diff --git a/manifests/function/synclabeller/Kptfile b/manifests/function/synclabeller/Kptfile
new file mode 100644
index 000000000..3db216f21
--- /dev/null
+++ b/manifests/function/synclabeller/Kptfile
@@ -0,0 +1,23 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+dependencies:
+- name: upstream/crd
+ git:
+ repo: "https://github.com/airshipit/synclabeller"
+ directory: "config/crd"
+ ref: "72766d8519e064ffeacb44ddb9afa85c994907ee"
+- name: upstream/default
+ git:
+ repo: "https://github.com/airshipit/synclabeller"
+ directory: "config/default"
+ ref: "72766d8519e064ffeacb44ddb9afa85c994907ee"
+- name: upstream/manager
+ git:
+ repo: "https://github.com/airshipit/synclabeller"
+ directory: "config/manager"
+ ref: "72766d8519e064ffeacb44ddb9afa85c994907ee"
+- name: upstream/rbac
+ git:
+ repo: "https://github.com/airshipit/synclabeller"
+ directory: "config/rbac"
+ ref: "72766d8519e064ffeacb44ddb9afa85c994907ee"
diff --git a/manifests/function/synclabeller/kustomization.yaml b/manifests/function/synclabeller/kustomization.yaml
new file mode 100644
index 000000000..733300e7e
--- /dev/null
+++ b/manifests/function/synclabeller/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- upstream/default
diff --git a/manifests/function/synclabeller/replacements/kustomization.yaml b/manifests/function/synclabeller/replacements/kustomization.yaml
new file mode 100644
index 000000000..ee1becf0d
--- /dev/null
+++ b/manifests/function/synclabeller/replacements/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - versions.yaml
diff --git a/manifests/function/synclabeller/replacements/versions.yaml b/manifests/function/synclabeller/replacements/versions.yaml
new file mode 100644
index 000000000..5132a123f
--- /dev/null
+++ b/manifests/function/synclabeller/replacements/versions.yaml
@@ -0,0 +1,29 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+ name: synclabeller-versions-replacements
+ annotations:
+ config.kubernetes.io/function: |-
+ container:
+ image: quay.io/airshipit/replacement-transformer:latest
+replacements:
+- source:
+ objref:
+ kind: VariableCatalogue
+ name: versions-treasuremap
+ fieldref: "{.spec.images.synclabeller.manager}"
+ target:
+ objref:
+ kind: Deployment
+ name: synclabeller-controller-manager
+ fieldrefs: ["{.spec.template.spec.containers[?(.name == 'manager')].image}"]
+- source:
+ objref:
+ kind: VariableCatalogue
+ name: versions-treasuremap
+ fieldref: "{.spec.images.synclabeller.kube-rbac-proxy}"
+ target:
+ objref:
+ kind: Deployment
+ name: synclabeller-controller-manager
+ fieldrefs: ["{.spec.template.spec.containers[?(.name == 'kube-rbac-proxy')].image}"]
diff --git a/manifests/function/synclabeller/upstream/crd/Kptfile b/manifests/function/synclabeller/upstream/crd/Kptfile
new file mode 100644
index 000000000..f3bd9e8e3
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/crd/Kptfile
@@ -0,0 +1,11 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+ name: upstream/crd
+upstream:
+ type: git
+ git:
+ commit: 72766d8519e064ffeacb44ddb9afa85c994907ee
+ repo: https://github.com/airshipit/synclabeller
+ directory: config/crd
+ ref: 72766d8519e064ffeacb44ddb9afa85c994907ee
diff --git a/manifests/function/synclabeller/upstream/crd/bases/airship.airshipit.org_metal3labelsyncs.yaml b/manifests/function/synclabeller/upstream/crd/bases/airship.airshipit.org_metal3labelsyncs.yaml
new file mode 100644
index 000000000..5a1ec407a
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/crd/bases/airship.airshipit.org_metal3labelsyncs.yaml
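Review bot: The function annotation in replacements/versions.yaml runs `quay.io/airshipit/replacement-transformer:latest`, a mutable tag, so the container that rewrites the image fields at render time can change without any change to this repository. Pinning it to a released tag or an `@sha256:` digest would keep renders reproducible and the plugin under review; if `:latest` is the convention for the other functions' replacements in this repository (not visible here), the pin is better applied to all of them together. The two `fieldrefs` also depend on the Deployment being named `synclabeller-controller-manager`, which results from `namePrefix: synclabeller-` in upstream/default/kustomization.yaml; a comment such as `# target name = namePrefix from upstream/default + controller-manager` above the first `target:` would record that coupling.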
@@ -0,0 +1,56 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: metal3labelsyncs.airship.airshipit.org +spec: + group: airship.airshipit.org + names: + kind: Metal3LabelSync + listKind: Metal3LabelSyncList + plural: metal3labelsyncs + singular: metal3labelsync + scope: Namespaced + validation: + openAPIV3Schema: + description: Metal3LabelSync is the Schema for the metal3labelsyncs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Metal3LabelSyncSpec defines the desired state of Metal3LabelSync + properties: + foo: + description: Foo is an example field of Metal3LabelSync. Edit Metal3LabelSync_types.go + to remove/update + type: string + type: object + status: + description: Metal3LabelSyncStatus defines the observed state of Metal3LabelSync + type: object + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/synclabeller/upstream/crd/kustomization.yaml b/manifests/function/synclabeller/upstream/crd/kustomization.yaml new file mode 100644 index 000000000..a99e4d97b --- /dev/null 
+++ b/manifests/function/synclabeller/upstream/crd/kustomization.yaml
@@ -0,0 +1,21 @@
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/default
+resources:
+- bases/airship.airshipit.org_metal3labelsyncs.yaml
+# +kubebuilder:scaffold:crdkustomizeresource
+
+patchesStrategicMerge:
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# patches here are for enabling the conversion webhook for each CRD
+#- patches/webhook_in_metal3labelsyncs.yaml
+# +kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
+# patches here are for enabling the CA injection for each CRD
+#- patches/cainjection_in_metal3labelsyncs.yaml
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/synclabeller/upstream/crd/kustomizeconfig.yaml b/manifests/function/synclabeller/upstream/crd/kustomizeconfig.yaml
new file mode 100644
index 000000000..6f83d9a94
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/crd/kustomizeconfig.yaml
@@ -0,0 +1,17 @@
+# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+nameReference:
+- kind: Service
+ version: v1
+ fieldSpecs:
+ - kind: CustomResourceDefinition
+ group: apiextensions.k8s.io
+ path: spec/conversion/webhookClientConfig/service/name
+
+namespace:
+- kind: CustomResourceDefinition
+ group: apiextensions.k8s.io
+ path: spec/conversion/webhookClientConfig/service/namespace
+ create: false
+
+varReference:
+- path: metadata/annotations
diff --git a/manifests/function/synclabeller/upstream/crd/patches/cainjection_in_metal3labelsyncs.yaml b/manifests/function/synclabeller/upstream/crd/patches/cainjection_in_metal3labelsyncs.yaml
new file mode 100644
index 000000000..f2c347a79
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/crd/patches/cainjection_in_metal3labelsyncs.yaml
@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+ name: metal3labelsyncs.airship.airshipit.org
diff --git a/manifests/function/synclabeller/upstream/crd/patches/webhook_in_metal3labelsyncs.yaml b/manifests/function/synclabeller/upstream/crd/patches/webhook_in_metal3labelsyncs.yaml
new file mode 100644
index 000000000..c7c9c93ba
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/crd/patches/webhook_in_metal3labelsyncs.yaml
@@ -0,0 +1,17 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: metal3labelsyncs.airship.airshipit.org
+spec:
+ conversion:
+ strategy: Webhook
+ webhookClientConfig:
+ # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+ # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+ caBundle: Cg==
+ service:
+ namespace: system
+ name: webhook-service
+ path: /convert
diff --git a/manifests/function/synclabeller/upstream/default/Kptfile b/manifests/function/synclabeller/upstream/default/Kptfile
new file mode 100644
index 000000000..0a83df3c3
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/default/Kptfile
@@ -0,0 +1,11 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+ name: upstream/default
+upstream:
+ type: git
+ git:
+ commit: 72766d8519e064ffeacb44ddb9afa85c994907ee
+ repo: https://github.com/airshipit/synclabeller
+ directory: config/default
+ ref: 72766d8519e064ffeacb44ddb9afa85c994907ee
diff --git a/manifests/function/synclabeller/upstream/default/kustomization.yaml b/manifests/function/synclabeller/upstream/default/kustomization.yaml
new file mode 100644
index 000000000..9f7e61059
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/default/kustomization.yaml
@@ -0,0 +1,70 @@
+# Adds namespace to all resources.
+namespace: synclabeller-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: synclabeller-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+# someName: someValue
+
+bases:
+- ../crd
+- ../rbac
+- ../manager
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+#- ../webhook
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
+#- ../certmanager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+
+patchesStrategicMerge:
+ # Protect the /metrics endpoint by putting it behind auth.
+ # If you want your controller-manager to expose the /metrics
+ # endpoint w/o any authn/z, please comment the following line.
+- manager_auth_proxy_patch.yaml
+
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+#- manager_webhook_patch.yaml
+
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
+# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
+#- webhookcainjection_patch.yaml
+
+# the following config is for teaching kustomize how to do var substitution
+vars:
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
+#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+# objref:
+# kind: Certificate
+# group: cert-manager.io
+# version: v1alpha2
+# name: serving-cert # this name should match the one in certificate.yaml
+# fieldref:
+# fieldpath: metadata.namespace
+#- name: CERTIFICATE_NAME
+# objref:
+# kind: Certificate
+# group: cert-manager.io
+# version: v1alpha2
+# name: serving-cert # this name should match the one in certificate.yaml
+#- name: SERVICE_NAMESPACE # namespace of the service
+# objref:
+# kind: Service
+# version: v1
+# name: webhook-service
+# fieldref:
+# fieldpath: metadata.namespace
+#- name: SERVICE_NAME
+# objref:
+# kind: Service
+# version: v1
+# name: webhook-service
diff --git a/manifests/function/synclabeller/upstream/default/manager_auth_proxy_patch.yaml b/manifests/function/synclabeller/upstream/default/manager_auth_proxy_patch.yaml
new file mode 100644
index 000000000..77e743d1c
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/default/manager_auth_proxy_patch.yaml
@@ -0,0 +1,25 @@
+# This patch inject a sidecar container which is a HTTP proxy for the
+# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: kube-rbac-proxy
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+ args:
+ - "--secure-listen-address=0.0.0.0:8443"
+ - "--upstream=http://127.0.0.1:8080/"
+ - "--logtostderr=true"
+ - "--v=10"
+ ports:
+ - containerPort: 8443
+ name: https
+ - name: manager
+ args:
+ - "--metrics-addr=127.0.0.1:8080"
+ - "--enable-leader-election"
diff --git a/manifests/function/synclabeller/upstream/default/manager_webhook_patch.yaml b/manifests/function/synclabeller/upstream/default/manager_webhook_patch.yaml
new file mode 100644
index 000000000..738de350b
--- /dev/null
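Review bot: The kube-rbac-proxy sidecar in manager_auth_proxy_patch.yaml is started with `- "--v=10"`, a debug-level log verbosity that should not ship as the deployed default. At that level the proxy's Kubernetes client is likely to log request and response bodies, and the TokenReview requests it sends carry the caller's bearer token, so tokens presented to the metrics endpoint could end up in pod logs readable by anyone with log access. The file is pulled from the upstream repository by kpt, so either fix it there or patch the argument in this function to a low level, e.g. `- "--v=0"`.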
+++ b/manifests/function/synclabeller/upstream/default/manager_webhook_patch.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
diff --git a/manifests/function/synclabeller/upstream/default/webhookcainjection_patch.yaml b/manifests/function/synclabeller/upstream/default/webhookcainjection_patch.yaml
new file mode 100644
index 000000000..7e79bf995
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/default/webhookcainjection_patch.yaml
@@ -0,0 +1,15 @@
+# This patch add annotation to admission webhook config and
+# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: mutating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
diff --git a/manifests/function/synclabeller/upstream/manager/Kptfile b/manifests/function/synclabeller/upstream/manager/Kptfile
new file mode 100644
index 000000000..92dba804b
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/manager/Kptfile
@@ -0,0 +1,11 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+ name: upstream/manager
+upstream:
+ type: git
+ git:
+ commit: 72766d8519e064ffeacb44ddb9afa85c994907ee
+ repo: https://github.com/airshipit/synclabeller
+ directory: config/manager
+ ref: 72766d8519e064ffeacb44ddb9afa85c994907ee
diff --git a/manifests/function/synclabeller/upstream/manager/kustomization.yaml b/manifests/function/synclabeller/upstream/manager/kustomization.yaml
new file mode 100644
index 000000000..adef851e3
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/manager/kustomization.yaml
@@ -0,0 +1,8 @@
+resources:
+- manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+ newName: digambarpat/synclabeller
+ newTag: latest
diff --git a/manifests/function/synclabeller/upstream/manager/manager.yaml b/manifests/function/synclabeller/upstream/manager/manager.yaml
new file mode 100644
index 000000000..46793c858
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/manager/manager.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+ labels:
+ control-plane: controller-manager
+spec:
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ control-plane: controller-manager
+ spec:
+ containers:
+ - command:
+ - /manager
+ args:
+ - --enable-leader-election
+ image: digambarpat/synclabeller:latest
+ name: manager
+ resources:
+ limits:
+ cpu: 100m
+ memory: 30Mi
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ terminationGracePeriodSeconds: 10
diff --git a/manifests/function/synclabeller/upstream/rbac/Kptfile b/manifests/function/synclabeller/upstream/rbac/Kptfile
new file mode 100644
index 000000000..51da49eaa
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/Kptfile
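Review bot: The default controller image in upstream/manager is `digambarpat/synclabeller` with `newTag: latest`, a personal registry namespace and a mutable tag, and upstream/manager/manager.yaml hard-codes the same `image: digambarpat/synclabeller:latest`. The `images:` entry here matches `name: controller`, which no longer appears in manager.yaml, so it seems to override nothing and the hard-coded image is what deploys wherever the synclabeller replacements transformer is not applied; in this commit the multi-tenant type adds the function, while only the virtual-network-cloud site adds the transformer. Consider making the pinned project image already recorded in versions-treasuremap.yaml the default, i.e. `image: quay.io/airshipit/synclabeller:72766d8519e064ffeacb44ddb9afa85c994907ee` in manager.yaml, and dropping or correcting the unused `images:` entry.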
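Review bot: The `manager` container in upstream/manager/manager.yaml and its pod template set no `securityContext`, so the controller runs as whatever user the image defaults to and may gain privileges. For a controller that is granted read access to Secrets, add `securityContext: {allowPrivilegeEscalation: false}` on the container and `securityContext: {runAsNonRoot: true}` under the pod `spec`. Whether the image already runs as a non-root user is not visible in this diff, so confirm that before enabling `runAsNonRoot`.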
@@ -0,0 +1,11 @@
+IapiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+ name: upstream/rbac
+upstream:
+ type: git
+ git:
+ commit: 72766d8519e064ffeacb44ddb9afa85c994907ee
+ repo: https://github.com/airshipit/synclabeller
+ directory: config/rbac
+ ref: 72766d8519e064ffeacb44ddb9afa85c994907ee
diff --git a/manifests/function/synclabeller/upstream/rbac/auth_proxy_client_clusterrole.yaml b/manifests/function/synclabeller/upstream/rbac/auth_proxy_client_clusterrole.yaml
new file mode 100644
index 000000000..7d62534c5
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/auth_proxy_client_clusterrole.yaml
@@ -0,0 +1,7 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: metrics-reader
+rules:
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
diff --git a/manifests/function/synclabeller/upstream/rbac/auth_proxy_role.yaml b/manifests/function/synclabeller/upstream/rbac/auth_proxy_role.yaml
new file mode 100644
index 000000000..618f5e417
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/auth_proxy_role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: proxy-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+ resources:
+ - subjectaccessreviews
+ verbs: ["create"]
diff --git a/manifests/function/synclabeller/upstream/rbac/auth_proxy_role_binding.yaml b/manifests/function/synclabeller/upstream/rbac/auth_proxy_role_binding.yaml
new file mode 100644
index 000000000..48ed1e4b8
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/auth_proxy_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: proxy-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: system
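Review bot: The first added line of upstream/rbac/Kptfile reads `IapiVersion: kpt.dev/v1alpha1`; the stray leading `I` leaves this Kptfile without an `apiVersion` key, unlike the crd, default and manager Kptfiles in this commit. kpt will probably fail to recognise or update the package, which would also keep later upstream fixes to these RBAC manifests from being pulled in. The line should be `apiVersion: kpt.dev/v1alpha1`.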
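Review bot: The subject of the binding in auth_proxy_role_binding.yaml is the namespace's `default` ServiceAccount (`name: default`), and leader_election_role_binding.yaml and role_binding.yaml later in this commit use the same subject. Every pod in the function's namespace that does not set its own service account therefore inherits `proxy-role`, `leader-election-role` and `manager-role`, not only the controller. A dedicated ServiceAccount would confine the grants: add one to the rbac package, name it as the subject in all three bindings, and set `serviceAccountName` on the controller-manager Deployment.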
diff --git a/manifests/function/synclabeller/upstream/rbac/auth_proxy_service.yaml b/manifests/function/synclabeller/upstream/rbac/auth_proxy_service.yaml
new file mode 100644
index 000000000..6cf656be1
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/auth_proxy_service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: controller-manager-metrics-service
+ namespace: system
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: controller-manager
diff --git a/manifests/function/synclabeller/upstream/rbac/kustomization.yaml b/manifests/function/synclabeller/upstream/rbac/kustomization.yaml
new file mode 100644
index 000000000..66c28338f
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/kustomization.yaml
@@ -0,0 +1,12 @@
+resources:
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
diff --git a/manifests/function/synclabeller/upstream/rbac/leader_election_role.yaml b/manifests/function/synclabeller/upstream/rbac/leader_election_role.yaml
new file mode 100644
index 000000000..eaa79158f
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/leader_election_role.yaml
@@ -0,0 +1,32 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
diff --git a/manifests/function/synclabeller/upstream/rbac/leader_election_role_binding.yaml b/manifests/function/synclabeller/upstream/rbac/leader_election_role_binding.yaml
new file mode 100644
index 000000000..eed16906f
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: system
diff --git a/manifests/function/synclabeller/upstream/rbac/metal3labelsync_editor_role.yaml b/manifests/function/synclabeller/upstream/rbac/metal3labelsync_editor_role.yaml
new file mode 100644
index 000000000..5e65d298f
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/metal3labelsync_editor_role.yaml
@@ -0,0 +1,24 @@
+# permissions for end users to edit metal3labelsyncs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metal3labelsync-editor-role
+rules:
+- apiGroups:
+ - airship.airshipit.org
+ resources:
+ - metal3labelsyncs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - airship.airshipit.org
+ resources:
+ - metal3labelsyncs/status
+ verbs:
+ - get
diff --git a/manifests/function/synclabeller/upstream/rbac/metal3labelsync_viewer_role.yaml b/manifests/function/synclabeller/upstream/rbac/metal3labelsync_viewer_role.yaml
new file mode 100644
index 000000000..55c6f662e
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/metal3labelsync_viewer_role.yaml
@@ -0,0 +1,20 @@
+# permissions for end users to view metal3labelsyncs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metal3labelsync-viewer-role
+rules:
+- apiGroups:
+ - airship.airshipit.org
+ resources:
+ - metal3labelsyncs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - airship.airshipit.org
+ resources:
+ - metal3labelsyncs/status
+ verbs:
+ - get
diff --git a/manifests/function/synclabeller/upstream/rbac/role.yaml b/manifests/function/synclabeller/upstream/rbac/role.yaml
new file mode 100644
index 000000000..0a6609bfd
--- /dev/null
+++ b/manifests/function/synclabeller/upstream/rbac/role.yaml
@@ -0,0 +1,100 @@ + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters/status + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - machines + - machines/status + verbs: + - get + - list + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - metal3clusters + verbs: + - get + - list + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - metal3clusters/status + verbs: + - get +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - metal3machines + verbs: + - get + - list + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - metal3machines/status + verbs: + - get +- apiGroups: + - metal3.io + resources: + - baremetalhosts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal3.io + resources: + - baremetalhosts/status + verbs: + - get + - patch + - update diff --git a/manifests/function/synclabeller/upstream/rbac/role_binding.yaml b/manifests/function/synclabeller/upstream/rbac/role_binding.yaml new file mode 100644 index 000000000..8f2658702 --- /dev/null +++ b/manifests/function/synclabeller/upstream/rbac/role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: default + namespace: system 
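Review bot: Binding `manager-role` through a `ClusterRoleBinding` in role_binding.yaml makes each of its rules cluster-wide, and role.yaml in the preceding hunk includes `get`/`list`/`watch` on `secrets`, so the controller can read every Secret in every namespace. If the controller only needs Secrets in particular namespaces (not determinable from this diff), grant that rule through a namespaced `Role` and `RoleBinding` instead, or narrow it with `resourceNames`. role.yaml looks generated from the controller's RBAC markers, so the rule itself would have to change in the upstream repository; at minimum a comment above `roleRef:` such as `# manager-role is cluster-wide because <reason>; includes read access to all Secrets` would make the grant an explicit decision.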
diff --git a/manifests/function/treasuremap-base-catalogues/versions-treasuremap.yaml b/manifests/function/treasuremap-base-catalogues/versions-treasuremap.yaml index 60cd113ea..f1e754c84 100644 --- a/manifests/function/treasuremap-base-catalogues/versions-treasuremap.yaml +++ b/manifests/function/treasuremap-base-catalogues/versions-treasuremap.yaml @@ -113,3 +113,6 @@ spec: kube-rbac-proxy: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 libvirt: quay.io/airshipit/libvirt manager: quay.io/airshipit/vino:6480ddc3ba98fba21fd692b8489adb0177abb8b5 + synclabeller: + kube-rbac-proxy: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 + manager: quay.io/airshipit/synclabeller:72766d8519e064ffeacb44ddb9afa85c994907ee diff --git a/manifests/site/virtual-network-cloud/target/workload/kustomization.yaml b/manifests/site/virtual-network-cloud/target/workload/kustomization.yaml index 0cfe44a96..ed3e2b79c 100644 --- a/manifests/site/virtual-network-cloud/target/workload/kustomization.yaml +++ b/manifests/site/virtual-network-cloud/target/workload/kustomization.yaml @@ -4,4 +4,5 @@ resources: transformers: - ../../../../function/ingress/replacements - ../../../../function/sip/replacements + - ../../../../function/synclabeller/replacements - ../../../../function/vino/replacements diff --git a/manifests/type/multi-tenant/target/workload/kustomization.yaml b/manifests/type/multi-tenant/target/workload/kustomization.yaml index 239ed8485..3409d584c 100644 --- a/manifests/type/multi-tenant/target/workload/kustomization.yaml +++ b/manifests/type/multi-tenant/target/workload/kustomization.yaml @@ -1,5 +1,6 @@ resources: - ../../../airship-core/target/workload - ../../../../function/sip + - ../../../../function/synclabeller - ../../../../function/vino #- network-policy