Add SIP function

This change adds a function to deploy SIP, the Support Infrastructure
Provider.

Signed-off-by: Drew Walters <andrew.walters@att.com>
Change-Id: I4b6ac2707d495217bec14c09bec34f305a12e8e3
Drew Walters 2021-03-05 17:48:50 +00:00
parent 29784c4dd7
commit 3561c823bb
33 changed files with 969 additions and 0 deletions


@ -0,0 +1,23 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
dependencies:
- name: upstream/crd
git:
repo: "https://opendev.org/airship/sip"
directory: "config/crd"
ref: "194346b22e1df3e922a8fd32dd2fb785856731a9"
- name: upstream/default
git:
repo: "https://opendev.org/airship/sip"
directory: "config/default"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"
- name: upstream/manager
git:
repo: "https://opendev.org/airship/sip"
directory: "config/manager"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"
- name: upstream/rbac
git:
repo: "https://opendev.org/airship/sip"
directory: "config/rbac"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"
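Review bot: The `upstream/crd` dependency is pinned to `194346b22e1df3e922a8fd32dd2fb785856731a9` while `upstream/default`, `upstream/manager` and `upstream/rbac` are pinned to `eac22786d83f1a4f524f9f32ea36bb57b164ea1b`, so the CRD schema and the controller/RBAC manifests come from two different upstream commits. If that split is intentional, a comment on the `upstream/crd` entry saying why would stop the next `kpt pkg sync` from unifying them by accident; otherwise align all four refs to a single commit. Pinning to full commit SHAs rather than branch names is the right choice and should stay that way.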


@ -0,0 +1,17 @@
# Support Infrastructure Provider (SIP)
The Support Infrastructure Provider (SIP) provisions tenant Kubernetes clusters
using BaremetalHost (BMH) objects and deploys supporting infrastructure to
access sub-clusters.
View the source code for SIP on [OpenDev][repo].
[repo]: https://opendev.org/airship/sip
## Update Manifests
To update the upstream manifests in this function:
1. Update the git references in `Kptfile`.
2. Run `kpt pkg sync .` from this directory.
3. Update any `sip` container image references defined in version catalogs.


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- upstream/default


@ -0,0 +1,2 @@
resources:
- versions.yaml


@ -0,0 +1,29 @@
apiVersion: airshipit.org/v1alpha1
kind: ReplacementTransformer
metadata:
name: sip-versions-replacements
annotations:
config.kubernetes.io/function: |-
container:
image: quay.io/airshipit/replacement-transformer:latest
replacements:
- source:
objref:
kind: VersionsCatalogue
name: versions-treasuremap
fieldref: "{.spec.images.sip.manager}"
target:
objref:
kind: Deployment
name: sipcluster-controller-manager
fieldrefs: ["{.spec.template.spec.containers[?(.name == 'manager')].image}"]
- source:
objref:
kind: VersionsCatalogue
name: versions-treasuremap
fieldref: "{.spec.images.sip.kube-rbac-proxy}"
target:
objref:
kind: Deployment
name: sipcluster-controller-manager
fieldrefs: ["{.spec.template.spec.containers[?(.name == 'kube-rbac-proxy')].image}"]
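Review bot: `image: quay.io/airshipit/replacement-transformer:latest` in the `config.kubernetes.io/function` annotation is a floating tag, so the container that rewrites these manifests at render time can change without any change to this repository. Pin it to a release tag or, better, a digest, e.g. `image: quay.io/airshipit/replacement-transformer:<PINNED_TAG_OR_DIGEST>` (placeholder), so renders are reproducible and the rewrite step is auditable. The catalogue keys `.spec.images.sip.manager` and `.spec.images.sip.kube-rbac-proxy` on `versions-treasuremap` are referenced here but not defined in this change, so the function only renders as intended when a version catalogue elsewhere supplies them; a one-line comment above `replacements:` naming that dependency would help, since the README only alludes to it in step 3.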


@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/crd
upstream:
type: git
git:
commit: 194346b22e1df3e922a8fd32dd2fb785856731a9
repo: https://opendev.org/airship/sip
directory: config/crd
ref: 194346b22e1df3e922a8fd32dd2fb785856731a9


@ -0,0 +1,291 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
name: sipclusters.airship.airshipit.org
spec:
group: airship.airshipit.org
names:
kind: SIPCluster
listKind: SIPClusterList
plural: sipclusters
singular: sipcluster
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: SIPCluster is the Schema for the sipclusters API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SIPClusterSpec defines the desired state of a SIPCluster
properties:
nodes:
additionalProperties:
description: 'NodeSet are the the list of Nodes objects workers, or
ControlPlane that define expectations for the Tenant Clusters Includes
artifacts to associate with each defined namespace Such as : - Roles
for the Nodes - Flavor for theh Nodes image - Scheduling expectations
- Scale of the group of Nodes'
properties:
count:
description: Count defines the scale expectations for the Nodes
properties:
active:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed
state of cluster Important: Run "make" to regenerate code
after modifying this file'
type: integer
standby:
type: integer
type: object
spreadTopology:
description: PlaceHolder until we define the real expected Implementation
Scheduling define constraints that allow the SIP Scheduler to
identify the required BMH's to allow CAPI to build a cluster
enum:
- PerRack
- PerHost
type: string
vmFlavor: {}
labelSelector:
description: LabelSelector is the BMH label selector to use.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If
the operator is In or NotIn, the values array must
be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced
during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A
single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is "key",
the operator is "In", and the values array contains only
"value". The requirements are ANDed.
type: object
type: object
type: object
description: Nodes defines the set of nodes to schedule for each BMH
role.
type: object
services:
description: Services defines the services that are deployed when a
SIPCluster is provisioned.
properties:
auth:
description: Auth defines the sub-cluster authentication services.
items:
properties:
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
required:
- image
- nodePort
type: object
type: array
jumpHost:
description: JumpHost defines the sub-cluster jump host services.
items:
description: JumpHostService is an infrastructure service type
that represents the sub-cluster jump-host service.
properties:
bmc:
description: BMCOpts contains options for BMC communication.
properties:
proxy:
type: boolean
type: object
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
sshkey: {}
nodeSSHPrivateKeys:
description: NodeSSHPrivateKeys holds the name of a Secret
in the same namespace as the SIPCluster CR, whose key values
each represent an ssh private key that can be used to access
the cluster nodes. They are mounted into the jumphost with
the secret keys serving as file names relative to a common
directory, and then configured as identity files in the
SSH config file of the default user.
type: string
sshAuthorizedKeys:
items:
type: string
type: array
required:
- image
- nodePort
- nodeSSHPrivateKeys
type: object
type: array
loadBalancer:
description: LoadBalancer defines the sub-cluster load balancer
services.
items:
properties:
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
required:
- image
- nodePort
type: object
type: array
type: object
required:
- services
type: object
status:
description: SIPClusterStatus defines the observed state of SIPCluster
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a foo's
current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type //
+patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details
about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers of
specific condition types may define expected values and meanings
for this field, and whether the values are considered a guaranteed
API. The value should be a CamelCase string. This field may
not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
type: object
type: object
version: v1
versions:
- name: v1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,15 @@
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/airship.airshipit.org_sipclusters.yaml
# +kubebuilder:scaffold:crdkustomizeresource
# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
#- patches/cainjection_in_sipclusters.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml


@ -0,0 +1,15 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/name
namespace:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations


@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: sipclusters.airship.airshipit.org


@ -0,0 +1,17 @@
# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: sipclusters.airship.airshipit.org
spec:
conversion:
strategy: Webhook
webhookClientConfig:
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: system
name: webhook-service
path: /convert


@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/default
upstream:
type: git
git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
repo: https://opendev.org/airship/sip
directory: config/default
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b


@ -0,0 +1,70 @@
# Adds namespace to all resources.
namespace: sipcluster-system
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: sipcluster-
# Labels to add to all resources and selectors.
#commonLabels:
# someName: someValue
bases:
- ../crd
- ../rbac
- ../manager
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- ../webhook
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
#- ../certmanager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
patchesStrategicMerge:
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- manager_webhook_patch.yaml
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
# 'CERTMANAGER' needs to be enabled to use ca injection
#- webhookcainjection_patch.yaml
# the following config is for teaching kustomize how to do var substitution
vars:
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1alpha2
# name: serving-cert # this name should match the one in certificate.yaml
# fieldref:
# fieldpath: metadata.namespace
#- name: CERTIFICATE_NAME
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1alpha2
# name: serving-cert # this name should match the one in certificate.yaml
#- name: SERVICE_NAMESPACE # namespace of the service
# objref:
# kind: Service
# version: v1
# name: webhook-service
# fieldref:
# fieldpath: metadata.namespace
#- name: SERVICE_NAME
# objref:
# kind: Service
# version: v1
# name: webhook-service


@ -0,0 +1,25 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
name: https
- name: manager
args:
- "--metrics-addr=127.0.0.1:8080"
- "--enable-leader-election"


@ -0,0 +1,23 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert


@ -0,0 +1,15 @@
# This patch add annotation to admission webhook config and
# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)


@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/manager
upstream:
type: git
git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
repo: https://opendev.org/airship/sip
directory: config/manager
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b


@ -0,0 +1,2 @@
resources:
- manager.yaml


@ -0,0 +1,40 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
labels:
control-plane: controller-manager
spec:
containers:
- command:
- /manager
args:
- --enable-leader-election
image: quay.io/airshipit/sip
imagePullPolicy: IfNotPresent
name: manager
resources:
limits:
cpu: 100m
memory: 30Mi
requests:
cpu: 100m
memory: 20Mi
terminationGracePeriodSeconds: 10


@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/rbac
upstream:
type: git
git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
repo: https://opendev.org/airship/sip
directory: config/rbac
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b


@ -0,0 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: metrics-reader
rules:
- nonResourceURLs: ["/metrics"]
verbs: ["get"]


@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: proxy-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system


@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
namespace: system
spec:
ports:
- name: https
port: 8443
targetPort: https
selector:
control-plane: controller-manager


@ -0,0 +1,15 @@
resources:
- role.yaml
- role_binding.yaml
- sipcluster_scheduler_role.yaml
- sipcluster_scheduler_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml


@ -0,0 +1,44 @@
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- apiGroups:
- "coordination.k8s.io"
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system


@ -0,0 +1,37 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters/status
verbs:
- get
- patch
- update
- apiGroups:
- metal3.io
resources:
- baremetalhosts
verbs:
- get
- list
- patch
- update


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system


@ -0,0 +1,24 @@
# permissions for end users to edit sipclusters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sipcluster-editor-role
rules:
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters/status
verbs:
- get


@ -0,0 +1,39 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: scheduler-rolebinding
namespace: metal3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: scheduler-role
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-scheduler-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-scheduler-role
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-infra-service-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: sipcluster-infra-service
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system


@ -0,0 +1,80 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: scheduler-role
namespace: metal3
rules:
- apiGroups:
- metal3.io
resources:
- baremetalhosts
verbs:
- get
- list
- patch
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-scheduler-role
rules:
- apiGroups:
- metal3.io
resources:
- baremetalhosts
verbs:
- get
- list
- patch
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- secrets
verbs:
- create
- delete
- update
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sipcluster-infra-service
rules:
- apiGroups:
- ""
- apps
resources:
- configmaps
- deployments
- services
verbs:
- create
- delete
- update
- get
- list
- watch
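Review bot: `cluster-scheduler-role` grants `create`, `delete` and `update` on `secrets` and `namespaces` across the whole cluster, and `sipcluster-infra-service` grants the same verbs on `configmaps`, `deployments` and `services` cluster-wide; both are bound to the `default` ServiceAccount of `sipcluster-system` in the preceding `sipcluster_scheduler_binding.yaml` section, and the `controller-manager` Deployment in `manager.yaml` sets no `serviceAccountName`, so every pod in that namespace that does not name its own ServiceAccount inherits cluster-wide secret write access. Since these manifests are kpt-synced from upstream, the durable fix belongs upstream (a dedicated ServiceAccount for the controller and namespace-scoped Roles where SIP creates tenant resources), but this function could carry a kustomize patch in the meantime. At minimum, a comment at the top of the file recording why cluster-wide `secrets` and `namespaces` write access is required would help future reviewers judge the blast radius.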


@ -0,0 +1,20 @@
# permissions for end users to view sipclusters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sipcluster-viewer-role
rules:
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters
verbs:
- get
- list
- watch
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters/status
verbs:
- get