", "value": 
"kube-public"}]'
+  target:
+    group: rbac.authorization.k8s.io
+    kind: RoleBinding
+    name: camel-k-operator-local-registry
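Review bot: The PatchTransformer rewrites `/metadata/namespace` of RoleBinding `camel-k-operator-local-registry` to `kube-public` with no comment saying why, so a reader of this file cannot tell why one camel-k RoleBinding is placed outside the operator namespace; presumably the local-registry resource it grants access to lives in `kube-public`, but please confirm and record it above the transformer, e.g. `# The local-registry RoleBinding must live in the namespace of the resource it grants access to (kube-public), not in the operator namespace.` Two things worth checking while doing so: the `target` has no `namespace` selector, so the patch applies to every RoleBinding of that name whatever namespace the source manifest gives it, and if the binding's `roleRef` points at a namespaced Role rather than a ClusterRole, that Role must also exist in `kube-public` for the binding to take effect, which this patch does not arrange.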
diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index b12cb734c..b24dbe2f3 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
@@ -200,41 +200,30 @@ func OperatorOrCollect(ctx context.Context, cmd 
*cobra.Command, c client.Client,
                                        
envvar.SetVal(&d.Spec.Template.Spec.Containers[0].Env, "WATCH_NAMESPACE", "")
                                }
                        }
-
-                       // Turn Role & RoleBinding into their equivalent 
cluster types
-                       if r, ok := o.(*rbacv1.Role); ok {
-                               if strings.HasPrefix(r.Name, 
"camel-k-operator") {
-                                       o = &rbacv1.ClusterRole{
-                                               ObjectMeta: metav1.ObjectMeta{
-                                                       Namespace: 
cfg.Namespace,
-                                                       Name:      r.Name,
-                                                       Labels: 
map[string]string{
-                                                               "app": 
"camel-k",
-                                                       },
-                                               },
-                                               Rules: r.Rules,
+                       // Configure subject on ClusterRoleBindings
+                       if crb, ok := o.(*rbacv1.ClusterRoleBinding); ok {
+                               if strings.HasPrefix(crb.Name, 
"camel-k-operator") {
+                                       crb.ObjectMeta.Name = 
fmt.Sprintf("%s-%s", crb.ObjectMeta.Name, cfg.Namespace)
+                                       bound := false
+                                       for i, subject := range crb.Subjects {
+                                               if subject.Name == 
"camel-k-operator" {
+                                                       if subject.Namespace == 
cfg.Namespace {
+                                                               bound = true
+                                                               break
+                                                       } else if 
subject.Namespace == "" || subject.Namespace == "placeholder" {
+                                                               
crb.Subjects[i].Namespace = cfg.Namespace
+                                                               bound = true
+                                                               break
+                                                       }
+                                               }
                                        }
-                               }
-                       }
-
-                       if rb, ok := o.(*rbacv1.RoleBinding); ok {
-                               if strings.HasPrefix(rb.Name, 
"camel-k-operator") {
-                                       rb.Subjects[0].Namespace = cfg.Namespace
 
-                                       o = &rbacv1.ClusterRoleBinding{
-                                               ObjectMeta: metav1.ObjectMeta{
+                                       if !bound {
+                                               crb.Subjects = 
append(crb.Subjects, rbacv1.Subject{
+                                                       Kind:      
"ServiceAccount",
                                                        Namespace: 
cfg.Namespace,
-                                                       Name:      
fmt.Sprintf("%s-%s", rb.Name, cfg.Namespace),
-                                                       Labels: 
map[string]string{
-                                                               "app": 
"camel-k",
-                                                       },
-                                               },
-                                               Subjects: rb.Subjects,
-                                               RoleRef: rbacv1.RoleRef{
-                                                       APIGroup: 
rb.RoleRef.APIGroup,
-                                                       Kind:     "ClusterRole",
-                                                       Name:     
rb.RoleRef.Name,
-                                               },
+                                                       Name:      
"camel-k-operator",
+                                               })
                                        }
                                }
                        }
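Review bot: The subject-binding loop added here (match `camel-k-operator`, fill an empty or `"placeholder"` namespace, else append a new ServiceAccount subject) duplicates the loop in installClusterRoleBinding that the second hunk of this file (`@@ -444,7 +433,7 @@`) also touches, and both now repeat the magic string `"placeholder"`; a small helper called from both sites would keep the two in step the next time the placeholder convention changes. The match also checks only `subject.Name`, not `subject.Kind`, so a User or Group subject named `camel-k-operator` would be re-namespaced, while the appended entry is always a ServiceAccount — matching on Kind as well keeps the two paths consistent. The `// Configure subject on ClusterRoleBindings` comment would read better as `// Bind the operator ServiceAccount of cfg.Namespace on operator ClusterRoleBindings, filling a placeholder namespace or appending a subject`. OperatorOrCollect starts before and continues after this hunk, and I have not seen the rest of installClusterRoleBinding, so whether its loop can use the helper unchanged is inferred from the second hunk only.

```go
// placeholderNamespace is the namespace value the shipped RBAC manifests use
// for subjects that are filled in with the install namespace.
const placeholderNamespace = "placeholder"

// bindOperatorSubject makes sure the camel-k-operator ServiceAccount of
// namespace is among subjects: an existing entry with an empty or placeholder
// namespace is filled in place, otherwise a new subject is appended.
func bindOperatorSubject(subjects []rbacv1.Subject, namespace string) []rbacv1.Subject {
	for i, subject := range subjects {
		if subject.Kind != "ServiceAccount" || subject.Name != "camel-k-operator" {
			continue
		}
		if subject.Namespace == namespace {
			return subjects
		}
		if subject.Namespace == "" || subject.Namespace == placeholderNamespace {
			subjects[i].Namespace = namespace
			return subjects
		}
	}
	return append(subjects, rbacv1.Subject{
		Kind:      "ServiceAccount",
		Namespace: namespace,
		Name:      "camel-k-operator",
	})
}

// … unchanged: WATCH_NAMESPACE handling above …
			if crb, ok := o.(*rbacv1.ClusterRoleBinding); ok {
				if strings.HasPrefix(crb.Name, "camel-k-operator") {
					crb.ObjectMeta.Name = fmt.Sprintf("%s-%s", crb.ObjectMeta.Name, cfg.Namespace)
					crb.Subjects = bindOperatorSubject(crb.Subjects, cfg.Namespace)
				}
			}
```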
@@ -444,7 +433,7 @@ func installClusterRoleBinding(ctx context.Context, c 
client.Client, collection
                                bound = true
 
                                break
-                       } else if subject.Namespace == "" {
+                       } else if subject.Namespace == "" || subject.Namespace 
== "placeholder" {
                                target.Subjects[i].Namespace = namespace
                                bound = true
 
