From 56a753152738999a595c0362f146eccc1119df05 Mon Sep 17 00:00:00 2001 
From: Pasquale Congiusti Date: Sat, 7 Dec 2024 11:19:54 +0100 Subject: [PATCH] feat(helm): align resources for helm Until now we were maintaining 2 separate set of installation resources. Here we make Helm to reuse the existing base resources instead, making easier any future evolution --- e2e/install/helm/setup_test.go | 2 +- e2e/support/test_support.go | 3 +- .../{platform.yaml => default-itp.yaml} | 0 .../operator-cluster-role-bindings.yaml | 196 --------- ...operator.yaml => operator-deployment.yaml} | 0 ...ervice-account.yaml => operator-svcs.yaml} | 9 + helm/camel-k/templates/rbacs-common.yaml | 243 +++++++++++ ...operator-role.yaml => rbacs-descoped.yaml} | 221 ++++++++-- ...uster-roles.yaml => rbacs-namespaced.yaml} | 401 +++++++++--------- install/base/kustomization.yaml | 12 - .../platform/integration-platform.yaml | 3 - pkg/platform/defaults.go | 4 +- .../config/helm/common/kustomization.yaml | 42 +- .../common/patch-rolebinding-subjects.yaml | 9 +- .../config/helm/descoped/kustomization.yaml | 30 ++ .../descoped/patch-rolebinding-subjects.yaml | 20 + .../config/helm/namespaced/kustomization.yaml | 25 ++ pkg/resources/config/rbac/kustomization.yaml | 16 +- pkg/trait/deployer.go | 4 +- script/Makefile | 1 + script/gen_helm.sh | 36 ++ 21 files changed, 788 insertions(+), 489 deletions(-) rename helm/camel-k/templates/{platform.yaml => default-itp.yaml} (100%) delete mode 100644 helm/camel-k/templates/operator-cluster-role-bindings.yaml rename helm/camel-k/templates/{operator.yaml => operator-deployment.yaml} (100%) rename helm/camel-k/templates/{operator-service-account.yaml => operator-svcs.yaml} (91%) create mode 100644 helm/camel-k/templates/rbacs-common.yaml rename helm/camel-k/templates/{operator-role.yaml => rbacs-descoped.yaml} (59%) rename helm/camel-k/templates/{operator-cluster-roles.yaml => rbacs-namespaced.yaml} (71%) rename helm/camel-k/templates/operator-role-binding.yaml => pkg/resources/config/helm/common/kustomization.yaml (57%) rename 
helm/camel-k/templates/builder-service-account.yaml => pkg/resources/config/helm/common/patch-rolebinding-subjects.yaml (90%) create mode 100644 pkg/resources/config/helm/descoped/kustomization.yaml create mode 100644 pkg/resources/config/helm/descoped/patch-rolebinding-subjects.yaml create mode 100644 pkg/resources/config/helm/namespaced/kustomization.yaml create mode 100755 script/gen_helm.sh diff --git a/e2e/install/helm/setup_test.go b/e2e/install/helm/setup_test.go index 8fe4bb2bae..607389f7a1 100644 --- a/e2e/install/helm/setup_test.go +++ b/e2e/install/helm/setup_test.go @@ -40,7 +40,7 @@ import ( func TestHelmInstallation(t *testing.T) { WithNewTestNamespace(t, func(ctx context.Context, g *WithT, ns string) { containerRegistry, ok := os.LookupEnv("KAMEL_INSTALL_REGISTRY") - g.Expect(ok).To(BeTrue(), "This test requires setting KAMEL_INSTALL_REGISTRY variable.") + g.Expect(ok).To(BeTrue(), "You must provide a registry address in KAMEL_INSTALL_REGISTRY env variable") // Let's make sure no CRD is yet available in the cluster // as we must make the procedure to install them accordingly g.Eventually(CRDs(t)).Should(BeNil(), "No Camel K CRDs should be previously installed for this test") diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go index d713df020e..e314b378d4 100644 --- a/e2e/support/test_support.go +++ b/e2e/support/test_support.go @@ -114,8 +114,7 @@ const ExpectedKubePromoteRoles = 7 // camel-k-edit // camel-k-operator-custom-resource-definitions // camel-k-operator-bind-addressable-resolver -// camel-k-operator-local-registry -const ExpectedKubeClusterRoles = 4 +const ExpectedKubeClusterRoles = 3 // camel-k-operator-openshift const ExpectedOSPromoteRoles = 1 diff --git a/helm/camel-k/templates/platform.yaml b/helm/camel-k/templates/default-itp.yaml similarity index 100% rename from helm/camel-k/templates/platform.yaml rename to helm/camel-k/templates/default-itp.yaml 
diff --git a/helm/camel-k/templates/operator-cluster-role-bindings.yaml b/helm/camel-k/templates/operator-cluster-role-bindings.yaml deleted file mode 100644 index 54715f734d..0000000000 --- a/helm/camel-k/templates/operator-cluster-role-bindings.yaml +++ /dev/null 
@@ -1,196 +0,0 @@ -# --------------------------------------------------------------------------- -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# --------------------------------------------------------------------------- - -{{- if eq .Values.operator.global "true" }} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: camel-k-operator - apiGroup: rbac.authorization.k8s.io - - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-custom-resource-definitions - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: camel-k-operator-custom-resource-definitions - apiGroup: rbac.authorization.k8s.io - - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-events - labels: - app: "camel-k" - {{- include "camel-k.labels" . 
| nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: camel-k-operator-events - apiGroup: rbac.authorization.k8s.io - - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-knative - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: camel-k-operator-knative - apiGroup: rbac.authorization.k8s.io - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-keda - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: camel-k-operator-keda - apiGroup: rbac.authorization.k8s.io - - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-leases - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: camel-k-operator-leases - apiGroup: rbac.authorization.k8s.io - - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-podmonitors - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: camel-k-operator-podmonitors - apiGroup: rbac.authorization.k8s.io - - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-strimzi - labels: - app: "camel-k" - {{- include "camel-k.labels" . 
| nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: camel-k-operator-strimzi - apiGroup: rbac.authorization.k8s.io - - -{{- if eq .Values.platform.cluster "OpenShift" }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-console-openshift - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: camel-k-operator-console-openshift - apiGroup: rbac.authorization.k8s.io ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-openshift - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: camel-k-operator-openshift - apiGroup: rbac.authorization.k8s.io -{{- end }} - -{{- end }} \ No newline at end of file diff --git a/helm/camel-k/templates/operator.yaml b/helm/camel-k/templates/operator-deployment.yaml similarity index 100% rename from helm/camel-k/templates/operator.yaml rename to helm/camel-k/templates/operator-deployment.yaml diff --git a/helm/camel-k/templates/operator-service-account.yaml b/helm/camel-k/templates/operator-svcs.yaml similarity index 91% rename from helm/camel-k/templates/operator-service-account.yaml rename to helm/camel-k/templates/operator-svcs.yaml index f5ad7fbaaf..5a670a06ee 100644 --- a/helm/camel-k/templates/operator-service-account.yaml +++ b/helm/camel-k/templates/operator-svcs.yaml @@ -26,3 +26,12 @@ metadata: annotations: {{ toYaml . | nindent 4 }} {{- end }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: camel-k-builder + labels: + app: "camel-k" 
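Review bot: The camel-k-builder ServiceAccount added at the end of this hunk carries only `app: "camel-k"`, whereas the camel-k-operator ServiceAccount just above it (its `annotations: {{ toYaml . | nindent 4 }}` block is the hunk's context) takes the chart's shared labels and annotation values. If the chart's label helper is meant to cover every object the chart renders, the builder account should get the same `{{- include "camel-k.labels" . | nindent 4 }}` under its labels; otherwise a release-scoped selector will match the operator account but not the builder account. The operator ServiceAccount's definition starts above the hunk, so I am inferring its label block from the older templates removed elsewhere in this patch.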
diff --git a/helm/camel-k/templates/rbacs-common.yaml b/helm/camel-k/templates/rbacs-common.yaml new file mode 100644 index 0000000000..82363ca49d --- /dev/null +++ b/helm/camel-k/templates/rbacs-common.yaml 
@@ -0,0 +1,243 @@ +# --------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# --------------------------------------------------------------------------- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: camel-k + name: camel-k-builder +rules: +- apiGroups: + - camel.apache.org + resources: + - builds + - camelcatalogs + - integrationkits + verbs: + - get + - list +- apiGroups: + - camel.apache.org + resources: + - builds/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: camel-k + name: camel-k-builder-openshift +rules: +- apiGroups: + - "" + - build.openshift.io + resources: + - buildconfigs + - buildconfigs/webhooks + - builds + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + - image.openshift.io + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreams/secrets + - 
imagestreamtags + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + - build.openshift.io + resources: + - buildconfigs/instantiate + - buildconfigs/instantiatebinary + - builds/clone + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: camel-k + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: camel-k-edit +rules: +- apiGroups: + - camel.apache.org + resources: + - builds + - camelcatalogs + - integrationkits + - integrationplatforms + - integrationprofiles + - integrations + - pipes + - kamelets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - camel.apache.org + resources: + - builds/status + - camelcatalogs/status + - integrationkits/status + - integrationplatforms/status + - integrationprofiles/status + - integrations/scale + - integrations/status + - pipes/scale + - pipes/status + - kamelets/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: camel-k + name: camel-k-operator-bind-addressable-resolver +rules: +- apiGroups: + - rbac.authorization.k8s.io + resourceNames: + - addressable-resolver + resources: + - clusterroles + verbs: + - bind +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: camel-k + name: camel-k-operator-custom-resource-definitions +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: camel-k + name: camel-k-builder +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: camel-k-builder +subjects: +- kind: ServiceAccount + name: camel-k-builder +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
RoleBinding +metadata: + labels: + app: camel-k + name: camel-k-builder-openshift +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: camel-k-builder-openshift +subjects: +- kind: ServiceAccount + name: camel-k-builder +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-bind-addressable-resolver +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: camel-k-operator-bind-addressable-resolver +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-custom-resource-definitions +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: camel-k-operator-custom-resource-definitions +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: '{{ .Release.Namespace }}' diff --git a/helm/camel-k/templates/operator-role.yaml b/helm/camel-k/templates/rbacs-descoped.yaml similarity index 59% rename from helm/camel-k/templates/operator-role.yaml rename to helm/camel-k/templates/rbacs-descoped.yaml index f9f7b6c823..0cd4dfcc63 100644 --- a/helm/camel-k/templates/operator-role.yaml +++ b/helm/camel-k/templates/rbacs-descoped.yaml @@ -14,15 +14,13 @@ # See the License for the specific language governing permissions and # limitations under the License. # --------------------------------------------------------------------------- - -{{- if eq .Values.operator.global "false" }} -kind: Role +{{- if eq .Values.operator.global "true" }} apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - name: camel-k-operator labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} + app: camel-k + name: camel-k-operator rules: - apiGroups: - camel.apache.org 
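Review bot: rbacs-common.yaml carries no marker saying it is generated, although the new pkg/resources/config/helm kustomizations and the script/gen_helm.sh entry in the diffstat suggest it is now produced from pkg/resources/config/rbac rather than edited by hand. A header line such as `# Generated by script/gen_helm.sh from pkg/resources/config/rbac -- do not edit, regenerate instead.` would stop the next contributor from patching the template directly and losing the change at the next regeneration; the same applies to rbacs-descoped.yaml and rbacs-namespaced.yaml. Note also that every object here carries only `app: camel-k`, not the `camel-k.labels` include the replaced templates used, so any tooling keyed on the chart's standard labels will no longer match the RBAC objects.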
@@ -42,18 +40,10 @@ rules: - patch - update - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - apiGroups: - camel.apache.org resources: - builds - - integrations verbs: - delete - apiGroups: @@ -186,6 +176,21 @@ rules: verbs: - get - list +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: camel-k + name: camel-k-operator-events +rules: - apiGroups: - "" resources: @@ -196,6 +201,14 @@ rules: - get - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: camel-k + name: camel-k-operator-keda +rules: - apiGroups: - keda.sh resources: @@ -210,10 +223,19 @@ rules: - patch - update - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: camel-k + name: camel-k-operator-knative +rules: - apiGroups: - serving.knative.dev resources: - services + - routes verbs: - create - delete @@ -258,6 +280,21 @@ rules: - list - patch - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: camel-k + name: camel-k-operator-leases +rules: - apiGroups: - coordination.k8s.io resources: @@ -271,6 +308,14 @@ rules: - patch - update - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: camel-k + name: camel-k-operator-openshift +rules: - apiGroups: - camel.apache.org resources: @@ -346,6 +391,14 @@ rules: - routes/custom-host verbs: - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: camel-k + name: camel-k-operator-podmonitors +rules: - apiGroups: - monitoring.coreos.com resources: 
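Review bot: In the `@@ -258,6 +280,21 @@` hunk the descoped camel-k-operator-knative ClusterRole gains `namespaces` with `get` and `patch`, which in a ClusterRole lets the operator ServiceAccount modify the metadata of every namespace in the cluster, not only those where it manages integrations. If the patch verb is only needed to label or annotate namespaces that host integrations, a short comment on the base rule, for example `# patch on namespaces: presumably for labelling integration namespaces -- confirm the code path`, would let reviewers judge whether the cluster-wide scope is intended; the diff does not show which code path exercises it. The ClusterRole definitions in this file are split across hunks, so the start of each rules list lies outside the hunk where its additions appear.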
@@ -359,6 +412,14 @@ rules: - patch - update - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: camel-k + name: camel-k-operator-strimzi +rules: - apiGroups: - kafka.strimzi.io resources: 
@@ -369,16 +430,124 @@ rules: - get - list - watch -- apiGroups: - - "apiextensions.k8s.io" - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - bind +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: camel-k-operator +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-events +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: camel-k-operator-events +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-keda +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: camel-k-operator-keda +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-knative +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: camel-k-operator-knative +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-leases +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: camel-k-operator-leases +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-openshift +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: camel-k-operator-openshift +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-podmonitors +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: camel-k-operator-podmonitors +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-strimzi +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: camel-k-operator-strimzi +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: '{{ .Release.Namespace }}' {{- end }} diff --git a/helm/camel-k/templates/operator-cluster-roles.yaml b/helm/camel-k/templates/rbacs-namespaced.yaml similarity index 71% rename from helm/camel-k/templates/operator-cluster-roles.yaml rename to helm/camel-k/templates/rbacs-namespaced.yaml index 8b37fabb6a..83e49e73b3 100644 --- a/helm/camel-k/templates/operator-cluster-roles.yaml +++ b/helm/camel-k/templates/rbacs-namespaced.yaml 
@@ -14,65 +14,13 @@ # See the License for the specific language governing permissions and # limitations under the License. # --------------------------------------------------------------------------- - -{{- if eq .Values.operator.global "true" }} -kind: ClusterRole +{{- if eq .Values.operator.global "false" }} apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: - name: camel-k-edit labels: - app: "camel-k" - # Add these permissions to the "admin" and "edit" default roles. - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - {{- include "camel-k.labels" . | nindent 4 }} -rules: -- apiGroups: - - camel.apache.org - resources: - - builds - - camelcatalogs - - integrationkits - - integrationplatforms - - integrationprofiles - - integrations - - pipes - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - camel.apache.org - resources: - - builds/status - - camelcatalogs/status - - integrationkits/status - - integrationplatforms/status - - integrationprofiles/status - - integrations/scale - - integrations/status - - pipes/status - - pipes/scale - - kamelets/status - verbs: - - get - - patch - - update - - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: + app: camel-k name: camel-k-operator - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} rules: - apiGroups: - camel.apache.org @@ -96,6 +44,7 @@ rules: - camel.apache.org resources: - builds + - integrations verbs: - delete - apiGroups: @@ -144,6 +93,7 @@ rules: - "" resources: - pods/proxy + - pods/log verbs: - get - apiGroups: @@ -163,6 +113,7 @@ rules: resources: - roles - rolebindings + - clusterrolebindings verbs: - create - delete 
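Review bot: The `@@ -163,6 +113,7 @@` hunk adds `clusterrolebindings` to a rule of the namespaced camel-k-operator Role, and the following hunk (`@@ -219,58 +170,73 @@`) adds `storageclasses` get/list and `namespaces` list to the same Role; ClusterRoleBindings, StorageClasses and a namespace list are cluster-scoped requests, and a Role bound through a RoleBinding cannot grant them, so these entries are inert in the `operator.global "false"` flavour. Either the operator genuinely needs them in namespaced mode, in which case the install lacks a ClusterRole/ClusterRoleBinding pair and will hit forbidden errors at runtime, or they were carried over from the shared base and should be left out of the namespaced overlay; a comment on the base rule stating which it is would settle that. The Role's rules begin above the first hunk of this file, so I cannot see whether the base lists further cluster-scoped resources.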
@@ -219,58 +170,73 @@ rules: - patch - update - watch - - +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list --- -kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: - name: camel-k-operator-custom-resource-definitions labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} + app: camel-k + name: camel-k-operator-events rules: - apiGroups: - - apiextensions.k8s.io + - "" resources: - - customresourcedefinitions + - events verbs: + - create + - patch - get - - + - list + - watch --- -kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: - name: camel-k-operator-events labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} + app: camel-k + name: camel-k-operator-keda rules: - apiGroups: - - "" + - keda.sh resources: - - events + - scaledobjects + - triggerauthentications verbs: - create - - patch + - delete + - deletecollection - get - list + - patch + - update - watch - --- -kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: - name: camel-k-operator-knative labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} + app: camel-k + name: camel-k-operator-knative rules: - apiGroups: - serving.knative.dev resources: - services + - routes verbs: - create - delete 
@@ -315,43 +281,23 @@ rules: - list - patch - update - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-keda - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -rules: - apiGroups: - - "keda.sh" + - "" resources: - - scaledobjects - - triggerauthentications + - namespaces verbs: - - create - - delete - - deletecollection - get - - list - patch - - update - - watch - - --- -kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: - name: camel-k-operator-leases labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} + app: camel-k + name: camel-k-operator-leases rules: - apiGroups: - - "coordination.k8s.io" + - coordination.k8s.io resources: - leases verbs: 
@@ -363,99 +309,13 @@ rules: - patch - update - watch - - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-local-registry - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["local-registry-hosting"] - verbs: ["get"] - - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-podmonitors - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -rules: -- apiGroups: - - monitoring.coreos.com - resources: - - podmonitors - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - --- -kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: - name: camel-k-operator-strimzi labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -rules: -- apiGroups: - - "kafka.strimzi.io" - resources: - - kafkatopics - - kafkatopics/status - - kafkas - verbs: - - get - - list - - watch - - -{{- if eq .Values.platform.cluster "OpenShift" }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-console-openshift - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -rules: -- apiGroups: - - console.openshift.io - resources: - - consoleclidownloads - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: + app: camel-k name: camel-k-operator-openshift - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} rules: - apiGroups: - camel.apache.org @@ -470,7 +330,7 @@ rules: - update - apiGroups: - "" - - "build.openshift.io" + - build.openshift.io resources: - buildconfigs - buildconfigs/webhooks 
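Review bot: The `{{- if eq .Values.platform.cluster "OpenShift" }}` guard removed in the `@@ -363,99 +309,13 @@` hunk is not reintroduced anywhere, so the camel-k-operator-openshift Role (and the matching ClusterRole added unconditionally in rbacs-descoped.yaml, plus the camel-k-builder-openshift Role in rbacs-common.yaml) is now rendered on every cluster, while the camel-k-operator-console-openshift role with its consoleclidownloads permissions disappears entirely. RBAC objects naming OpenShift API groups are accepted by a plain Kubernetes API server, but they grant the operator ServiceAccount permissions it cannot use there, and `.Values.platform.cluster` silently stops affecting RBAC. If that is intended, the commit description or the chart's values documentation should say so; otherwise the OpenShift resources should stay behind the gate.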
@@ -486,7 +346,7 @@ rules: - watch - apiGroups: - "" - - "image.openshift.io" + - image.openshift.io resources: - imagestreamimages - imagestreammappings @@ -513,7 +373,7 @@ rules: - create - apiGroups: - "" - - "route.openshift.io" + - route.openshift.io resources: - routes verbs: 
@@ -532,6 +392,155 @@ rules: - routes/custom-host verbs: - create -{{- end }} - +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: camel-k + name: camel-k-operator-podmonitors +rules: +- apiGroups: + - monitoring.coreos.com + resources: + - podmonitors + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: camel-k + name: camel-k-operator-strimzi +rules: +- apiGroups: + - kafka.strimzi.io + resources: + - kafkatopics + - kafkatopics/status + - kafkas + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: camel-k-operator +subjects: +- kind: ServiceAccount + name: camel-k-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-events +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: camel-k-operator-events +subjects: +- kind: ServiceAccount + name: camel-k-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-keda +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: camel-k-operator-keda +subjects: +- kind: ServiceAccount + name: camel-k-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-knative +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: camel-k-operator-knative +subjects: +- kind: ServiceAccount + name: camel-k-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-leases +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 
camel-k-operator-leases +subjects: +- kind: ServiceAccount + name: camel-k-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-openshift +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: camel-k-operator-openshift +subjects: +- kind: ServiceAccount + name: camel-k-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-podmonitors +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: camel-k-operator-podmonitors +subjects: +- kind: ServiceAccount + name: camel-k-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: camel-k + name: camel-k-operator-strimzi +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: camel-k-operator-strimzi +subjects: +- kind: ServiceAccount + name: camel-k-operator {{- end }} diff --git a/install/base/kustomization.yaml b/install/base/kustomization.yaml index fd44ce4a67..b13cf20478 100644 --- a/install/base/kustomization.yaml +++ b/install/base/kustomization.yaml @@ -21,15 +21,3 @@ resources: - ./config/crd - ./config/rbac - ./config/manager - -transformers: -- |- - apiVersion: builtin - kind: PatchTransformer - metadata: - name: fix-local-registry-rbac-namespace - patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]' - target: - group: rbac.authorization.k8s.io - kind: RoleBinding - name: camel-k-operator-local-registry diff --git a/install/overlays/platform/integration-platform.yaml b/install/overlays/platform/integration-platform.yaml index 01ef3cb6f4..a7e61cf077 100644 --- a/install/overlays/platform/integration-platform.yaml +++ b/install/overlays/platform/integration-platform.yaml 
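Review bot: Removing the fix-local-registry-rbac-namespace transformer here, together with the camel-k-operator-local-registry ClusterRole dropped from the Helm templates and the KEP-1755 comment deleted from install/overlays/platform/integration-platform.yaml, retires the local-registry discovery path (the `local-registry-hosting` ConfigMap in kube-public) without the commit description mentioning it. That is a user-visible change in how the registry address is resolved, so it deserves a sentence in the description and a release note rather than being folded into a Helm alignment commit. The matching code change in pkg/platform/defaults.go (`configureRegistry` losing its `verbose` parameter) is only partly visible in this diff, so I am inferring the feature removal from the resource deletions.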
@@ -23,9 +23,6 @@ metadata: app: "camel-k" spec: build: - # Registry is required unless your cluster has KEP-1755 enabled and you want to use the local registry. - # This is a feature recommended for development purpose only. - # more info at https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry registry: # For minikube local cluster you can enable a local registry with # diff --git a/pkg/platform/defaults.go b/pkg/platform/defaults.go index 930a926cef..f8444f4e98 100644 --- a/pkg/platform/defaults.go +++ b/pkg/platform/defaults.go @@ -100,7 +100,7 @@ func ConfigureDefaults(ctx context.Context, c client.Client, p *v1.IntegrationPl return err } - err = configureRegistry(ctx, c, p, verbose) + err = configureRegistry(ctx, c, p) if err != nil { return err } @@ -116,7 +116,7 @@ func ConfigureDefaults(ctx context.Context, c client.Client, p *v1.IntegrationPl return nil } -func configureRegistry(ctx context.Context, c client.Client, p *v1.IntegrationPlatform, verbose bool) error { +func configureRegistry(ctx context.Context, c client.Client, p *v1.IntegrationPlatform) error { if p.Status.Cluster == v1.IntegrationPlatformClusterOpenShift && p.Status.Build.PublishStrategy == v1.IntegrationPlatformBuildPublishStrategyS2I && p.Status.Build.Registry.Address == "" { diff --git a/helm/camel-k/templates/operator-role-binding.yaml b/pkg/resources/config/helm/common/kustomization.yaml similarity index 57% rename from helm/camel-k/templates/operator-role-binding.yaml rename to pkg/resources/config/helm/common/kustomization.yaml index 5b072d711d..313e06eec0 100644 --- a/helm/camel-k/templates/operator-role-binding.yaml +++ b/pkg/resources/config/helm/common/kustomization.yaml 
@@ -14,37 +14,17 @@ # See the License for the specific language governing permissions and # limitations under the License. # --------------------------------------------------------------------------- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization -{{- if eq .Values.operator.global "false" }} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-operator -roleRef: - kind: Role - name: camel-k-operator - apiGroup: rbac.authorization.k8s.io +# Labels to add to all resources and selectors. +commonLabels: + app: camel-k ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-builder-openshift - labels: - app: "camel-k" - {{- include "camel-k.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: camel-k-builder -roleRef: - kind: Role - name: camel-k-builder-openshift - apiGroup: rbac.authorization.k8s.io +resources: +- ../../rbac -{{- end }} \ No newline at end of file +patches: + - target: + kind: ClusterRoleBinding + path: patch-rolebinding-subjects.yaml diff --git a/helm/camel-k/templates/builder-service-account.yaml b/pkg/resources/config/helm/common/patch-rolebinding-subjects.yaml similarity index 90% rename from helm/camel-k/templates/builder-service-account.yaml rename to pkg/resources/config/helm/common/patch-rolebinding-subjects.yaml index 9952a77000..0b99b4063f 100644 --- a/helm/camel-k/templates/builder-service-account.yaml +++ b/pkg/resources/config/helm/common/patch-rolebinding-subjects.yaml @@ -15,9 +15,6 @@ # limitations under the License. # --------------------------------------------------------------------------- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: camel-k-builder - labels: - app: "camel-k" +- op: add + path: /subjects/0/namespace + value: "{{ .Release.Namespace }}" 
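Review bot: The JSON patch in patch-rolebinding-subjects.yaml sets only `/subjects/0/namespace`, so any ClusterRoleBinding under `../../rbac` that lists more than one ServiceAccount subject would still be emitted with subjects lacking a namespace, which the API server rejects for cluster-scoped bindings (a RoleBinding subject may omit it; a ClusterRoleBinding subject may not). The rbac sources are not in this diff, so this may hold today, but it is an unstated invariant the generator silently depends on. Either record it in the patch file, `# Every ClusterRoleBinding in ../../rbac must have exactly one subject; only index 0 is patched`, or add a `/subjects/N/namespace` op for each additional subject. The value must stay quoted as `"{{ .Release.Namespace }}"`, since unquoted YAML would read `{{ … }}` as a flow mapping; a one-line comment saying so would stop a well-meaning cleanup from dropping the quotes.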
diff --git a/pkg/resources/config/helm/descoped/kustomization.yaml b/pkg/resources/config/helm/descoped/kustomization.yaml new file mode 100644 index 0000000000..546dff1802 --- /dev/null +++ b/pkg/resources/config/helm/descoped/kustomization.yaml @@ -0,0 +1,30 @@ +# --------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# --------------------------------------------------------------------------- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +# Labels to add to all resources and selectors. +commonLabels: + app: camel-k + +resources: +- ../../rbac/descoped + +patches: + - target: + kind: ClusterRoleBinding + path: patch-rolebinding-subjects.yaml diff --git a/pkg/resources/config/helm/descoped/patch-rolebinding-subjects.yaml b/pkg/resources/config/helm/descoped/patch-rolebinding-subjects.yaml new file mode 100644 index 0000000000..0b99b4063f --- /dev/null +++ b/pkg/resources/config/helm/descoped/patch-rolebinding-subjects.yaml 
@@ -0,0 +1,20 @@ +# --------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# --------------------------------------------------------------------------- + +- op: add + path: /subjects/0/namespace + value: "{{ .Release.Namespace }}" diff --git a/pkg/resources/config/helm/namespaced/kustomization.yaml b/pkg/resources/config/helm/namespaced/kustomization.yaml new file mode 100644 index 0000000000..7c7a6d1b9b --- /dev/null +++ b/pkg/resources/config/helm/namespaced/kustomization.yaml 
@@ -0,0 +1,25 @@ +# --------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# --------------------------------------------------------------------------- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +# Labels to add to all resources and selectors. +commonLabels: + app: camel-k + +resources: +- ../../rbac/namespaced diff --git a/pkg/resources/config/rbac/kustomization.yaml b/pkg/resources/config/rbac/kustomization.yaml index 153db714fd..a0c41da10a 100644 --- a/pkg/resources/config/rbac/kustomization.yaml +++ b/pkg/resources/config/rbac/kustomization.yaml 
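Review bot: The namespaced overlay has no `patches` entry for the subject namespace, unlike the common and descoped overlays, and nothing explains the asymmetry, so a later maintainer could reasonably add one for symmetry and break the rendered chart. The reason, as far as the generated rbacs-namespaced.yaml in this commit shows, is that `../../rbac/namespaced` yields RoleBindings, whose ServiceAccount subjects default to the binding's own namespace, whereas a ClusterRoleBinding subject must carry one explicitly. Record that next to `resources:`, e.g. `# No subject-namespace patch here: these are RoleBindings, whose ServiceAccount subjects default to the binding's namespace; the ClusterRoleBindings in ../common and ../descoped do need it.`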
@@ -27,15 +27,7 @@ resources: - operator-cluster-role-binding-custom-resource-definitions.yaml - operator-cluster-role-addressable-resolver.yaml - operator-cluster-role-binding-addressable-resolver.yaml - -transformers: -- |- - apiVersion: builtin - kind: PatchTransformer - metadata: - name: fix-local-registry-rbac-namespace - patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]' - target: - group: rbac.authorization.k8s.io - kind: RoleBinding - name: camel-k-operator-local-registry \ No newline at end of file +- builder-role.yaml +- builder-role-openshift.yaml +- builder-role-binding.yaml +- builder-role-binding-openshift.yaml \ No newline at end of file diff --git a/pkg/trait/deployer.go b/pkg/trait/deployer.go index 49d24a1dd3..f88670ee4e 100644 --- a/pkg/trait/deployer.go +++ b/pkg/trait/deployer.go @@ -52,7 +52,7 @@ func newDeployerTrait() Trait { func (t *deployerTrait) Configure(e *Environment) (bool, *TraitCondition, error) { var condition *TraitCondition - //nolint:staticcheck + //nolint: staticcheck if !ptr.Deref(t.UseSSA, true) { condition = NewIntegrationCondition( "Deployer", @@ -70,7 +70,7 @@ func (t *deployerTrait) Apply(e *Environment) error { e.PostActions = append(e.PostActions, func(env *Environment) error { applier := e.Client.ServerOrClientSideApplier() for _, resource := range env.Resources.Items() { - //nolint:staticcheck + //nolint: staticcheck if ptr.Deref(t.UseSSA, true) { if err := applier.Apply(e.Ctx, resource); err != nil { return err diff --git a/script/Makefile b/script/Makefile index cd55de9a34..9e13b2cc6a 100644 --- a/script/Makefile +++ b/script/Makefile @@ -221,6 +221,7 @@ generate: codegen-tools-install ./script/gen_doc.sh cd pkg/apis/camel && $(CONTROLLER_GEN) paths="./..." object cd addons/keda/duck && $(CONTROLLER_GEN) paths="./..." object + ./script/gen_helm.sh codegen-tools-install: @# We must force the installation to make sure we are using the correct version 
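Review bot: The `generate` target now regenerates the three chart templates, but nothing in the build verifies that the committed `helm/camel-k/templates/rbacs-*.yaml` still match `pkg/resources/config/rbac`, so the RBAC a reviewer inspects under pkg/resources and the RBAC the chart actually installs can silently diverge again, which is exactly the drift this commit sets out to remove. Unless CI already runs such a check outside this diff, add a target along the lines of `check-helm: ; ./script/gen_helm.sh && git diff --exit-code -- helm/camel-k/templates` and wire it into the lint step. The generated output also depends on whichever `kustomize` happens to be on PATH; `codegen-tools-install` is the natural place to pin its version so two developers do not commit different renderings of the same sources.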
diff --git a/script/gen_helm.sh b/script/gen_helm.sh new file mode 100755 index 0000000000..35b2c5f40f --- /dev/null +++ b/script/gen_helm.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +location=$(dirname "$0") + +cd $location/../ + +cat ./script/headers/yaml.txt > ./helm/camel-k/templates/rbacs-common.yaml +cat ./script/headers/yaml.txt > ./helm/camel-k/templates/rbacs-descoped.yaml +cat ./script/headers/yaml.txt > ./helm/camel-k/templates/rbacs-namespaced.yaml + +kustomize build ./pkg/resources/config/helm/common/. >> ./helm/camel-k/templates/rbacs-common.yaml + +printf "{{- if eq .Values.operator.global \"false\" }}\n" >> ./helm/camel-k/templates/rbacs-namespaced.yaml +kustomize build ./pkg/resources/config/helm/namespaced/. >> ./helm/camel-k/templates/rbacs-namespaced.yaml +printf "{{- end }}\n" >> ./helm/camel-k/templates/rbacs-namespaced.yaml + +printf "{{- if eq .Values.operator.global \"true\" }}\n" >> ./helm/camel-k/templates/rbacs-descoped.yaml +kustomize build ./pkg/resources/config/helm/descoped/. >> ./helm/camel-k/templates/rbacs-descoped.yaml +printf "{{- end }}\n" >> ./helm/camel-k/templates/rbacs-descoped.yaml
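Review bot: The script truncates each template with `cat … > file` before running `kustomize build`, so if kustomize fails (missing binary, bad overlay) `set -e` stops the script but leaves a header-only `rbacs-*.yaml` in the chart, which Helm would happily install with no RBAC at all. `cd $location/../` is also unquoted, and `set -e` alone does not catch unset variables or a failing producer in a pipeline; `set -euo pipefail` and `cd "$location/.."` fix that. The rewrite below builds each overlay into a temp file and only moves it into place on success, which also collapses the three copy-pasted blocks into one helper.
```shell
set -euo pipefail

location=$(dirname "$0")
cd "$location/.."

templates=./helm/camel-k/templates

# Build one overlay into a temp file and move it into place only on success, so a
# failing kustomize run cannot leave a header-only RBAC template in the chart.
gen() {
  local overlay=$1 target=$2 guard=${3:-}
  local tmp
  tmp=$(mktemp)
  cat ./script/headers/yaml.txt > "$tmp"
  if [ -n "$guard" ]; then
    printf '{{- if eq .Values.operator.global "%s" }}\n' "$guard" >> "$tmp"
  fi
  kustomize build "./pkg/resources/config/helm/$overlay/." >> "$tmp"
  if [ -n "$guard" ]; then
    printf '{{- end }}\n' >> "$tmp"
  fi
  mv "$tmp" "$templates/$target"
}

gen common rbacs-common.yaml
gen namespaced rbacs-namespaced.yaml false
gen descoped rbacs-descoped.yaml true
```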