
Commit 49d899e

committed
wip with all-client validation
Signed-off-by: Joe Lanford <[email protected]>
1 parent cab8b49 commit 49d899e


23 files changed

+1219
-136
lines changed


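--- a/Makefile
+++ b/Makefile
@@ -135,7 +135,8 @@ manifests: $(CONTROLLER_GEN) #EXHELP Generate WebhookConfiguration, ClusterRole,
 
 .PHONY: generate
 generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
-$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
+$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
+$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./catalogd/api/..."
 
 .PHONY: verify
 verify: tidy fmt generate manifests crd-ref-docs #HELP Verify all generated code is up-to-date.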
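Review bot: Narrowing the `generate` recipe from `paths="./..."` to `./api/...` and `./catalogd/api/...` means any other package carrying `+kubebuilder:object:generate` markers silently stops having its deepcopy code regenerated, and `verify` only catches that if stale generated files are already committed. Worth confirming no such packages exist outside those two trees, and recording the reason for the split on the rule, e.g. `# Only api/ and catalogd/api/ hold types needing DeepCopy; extend this list when adding API packages.` The `generate` rule itself is fully inside the hunk, but the surrounding Makefile is not visible here.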

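--- a/cmd/operator-controller/main.go
+++ b/cmd/operator-controller/main.go
@@ -298,8 +298,6 @@ func run() error {
 return err
 }
 
-rbacAuthorizer := authorization.NewRBACAuthorizer(mgr.GetClient())
-
 coreClient, err := corev1client.NewForConfig(mgr.GetConfig())
 if err != nil {
 setupLog.Error(err, "unable to create core client")
@@ -417,9 +415,9 @@ func run() error {
 helmApplier := &applier.Helm{
 ActionClientGetter: acg,
 Preflights: preflights,
-Authorizer: rbacAuthorizer,
+Authorizer: authorization.NewRBACAuthorizer(mgr.GetClient()),
+RuleResolver: authorization.NewRBACRulesResolver(mgr.GetClient()),
 RestMapper: mgr.GetRESTMapper(),
-Client: mgr.GetClient(),
 }
 
 cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())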
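Review bot: Both `Authorizer: authorization.NewRBACAuthorizer(mgr.GetClient())` and `RuleResolver: authorization.NewRBACRulesResolver(mgr.GetClient())` are built from the manager's delegating client, whose reads are presumably served from the informer cache unless RBAC types were excluded through cache options elsewhere; an authorization check against a cache that lags the API server can reach a different decision than the server would enforce. If that is intended, with this check being advisory and the API server remaining the enforcement point, a comment on the two fields saying so would save the next reader the investigation, e.g. `// Authorizer/RuleResolver read RBAC through the cached manager client; the apiserver remains the enforcement point.` The body of run() starts and ends outside both hunks.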

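--- a/config/base/operator-controller/manager/manager.yaml
+++ b/config/base/operator-controller/manager/manager.yaml
@@ -46,7 +46,7 @@ spec:
 - "--health-probe-bind-address=:8081"
 - "--metrics-bind-address=:8443"
 - "--leader-elect"
-- "--v=8"
+- "--v=2"
 image: controller:latest
 imagePullPolicy: IfNotPresent
 name: manager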

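--- a/config/samples/crb.yaml
+++ b/config/samples/crb.yaml
@@ -0,0 +1 @@
+{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"creationTimestamp":null,"labels":{"olm.operatorframework.io/owner-kind":"ClusterExtension","olm.operatorframework.io/owner-name":"argocd"},"name":"argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx","ownerReferences":[{"apiVersion":"olm.operatorframework.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"ClusterExtension","name":"argocd","uid":"215deb97-34f3-42e7-9c18-fda75b265db4"}]},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"argocd-operator-controller-manager","namespace":"argocd"}]}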
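Review bot: This sample binds the `cluster-admin` ClusterRole to the `argocd-operator-controller-manager` ServiceAccount and carries an ownerReference with a hard-coded `uid` that only resolves in the cluster it was captured from, so together with the "wip" commit title it reads like a debugging artifact rather than a curated sample. Anyone who applies a file under `config/samples` wholesale would be granting cluster-admin without any signal that this was the intent. If it is meant to stay, a `#` header line stating its purpose and that it grants cluster-admin would help; the same applies to `config/samples/crb2.yaml`, whose roleRef points at a ClusterRole named `foobar`.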

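--- a/config/samples/crb2.yaml
+++ b/config/samples/crb2.yaml
@@ -0,0 +1,24 @@
+{
+"apiVersion": "rbac.authorization.k8s.io/v1",
+"kind": "ClusterRoleBinding",
+"metadata": {
+"creationTimestamp": null,
+"labels": {
+"olm.operatorframework.io/owner-kind": "ClusterExtension",
+"olm.operatorframework.io/owner-name": "argocd"
+},
+"name": "argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx"
+},
+"roleRef": {
+"apiGroup": "rbac.authorization.k8s.io",
+"kind": "ClusterRole",
+"name": "foobar"
+},
+"subjects": [
+{
+"kind": "ServiceAccount",
+"name": "argocd-operator-controller-manager",
+"namespace": "argocd"
+}
+]
+}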

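--- a/config/samples/olm_v1_clusterextension.yaml
+++ b/config/samples/olm_v1_clusterextension.yaml
@@ -36,14 +36,192 @@ rules:
 # Manage ArgoCD CRDs
 - apiGroups: [apiextensions.k8s.io]
 resources: [customresourcedefinitions]
-verbs: [get, list, watch, create, update, patch, delete]
+verbs: [create, list, watch]
+- apiGroups: [apiextensions.k8s.io]
+resources: [customresourcedefinitions]
+verbs: [get, update, patch, delete]
+resourceNames:
+- appprojects.argoproj.io
+- argocds.argoproj.io
+- applications.argoproj.io
+- argocdexports.argoproj.io
+- applicationsets.argoproj.io
 # Manage ArgoCD ClusterRoles and ClusterRoleBindings
 - apiGroups: [rbac.authorization.k8s.io]
 resources: [clusterroles]
-verbs: [get, list, watch, create, update, patch, delete]
+verbs: [create, list, watch]
+- apiGroups: [rbac.authorization.k8s.io]
+resources: [clusterroles]
+verbs: [get, update, patch, delete]
+resourceNames:
+- argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx
+- argocd-operator-metrics-reader
+- argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3
+- apiGroups: [rbac.authorization.k8s.io]
+resources: [clusterrolebindings]
+verbs: [create, list, watch]
 - apiGroups: [rbac.authorization.k8s.io]
 resources: [clusterrolebindings]
+verbs: [get, update, patch, delete]
+resourceNames:
+- argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx
+- argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3
+- apiGroups: [coordination.k8s.io]
+resources: [leases]
 verbs: [get, list, watch, create, update, patch, delete]
+- nonResourceURLs: ["/metrics"]
+verbs: [get]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: argocd-installer-rbac-binding
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: argocd-installer-rbac-clusterrole
+subjects:
+- kind: ServiceAccount
+name: argocd-installer
+namespace: argocd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: argocd-installer-rbac-clusterrole
+rules:
+# ArgoCD's operator requires the following permissions, which means the
+# installer also needs them in order to create ArgoCD's RBAC objects.
+- apiGroups: [""]
+resources: [configmaps]
+verbs: ['*']
+- apiGroups: [""]
+resources: [endpoints]
+verbs: ['*']
+- apiGroups: [""]
+resources: [events]
+verbs: ['*']
+- apiGroups: [""]
+resources: [namespaces]
+verbs: ['*']
+- apiGroups: [""]
+resources: [persistentvolumeclaims]
+verbs: ['*']
+- apiGroups: [""]
+resources: [pods]
+verbs: ['*', get]
+- apiGroups: [""]
+resources: [pods/log]
+verbs: [get]
+- apiGroups: [""]
+resources: [secrets]
+verbs: ['*']
+- apiGroups: [""]
+resources: [serviceaccounts]
+verbs: ['*']
+- apiGroups: [""]
+resources: [services]
+verbs: ['*']
+- apiGroups: [""]
+resources: [services/finalizers]
+verbs: ['*']
+- apiGroups: [apps]
+resources: [daemonsets]
+verbs: ['*']
+- apiGroups: [apps]
+resources: [deployments]
+verbs: ['*']
+- apiGroups: [apps]
+resources: [deployments/finalizers]
+resourceNames: [argocd-operator]
+verbs: [update]
+- apiGroups: [apps]
+resources: [replicasets]
+verbs: ['*']
+- apiGroups: [apps]
+resources: [statefulsets]
+verbs: ['*']
+- apiGroups: [apps.openshift.io]
+resources: [deploymentconfigs]
+verbs: ['*']
+- apiGroups: [argoproj.io]
+resources: [applications]
+verbs: ['*']
+- apiGroups: [argoproj.io]
+resources: [appprojects]
+verbs: ['*']
+- apiGroups: [argoproj.io]
+resources: [argocdexports]
+verbs: ['*']
+- apiGroups: [argoproj.io]
+resources: [argocdexports/finalizers]
+verbs: ['*']
+- apiGroups: [argoproj.io]
+resources: [argocdexports/status]
+verbs: ['*']
+- apiGroups: [argoproj.io]
+resources: [argocds]
+verbs: ['*']
+- apiGroups: [argoproj.io]
+resources: [argocds/finalizers]
+verbs: ['*']
+- apiGroups: [argoproj.io]
+resources: [argocds/status]
+verbs: ['*']
+- apiGroups: [authentication.k8s.io]
+resources: [tokenreviews]
+verbs: [create]
+- apiGroups: [authorization.k8s.io]
+resources: [subjectaccessreviews]
+verbs: [create]
+- apiGroups: [autoscaling]
+resources: [horizontalpodautoscalers]
+verbs: ['*']
+- apiGroups: [batch]
+resources: [cronjobs]
+verbs: ['*']
+- apiGroups: [batch]
+resources: [jobs]
+verbs: ['*']
+- apiGroups: [config.openshift.io]
+resources: [clusterversions]
+verbs: [get, list, watch]
+- apiGroups: [monitoring.coreos.com]
+resources: [prometheuses]
+verbs: ['*']
+- apiGroups: [monitoring.coreos.com]
+resources: [servicemonitors]
+verbs: ['*']
+- apiGroups: [networking.k8s.io]
+resources: [ingresses]
+verbs: ['*']
+- apiGroups: [oauth.openshift.io]
+resources: [oauthclients]
+verbs: [create, delete, get, list, patch, update, watch]
+- apiGroups: [rbac.authorization.k8s.io]
+resources: ['*']
+verbs: ['*']
+- apiGroups: [rbac.authorization.k8s.io]
+resources: [clusterrolebindings]
+verbs: ['*']
+- apiGroups: [rbac.authorization.k8s.io]
+resources: [clusterroles]
+verbs: ['*']
+- apiGroups: [route.openshift.io]
+resources: [routes]
+verbs: ['*']
+- apiGroups: [route.openshift.io]
+resources: [routes/custom-host]
+verbs: ['*']
+- apiGroups: [template.openshift.io]
+resources: [templateconfigs]
+verbs: ['*']
+- apiGroups: [template.openshift.io]
+resources: [templateinstances]
+verbs: ['*']
+- apiGroups: [template.openshift.io]
+resources: [templates]
+verbs: ['*']
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -53,19 +231,32 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: [serviceaccounts]
-verbs: [get, list, watch, create, update, patch, delete]
+verbs: [create, list, watch]
+- apiGroups: [""]
+resources: [serviceaccounts]
+verbs: [get, update, patch, delete]
+resourceNames: [argocd-operator-controller-manager]
 - apiGroups: [""]
 resources: [configmaps]
-verbs: [get, list, watch, create, update, patch, delete]
-- apiGroups: [coordination.k8s.io]
-resources: [leases]
-verbs: [get, list, watch, create, update, patch, delete]
+verbs: [create, list, watch]
+- apiGroups: [""]
+resources: [configmaps]
+verbs: [get, update, patch, delete]
+resourceNames: [argocd-operator-manager-config]
 - apiGroups: [""]
 resources: [services]
-verbs: [get, list, watch, create, update, patch, delete]
+verbs: [create, list, watch]
+- apiGroups: [""]
+resources: [services]
+verbs: [get, update, patch, delete]
+resourceNames: [argocd-operator-controller-manager-metrics-service]
 - apiGroups: [apps]
 resources: [deployments]
-verbs: [get, list, watch, create, update, patch, delete]
+verbs: [create, list, watch]
+- apiGroups: [apps]
+resources: [deployments]
+verbs: [get, update, patch, delete]
+resourceNames: [argocd-operator-controller-manager]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -85,6 +276,8 @@ apiVersion: olm.operatorframework.io/v1
 kind: ClusterExtension
 metadata:
 name: argocd
+annotations:
+rev: "1"
 spec:
 namespace: argocd
 serviceAccount: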
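Review bot: In the new `argocd-installer-rbac-clusterrole`, the rule `apiGroups: [rbac.authorization.k8s.io] resources: ['*'] verbs: ['*']` already subsumes the two explicit `clusterrolebindings` and `clusterroles` rules that follow it, and because `'*'` covers the `bind` and `escalate` verbs it lets the installer ServiceAccount create RBAC objects granting permissions it does not itself hold, which undoes the careful `resourceNames` scoping applied to the first ClusterRole in the same hunk. If the operator's bundle genuinely declares that wildcard, a comment beside the rule stating that it mirrors the bundle would document the trade-off; otherwise the explicit resource and verb lists are the safer form. Separately, the `leases` rule was dropped from the namespaced Role and re-added to the ClusterRole without `resourceNames`, so lease access is now cluster-wide, and `verbs: ['*', get]` on `pods` lists `get` redundantly. The ClusterRole whose rules begin the first hunk starts before it, and the ClusterExtension in the last hunk continues past it.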
