Adde more role items

Author: psav

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.16 as builder
+FROM registry.access.redhat.com/ubi8/go-toolset:1.15.7 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -14,8 +14,10 @@ COPY main.go main.go
 COPY api/ api/
 COPY controllers/ controllers/
 
+USER 0
+
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details

Makefile

@@ -79,6 +79,9 @@ release: manifests kustomize controller-gen
 
 ##@ Development
 
+build-template: manifests kustomize controller-gen
+	$(KUSTOMIZE) build config/deployment-template | ./manifest2template.py > deploy.yml
+
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 

config/deployment-template/kustomization.yaml

@@ -0,0 +1,26 @@
+# Adds namespace to all resources.
+namespace: frontend-operator-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: frontend-operator-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+#  someName: someValue
+
+bases:
+- ../crd
+- ../rbac
+- ../manager
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+#- ../webhook
+
+patchesStrategicMerge:
+- manager.yaml # Put template param refs into image field
+
+vars: []

config/deployment-template/manager.yaml

@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - image: ${IMAGE}:${IMAGE_TAG}
+        name: manager

config/rbac/bundle_viewer_role.yaml

@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: bundle-viewer-role
+  labels: 
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
 rules:
 - apiGroups:
   - cloud.redhat.com

config/rbac/frontend_viewer_role.yaml

@@ -3,6 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: frontend-viewer-role
+  labels: 
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+
 rules:
 - apiGroups:
   - cloud.redhat.com

config/rbac/frontendenvironment_viewer_role.yaml

@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: frontendenvironment-viewer-role
+  labels: 
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
 rules:
 - apiGroups:
   - cloud.redhat.com

config/rbac/kustomization.yaml

@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+- frontend_editor_role.yaml
+- frontend_viewer_role.yaml
+- frontendenvironment_editor_role.yaml
+- frontendenvironment_viewer_role.yaml
+- bundle_editor_role.yaml
+- bundle_viewer_role.yaml

manifest2template.py

@@ -0,0 +1,13 @@
+#!/usr/bin/env python3
+
+import yaml
+import sys
+
+yamls = yaml.safe_load_all(sys.stdin)
+
+with open("template.yml") as fp:
+    template = yaml.safe_load(fp)
+
+template["objects"].extend(yamls)
+
+print(yaml.dump(template))

template.yml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Template
+metadata:
+  name: clowder
+parameters:
+- name: IMAGE_TAG
+  value: latest
+- name: IMAGE
+  value: quay.io/cloudservices/frontend-operator
+- name: DEBUG_TRIGGERS
+  value: "false"
+- name: DEBUG_CACHE_CREATE
+  value: "false"
+- name: DEBUG_CACHE_UPDATE
+  value: "false"
+- name: DEBUG_CACHE_APPLY
+  value: "false"
+- name: CREATE_SERVICE_MONITORS
+  value: "false"
+- name: WATCH_STRIMZI_RESOURCES
+  value: "false"
+objects: []