Externalize registry rbac from default rbac

apache · Nov 9, 2023 · 7b45cbd · 7b45cbd
1 parent e3de890
commit 7b45cbd
Show file tree

Hide file tree

Showing 14 changed files with 100 additions and 15 deletions.
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -19,6 +19,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- operator-deployment.yaml
 - operator-service-account.yaml
+- operator-deployment.yaml
 
+patchesStrategicMerge:
+- patch-toleration.yaml
+- patch-node-selector.yaml
+- patch-resource-requirements.yaml
+patches:
+- path: patch-log-level.yaml
+  target:
+    kind: Deployment
diff --git a/config/manifests/bases/camel-k.clusterserviceversion.yaml b/config/manifests/bases/camel-k.clusterserviceversion.yaml
@@ -32,7 +32,7 @@ metadata:
     repository: https://github.com/apache/camel-k
     support: Camel
   name: camel-k.v2.2.0
-  namespace: placeholder
+  namespace: default
 spec:
   apiservicedefinitions: {}
   customresourcedefinitions:

diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -34,12 +34,10 @@ resources:
 - operator-role-binding-keda.yaml
 - operator-role-binding-knative.yaml
 - operator-role-binding-leases.yaml
-- operator-role-binding-local-registry.yaml
 - operator-role-binding-podmonitors.yaml
 - operator-role-binding-strimzi.yaml
 - operator-role-binding.yaml
 - operator-cluster-role-custom-resource-definitions.yaml
 - operator-cluster-role-binding-custom-resource-definitions.yaml
 - operator-cluster-role-addressable-resolver.yaml
 - operator-cluster-role-binding-addressable-resolver.yaml
-- operator-cluster-role-local-registry.yaml
diff --git a/config/rbac/registry/kustomization.yaml b/config/rbac/registry/kustomization.yaml
@@ -0,0 +1,26 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms
+#
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- operator-role-binding-local-registry.yaml
+- operator-cluster-role-local-registry.yaml
diff --git a/...operator-cluster-role-local-registry.yaml → ...operator-cluster-role-local-registry.yaml b/...operator-cluster-role-local-registry.yaml → ...operator-cluster-role-local-registry.yaml
@@ -25,4 +25,4 @@ rules:
   - apiGroups: [""]
     resources: ["configmaps"]
     resourceNames: ["local-registry-hosting"]
-    verbs: ["get"]
+    verbs: ["get"]
diff --git a/...operator-role-binding-local-registry.yaml → ...operator-role-binding-local-registry.yaml b/...operator-role-binding-local-registry.yaml → ...operator-role-binding-local-registry.yaml
diff --git a/install/overlays/common/kustomization.yaml b/install/overlays/common/kustomization.yaml
@@ -15,6 +15,6 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-resources:
-- resources/integration-platform.yaml
+#resources:
+#- resources/integration-platform.yaml
 
diff --git a/...overlays/common/patches/patch-namespace-camel-k-operator-custom-resource-definitions.yaml b/...overlays/common/patches/patch-namespace-camel-k-operator-custom-resource-definitions.yaml
@@ -0,0 +1,20 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+- op: replace
+  path: /subjects/0/namespace
+  value: default
diff --git a/install/overlays/common/patches/patch-namespace-role-binding-local-registry.yaml b/install/overlays/common/patches/patch-namespace-role-binding-local-registry.yaml
@@ -0,0 +1,20 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+- op: replace
+  path: /subjects/0/namespace
+  value: default
diff --git a/install/overlays/common/resources/integration-platform.yaml b/install/overlays/common/resources/integration-platform.yaml
@@ -10,6 +10,5 @@ spec:
     maven:
       settings: {}
       settingsSecurity: {}
-    registry: {}
   kamelet: {}
   traits: {}
diff --git a/install/overlays/kubernetes/kube-public-transformer.yaml b/install/overlays/kubernetes/kube-public-transformer.yaml
@@ -0,0 +1,9 @@
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+  name: fix-local-registry-rbac-namespace
+patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+target:
+  group: rbac.authorization.k8s.io
+  kind: RoleBinding
+  name: camel-k-operator-local-registry
diff --git a/install/overlays/kubernetes/kustomization.yaml b/install/overlays/kubernetes/kustomization.yaml
@@ -27,12 +27,11 @@ sortOptions:
 resources:
 - ../../config/crd/
 - ../../config/rbac/
-- ../common
 - ../../config/manager/
 
-patches:
-- path: patch-kubernetes-integration-platform.yaml
-  target:
-    group: camel.apache.org
-    version: v1
-    kind: IntegrationPlatform
+
+transformers:
+- kube-public-transformer.yaml
+
+configurations:
+- namespace.yaml
diff --git a/install/overlays/kubernetes/namespace.yaml b/install/overlays/kubernetes/namespace.yaml
@@ -0,0 +1,5 @@
+namespace:
+  - kind: RoleBinding
+    name: camel-k-operator-local-registry
+    path: /subjects/namespace
+    create: false
diff --git a/pkg/util/registry/kep_1755.go b/pkg/util/registry/kep_1755.go
@@ -37,6 +37,7 @@ func GetRegistryAddress(ctx context.Context, c client.Client) (*string, error) {
 			return nil, nil
 		} else if k8serrors.IsNotFound(err) {
 			log.Debug("Cannot find registry configuration local-registry-hosting ConfigMap", "error", err)
+
 			return nil, nil
 		}
 		return nil, err