diff --git a/bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml b/bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml
deleted file mode 100644
index 0d0f0921c..000000000
--- a/bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- creationTimestamp: null
- labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: kuadrant
- app.kubernetes.io/instance: add-on-manager
- app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/name: serviceaccount
- app.kubernetes.io/part-of: multicluster-gateway-controller
- name: mgc-add-on-manager
diff --git a/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml
deleted file mode 100644
index 7c312f35d..000000000
--- a/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml
+++ /dev/null
@@ -1,137 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: mgc-kuadrant-addon -rules: -- apiGroups: - - "" - resources: - - configmaps - - events - verbs: - - get - - list - - watch - - create - - update - - delete - - deletecollection - - patch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - get - - list - - watch - - create - - update - - delete -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - get - - create -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - verbs: - - get - - list - - watch - - create - - update -- apiGroups: - - certificates.k8s.io - resources: - - signers - verbs: - - approve -- apiGroups: - - cluster.open-cluster-management.io - resources: - - managedclusters - verbs: - - get - - list - - watch - - update -- apiGroups: - - work.open-cluster-management.io - resources: - - manifestworks - verbs: - - create - - update - - get - - list - - watch - - delete - - deletecollection - - patch -- apiGroups: - - addon.open-cluster-management.io - resources: - - managedclusteraddons/finalizers - verbs: - - update -- apiGroups: - - addon.open-cluster-management.io - resources: - - clustermanagementaddons/finalizers - verbs: - - update -- apiGroups: - - addon.open-cluster-management.io - resources: - - clustermanagementaddons - verbs: - - get - - list - - watch -- apiGroups: - - addon.open-cluster-management.io - resources: - - managedclusteraddons - verbs: - - get - - list - - watch - - create - - update - - delete -- apiGroups: - - addon.open-cluster-management.io - resources: - - managedclusteraddons/status - verbs: - - update - - patch -- apiGroups: - - kuadrant.io/v1beta1 - resources: - - kuadrant - 
verbs: - - get - - list - - watch - - create - - update diff --git a/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml b/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml deleted file mode 100644 index e7e5246ae..000000000 --- a/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - name: mgc-kuadrant-addon -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: mgc-kuadrant-addon -subjects: -- kind: ServiceAccount - name: mgc-add-on-manager - namespace: multicluster-gateway-controller-system diff --git a/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml b/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml index e6831eb10..19e8a48c1 100644 --- a/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml +++ b/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml @@ -4,7 +4,7 @@ metadata: annotations: alm-examples: '[]' capabilities: Basic Install - createdAt: "2024-02-02T12:19:59Z" + createdAt: "2024-02-21T15:02:50Z" operators.operatorframework.io/builder: operator-sdk-v1.28.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 name: multicluster-gateway-controller.v0.0.0 @@ -34,6 +34,20 @@ spec: - patch - update - watch + - apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch - apiGroups: - "" resources: 
@@ -43,6 +57,51 @@ spec: - get - list - watch + - apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons + verbs: + - get + - list + - watch + - apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons/finalizers + verbs: + - update + - apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/finalizers + verbs: + - update + - apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/status + verbs: + - patch + - update + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - get - apiGroups: - cert-manager.io resources: @@ -55,6 +114,23 @@ spec: - patch - update - watch + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - certificates.k8s.io + resources: + - signers + verbs: + - approve - apiGroups: - cluster.open-cluster-management.io resources: @@ -62,6 +138,7 @@ spec: verbs: - get - list + - update - watch - apiGroups: - cluster.open-cluster-management.io @@ -75,6 +152,17 @@ spec: - patch - update - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - patch + - update + - watch - apiGroups: - gateway.networking.k8s.io resources: @@ -136,6 +224,28 @@ spec: - get - list - watch + - apiGroups: + - kuadrant.io + resources: + - kuadrant + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - work.open-cluster-management.io resources: 
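Review bot: The `certificates.k8s.io` / `signers` rule added in the `@@ -55,6 +114,23 @@` hunk carries `verbs: [approve]` with no `resourceNames`, so the manager's ServiceAccount may approve CSRs for every signer in the cluster, including the built-in client-certificate signer; together with the `certificatesigningrequests` create/update and `certificatesigningrequests/approval` rights added in the same hunk this is effectively cluster-admin-equivalent, and it is now held by the main controller identity rather than the dedicated add-on ServiceAccount the commit deletes (the enclosing rules list starts and ends outside the hunk). The same unscoped rule appears in config/rbac/role.yaml (its `@@ -38,6 +97,23 @@` hunk) and in the kubebuilder marker added to pkg/controllers/gateway/gateway_controller.go, and since both YAML files are generated from that marker the fix belongs there: `// +kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,resourceNames=<ADDON_SIGNER_NAME>,verbs=approve` (placeholder: the signer the add-on registration actually uses), then regenerate. The `rbac.authorization.k8s.io` roles/rolebindings create/update rule in the `@@ -136,6 +224,28 @@` hunk deserves the same scrutiny, as it lets the controller grant any permission it itself holds to other subjects; a short comment on the marker recording why each of these cluster-wide rights is needed would make the next review of this role far easier.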
@@ -143,6 +253,7 @@ spec:
 verbs:
 - create
 - delete
+ - deletecollection
 - get
 - list
 - patch
diff --git a/cmd/gateway_controller/main.go b/cmd/gateway_controller/main.go
index 9b80db709..5c56440fc 100644
--- a/cmd/gateway_controller/main.go
+++ b/cmd/gateway_controller/main.go
@@ -20,7 +20,6 @@ import (
 "flag"
 "os"
 
- certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 clusterv1 "open-cluster-management.io/api/cluster/v1"
 clusterv1beta2 "open-cluster-management.io/api/cluster/v1beta1"
 workv1 "open-cluster-management.io/api/work/v1"
@@ -41,8 +40,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/webhook"
 gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 
- addon_manager "github.com/Kuadrant/multicluster-gateway-controller/cmd/gateway_controller/addon-manager"
- "github.com/Kuadrant/multicluster-gateway-controller/pkg/apis/v1alpha1"
+ "github.com/Kuadrant/multicluster-gateway-controller/cmd/gateway_controller/ocm"
 "github.com/Kuadrant/multicluster-gateway-controller/pkg/controllers/gateway"
 "github.com/Kuadrant/multicluster-gateway-controller/pkg/placement"
 "github.com/Kuadrant/multicluster-gateway-controller/pkg/policysync"
@@ -143,7 +141,7 @@ func main() {
 }
 
 // add addon-manager
- if err = mgr.Add(addon_manager.AddonRunnable{}); err != nil {
+ if err = mgr.Add(ocm.AddonRunnable{}); err != nil {
 setupLog.Error(err, "unable to add addon manager runnable")
 os.Exit(1)
 }
diff --git a/cmd/gateway_controller/addon-manager/addon-manager.go b/cmd/gateway_controller/ocm/addon-manager.go
similarity index 99%
rename from cmd/gateway_controller/addon-manager/addon-manager.go
rename to cmd/gateway_controller/ocm/addon-manager.go
index ab8b79bf5..5560da4a7 100644
--- a/cmd/gateway_controller/addon-manager/addon-manager.go
+++ b/cmd/gateway_controller/ocm/addon-manager.go
@@ -1,4 +1,4 @@
-package addon_manager
+package ocm
 
 import (
 "context"
diff --git a/cmd/gateway_controller/addon-manager/manifests/cluster-role-binding.yaml b/cmd/gateway_controller/ocm/manifests/cluster-role-binding.yaml
similarity index 100%
rename from cmd/gateway_controller/addon-manager/manifests/cluster-role-binding.yaml
rename to cmd/gateway_controller/ocm/manifests/cluster-role-binding.yaml
diff --git a/cmd/gateway_controller/addon-manager/manifests/cluster-role.yaml b/cmd/gateway_controller/ocm/manifests/cluster-role.yaml
similarity index 100%
rename from cmd/gateway_controller/addon-manager/manifests/cluster-role.yaml
rename to cmd/gateway_controller/ocm/manifests/cluster-role.yaml
diff --git a/cmd/gateway_controller/addon-manager/manifests/kuadrant-namespace.yaml b/cmd/gateway_controller/ocm/manifests/kuadrant-namespace.yaml
similarity index 100%
rename from cmd/gateway_controller/addon-manager/manifests/kuadrant-namespace.yaml
rename to cmd/gateway_controller/ocm/manifests/kuadrant-namespace.yaml
diff --git a/cmd/gateway_controller/addon-manager/manifests/kuadrant.yaml b/cmd/gateway_controller/ocm/manifests/kuadrant.yaml
similarity index 100%
rename from cmd/gateway_controller/addon-manager/manifests/kuadrant.yaml
rename to cmd/gateway_controller/ocm/manifests/kuadrant.yaml
diff --git a/cmd/gateway_controller/addon-manager/manifests/operator-group.yaml b/cmd/gateway_controller/ocm/manifests/operator-group.yaml
similarity index 100%
rename from cmd/gateway_controller/addon-manager/manifests/operator-group.yaml
rename to cmd/gateway_controller/ocm/manifests/operator-group.yaml
diff --git a/cmd/gateway_controller/addon-manager/manifests/subscription.yaml b/cmd/gateway_controller/ocm/manifests/subscription.yaml
similarity index 100%
rename from cmd/gateway_controller/addon-manager/manifests/subscription.yaml
rename to cmd/gateway_controller/ocm/manifests/subscription.yaml
diff --git a/config/rbac/add-on-clusterrole-binding.yaml b/config/rbac/add-on-clusterrole-binding.yaml
deleted file mode 100644
index 1fef77a55..000000000
--- a/config/rbac/add-on-clusterrole-binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: kuadrant-addon
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kuadrant-addon
-subjects:
-- kind: ServiceAccount
- name: add-on-manager
- namespace: system
\ No newline at end of file
diff --git a/config/rbac/add-on-clusterrole.yaml b/config/rbac/add-on-clusterrole.yaml
deleted file mode 100644
index 601671766..000000000
--- a/config/rbac/add-on-clusterrole.yaml
+++ /dev/null
@@ -1,47 +0,0 @@ - kind: ClusterRole - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: kuadrant-addon - rules: - - apiGroups: [""] - resources: ["configmaps", "events"] - verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles", "rolebindings"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["get", "create"] - - apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests", "certificatesigningrequests/approval"] - verbs: ["get", "list", "watch", "create", "update"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - verbs: ["approve"] - - apiGroups: ["cluster.open-cluster-management.io"] - resources: ["managedclusters"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["work.open-cluster-management.io"] - resources: ["manifestworks"] - verbs: ["create", "update", "get", "list", "watch", "delete", "deletecollection", "patch"] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["managedclusteraddons/finalizers"] - verbs: ["update"] - - apiGroups: [ "addon.open-cluster-management.io" ] - resources: [ "clustermanagementaddons/finalizers" ] - verbs: [ "update" ] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["clustermanagementaddons"] - verbs: ["get", "list", "watch"] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["managedclusteraddons"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["managedclusteraddons/status"] - verbs: ["update", "patch"] - - apiGroups: ["kuadrant.io/v1beta1"] - resources: ["kuadrant"] - verbs: ["get", "list", "watch", "create", "update"] \ 
No newline at end of file diff --git a/config/rbac/add-on-service-account.yaml b/config/rbac/add-on-service-account.yaml deleted file mode 100644 index 808e02f15..000000000 --- a/config/rbac/add-on-service-account.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/name: serviceaccount - app.kubernetes.io/instance: add-on-manager - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: kuadrant - app.kubernetes.io/part-of: multicluster-gateway-controller - app.kubernetes.io/managed-by: kustomize - name: add-on-manager - namespace: system diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 02adf2b00..731832a6a 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -16,6 +16,3 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml -- add-on-service-account.yaml -- add-on-clusterrole.yaml -- add-on-clusterrole-binding.yaml diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 82d2d04ee..cb914d7ba 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -17,6 +17,20 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch - apiGroups: - "" resources: 
@@ -26,6 +40,51 @@ rules: - get - list - watch +- apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons + verbs: + - get + - list + - watch +- apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons/finalizers + verbs: + - update +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/finalizers + verbs: + - update +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/status + verbs: + - patch + - update +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - get - apiGroups: - cert-manager.io resources: @@ -38,6 +97,23 @@ rules: - patch - update - watch +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - certificates.k8s.io + resources: + - signers + verbs: + - approve - apiGroups: - cluster.open-cluster-management.io resources: @@ -45,6 +121,7 @@ rules: verbs: - get - list + - update - watch - apiGroups: - cluster.open-cluster-management.io @@ -58,6 +135,17 @@ rules: - patch - update - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - patch + - update + - watch - apiGroups: - gateway.networking.k8s.io resources: @@ -119,6 +207,28 @@ rules: - get - list - watch +- apiGroups: + - kuadrant.io + resources: + - kuadrant + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - work.open-cluster-management.io resources: 
@@ -126,6 +236,7 @@ rules: verbs: - create - delete + - deletecollection - get - list - patch diff --git a/pkg/controllers/gateway/gateway_controller.go b/pkg/controllers/gateway/gateway_controller.go index 002a52162..8170cbad4 100644 --- a/pkg/controllers/gateway/gateway_controller.go +++ b/pkg/controllers/gateway/gateway_controller.go 
@@ -78,14 +78,27 @@ type GatewayPlacer interface { GetAddresses(ctx context.Context, gateway *gatewayapiv1.Gateway, downstream string) ([]gatewayapiv1.GatewayAddress, error) } +// +kubebuilder:rbac:groups="",resources=configmaps;events,verbs=get;list;watch;create;update;delete;deletecollection;patch +// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;delete +// +kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=get;create +// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests;certificatesigningrequests/approval,verbs=get;list;watch;create;update +// +kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,verbs=approve +// +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;watch;update +// +kubebuilder:rbac:groups=work.open-cluster-management.io,resources=manifestworks,verbs=get;list;watch;create;update;delete;deletecollection;patch +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=managedclusteraddons/finalizers,verbs=update +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=clustermanagementaddons/finalizers,verbs=update +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=clustermanagementaddons,verbs=get;list;watch +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=managedclusteraddons,verbs=get;list;watch;create;update;delete +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=managedclusteraddons/status,verbs=update;patch +// +kubebuilder:rbac:groups=kuadrant.io,resources=kuadrant,verbs=get;list;watch;create;update + // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch;create;update;patch;delete // 
+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=get;update;patch // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/finalizers,verbs=update -// +kubebuilder:rbac:groups=work.open-cluster-management.io,resources=manifestworks,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placementdecisions,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;delete // +kubebuilder:rbac:groups="cert-manager.io",resources=certificates,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;watch // +kubebuilder:rbac:groups="kuadrant.io",resources=authpolicies;ratelimitpolicies,verbs=get;list;watch