wip: k8s config

cmd/controller/main.go

@@ -36,16 +36,15 @@ func main() {
 
 	sharedmain.MainWithContext(ctx, "typhoon-controller",
 		cloudeventssource.NewController,
-		httppollersource.NewController,
-		kafkasource.NewController,
-		webhooksource.NewController,
-
 		cloudeventstarget.NewController,
+		httppollersource.NewController,
 		httptarget.NewController,
+		kafkasource.NewController,
 		kafkatarget.NewController,
-		logztarget.NewController,
 		logzmetricstarget.NewController,
+		logztarget.NewController,
 		splunktarget.NewController,
+		webhooksource.NewController,
 		// flow
 		jqtransformation.NewController,
 		synchronizer.NewController,

config/200-clusterrole-namespaced.yaml

@@ -0,0 +1,54 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: typhoon-namespaced-admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    app.kubernetes.io/part-of: typhoon
+rules:
+- apiGroups:
+  - flow.typhoon.zeiss.com
+  - routing.typhoon.zeiss.com
+  - sources.typhoon.zeiss.com
+  - targets.typhoon.zeiss.com
+  resources: ["*"]
+  verbs: ["*"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: typhoon-namespaced-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    app.kubernetes.io/part-of: typhoon
+rules:
+- apiGroups:
+  - flow.typhoon.zeiss.com
+  - routing.typhoon.zeiss.com
+  - sources.typhoon.zeiss.com
+  - targets.typhoon.zeiss.com
+  resources: ["*"]
+  verbs:
+  - create
+  - update
+  - patch
+  - delete
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: typhoon-namespaced-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    app.kubernetes.io/part-of: typhoon
+rules:
+- apiGroups:
+  - flow.typhoon.zeiss.com
+  - routing.typhoon.zeiss.com
+  - sources.typhoon.zeiss.com
+  - targets.typhoon.zeiss.com
+  resources: ["*"]
+  verbs:
+  - get
+  - list
+  - watch

config/200-clusterrole-webhook.yaml

@@ -0,0 +1,112 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: typhoon-webhook
+  labels:
+    app.kubernetes.io/part-of: typhoon
+
+rules:
+# Routing admin
+- apiGroups:
+  - routing.typhoon.zeiss.com
+  resources:
+  - filters
+  - splitters
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+
+# Routing statuses update
+- apiGroups:
+  - routing.typhoon.zeiss.com
+  resources:
+  - splitters/status
+  - filters/status
+  verbs:
+  - update
+
+
+- apiGroups:
+  - flow.typhoon.zeiss.com
+  resources:
+  - xslttransformations
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+
+- apiGroups:
+  - flow.typhoon.zeiss.com
+  resources:
+  - xslttransformations/status
+  verbs:
+  - update
+
+# Events admin
+- apiGroups:
+  - ''
+  resources:
+  - events
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+
+# For manipulating certs into secrets.
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+  - update
+  - list
+  - watch
+
+# Validation webhook gets system namespace to use it as an owner.
+- apiGroups:
+  - ''
+  resources:
+  - namespaces
+  verbs:
+  - get
+
+# For actually registering our webhook.
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+
+# Acquire leases for leader election
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - create
+  - update