5 changes: 3 additions & 2 deletions README.adoc
@@ -40,11 +40,12 @@ operator-sdk test local ./test/e2e/ --namespace=cert-operator-test --up-local

[source,bash]
----
oc new-project cert-operator
oc process -f build/build.yml | oc apply -f-
oc apply -f deploy/service_account.yaml
oc apply -f deploy/role.yaml
oc apply -f deploy/role_binding.yaml
oc apply -f deploy/deployment.yaml
oc apply -f deploy/operator.yaml
----

== Configuration
@@ -208,4 +209,4 @@ oc annotate service dotnet-example openshift.io/cert-ctl-format=pkcs12 --overwri
oc annotate service dotnet-example openshift.io/cert-ctl-status=new --overwrite
----

You will notice two entries in the secret "tls.p12" and "tls-p12-secret.txt"
You will notice two entries in the secret "tls.p12" and "tls-p12-secret.txt"
9 changes: 7 additions & 2 deletions deploy/operator.yaml
@@ -1,6 +1,8 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
alpha.image.policy.openshift.io/resolve-names: "*"
name: cert-operator
labels:
app: cert-operator
@@ -18,15 +20,18 @@ spec:
spec:
containers:
- name: cert-operator
image: cert-operator:latest
image: docker-registry.default.svc:5000/cert-operator/cert-operator:latest
ports:
- containerPort: 60000
name: metrics
imagePullPolicy: Always
env:
- name: WATCH_NAMESPACE
value: ""
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.namespace
fieldPath: metadata.name
- name: OPERATOR_NAME
value: "cert-operator"
serviceAccountName: cert-operator
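Review bot: The new `image:` line points at `docker-registry.default.svc:5000/cert-operator/cert-operator:latest`, a mutable tag, and with `imagePullPolicy: Always` each pod restart runs whatever was most recently pushed under it. The operator's service account is bound to cluster-wide rights on secrets in deploy/role.yaml and deploy/role_binding.yaml of this same change, so push access to that image is in effect access to those rights. Pinning to a digest or an immutable version tag closes that gap, e.g. `image: docker-registry.default.svc:5000/cert-operator/cert-operator@sha256:<DIGEST_PLACEHOLDER>`. A one-line comment above the `alpha.image.policy.openshift.io/resolve-names: "*"` annotation saying why it is still needed with a full registry reference would also help. The container spec may continue past the visible hunk.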
61 changes: 60 additions & 1 deletion deploy/role.yaml
@@ -1,13 +1,72 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-operator-role
name: cert-operator-cluster
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- services
- secrets
- pods
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
Collaborator


also need to include this one so it can update existing routes

- apiGroups:
  - "route.openshift.io"
  resources:
  - routes/custom-host
  verbs:
  - update

- ""
- route.openshift.io
attributeRestrictions: null
resources:
- routes
verbs:
- get
- list
- watch
- update
- apiGroups:
- "route.openshift.io"
resources:
- routes/custom-host
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-operator-local
rules:
- apiGroups:
Collaborator


and these

  - apiGroups:
    - extensions
    resources:
    - replicasets
    - deployments
    verbs:
    - "get"
  - apiGroups:
    - monitoring.coreos.com
    resources:
    - servicemonitors
    verbs:
    - "get"
    - "create"
  - apiGroups:
    - extensions
    resources:
    - deployments/finalizers
    resourceNames:
    - cert-operator
    verbs:
    - "update"

- ""
attributeRestrictions: null
resources:
- pods
- configmaps
verbs:
- create
- get
- apiGroups:
- extensions
resources:
- replicasets
- deployments
verbs:
- "get"
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- "get"
- "create"
- apiGroups:
- extensions
resources:
- deployments/finalizers
resourceNames:
- cert-operator
verbs:
- "update"
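Review bot: The first rule of `cert-operator-cluster` grants get/list/watch/create/update on `secrets` and `pods` in every namespace, which is much wider than the route rules that follow it. Read access to all secrets includes other service accounts' tokens, and cluster-wide pod create lets this account start workloads under other service accounts, so a compromise of the operator pod comes close to a compromise of the cluster. `cert-operator-local` already grants pods create/get in the operator's own namespace; if that is the only place pods are needed, drop `- pods` from the cluster rule. For secrets, a comment such as `# secrets: issued certs are written into the namespace of each annotated service/route` would record why cluster scope is required. The verb list is also worth trimming to what the controller actually calls.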
19 changes: 16 additions & 3 deletions deploy/role_binding.yaml
@@ -1,10 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
kind: ClusterRoleBinding
metadata:
name: cert-operator-cluster
roleRef:
kind: ClusterRole
name: cert-operator-cluster
subjects:
- kind: ServiceAccount
name: cert-operator
namespace: cert-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-operator-local
roleRef:
kind: ClusterRole
name: cert-operator-role
name: cert-operator-local
subjects:
- kind: ServiceAccount
name: default
name: cert-operator
namespace: cert-operator
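Review bot: The `cert-operator-local` RoleBinding has no `metadata.namespace`, so it is created in whichever project is current when `oc apply` runs, while its subject is hard-coded to namespace `cert-operator`. Applied from a different project, it would give the operator's service account the pods/configmaps rights there instead of in its own namespace; adding `namespace: cert-operator` under `metadata:` makes the file independent of the caller's context. Separately, the new ClusterRoleBinding ties the cluster-wide secret access to the `cert-operator` service account, so anyone who can create pods in that namespace can run as it. A comment in this file noting that access to the `cert-operator` project must be limited to operator administrators would make that explicit.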