This is an automated email from the ASF dual-hosted git repository.

pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git


The following commit(s) were added to refs/heads/main by this push:
     new 51ce115ff feat(install): remove unnecessary rbac
51ce115ff is described below

commit 51ce115ff425bc14907e3a49e29592c4c88851d1
Author: Pasquale Congiusti <[email protected]>
AuthorDate: Sat Dec 6 09:46:26 2025 +0100

    feat(install): remove unnecessary rbac
---
 e2e/common/git/git_test.go                         |  19 +++-
 e2e/support/test_support.go                        |  60 +-----------
 helm/camel-k/templates/rbacs-common.yaml           |  31 ++++++
 helm/camel-k/templates/rbacs-descoped.yaml         | 109 +++++++++------------
 helm/camel-k/templates/rbacs-namespaced.yaml       | 100 ++++++++-----------
 pkg/controller/integrationplatform/kamelets.go     |  31 ------
 .../integrationplatform/kamelets_test.go           |   7 --
 pkg/controller/pipe/initialize.go                  |   2 +-
 pkg/install/common.go                              |  57 -----------
 .../rbac/descoped/operator-cluster-role-keda.yaml  |   3 -
 .../descoped/operator-cluster-role-knative.yaml    |  24 ++---
 .../descoped/operator-cluster-role-leases.yaml     |   4 +-
 .../operator-cluster-role-podmonitors.yaml         |   6 +-
 .../descoped/operator-cluster-role-strimzi.yaml    |   2 +-
 .../rbac/descoped/operator-cluster-role.yaml       |  96 ++++++++++--------
 .../rbac/kamelets-viewer-role-binding.yaml}        |   0
 .../rbac/kamelets-viewer-role.yaml}                |   0
 pkg/resources/config/rbac/kustomization.yaml       |   4 +-
 .../config/rbac/namespaced/operator-role-keda.yaml |   3 -
 .../rbac/namespaced/operator-role-knative.yaml     |  12 ---
 .../rbac/namespaced/operator-role-leases.yaml      |   2 -
 .../rbac/namespaced/operator-role-podmonitors.yaml |   3 -
 .../rbac/namespaced/operator-role-strimzi.yaml     |   2 +-
 .../config/rbac/namespaced/operator-role.yaml      |  84 ++++++++--------
 .../resources/addons/master/master-role-lease.tmpl |   2 -
 25 files changed, 261 insertions(+), 402 deletions(-)

diff --git a/e2e/common/git/git_test.go b/e2e/common/git/git_test.go
index 4e147f25c..251e4bf51 100644
--- a/e2e/common/git/git_test.go
+++ b/e2e/common/git/git_test.go
@@ -40,7 +40,24 @@ func TestGitRepository(t *testing.T) {
                t.Run("Camel Quarkus", func(t *testing.T) {
                        itName := "sample"
                        g.Expect(KamelRun(t, ctx, ns,
-                               "--git", 
"https://github.com/squakez/sample.git";).Execute()).To(Succeed())
+                               "--git", 
"https://github.com/squakez/sample.git";,
+                       ).Execute()).To(Succeed())
+                       g.Eventually(IntegrationConditionStatus(t, ctx, ns, 
itName, v1.IntegrationConditionReady), TestTimeoutLong).
+                               Should(Equal(corev1.ConditionTrue))
+                       g.Eventually(IntegrationPodPhase(t, ctx, ns, 
itName)).Should(Equal(corev1.PodRunning))
+                       g.Eventually(IntegrationLogs(t, ctx, ns, 
itName)).Should(ContainSubstring("Hello Camel from route1"))
+               })
+       })
+}
+func TestPodStrategyGitRepository(t *testing.T) {
+       t.Parallel()
+       WithNewTestNamespace(t, func(ctx context.Context, g *WithT, ns string) {
+               t.Run("Camel Quarkus", func(t *testing.T) {
+                       itName := "sample"
+                       g.Expect(KamelRun(t, ctx, ns,
+                               "--git", 
"https://github.com/squakez/sample.git";,
+                               "-t", "builder.strategy=pod",
+                       ).Execute()).To(Succeed())
                        g.Eventually(IntegrationConditionStatus(t, ctx, ns, 
itName, v1.IntegrationConditionReady), TestTimeoutLong).
                                Should(Equal(corev1.ConditionTrue))
                        g.Eventually(IntegrationPodPhase(t, ctx, ns, 
itName)).Should(Equal(corev1.PodRunning))
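Review bot: `TestPodStrategyGitRepository` duplicates the `TestGitRepository` subtest, and both build and run whatever is currently at the head of the `squakez/sample.git` repository, a personal repository outside the project's control. Pinning the source to a tag or commit (if `kamel run` offers that) or hosting the sample under the project organisation would stop an upstream change from altering what the e2e cluster builds and executes. The two tests differ only in the `-t builder.strategy=pod` argument, so a shared helper or table of extra arguments would remove the copy. The new function also starts directly after the previous closing brace with no blank line or doc comment, and its body continues past the end of the hunk.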
diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go
index 5f1e9db4d..dbacf8cd9 100644
--- a/e2e/support/test_support.go
+++ b/e2e/support/test_support.go
@@ -44,7 +44,6 @@ import (
        "time"
 
        consoleV1 "github.com/openshift/api/console/v1"
-       "github.com/stretchr/testify/require"
 
        "github.com/google/uuid"
        "github.com/onsi/gomega"
@@ -78,7 +77,6 @@ import (
        traitv1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1/trait"
        "github.com/apache/camel-k/v2/pkg/client"
        "github.com/apache/camel-k/v2/pkg/cmd"
-       "github.com/apache/camel-k/v2/pkg/install"
        "github.com/apache/camel-k/v2/pkg/platform"
        v2util "github.com/apache/camel-k/v2/pkg/util"
        "github.com/apache/camel-k/v2/pkg/util/defaults"
@@ -2557,50 +2555,6 @@ func ClusterDomainName(t *testing.T, ctx 
context.Context) (string, error) {
        return dns.Spec.BaseDomain, nil
 }
 
-/*
-       Tekton
-*/
-
-func CreateOperatorServiceAccount(t *testing.T, ctx context.Context, ns 
string) error {
-       return install.Resource(ctx, TestClient(t), ns, true, 
install.IdentityResourceCustomizer, 
"/config/manager/operator-service-account.yaml")
-}
-
-func CreateOperatorRole(t *testing.T, ctx context.Context, ns string) (err 
error) {
-       oc, err := openshift.IsOpenShift(TestClient(t))
-       if err != nil {
-               failTest(t, err)
-       }
-       customizer := install.IdentityResourceCustomizer
-       if oc {
-               // Remove Ingress permissions as it's not needed on OpenShift
-               // This should ideally be removed from the common RBAC manifest.
-               customizer = install.RemoveIngressRoleCustomizer
-       }
-       err = install.Resource(ctx, TestClient(t), ns, true, customizer, 
"/config/rbac/namespaced/operator-role.yaml")
-       if err != nil {
-               return err
-       }
-       if oc {
-               return install.Resource(ctx, TestClient(t), ns, true, 
install.IdentityResourceCustomizer, 
"/config/rbac/openshift/namespaced/operator-role-openshift.yaml")
-       }
-       return nil
-}
-
-func CreateOperatorRoleBinding(t *testing.T, ctx context.Context, ns string) 
error {
-       oc, err := openshift.IsOpenShift(TestClient(t))
-       if err != nil {
-               failTest(t, err)
-       }
-       err = install.Resource(ctx, TestClient(t), ns, true, 
install.IdentityResourceCustomizer, 
"/config/rbac/namespaced/operator-role-binding.yaml")
-       if err != nil {
-               return err
-       }
-       if oc {
-               return install.Resource(ctx, TestClient(t), ns, true, 
install.IdentityResourceCustomizer, 
"/config/rbac/openshift/namespaced/operator-role-binding-openshift.yaml")
-       }
-       return nil
-}
-
 // CreateKamelPodWithIntegrationSource generates and deploy a Pod from current 
Camel K controller image that will run a `kamel xxxx` command.
 // The integration parameter represent an Integration source file contained in 
a ConfigMap or Secret defined and mounted on the as a Volume.
 func CreateKamelPodWithIntegrationSource(t *testing.T, ctx context.Context, ns 
string, name string, integration v1.ValueSource, command ...string) error {
@@ -2827,18 +2781,6 @@ func WithNewTestNamespace(t *testing.T, doRun 
func(context.Context, *gomega.With
        invokeUserTestCode(t, testContext, ns.GetName(), doRun)
 }
 
-func WithGlobalOperatorNamespace(t *testing.T, test func(context.Context, 
*gomega.WithT, string)) {
-       ocp, err := openshift.IsOpenShift(TestClient(t))
-       require.NoError(t, err)
-       if ocp {
-               // global operators are always installed in the 
openshift-operators namespace
-               invokeUserTestCode(t, testContext, "openshift-operators", test)
-       } else {
-               // create new namespace for the global operator
-               WithNewTestNamespace(t, test)
-       }
-}
-
 func WithNewTestNamespaceWithKnativeBroker(t *testing.T, doRun 
func(context.Context, *gomega.WithT, string)) {
        ns := NewTestNamespace(t, testContext, true)
        defer deleteTestNamespace(t, testContext, ns)
@@ -2867,6 +2809,8 @@ func userCleanup(t *testing.T) {
 func invokeUserTestCode(t *testing.T, ctx context.Context, ns string, doRun 
func(context.Context, *gomega.WithT, string)) {
        defer func() {
                DumpNamespace(t, ctx, ns)
+               // Also dump the operator namespace in case it's common
+               DumpNamespace(t, ctx, "camel-k")
        }()
 
        g := gomega.NewWithT(t)
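Review bot: The deferred `DumpNamespace(t, ctx, "camel-k")` hard-codes the operator namespace and runs for every test, including when `ns` is already `camel-k` or the operator is installed elsewhere. Consider taking the namespace from wherever the suite already locates the operator and skipping the second dump when it equals `ns`, e.g. `if opNs != ns { DumpNamespace(t, ctx, opNs) }`. If the dump includes ConfigMap or Secret contents (not visible in this hunk), dumping the shared operator namespace on every run also widens what ends up in CI logs. invokeUserTestCode continues beyond the hunk.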
diff --git a/helm/camel-k/templates/rbacs-common.yaml 
b/helm/camel-k/templates/rbacs-common.yaml
index fd7718633..f63ab9031 100644
--- a/helm/camel-k/templates/rbacs-common.yaml
+++ b/helm/camel-k/templates/rbacs-common.yaml
@@ -108,6 +108,22 @@ rules:
   - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: camel-k
+  name: camel-k-kamelet-viewer
+rules:
+- apiGroups:
+  - camel.apache.org
+  resources:
+  - kamelets
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
@@ -134,3 +150,18 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: camel-k-builder
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: camel-k
+  name: camel-k-kamelet-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: camel-k-kamelet-viewer
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
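Review bot: The new `camel-k-kamelet-viewer` RoleBinding grants get/list/watch on kamelets to `system:authenticated`, that is, every authenticated user and service account in the cluster, and nothing in the visible hunks makes it conditional. The code removed from `pkg/controller/integrationplatform/kamelets.go` installed this role only when the operator watched all namespaces and was installing into its own namespace, so namespaced installs now appear to get the cluster-wide read grant as well. Consider wrapping the Role (first hunk of this file) and this RoleBinding in the same condition the chart uses to select the descoped RBAC, and treating the entries added to `pkg/resources/config/rbac/kustomization.yaml` the same way. A short comment above the binding explaining why the audience is `system:authenticated` would also help anyone auditing the chart.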
diff --git a/helm/camel-k/templates/rbacs-descoped.yaml 
b/helm/camel-k/templates/rbacs-descoped.yaml
index c2ab8dbd3..627ad7a2d 100644
--- a/helm/camel-k/templates/rbacs-descoped.yaml
+++ b/helm/camel-k/templates/rbacs-descoped.yaml
@@ -44,6 +44,7 @@ rules:
   - camel.apache.org
   resources:
   - builds
+  - integrations
   verbs:
   - delete
 - apiGroups:
@@ -66,22 +67,33 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods
-  - services
-  - endpoints
-  - persistentvolumeclaims
   - configmaps
-  - secrets
-  - serviceaccounts
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - create
+  - patch
+  - list
+  - watch
+  - delete
 - apiGroups:
   - ""
   resources:
@@ -96,66 +108,59 @@ rules:
   verbs:
   - get
 - apiGroups:
-  - policy
+  - apps
   resources:
-  - poddisruptionbudgets
+  - deployments
   verbs:
   - create
   - delete
   - get
-  - update
   - list
   - patch
   - watch
 - apiGroups:
-  - rbac.authorization.k8s.io
+  - batch
   resources:
-  - roles
-  - rolebindings
-  - clusterrolebindings
+  - cronjobs
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
   - watch
 - apiGroups:
-  - apps
+  - ""
   resources:
-  - deployments
+  - services
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
 - apiGroups:
-  - batch
+  - storage.k8s.io
   resources:
-  - cronjobs
+  - storageclasses
   verbs:
-  - create
-  - delete
-  - deletecollection
   - get
   - list
-  - patch
-  - update
-  - watch
 - apiGroups:
-  - batch
+  - ""
   resources:
-  - jobs
+  - persistentvolumeclaims
   verbs:
-  - get
+  - create
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
   - list
-  - watch
+  - patch
 - apiGroups:
   - networking.k8s.io
   resources:
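Review bot: The `services` rule added here stops at `patch`, while the matching rule in `rbacs-namespaced.yaml` keeps `watch`, so the two install modes grant different verbs on the same resource. If the operator watches Services through an informer, the descoped install will fail to sync that cache; if it does not, the `watch` in the namespaced Role is an unneeded grant. Align the two rules in whichever direction is correct. The same difference is present in `pkg/resources/config/rbac/descoped/operator-cluster-role.yaml`.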
@@ -163,24 +168,27 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
 - apiGroups:
-  - storage.k8s.io
+  - rbac.authorization.k8s.io
   resources:
-  - storageclasses
+  - roles
+  - rolebindings
+  - clusterrolebindings
   verbs:
+  - create
   - get
   - list
+  - patch
 - apiGroups:
   - ""
   resources:
-  - namespaces
+  - serviceaccounts
   verbs:
+  - create
+  - delete
   - get
   - list
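Review bot: The operator ClusterRole still carries `create` and `patch` on `roles`, `rolebindings` and `clusterrolebindings`, which is the most sensitive grant left after this cleanup. Kubernetes' escalation checks limit what can be bound, but a cluster-wide ability to create bindings deserves a stated justification, and the copy in `pkg/resources/config/rbac/descoped/operator-cluster-role.yaml` labels the rule only `# Roles and RoleBindings`. If no trait creates ClusterRoleBindings, drop `- clusterrolebindings`; otherwise add a comment naming the trait that needs it, as the other rules in that file now do.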
 - apiGroups:
@@ -223,12 +231,9 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -248,8 +253,6 @@ rules:
   - get
   - list
   - patch
-  - update
-  - watch
 - apiGroups:
   - eventing.knative.dev
   resources:
@@ -261,7 +264,6 @@ rules:
   - get
   - list
   - patch
-  - update
 - apiGroups:
   - messaging.knative.dev
   resources:
@@ -274,7 +276,6 @@ rules:
   - get
   - list
   - patch
-  - update
 - apiGroups:
   - sources.knative.dev
   resources:
@@ -285,14 +286,6 @@ rules:
   - get
   - list
   - patch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -308,12 +301,10 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
   - update
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -412,12 +403,9 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -435,7 +423,6 @@ rules:
   verbs:
   - get
   - list
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/helm/camel-k/templates/rbacs-namespaced.yaml 
b/helm/camel-k/templates/rbacs-namespaced.yaml
index 83e49e73b..501921eaa 100644
--- a/helm/camel-k/templates/rbacs-namespaced.yaml
+++ b/helm/camel-k/templates/rbacs-namespaced.yaml
@@ -67,22 +67,33 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods
-  - services
-  - endpoints
-  - persistentvolumeclaims
   - configmaps
-  - secrets
-  - serviceaccounts
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - create
+  - patch
+  - list
+  - watch
+  - delete
 - apiGroups:
   - ""
   resources:
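Review bot: `serviceaccounts` is removed from the core-resources rule here and none of the later hunks of this file adds it back, whereas `rbacs-descoped.yaml` gains a dedicated `serviceaccounts` rule with `create`, `delete`, `get` and `list`. Unless a rule outside the visible hunks covers it, the namespaced operator loses the ability to create ServiceAccounts that the descoped one keeps. Either add the same rule to the namespaced Role or state why only the descoped mode needs it.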
@@ -97,66 +108,47 @@ rules:
   verbs:
   - get
 - apiGroups:
-  - policy
+  - apps
   resources:
-  - poddisruptionbudgets
+  - deployments
   verbs:
   - create
   - delete
   - get
-  - update
   - list
   - patch
   - watch
 - apiGroups:
-  - rbac.authorization.k8s.io
+  - batch
   resources:
-  - roles
-  - rolebindings
-  - clusterrolebindings
+  - cronjobs
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
   - watch
 - apiGroups:
-  - apps
+  - ""
   resources:
-  - deployments
+  - services
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
   - watch
 - apiGroups:
-  - batch
+  - policy
   resources:
-  - cronjobs
+  - poddisruptionbudgets
   verbs:
   - create
   - delete
-  - deletecollection
-  - get
   - list
   - patch
-  - update
-  - watch
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - networking.k8s.io
   resources:
@@ -164,12 +156,15 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - create
 - apiGroups:
   - storage.k8s.io
   resources:
@@ -178,12 +173,16 @@ rules:
   - get
   - list
 - apiGroups:
-  - ""
+  - rbac.authorization.k8s.io
   resources:
-  - namespaces
+  - roles
+  - rolebindings
+  - clusterrolebindings
   verbs:
+  - create
   - get
   - list
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
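Review bot: `clusterrolebindings` is listed in a rule that, judging by the surrounding `kind: Role` documents, belongs to a namespaced Role. ClusterRoleBindings are cluster-scoped, so a Role cannot grant access to them and the entry has no effect. Remove `- clusterrolebindings` from this rule so the manifest states only what is actually granted. The enclosing document starts outside the hunk, so confirm its kind before changing it.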
@@ -218,12 +217,9 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -243,8 +239,6 @@ rules:
   - get
   - list
   - patch
-  - update
-  - watch
 - apiGroups:
   - eventing.knative.dev
   resources:
@@ -256,7 +250,6 @@ rules:
   - get
   - list
   - patch
-  - update
 - apiGroups:
   - messaging.knative.dev
   resources:
@@ -269,7 +262,6 @@ rules:
   - get
   - list
   - patch
-  - update
 - apiGroups:
   - sources.knative.dev
   resources:
@@ -280,14 +272,6 @@ rules:
   - get
   - list
   - patch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -303,12 +287,10 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
   - update
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -407,12 +389,9 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -430,7 +409,6 @@ rules:
   verbs:
   - get
   - list
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/pkg/controller/integrationplatform/kamelets.go 
b/pkg/controller/integrationplatform/kamelets.go
index 7a2b04792..87b8f8de7 100644
--- a/pkg/controller/integrationplatform/kamelets.go
+++ b/pkg/controller/integrationplatform/kamelets.go
@@ -29,8 +29,6 @@ import (
        "strings"
 
        v1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1"
-       "github.com/apache/camel-k/v2/pkg/install"
-       "github.com/apache/camel-k/v2/pkg/platform"
        "knative.dev/pkg/ptr"
 
        "github.com/apache/camel-k/v2/pkg/client"
@@ -53,10 +51,6 @@ const (
 // installKameletCatalog installs the version Apache Kamelet Catalog into the 
specified namespace.
 // It returns the number of Kamelets installed and errored if successful.
 func installKameletCatalog(ctx context.Context, c client.Client, platform 
*v1.IntegrationPlatform, version string) (int, int, error) {
-       // Prepare proper privileges for Kamelets installed globally
-       if err := prepareKameletsPermissions(ctx, c, platform.Namespace); err 
!= nil {
-               return -1, -1, err
-       }
        // Prepare directory to contains kamelets
        kameletDir, err := prepareKameletDirectory()
        if err != nil {
@@ -74,20 +68,6 @@ func installKameletCatalog(ctx context.Context, c 
client.Client, platform *v1.In
        return applyKamelets(ctx, c, platform, kameletDir)
 }
 
-func prepareKameletsPermissions(ctx context.Context, c client.Client, 
installingNamespace string) error {
-       watchOperatorNamespace := platform.GetOperatorWatchNamespace()
-       operatorNamespace := platform.GetOperatorNamespace()
-       if watchOperatorNamespace == "" && operatorNamespace == 
installingNamespace {
-               // Kamelets installed into the global operator namespace
-               // They need to be visible publicly
-               if err := kameletViewerRole(ctx, c, installingNamespace); err 
!= nil {
-                       return err
-               }
-       }
-
-       return nil
-}
-
 func prepareKameletDirectory() (string, error) {
        kameletDir := os.Getenv(kameletDirEnv)
        if kameletDir == "" {
@@ -262,14 +242,3 @@ func loadKamelet(path string, platform 
*v1.IntegrationPlatform) (*v1.Kamelet, er
 
        return kamelet, nil
 }
-
-// kameletViewerRole installs the role that allows any user ro access kamelets 
in the global namespace.
-func kameletViewerRole(ctx context.Context, c client.Client, namespace string) 
error {
-       if err := install.Resource(ctx, c, namespace, true, 
install.IdentityResourceCustomizer,
-               "/resources/viewer/user-global-kamelet-viewer-role.yaml"); err 
!= nil {
-               return err
-       }
-
-       return install.Resource(ctx, c, namespace, true, 
install.IdentityResourceCustomizer,
-               
"/resources/viewer/user-global-kamelet-viewer-role-binding.yaml")
-}
diff --git a/pkg/controller/integrationplatform/kamelets_test.go 
b/pkg/controller/integrationplatform/kamelets_test.go
index 6c046535f..0dc7bd039 100644
--- a/pkg/controller/integrationplatform/kamelets_test.go
+++ b/pkg/controller/integrationplatform/kamelets_test.go
@@ -102,13 +102,6 @@ spec:
        assert.Equal(t, "my-itp", kamelet.GetOwnerReferences()[0].Name)
 }
 
-func TestPrepareKameletsPermissions(t *testing.T) {
-       c, err := internal.NewFakeClient()
-       assert.NoError(t, err)
-       err = prepareKameletsPermissions(context.TODO(), c, "camel-k")
-       assert.NoError(t, err)
-}
-
 func TestPrepareKameletsDirectory(t *testing.T) {
        kameletDir, err := prepareKameletDirectory()
        assert.NoError(t, err)
diff --git a/pkg/controller/pipe/initialize.go 
b/pkg/controller/pipe/initialize.go
index 624543233..e01f9d857 100644
--- a/pkg/controller/pipe/initialize.go
+++ b/pkg/controller/pipe/initialize.go
@@ -89,7 +89,7 @@ func initializePipe(ctx context.Context, c client.Client, l 
log.Logger, pipe *v1
 func propagateIcon(ctx context.Context, c client.Client, l log.Logger, pipe 
*v1.Pipe) {
        icon, err := findIcon(ctx, c, pipe)
        if err != nil {
-               l.Errorf(err, "cannot find icon for Pipe %q", pipe.Name)
+               l.Errorf(err, "some error happened while finding icon 
annotation for Pipe %q", pipe.Name)
 
                return
        }
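Review bot: The new message "some error happened while finding icon annotation" is vaguer than the one it replaces and still identifies the Pipe by name only. A descoped operator can see the same name in several namespaces, so the log line should carry the namespace: `l.Errorf(err, "cannot look up icon annotation for Pipe %s/%s", pipe.Namespace, pipe.Name)`. propagateIcon continues past the end of the hunk.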
diff --git a/pkg/install/common.go b/pkg/install/common.go
index 932a09bae..a2f620be4 100644
--- a/pkg/install/common.go
+++ b/pkg/install/common.go
@@ -18,17 +18,10 @@ limitations under the License.
 package install
 
 import (
-       "context"
-
        networking "k8s.io/api/networking/v1"
        rbacv1 "k8s.io/api/rbac/v1"
 
        ctrl "sigs.k8s.io/controller-runtime/pkg/client"
-
-       v1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1"
-       "github.com/apache/camel-k/v2/pkg/client"
-       "github.com/apache/camel-k/v2/pkg/resources"
-       "github.com/apache/camel-k/v2/pkg/util/kubernetes"
 )
 
 // ResourceCustomizer can be used to inject code that changes the objects 
before they are created.
@@ -55,53 +48,3 @@ var RemoveIngressRoleCustomizer = func(object ctrl.Object) 
ctrl.Object {
 
        return object
 }
-
-// Resource installs a single named resource from the project resource 
directory.
-func Resource(ctx context.Context, c client.Client, namespace string, force 
bool, customizer ResourceCustomizer, name string) error {
-       return ResourceOrCollect(ctx, c, namespace, nil, force, customizer, 
name)
-}
-
-func ResourceOrCollect(ctx context.Context, c client.Client, namespace string, 
collection *kubernetes.Collection,
-       force bool, customizer ResourceCustomizer, name string) error {
-       content, err := resources.ResourceAsString(name)
-       if err != nil {
-               return err
-       }
-
-       obj, err := kubernetes.LoadResourceFromYaml(c.GetScheme(), content)
-       if err != nil {
-               return err
-       }
-
-       return ObjectOrCollect(ctx, c, namespace, collection, force, 
customizer(obj))
-}
-
-func ObjectOrCollect(ctx context.Context, c client.Client, namespace string, 
collection *kubernetes.Collection, force bool, obj ctrl.Object) error {
-       if collection != nil {
-               // Adding to the collection before setting the namespace
-               collection.Add(obj)
-
-               return nil
-       }
-
-       obj.SetNamespace(namespace)
-
-       if force {
-               if _, err := kubernetes.ReplaceResource(ctx, c, obj); err != 
nil {
-                       return err
-               }
-               // For some resources, also reset the status
-               if obj.GetObjectKind().GroupVersionKind().Kind == 
v1.IntegrationKitKind ||
-                       obj.GetObjectKind().GroupVersionKind().Kind == 
v1.BuildKind ||
-                       obj.GetObjectKind().GroupVersionKind().Kind == 
v1.IntegrationPlatformKind {
-                       if err := c.Status().Update(ctx, obj); err != nil {
-                               return err
-                       }
-               }
-
-               return nil
-       }
-
-       // Just try to create them
-       return c.Create(ctx, obj)
-}
diff --git a/pkg/resources/config/rbac/descoped/operator-cluster-role-keda.yaml 
b/pkg/resources/config/rbac/descoped/operator-cluster-role-keda.yaml
index 3b3f432eb..7c69ca3e5 100644
--- a/pkg/resources/config/rbac/descoped/operator-cluster-role-keda.yaml
+++ b/pkg/resources/config/rbac/descoped/operator-cluster-role-keda.yaml
@@ -30,9 +30,6 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
diff --git 
a/pkg/resources/config/rbac/descoped/operator-cluster-role-knative.yaml 
b/pkg/resources/config/rbac/descoped/operator-cluster-role-knative.yaml
index 305d26b62..73e013f76 100644
--- a/pkg/resources/config/rbac/descoped/operator-cluster-role-knative.yaml
+++ b/pkg/resources/config/rbac/descoped/operator-cluster-role-knative.yaml
@@ -33,8 +33,8 @@ rules:
   - get
   - list
   - patch
-  - update
-  - watch
+  # - update
+  # - watch
 - apiGroups:
   - eventing.knative.dev
   resources:
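Review bot: The dropped verbs are left behind as comments (`# - update`, `# - watch`), and the last hunk of this file comments out a whole `namespaces` rule, while the namespaced counterpart and the Helm templates delete the same lines outright. Commented-out grants in an RBAC manifest are easy to re-enable by accident and make audits harder to read, so delete them here too. The same applies to the remaining hunks of this file, to `operator-cluster-role-leases.yaml`, `operator-cluster-role-podmonitors.yaml` and `operator-cluster-role-strimzi.yaml`, and to `namespaced/operator-role-strimzi.yaml`.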
@@ -46,7 +46,7 @@ rules:
   - get
   - list
   - patch
-  - update
+  # - update
 - apiGroups:
   - messaging.knative.dev
   resources:
@@ -59,7 +59,7 @@ rules:
   - get
   - list
   - patch
-  - update
+  # - update
 - apiGroups:
   - sources.knative.dev
   resources:
@@ -70,11 +70,11 @@ rules:
   - get
   - list
   - patch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - patch
+  # - update
+# - apiGroups:
+#   - ""
+#   resources:
+#   - namespaces
+#   verbs:
+#   - get
+#   - patch
diff --git 
a/pkg/resources/config/rbac/descoped/operator-cluster-role-leases.yaml 
b/pkg/resources/config/rbac/descoped/operator-cluster-role-leases.yaml
index 6ea671bd2..a8fe10427 100644
--- a/pkg/resources/config/rbac/descoped/operator-cluster-role-leases.yaml
+++ b/pkg/resources/config/rbac/descoped/operator-cluster-role-leases.yaml
@@ -29,9 +29,9 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
+  # - deletecollection
   - get
   - list
   - patch
   - update
-  - watch
+  # - watch
diff --git 
a/pkg/resources/config/rbac/descoped/operator-cluster-role-podmonitors.yaml 
b/pkg/resources/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
index 2578103c3..765c9c80f 100644
--- a/pkg/resources/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
+++ b/pkg/resources/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
@@ -29,9 +29,9 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
+  # - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
+  # - update
+  # - watch
diff --git 
a/pkg/resources/config/rbac/descoped/operator-cluster-role-strimzi.yaml 
b/pkg/resources/config/rbac/descoped/operator-cluster-role-strimzi.yaml
index e27454bcf..3b0a96f16 100644
--- a/pkg/resources/config/rbac/descoped/operator-cluster-role-strimzi.yaml
+++ b/pkg/resources/config/rbac/descoped/operator-cluster-role-strimzi.yaml
@@ -31,4 +31,4 @@ rules:
   verbs:
   - get
   - list
-  - watch
+  # - watch
diff --git a/pkg/resources/config/rbac/descoped/operator-cluster-role.yaml 
b/pkg/resources/config/rbac/descoped/operator-cluster-role.yaml
index dc20bfb86..fbbff3266 100644
--- a/pkg/resources/config/rbac/descoped/operator-cluster-role.yaml
+++ b/pkg/resources/config/rbac/descoped/operator-cluster-role.yaml
@@ -44,6 +44,7 @@ rules:
   - camel.apache.org
   resources:
   - builds
+  - integrations
   verbs:
   - delete
 - apiGroups:
@@ -66,22 +67,33 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods
-  - services
-  - endpoints
-  - persistentvolumeclaims
   - configmaps
-  - secrets
-  - serviceaccounts
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - create
+  - patch
+  - list
+  - watch
+  - delete
 - apiGroups:
   - ""
   resources:
@@ -95,67 +107,66 @@ rules:
   - pods/log
   verbs:
   - get
+# Controllers: manage deployments
 - apiGroups:
-  - policy
+  - apps
   resources:
-  - poddisruptionbudgets
+  - deployments
   verbs:
   - create
   - delete
   - get
-  - update
   - list
   - patch
   - watch
+# Controllers: manage cronjobs
 - apiGroups:
-  - rbac.authorization.k8s.io
+  - batch
   resources:
-  - roles
-  - rolebindings
-  - clusterrolebindings
+  - cronjobs
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
   - watch
+# Required by service trait
 - apiGroups:
-  - apps
+  - ""
   resources:
-  - deployments
+  - services
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
+# Required by mount trait
 - apiGroups:
-  - batch
+  - storage.k8s.io
   resources:
-  - cronjobs
+  - storageclasses
   verbs:
-  - create
-  - delete
-  - deletecollection
   - get
   - list
-  - patch
-  - update
-  - watch
 - apiGroups:
-  - batch
+  - ""
   resources:
-  - jobs
+  - persistentvolumeclaims
   verbs:
-  - get
+  - create
+# Required by PDB trait
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
   - list
-  - watch
+  - patch
+# Required by ingress trait
 - apiGroups:
   - networking.k8s.io
   resources:
@@ -163,24 +174,29 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
+# Roles and RoleBindings
 - apiGroups:
-  - storage.k8s.io
+  - rbac.authorization.k8s.io
   resources:
-  - storageclasses
+  - roles
+  - rolebindings
+  - clusterrolebindings
   verbs:
+  - create
   - get
   - list
+  - patch
+# Service Accounts (dynamic SA creation)
 - apiGroups:
   - ""
   resources:
-  - namespaces
+  - serviceaccounts
   verbs:
+  - create
+  - delete
   - get
   - list
 # Required to check if a ServiceAccount can access other namespaces resources
diff --git 
a/pkg/resources/resources/viewer/user-global-kamelet-viewer-role-binding.yaml 
b/pkg/resources/config/rbac/kamelets-viewer-role-binding.yaml
similarity index 100%
rename from 
pkg/resources/resources/viewer/user-global-kamelet-viewer-role-binding.yaml
rename to pkg/resources/config/rbac/kamelets-viewer-role-binding.yaml
diff --git 
a/pkg/resources/resources/viewer/user-global-kamelet-viewer-role.yaml 
b/pkg/resources/config/rbac/kamelets-viewer-role.yaml
similarity index 100%
rename from pkg/resources/resources/viewer/user-global-kamelet-viewer-role.yaml
rename to pkg/resources/config/rbac/kamelets-viewer-role.yaml
diff --git a/pkg/resources/config/rbac/kustomization.yaml 
b/pkg/resources/config/rbac/kustomization.yaml
index c1c7b13e2..017a33bbd 100644
--- a/pkg/resources/config/rbac/kustomization.yaml
+++ b/pkg/resources/config/rbac/kustomization.yaml
@@ -22,7 +22,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
+- kamelets-viewer-role.yaml
 - builder-role.yaml
 - builder-role-openshift.yaml
 - builder-role-binding.yaml
-- builder-role-binding-openshift.yaml
\ No newline at end of file
+- builder-role-binding-openshift.yaml
+- kamelets-viewer-role-binding.yaml
diff --git a/pkg/resources/config/rbac/namespaced/operator-role-keda.yaml 
b/pkg/resources/config/rbac/namespaced/operator-role-keda.yaml
index 22c026c15..aa66592bc 100644
--- a/pkg/resources/config/rbac/namespaced/operator-role-keda.yaml
+++ b/pkg/resources/config/rbac/namespaced/operator-role-keda.yaml
@@ -30,9 +30,6 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
diff --git a/pkg/resources/config/rbac/namespaced/operator-role-knative.yaml 
b/pkg/resources/config/rbac/namespaced/operator-role-knative.yaml
index 3cba80931..f3eaeb2b9 100644
--- a/pkg/resources/config/rbac/namespaced/operator-role-knative.yaml
+++ b/pkg/resources/config/rbac/namespaced/operator-role-knative.yaml
@@ -33,8 +33,6 @@ rules:
   - get
   - list
   - patch
-  - update
-  - watch
 - apiGroups:
   - eventing.knative.dev
   resources:
@@ -46,7 +44,6 @@ rules:
   - get
   - list
   - patch
-  - update
 - apiGroups:
   - messaging.knative.dev
   resources:
@@ -59,7 +56,6 @@ rules:
   - get
   - list
   - patch
-  - update
 - apiGroups:
   - sources.knative.dev
   resources:
@@ -70,11 +66,3 @@ rules:
   - get
   - list
   - patch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - patch
diff --git a/pkg/resources/config/rbac/namespaced/operator-role-leases.yaml 
b/pkg/resources/config/rbac/namespaced/operator-role-leases.yaml
index 4223e8e2e..bf7c82c4d 100644
--- a/pkg/resources/config/rbac/namespaced/operator-role-leases.yaml
+++ b/pkg/resources/config/rbac/namespaced/operator-role-leases.yaml
@@ -29,9 +29,7 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
   - update
-  - watch
diff --git 
a/pkg/resources/config/rbac/namespaced/operator-role-podmonitors.yaml 
b/pkg/resources/config/rbac/namespaced/operator-role-podmonitors.yaml
index 7a3fe05c4..a4ce17e36 100644
--- a/pkg/resources/config/rbac/namespaced/operator-role-podmonitors.yaml
+++ b/pkg/resources/config/rbac/namespaced/operator-role-podmonitors.yaml
@@ -29,9 +29,6 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
diff --git a/pkg/resources/config/rbac/namespaced/operator-role-strimzi.yaml 
b/pkg/resources/config/rbac/namespaced/operator-role-strimzi.yaml
index 0802191c3..a1f3958c7 100644
--- a/pkg/resources/config/rbac/namespaced/operator-role-strimzi.yaml
+++ b/pkg/resources/config/rbac/namespaced/operator-role-strimzi.yaml
@@ -31,4 +31,4 @@ rules:
   verbs:
   - get
   - list
-  - watch
+  # - watch
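Review bot: The `# - watch` line leaves a commented-out verb in the shipped Role, which reads as an unfinished decision rather than a deliberate least-privilege choice. Either delete the line outright, or restore the verb if the operator caches these resources. If it stays removed, replace it with a reason, for example `# read-only lookups, no informer needed` (wording to be confirmed by the author). The resources this rule covers are outside the hunk.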
diff --git a/pkg/resources/config/rbac/namespaced/operator-role.yaml 
b/pkg/resources/config/rbac/namespaced/operator-role.yaml
index 6d6eba6b6..c6f525bde 100644
--- a/pkg/resources/config/rbac/namespaced/operator-role.yaml
+++ b/pkg/resources/config/rbac/namespaced/operator-role.yaml
@@ -67,22 +67,33 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods
-  - services
-  - endpoints
-  - persistentvolumeclaims
   - configmaps
-  - secrets
-  - serviceaccounts
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - create
+  - patch
+  - list
+  - watch
+  - delete
 - apiGroups:
   - ""
   resources:
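Review bot: The new `secrets` and `pods` rules carry no comment naming the component that needs them, unlike the `# Required by ... trait` comments added further down this file. Secrets remain readable across the whole namespace through `get`/`list`/`watch`, so the reason deserves a line, for example `# Read-only: Secrets referenced by Integrations are resolved, never written` (wording to be confirmed by the author). The `pods` verbs are also listed out of alphabetical order, unlike the other rules in the file. The rule that begins on the last lines of the hunk continues outside it.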
@@ -97,66 +108,50 @@ rules:
   verbs:
   - get
 - apiGroups:
-  - policy
+  - apps
   resources:
-  - poddisruptionbudgets
+  - deployments
   verbs:
   - create
   - delete
   - get
-  - update
   - list
   - patch
   - watch
 - apiGroups:
-  - rbac.authorization.k8s.io
+  - batch
   resources:
-  - roles
-  - rolebindings
-  - clusterrolebindings
+  - cronjobs
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
   - watch
+# Required by Service trait
 - apiGroups:
-  - apps
+  - ""
   resources:
-  - deployments
+  - services
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
   - watch
+# Required by PDB trait
 - apiGroups:
-  - batch
+  - policy
   resources:
-  - cronjobs
+  - poddisruptionbudgets
   verbs:
   - create
   - delete
-  - deletecollection
-  - get
   - list
   - patch
-  - update
-  - watch
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - get
-  - list
-  - watch
+# Required by ingress trait
 - apiGroups:
   - networking.k8s.io
   resources:
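Review bot: The relocated `poddisruptionbudgets` rule loses `get` and `watch` and keeps only `create`, `delete`, `list` and `patch`, while the Deployment, CronJob and Service rules in the same hunk keep both. If the operator ever reads a PDB by name or through its cache the call would be rejected, so either add `- get` back or state above the rule that PDBs are only applied and never read. The `persistentvolumeclaims` rule added in the next hunk grants `create` alone and raises the same question for any existence check before creation. The rule that starts on the last lines of this hunk continues outside it.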
@@ -164,12 +159,16 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
-  - update
-  - watch
+# Required by mount trait
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - create
 - apiGroups:
   - storage.k8s.io
   resources:
@@ -177,10 +176,15 @@ rules:
   verbs:
   - get
   - list
+# Roles and RoleBindings
 - apiGroups:
-  - ""
+  - rbac.authorization.k8s.io
   resources:
-  - namespaces
+  - roles
+  - rolebindings
+  - clusterrolebindings
   verbs:
+  - create
   - get
   - list
+  - patch
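Review bot: `clusterrolebindings` is still listed in this rule, but assuming the manifest is a namespaced `Role` (its kind is outside the hunk), a Role cannot grant access to a cluster-scoped resource, so the entry has no effect and overstates what the operator can do. Dropping that line keeps the manifest an accurate record of the grant. `create` and `patch` on `roles` and `rolebindings` remain escalation-sensitive, so the `# Roles and RoleBindings` comment would be more useful if it named the consumer, for example `# Required to create the Role and RoleBinding used by Integration ServiceAccounts` (wording to be confirmed by the author).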
diff --git a/pkg/resources/resources/addons/master/master-role-lease.tmpl 
b/pkg/resources/resources/addons/master/master-role-lease.tmpl
index 39ed526c0..96d81712e 100644
--- a/pkg/resources/resources/addons/master/master-role-lease.tmpl
+++ b/pkg/resources/resources/addons/master/master-role-lease.tmpl
@@ -13,12 +13,10 @@ rules:
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
   - update
-  - watch
 - apiGroups:
   - ""
   resources:

