Generate operator RBACs using controller-gen (#638)

At operator-sdk 1.y.z the RBACs are generate from annotations at Reconcile function in controllers, this PR do this but only for operator. Signed-off-by: Quique Llorente <[email protected]>
nmstate · Nov 19, 2020 · 402aa3a · 402aa3a
1 parent 0ba469e
commit 402aa3a
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 43 deletions.
diff --git a/Makefile b/Makefile
@@ -110,10 +110,13 @@ gen-k8s: $(CONTROLLER_GEN)
 gen-crds: $(CONTROLLER_GEN)
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./..." output:crd:artifacts:config=deploy/crds
 
+gen-rbac: $(CONTROLLER_GEN)
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=nmstate-operator paths="./controllers/nmstate_controller.go" output:rbac:artifacts:config=deploy/operator
+
 check-gen: generate
 	./hack/check-gen.sh
 
-generate: gen-k8s gen-crds
+generate: gen-k8s gen-crds gen-rbac
 
 manifests: $(GO)
 	$(GO) run hack/render-manifests.go -handler-prefix=$(HANDLER_PREFIX) -handler-namespace=$(HANDLER_NAMESPACE) -operator-namespace=$(OPERATOR_NAMESPACE) -handler-image=$(HANDLER_IMAGE) -operator-image=$(OPERATOR_IMAGE) -handler-pull-policy=$(HANDLER_PULL_POLICY) -operator-pull-policy=$(OPERATOR_PULL_POLICY) -input-dir=deploy/ -output-dir=$(MANIFESTS_DIR)

diff --git a/controllers/nmstate_controller.go b/controllers/nmstate_controller.go
@@ -49,9 +49,9 @@ type NMStateReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups="",resources=services;endpoints;persistentvolumeclaims;events;configmaps;secrets;pods,verbs="*",namespace=nmstate
-// +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs="*",namespace=nmstate
-// +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs="*",namespace=nmstate
+// +kubebuilder:rbac:groups="",resources=services;endpoints;persistentvolumeclaims;events;configmaps;secrets;pods,verbs="*",namespace="{{ .OperatorNamespace }}"
+// +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs="*",namespace="{{ .OperatorNamespace }}"
+// +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs="*",namespace="{{ .OperatorNamespace }}"
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs="*"
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;rolebindings;roles,verbs="*"
 // +kubebuilder:rbac:groups=nmstate.io,resources="*",verbs="*"

diff --git a/deploy/operator/role.yaml b/deploy/operator/role.yaml
@@ -1,87 +1,89 @@
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: nmstate-operator
-  namespace: {{ .OperatorNamespace }}
 rules:
 - apiGroups:
   - ""
   resources:
-  - services
-  - endpoints
-  - persistentvolumeclaims
-  - events
   - configmaps
-  - secrets
-  - pods
+  - namespaces
+  - serviceaccounts
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - '*'
   verbs:
   - '*'
 - apiGroups:
   - apps
   resources:
-  - deployments
   - daemonsets
+  - deployments
   - replicasets
   - statefulsets
   verbs:
   - '*'
 - apiGroups:
-  - policy
+  - nmstate.io
   resources:
-  - poddisruptionbudgets
-  verbs:
   - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  creationTimestamp: null
-  name: nmstate-operator
-  namespace: {{ .OperatorNamespace }}
-rules:
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
   verbs:
   - '*'
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - clusterroles
   - clusterrolebindings
+  - clusterroles
   - rolebindings
   - roles
   verbs:
   - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: nmstate-operator
+  namespace: '{{ .OperatorNamespace }}'
+rules:
 - apiGroups:
-  - nmstate.io
-  resources:
-  - '*'
-  verbs:
-  - '*'
-- apiGroups:
-  - apiextensions.k8s.io
+  - ""
   resources:
-  - '*'
+  - configmaps
+  - endpoints
+  - events
+  - persistentvolumeclaims
+  - pods
+  - secrets
+  - services
   verbs:
   - '*'
 - apiGroups:
   - apps
   resources:
-  - deployments
   - daemonsets
+  - deployments
   - replicasets
   - statefulsets
   verbs:
   - '*'
 - apiGroups:
-  - ""
+  - policy
   resources:
-  - serviceaccounts
-  - configmaps
-  - namespaces
+  - poddisruptionbudgets
   verbs:
-  - "*"
+  - '*'