This repository was archived by the owner on Jul 19, 2024. It is now read-only.
1 change: 1 addition & 0 deletions .gitignore
@@ -1,2 +1,3 @@
/.idea/
package/
*.iml
256 changes: 30 additions & 226 deletions charts/template-controller/templates/clusterrole.yaml
@@ -2,7 +2,6 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: {{ include "template-controller.fullname" . }}-manager-role
rules:
- apiGroups:
@@ -255,242 +254,62 @@ rules:
- patch
- update
---
# permissions for end users to edit gitprojectors.
# permissions for end users to view template-controller resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "template-controller.fullname" . }}-viewer-role
labels:
app.kubernetes.io/name: {{ include "template-controller.fullname" . }}-clusterrole
app.kubernetes.io/instance: gitprojector-editor-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: template-controller
app.kubernetes.io/part-of: template-controller
app.kubernetes.io/managed-by: kustomize
name: {{ include "template-controller.fullname" . }}-gitprojector-editor-role
rules:
- apiGroups:
- templates.kluctl.io
resources:
- gitprojectors
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- templates.kluctl.io
resources:
- gitprojectors/status
verbs:
- get
---
# permissions for end users to view gitprojectors.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: {{ include "template-controller.fullname" . }}-clusterrole
app.kubernetes.io/instance: gitprojector-viewer-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: template-controller
app.kubernetes.io/part-of: template-controller
app.kubernetes.io/managed-by: kustomize
name: {{ include "template-controller.fullname" . }}-gitprojector-viewer-role
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- templates.kluctl.io
resources:
- githubcomments
- gitlabcomments
- gitprojectors
verbs:
- get
- list
- watch
- apiGroups:
- templates.kluctl.io
resources:
- gitprojectors/status
verbs:
- get
---
# permissions for end users to edit listgithubpullrequests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: {{ include "template-controller.fullname" . }}-clusterrole
app.kubernetes.io/instance: listgithubpullrequests-editor-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: template-controller
app.kubernetes.io/part-of: template-controller
app.kubernetes.io/managed-by: kustomize
name: {{ include "template-controller.fullname" . }}-listgithubpullrequests-editor-role
rules:
- apiGroups:
- templates.kluctl.io
resources:
- listgithubpullrequests
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- templates.kluctl.io
resources:
- listgithubpullrequests/status
verbs:
- get
---
# permissions for end users to view listgithubpullrequests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: {{ include "template-controller.fullname" . }}-clusterrole
app.kubernetes.io/instance: listgithubpullrequests-viewer-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: template-controller
app.kubernetes.io/part-of: template-controller
app.kubernetes.io/managed-by: kustomize
name: {{ include "template-controller.fullname" . }}-listgithubpullrequests-viewer-role
rules:
- apiGroups:
- templates.kluctl.io
resources:
- listgithubpullrequests
verbs:
- get
- list
- watch
- apiGroups:
- templates.kluctl.io
resources:
- listgithubpullrequests/status
verbs:
- get
---
# permissions for end users to edit listgitlabmergerequests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: {{ include "template-controller.fullname" . }}-clusterrole
app.kubernetes.io/instance: listgitlabmergerequests-editor-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: template-controller
app.kubernetes.io/part-of: template-controller
app.kubernetes.io/managed-by: kustomize
name: {{ include "template-controller.fullname" . }}-listgitlabmergerequests-editor-role
rules:
- apiGroups:
- templates.kluctl.io
resources:
- listgitlabmergerequests
- objecthandlers
- objecttemplates
- texttemplates
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- templates.kluctl.io
resources:
- githubcomments/status
- gitlabcomments/status
- gitprojectors/status
- listgithubpullrequests/status
- listgitlabmergerequests/status
- objecthandlers/status
- objecttemplates/status
- texttemplates/status
verbs:
- get
---
# permissions for end users to view listgitlabmergerequests.
# permissions for end users to edit template-controller resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "template-controller.fullname" . }}-editor-role
labels:
app.kubernetes.io/name: {{ include "template-controller.fullname" . }}-clusterrole
app.kubernetes.io/instance: listgitlabmergerequests-viewer-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: template-controller
app.kubernetes.io/part-of: template-controller
app.kubernetes.io/managed-by: kustomize
name: {{ include "template-controller.fullname" . }}-listgitlabmergerequests-viewer-role
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
- templates.kluctl.io
resources:
- githubcomments
- gitlabcomments
- gitprojectors
- listgithubpullrequests
- listgitlabmergerequests
verbs:
- get
- list
- watch
- apiGroups:
- templates.kluctl.io
resources:
- listgitlabmergerequests/status
verbs:
- get
---
# permissions for end users to edit objecthandlers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "template-controller.fullname" . }}-objecthandler-editor-role
rules:
- apiGroups:
- templates.kluctl.io
resources:
- objecthandlers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- templates.kluctl.io
resources:
- objecthandlers/status
verbs:
- get
---
# permissions for end users to view objecthandlers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "template-controller.fullname" . }}-objecthandler-viewer-role
rules:
- apiGroups:
- templates.kluctl.io
resources:
- objecthandlers
verbs:
- get
- list
- watch
- apiGroups:
- templates.kluctl.io
resources:
- objecthandlers/status
verbs:
- get
---
# permissions for end users to edit objecttemplates.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "template-controller.fullname" . }}-objecttemplate-editor-role
rules:
- apiGroups:
- templates.kluctl.io
resources:
- objecttemplates
- texttemplates
verbs:
- create
- delete
@@ -502,28 +321,13 @@ rules:
- apiGroups:
- templates.kluctl.io
resources:
- githubcomments/status
- gitlabcomments/status
- gitprojectors/status
- listgithubpullrequests/status
- listgitlabmergerequests/status
- objecthandlers/status
- objecttemplates/status
- texttemplates/status
verbs:
- get
---
# permissions for end users to view objecttemplates.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "template-controller.fullname" . }}-objecttemplate-viewer-role
rules:
- apiGroups:
- templates.kluctl.io
resources:
- objecttemplates
verbs:
- get
- list
- watch
- apiGroups:
- templates.kluctl.io
resources:
- objecttemplates/status
verbs:
- get
---
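Review bot: The consolidated `-viewer-role` and `-editor-role` carry `rbac.authorization.k8s.io/aggregate-to-view: "true"` and `rbac.authorization.k8s.io/aggregate-to-edit: "true"` unconditionally, so installing the chart widens the cluster's built-in `view` and `edit` roles for every subject already bound to them, in every namespace. The editor rule grants `create`/`delete`/`patch`/`update` on `objecttemplates`, `texttemplates`, `objecthandlers` and the other `templates.kluctl.io` resources, and the viewer rule also exposes the `*/status` subresources. If any spec or status field can hold rendered output derived from Secrets or private repositories (not visible on this page), `view` users would read data that the built-in role deliberately withholds. I would gate both labels behind a chart value that defaults to off, for example `{{- if .Values.<aggregateRolesFlag> }}` (placeholder name) around each label line, and put a comment above each role such as `# Aggregated into the built-in view role: every subject bound to view can read these resources.` The `+`/`-` markers are lost in this rendering, so which lines are on the new side is inferred from the hunk counts and the replaced header comments.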