This is an automated email from the ASF dual-hosted git repository. pcongiusti pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit fdfbb8acf2ba6b0370e9133157e9136de7abbf2b Author: Gaelle Fournier <[email protected]> AuthorDate: Fri Nov 10 14:35:32 2023 +0100 feat(install): Separate namespaced and descoped rbacs Ref #3165 --- config/manifests/kustomization.yaml | 1 + .../descoped}/kustomization.yaml | 36 +++--- .../operator-cluster-role-binding-events.yaml} | 5 +- .../operator-cluster-role-binding-keda.yaml} | 5 +- .../operator-cluster-role-binding-knative.yaml} | 5 +- .../operator-cluster-role-binding-leases.yaml} | 5 +- ...operator-cluster-role-binding-podmonitors.yaml} | 5 +- .../operator-cluster-role-binding-strimzi.yaml} | 5 +- .../operator-cluster-role-binding.yaml} | 5 +- .../operator-cluster-role-events.yaml} | 2 +- .../operator-cluster-role-keda.yaml} | 2 +- .../operator-cluster-role-knative.yaml} | 2 +- .../operator-cluster-role-leases.yaml} | 2 +- .../operator-cluster-role-podmonitors.yaml} | 2 +- .../operator-cluster-role-strimzi.yaml} | 2 +- .../operator-cluster-role.yaml} | 2 +- config/rbac/kustomization.yaml | 29 +++-- config/rbac/{ => namespaced}/kustomization.yaml | 9 +- .../operator-role-binding-events.yaml | 0 .../operator-role-binding-keda.yaml | 0 .../operator-role-binding-knative.yaml | 0 .../operator-role-binding-leases.yaml | 0 .../operator-role-binding-podmonitors.yaml | 0 .../operator-role-binding-strimzi.yaml | 0 .../{ => namespaced}/operator-role-binding.yaml | 0 .../{ => namespaced}/operator-role-events.yaml | 0 .../rbac/{ => namespaced}/operator-role-keda.yaml | 0 .../{ => namespaced}/operator-role-knative.yaml | 0 .../{ => namespaced}/operator-role-leases.yaml | 0 .../operator-role-podmonitors.yaml | 0 .../{ => namespaced}/operator-role-strimzi.yaml | 0 config/rbac/{ => namespaced}/operator-role.yaml | 0 install/Makefile | 10 +- install/setup/kustomization.yaml | 12 -- pkg/install/operator.go | 136 ++++++++++++++------- 35 files changed, 159 insertions(+), 123 deletions(-) 
diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 94f8a27f8..9a926be1b 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -27,6 +27,7 @@ resources: - ../samples - ../scorecard - ../rbac +- ../rbac/namespaced - ../rbac/openshift patchesStrategicMerge: diff --git a/config/manifests/kustomization.yaml b/config/rbac/descoped/kustomization.yaml similarity index 61% copy from config/manifests/kustomization.yaml copy to config/rbac/descoped/kustomization.yaml index 94f8a27f8..ade2d46ba 100644 --- a/config/manifests/kustomization.yaml +++ b/config/rbac/descoped/kustomization.yaml @@ -14,25 +14,25 @@ # See the License for the specific language governing permissions and # limitations under the License. # --------------------------------------------------------------------------- + +# +# rbac resources applicable for all kubernetes platforms - global operator +# apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -# Labels to add to all resources and selectors. -commonLabels: - app: camel-k - resources: -- ../manager -- ../crd -- ../samples -- ../scorecard -- ../rbac -- ../rbac/openshift - -patchesStrategicMerge: -- patch-delete-user-cluster-role.yaml -- patch-delete-pvc.yaml -images: -- name: docker.io/apache/camel-k - newName: docker.io/apache/camel-k - newTag: 2.2.0-SNAPSHOT +- operator-cluster-role-events.yaml +- operator-cluster-role-knative.yaml +- operator-cluster-role.yaml +- operator-cluster-role-keda.yaml +- operator-cluster-role-leases.yaml +- operator-cluster-role-podmonitors.yaml +- operator-cluster-role-strimzi.yaml +- operator-cluster-role-binding-events.yaml +- operator-cluster-role-binding-keda.yaml +- operator-cluster-role-binding-knative.yaml +- operator-cluster-role-binding-leases.yaml +- operator-cluster-role-binding-podmonitors.yaml +- operator-cluster-role-binding-strimzi.yaml +- operator-cluster-role-binding.yaml 
diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/descoped/operator-cluster-role-binding-events.yaml similarity index 94% copy from config/rbac/operator-role-binding-events.yaml copy to config/rbac/descoped/operator-cluster-role-binding-events.yaml index 7b1d41dd5..9dd5228d2 100644 --- a/config/rbac/operator-role-binding-events.yaml +++ b/config/rbac/descoped/operator-cluster-role-binding-events.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: RoleBinding +kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-events @@ -24,7 +24,8 @@ metadata: subjects: - kind: ServiceAccount name: camel-k-operator + namespace: placeholder roleRef: - kind: Role + kind: ClusterRole name: camel-k-operator-events apiGroup: rbac.authorization.k8s.io diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml similarity index 94% copy from config/rbac/operator-role-binding-keda.yaml copy to config/rbac/descoped/operator-cluster-role-binding-keda.yaml index fd8c60256..92e154e87 100644 --- a/config/rbac/operator-role-binding-keda.yaml +++ b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: RoleBinding +kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-keda @@ -24,7 +24,8 @@ metadata: subjects: - kind: ServiceAccount name: camel-k-operator + namespace: placeholder roleRef: - kind: Role + kind: ClusterRole name: camel-k-operator-keda apiGroup: rbac.authorization.k8s.io 
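Review bot: The subject namespace `placeholder` added in `operator-cluster-role-binding-events.yaml` is only safe if every install path rewrites it. Applied as written, the ClusterRoleBinding grants the cluster role to a `camel-k-operator` service account in a namespace literally named `placeholder`. The same literal is added in the keda, knative, leases, podmonitors, strimzi and base `operator-cluster-role-binding.yaml` files. Whether the kustomize namespace step and the customizer passed to `ResourcesOrCollect` in `pkg/install/operator.go` replace it is not visible in this diff, so that is worth confirming for both paths. A comment next to the field, such as `# replaced with the operator namespace at install time`, would make the intent explicit.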
diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml similarity index 94% copy from config/rbac/operator-role-binding-knative.yaml copy to config/rbac/descoped/operator-cluster-role-binding-knative.yaml index 034baef7b..739b0dd06 100644 --- a/config/rbac/operator-role-binding-knative.yaml +++ b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: RoleBinding +kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-knative @@ -24,7 +24,8 @@ metadata: subjects: - kind: ServiceAccount name: camel-k-operator + namespace: placeholder roleRef: - kind: Role + kind: ClusterRole name: camel-k-operator-knative apiGroup: rbac.authorization.k8s.io diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml similarity index 94% copy from config/rbac/operator-role-binding-leases.yaml copy to config/rbac/descoped/operator-cluster-role-binding-leases.yaml index 5bbc4efc1..35d667fd1 100644 --- a/config/rbac/operator-role-binding-leases.yaml +++ b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: RoleBinding +kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-leases @@ -24,7 +24,8 @@ metadata: subjects: - kind: ServiceAccount name: camel-k-operator + namespace: placeholder roleRef: - kind: Role + kind: ClusterRole name: camel-k-operator-leases apiGroup: rbac.authorization.k8s.io 
diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml similarity index 94% copy from config/rbac/operator-role-binding-podmonitors.yaml copy to config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml index 26b6d9c85..bef231b07 100644 --- a/config/rbac/operator-role-binding-podmonitors.yaml +++ b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: RoleBinding +kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-podmonitors @@ -24,7 +24,8 @@ metadata: subjects: - kind: ServiceAccount name: camel-k-operator + namespace: placeholder roleRef: - kind: Role + kind: ClusterRole name: camel-k-operator-podmonitors apiGroup: rbac.authorization.k8s.io diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml similarity index 94% copy from config/rbac/operator-role-binding-strimzi.yaml copy to config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml index 9a860c02c..fefd14352 100644 --- a/config/rbac/operator-role-binding-strimzi.yaml +++ b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: RoleBinding +kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-strimzi @@ -24,7 +24,8 @@ metadata: subjects: - kind: ServiceAccount name: camel-k-operator + namespace: placeholder roleRef: - kind: Role + kind: ClusterRole name: camel-k-operator-strimzi apiGroup: rbac.authorization.k8s.io 
diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/descoped/operator-cluster-role-binding.yaml similarity index 94% copy from config/rbac/operator-role-binding.yaml copy to config/rbac/descoped/operator-cluster-role-binding.yaml index afbdf270f..83f227d62 100644 --- a/config/rbac/operator-role-binding.yaml +++ b/config/rbac/descoped/operator-cluster-role-binding.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: RoleBinding +kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator @@ -24,7 +24,8 @@ metadata: subjects: - kind: ServiceAccount name: camel-k-operator + namespace: placeholder roleRef: - kind: Role + kind: ClusterRole name: camel-k-operator apiGroup: rbac.authorization.k8s.io diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/descoped/operator-cluster-role-events.yaml similarity index 98% copy from config/rbac/operator-role-events.yaml copy to config/rbac/descoped/operator-cluster-role-events.yaml index d109b734d..1dfd24b01 100644 --- a/config/rbac/operator-role-events.yaml +++ b/config/rbac/descoped/operator-cluster-role-events.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: Role +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-events diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/descoped/operator-cluster-role-keda.yaml similarity index 98% copy from config/rbac/operator-role-keda.yaml copy to config/rbac/descoped/operator-cluster-role-keda.yaml index 22c026c15..3b3f432eb 100644 --- a/config/rbac/operator-role-keda.yaml +++ b/config/rbac/descoped/operator-cluster-role-keda.yaml 
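Review bot: Only `kind` changes in `operator-cluster-role-events.yaml`; the rules sit outside the hunk and are carried over from the namespaced Role, so the descoped copy grants each of those verbs in every namespace. The same applies to the keda, knative, leases, podmonitors, strimzi and base `operator-cluster-role.yaml` copies. There are now two rule lists per feature, and a rule tightened in one copy can be missed in the other. A header comment such as `# Cluster-scoped copy of ../namespaced/operator-role-events.yaml; keep the rules in sync` would flag that. It is also worth checking whether any rule can be dropped from the cluster-scoped variant.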
@@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: Role +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-keda diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/descoped/operator-cluster-role-knative.yaml similarity index 98% copy from config/rbac/operator-role-knative.yaml copy to config/rbac/descoped/operator-cluster-role-knative.yaml index 3cba80931..305d26b62 100644 --- a/config/rbac/operator-role-knative.yaml +++ b/config/rbac/descoped/operator-cluster-role-knative.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: Role +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-knative diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/descoped/operator-cluster-role-leases.yaml similarity index 98% copy from config/rbac/operator-role-leases.yaml copy to config/rbac/descoped/operator-cluster-role-leases.yaml index 4223e8e2e..6ea671bd2 100644 --- a/config/rbac/operator-role-leases.yaml +++ b/config/rbac/descoped/operator-cluster-role-leases.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: Role +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-leases diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml similarity index 98% copy from config/rbac/operator-role-podmonitors.yaml copy to config/rbac/descoped/operator-cluster-role-podmonitors.yaml index 7a3fe05c4..2578103c3 100644 --- a/config/rbac/operator-role-podmonitors.yaml +++ b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml 
@@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: Role +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-podmonitors diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-strimzi.yaml similarity index 98% copy from config/rbac/operator-role-strimzi.yaml copy to config/rbac/descoped/operator-cluster-role-strimzi.yaml index ab0a91d70..9ccea139f 100644 --- a/config/rbac/operator-role-strimzi.yaml +++ b/config/rbac/descoped/operator-cluster-role-strimzi.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: Role +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator-strimzi diff --git a/config/rbac/operator-role.yaml b/config/rbac/descoped/operator-cluster-role.yaml similarity index 99% copy from config/rbac/operator-role.yaml copy to config/rbac/descoped/operator-cluster-role.yaml index 4ddc2d4c1..d7ee2fa39 100644 --- a/config/rbac/operator-role.yaml +++ b/config/rbac/descoped/operator-cluster-role.yaml @@ -15,7 +15,7 @@ # limitations under the License. # --------------------------------------------------------------------------- -kind: Role +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: camel-k-operator diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index f2600f162..5b3e03f55 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml 
@@ -23,23 +23,22 @@ kind: Kustomization resources: - user-cluster-role.yaml -- operator-role-events.yaml -- operator-role-knative.yaml -- operator-role.yaml -- operator-role-keda.yaml -- operator-role-leases.yaml -- operator-role-podmonitors.yaml -- operator-role-strimzi.yaml -- operator-role-binding-events.yaml -- operator-role-binding-keda.yaml -- operator-role-binding-knative.yaml -- operator-role-binding-leases.yaml -- operator-role-binding-local-registry.yaml -- operator-role-binding-podmonitors.yaml -- operator-role-binding-strimzi.yaml -- operator-role-binding.yaml - operator-cluster-role-custom-resource-definitions.yaml - operator-cluster-role-binding-custom-resource-definitions.yaml - operator-cluster-role-addressable-resolver.yaml - operator-cluster-role-binding-addressable-resolver.yaml - operator-cluster-role-local-registry.yaml +- operator-role-binding-local-registry.yaml + + +transformers: +- |- + apiVersion: builtin + kind: PatchTransformer + metadata: + name: fix-local-registry-rbac-namespace + patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]' + target: + group: rbac.authorization.k8s.io + kind: RoleBinding + name: camel-k-operator-local-registry \ No newline at end of file diff --git a/config/rbac/kustomization.yaml b/config/rbac/namespaced/kustomization.yaml similarity index 78% copy from config/rbac/kustomization.yaml copy to config/rbac/namespaced/kustomization.yaml index f2600f162..510beb4d5 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/namespaced/kustomization.yaml @@ -16,13 +16,12 @@ # --------------------------------------------------------------------------- # -# rbac resources applicable for all kubernetes platforms +# rbac resources applicable for all kubernetes platforms - namespaced operator # apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- user-cluster-role.yaml - operator-role-events.yaml - operator-role-knative.yaml - operator-role.yaml 
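Review bot: After this hunk `config/rbac` on its own no longer yields any operator Role or RoleBinding, so every kustomization that lists `../rbac` has to add `namespaced` or `descoped` itself. In this commit only `config/manifests` and the `setup` target in `install/Makefile` are updated to do so; any other overlay outside the diff would presumably build without error and deploy an operator that lacks its permissions. A comment above `resources:` such as `# operator roles live in ./namespaced and ./descoped; include exactly one of them` would document the split. The file also now ends without a trailing newline.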
@@ -34,12 +33,6 @@ resources: - operator-role-binding-keda.yaml - operator-role-binding-knative.yaml - operator-role-binding-leases.yaml -- operator-role-binding-local-registry.yaml - operator-role-binding-podmonitors.yaml - operator-role-binding-strimzi.yaml - operator-role-binding.yaml -- operator-cluster-role-custom-resource-definitions.yaml -- operator-cluster-role-binding-custom-resource-definitions.yaml -- operator-cluster-role-addressable-resolver.yaml -- operator-cluster-role-binding-addressable-resolver.yaml -- operator-cluster-role-local-registry.yaml diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/namespaced/operator-role-binding-events.yaml similarity index 100% rename from config/rbac/operator-role-binding-events.yaml rename to config/rbac/namespaced/operator-role-binding-events.yaml diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/namespaced/operator-role-binding-keda.yaml similarity index 100% rename from config/rbac/operator-role-binding-keda.yaml rename to config/rbac/namespaced/operator-role-binding-keda.yaml diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/namespaced/operator-role-binding-knative.yaml similarity index 100% rename from config/rbac/operator-role-binding-knative.yaml rename to config/rbac/namespaced/operator-role-binding-knative.yaml diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/namespaced/operator-role-binding-leases.yaml similarity index 100% rename from config/rbac/operator-role-binding-leases.yaml rename to config/rbac/namespaced/operator-role-binding-leases.yaml diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/namespaced/operator-role-binding-podmonitors.yaml similarity index 100% rename from config/rbac/operator-role-binding-podmonitors.yaml rename to config/rbac/namespaced/operator-role-binding-podmonitors.yaml 
diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/namespaced/operator-role-binding-strimzi.yaml similarity index 100% rename from config/rbac/operator-role-binding-strimzi.yaml rename to config/rbac/namespaced/operator-role-binding-strimzi.yaml diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/namespaced/operator-role-binding.yaml similarity index 100% rename from config/rbac/operator-role-binding.yaml rename to config/rbac/namespaced/operator-role-binding.yaml diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/namespaced/operator-role-events.yaml similarity index 100% rename from config/rbac/operator-role-events.yaml rename to config/rbac/namespaced/operator-role-events.yaml diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/namespaced/operator-role-keda.yaml similarity index 100% rename from config/rbac/operator-role-keda.yaml rename to config/rbac/namespaced/operator-role-keda.yaml diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/namespaced/operator-role-knative.yaml similarity index 100% rename from config/rbac/operator-role-knative.yaml rename to config/rbac/namespaced/operator-role-knative.yaml diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/namespaced/operator-role-leases.yaml similarity index 100% rename from config/rbac/operator-role-leases.yaml rename to config/rbac/namespaced/operator-role-leases.yaml diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/namespaced/operator-role-podmonitors.yaml similarity index 100% rename from config/rbac/operator-role-podmonitors.yaml rename to config/rbac/namespaced/operator-role-podmonitors.yaml diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/namespaced/operator-role-strimzi.yaml similarity index 100% rename from config/rbac/operator-role-strimzi.yaml rename to config/rbac/namespaced/operator-role-strimzi.yaml 
diff --git a/config/rbac/operator-role.yaml b/config/rbac/namespaced/operator-role.yaml similarity index 100% rename from config/rbac/operator-role.yaml rename to config/rbac/namespaced/operator-role.yaml diff --git a/install/Makefile b/install/Makefile index ce329c6d5..a80f5e3da 100644 --- a/install/Makefile +++ b/install/Makefile @@ -241,13 +241,11 @@ endif setup: setup-cluster # Set the namespace in the setup kustomization yaml @$(call set-kustomize-namespace,$@) -# If GLOBAL then add the conversion patches for all roles and rolebindings -ifeq ($(GLOBAL),true) - @$(call add-remove-kind-patch,setup,add,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role) - @$(call add-remove-kind-patch,setup,add,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding) +# If GLOBAL then add the versions with clusterroles and clusterrolebindings +ifeq ($(GLOBAL), true) + @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped && cd - &> /dev/null; else - @$(call add-remove-kind-patch,setup,remove,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role) - @$(call add-remove-kind-patch,setup,remove,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding) + @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null; endif ifeq ($(PLATFORM), openshift) @for res in $(RBAC_OS)/operator-role*; do \ diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml index 9598726ca..c10dfd653 100644 --- a/install/setup/kustomization.yaml +++ b/install/setup/kustomization.yaml @@ -19,15 +19,3 @@ kind: Kustomization resources: - ../config/rbac - -transformers: -- |- - apiVersion: builtin - kind: PatchTransformer - metadata: - name: fix-local-registry-rbac-namespace - patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]' - target: - group: rbac.authorization.k8s.io - kind: RoleBinding - name: camel-k-operator-local-registry diff --git a/pkg/install/operator.go b/pkg/install/operator.go index 9daf61ee0..2db3fde3d 100644 
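Review bot: Each branch of the new `ifeq ($(GLOBAL), true)` block in the `setup` target only adds a resource to `setup/kustomization.yaml`, whereas the removed code had a matching `remove` call in the `else` branch. Since `kustomize edit` rewrites the file in place, running `make setup GLOBAL=true` and later a plain `make setup` would leave `../$(RBAC)/descoped` listed, unless the file is reset elsewhere. The namespaced install would then still apply the ClusterRoles and ClusterRoleBindings. Pairing each add with the opposite removal would keep the two modes exclusive, e.g. `$(KUSTOMIZE) edit remove resource ../$(RBAC)/namespaced` in the global branch and `$(KUSTOMIZE) edit remove resource ../$(RBAC)/descoped` in the other.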
--- a/pkg/install/operator.go +++ b/pkg/install/operator.go @@ -260,7 +260,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client, } // Install Kubernetes RBAC resources (roles and bindings) - if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { return err } @@ -289,7 +289,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client, return err } if isKnative { - if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { return err } if err := installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-bind-addressable-resolver", "/rbac/operator-cluster-role-binding-addressable-resolver.yaml"); err != nil { 
@@ -301,35 +301,35 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client, } } - if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { if k8serrors.IsAlreadyExists(err) { return err } fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to publish Kubernetes events. Try installing as cluster-admin to allow it to generate events.") } - if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { if k8serrors.IsAlreadyExists(err) { return err } fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create KEDA resources. Try installing as cluster-admin.") } - if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { if k8serrors.IsAlreadyExists(err) { return err } fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create PodMonitor resources. Try installing as cluster-admin.") } - if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { if k8serrors.IsAlreadyExists(err) { return err } fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to lookup strimzi kafka resources. 
Try installing as cluster-admin to allow the lookup of strimzi kafka resources.") } - if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { if k8serrors.IsAlreadyExists(err) { return err } @@ -491,12 +491,20 @@ func installOpenShiftRoles(ctx context.Context, c client.Client, namespace strin ) } -func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/manager/operator-service-account.yaml", - "/rbac/operator-role.yaml", - "/rbac/operator-role-binding.yaml", - ) +func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/manager/operator-service-account.yaml", + "/rbac/descoped/operator-cluster-role.yaml", + "/rbac/descoped/operator-cluster-role-binding.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/manager/operator-service-account.yaml", + "/rbac/namespaced/operator-role.yaml", + "/rbac/namespaced/operator-role-binding.yaml", + ) + } } func installOperator(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { 
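Review bot: `installKubernetesRoles` now returns from both arms of an `if global { … } else { … }`, and the same shape is repeated in `installKedaBindings`, `installKnative`, `installEvents`, `installPodMonitors`, `installStrimziBindings` and `installLeaseBindings` in the later hunks. The `else` after a terminating `return` is redundant, and seven hand-written pairs of paths make it easy for one feature to load the wrong scope. A small helper that derives both paths from `global` and a suffix would keep the scope decision in one place, and `force bool, global bool` can be shortened to `force, global bool`. The helper also gives a single spot for a doc comment stating that `global` selects the ClusterRole/ClusterRoleBinding manifests.

```go
// rbacResourcePaths returns the role and binding manifests for the given
// suffix ("" for the base role, "-keda", "-events", ...), choosing the
// cluster-scoped copies when the operator is installed globally.
func rbacResourcePaths(global bool, suffix string) (string, string) {
	if global {
		return "/rbac/descoped/operator-cluster-role" + suffix + ".yaml",
			"/rbac/descoped/operator-cluster-role-binding" + suffix + ".yaml"
	}
	return "/rbac/namespaced/operator-role" + suffix + ".yaml",
		"/rbac/namespaced/operator-role-binding" + suffix + ".yaml"
}

func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force, global bool) error {
	role, binding := rbacResourcePaths(global, "")
	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
		"/manager/operator-service-account.yaml", role, binding)
}

// … unchanged: installOperator …
// … installKedaBindings, installKnative, installEvents, installPodMonitors,
//   installStrimziBindings, installLeaseBindings: same two-line body with their own suffix …
```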
@@ -505,39 +513,74 @@ func installOperator(ctx context.Context, c client.Client, namespace string, cus ) } -func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-keda.yaml", - "/rbac/operator-role-binding-keda.yaml", - ) +func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-keda.yaml", + "/rbac/descoped/operator-cluster-role-binding-keda.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-keda.yaml", + "/rbac/namespaced/operator-role-binding-keda.yaml", + ) + } } -func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-knative.yaml", - "/rbac/operator-role-binding-knative.yaml", - ) +func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-knative.yaml", + "/rbac/descoped/operator-cluster-role-binding-knative.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-knative.yaml", + "/rbac/namespaced/operator-role-binding-knative.yaml", + ) + } } -func installEvents(ctx context.Context, c 
client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-events.yaml", - "/rbac/operator-role-binding-events.yaml", - ) +func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-events.yaml", + "/rbac/descoped/operator-cluster-role-binding-events.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-events.yaml", + "/rbac/namespaced/operator-role-binding-events.yaml", + ) + } } -func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-podmonitors.yaml", - "/rbac/operator-role-binding-podmonitors.yaml", - ) +func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-podmonitors.yaml", + "/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-podmonitors.yaml", + "/rbac/namespaced/operator-role-binding-podmonitors.yaml", + ) + } } -func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { 
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-strimzi.yaml", - "/rbac/operator-role-binding-strimzi.yaml", - ) +func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-strimzi.yaml", + "/rbac/descoped/operator-cluster-role-binding-strimzi.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-strimzi.yaml", + "/rbac/namespaced/operator-role-binding-strimzi.yaml", + ) + } } func installMonitoringResources(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { 
@@ -547,11 +590,18 @@ func installMonitoringResources(ctx context.Context, c client.Client, namespace ) } -func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-leases.yaml", - "/rbac/operator-role-binding-leases.yaml", - ) +func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-leases.yaml", + "/rbac/descoped/operator-cluster-role-binding-leases.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-leases.yaml", + "/rbac/namespaced/operator-role-binding-leases.yaml", + ) + } } // NewPlatform creates a new IntegrationPlatform instance.
