diff --git a/.github/workflows/reuse-check.yaml b/.github/workflows/reuse-check.yaml new file mode 100644 index 00000000..9b47aaca --- /dev/null +++ b/.github/workflows/reuse-check.yaml @@ -0,0 +1,11 @@ +name: REUSE Compliance Check + +on: [push, pull_request] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - name: REUSE Compliance Check + uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4.0.0 diff --git a/.reuse/dep5 b/.reuse/dep5 index 6d13eba7..1cc691b3 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -9,6 +9,7 @@ Comment: # -------------------------------------------------- # source code Files: + .github/* .gitignore .golangci.yaml .github/dependabot.yaml @@ -16,12 +17,14 @@ Files: VERSION charts/gardener-extension-shoot-lakom-service/.helmignore charts/gardener-extension-shoot-lakom-service/templates/_helpers.tpl - charts/gardener-extension-shoot-lakom-service/templates/_versions.tpl + charts/gardener-extension-shoot-lakom-admission/.helmignore + charts/gardener-extension-shoot-lakom-admission/templates/_helpers.tpl charts/lakom/.helmignore charts/lakom/templates/_helpers.tpl charts/lakom/templates/_versions.tpl config/lakom/cosign/password example/controller-registration.yaml + local-setup/.gitignore go.mod go.sum *.json diff --git a/Dockerfile b/Dockerfile index 4f7d7a75..74ad1f60 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 ############# builder -FROM golang:1.23.1 AS builder +FROM golang:1.23.2 AS builder ARG EFFECTIVE_VERSION ARG TARGETARCH diff --git a/VERSION b/VERSION index 04d403d2..8347ddfd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v0.14.0-dev +v0.16.0-dev diff --git a/charts/gardener-extension-shoot-lakom-admission/Chart.yaml b/charts/gardener-extension-shoot-lakom-admission/Chart.yaml index 909517c3..0ce49a5a 100644 --- a/charts/gardener-extension-shoot-lakom-admission/Chart.yaml 
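Review bot: The new reuse-check workflow declares no `permissions:` block, so its job runs with the repository's default `GITHUB_TOKEN` scope, which on older repositories is read/write, while a compliance check only needs to read the checkout. Add `permissions:` / `  contents: read` at the top level under `name:` (or on the `test` job) so the token is least-privilege. Pinning both actions to a full commit SHA with a version comment is the right call and should stay that way under dependabot updates. Triggering on both `push` and `pull_request` will run the check twice for branches pushed to this repository; restricting `push` to the default branch would avoid the duplicate if that matters here.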
+++ b/charts/gardener-extension-shoot-lakom-admission/Chart.yaml @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + apiVersion: v1 appVersion: "1.0" description: A Helm chart for the admission controller of gardener-extension-shoot-lakom diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/application/Chart.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/application/Chart.yaml index 875a60c7..65bb294b 100644 --- a/charts/gardener-extension-shoot-lakom-admission/charts/application/Chart.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/charts/application/Chart.yaml @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + apiVersion: v1 description: A Helm chart to deploy the gardener-extension-shoot-lakom-admission application related resources name: application diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/application/templates/rbac.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/application/templates/rbac.yaml index bf34397d..34542e3f 100644 --- a/charts/gardener-extension-shoot-lakom-admission/charts/application/templates/rbac.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/charts/application/templates/rbac.yaml @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/application/templates/serviceaccount.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/application/templates/serviceaccount.yaml index 3d7d77ff..1b0da45e 100644 --- a/charts/gardener-extension-shoot-lakom-admission/charts/application/templates/serviceaccount.yaml 
+++ b/charts/gardener-extension-shoot-lakom-admission/charts/application/templates/serviceaccount.yaml @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + {{- if and .Values.global.virtualGarden.enabled ( not .Values.global.virtualGarden.user.name ) }} apiVersion: v1 kind: ServiceAccount diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/Chart.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/Chart.yaml index 6e24ace4..e86ded70 100644 --- a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/Chart.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/Chart.yaml @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + apiVersion: v1 description: A Helm chart to deploy the gardener-extension-shoot-lakom-admission runtime related resources name: runtime diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/deployment.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/deployment.yaml index 5fd71bc4..54148c60 100644 --- a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/deployment.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/deployment.yaml @@ -1,3 +1,8 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + +--- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/poddisruptionbudget.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/poddisruptionbudget.yaml index 083ba43b..afc16af2 100644 
--- a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/poddisruptionbudget.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/poddisruptionbudget.yaml @@ -1,3 +1,8 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + +--- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/rbac.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/rbac.yaml index 986e0061..c327ac16 100644 --- a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/rbac.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/rbac.yaml @@ -1,3 +1,8 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/secret-kubeconfig.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/secret-kubeconfig.yaml index 5559f807..ff926564 100644 --- a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/secret-kubeconfig.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/secret-kubeconfig.yaml @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + {{- if .Values.global.kubeconfig }} apiVersion: v1 kind: Secret diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/service.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/service.yaml index 85db13e3..12681101 100644 
--- a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/service.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/service.yaml @@ -1,3 +1,8 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + +--- apiVersion: v1 kind: Service metadata: diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/serviceaccount.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/serviceaccount.yaml index caf3aa7c..f0730c92 100644 --- a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/serviceaccount.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/serviceaccount.yaml @@ -1,3 +1,8 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + +--- apiVersion: v1 kind: ServiceAccount metadata: diff --git a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/vpa.yaml b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/vpa.yaml index e677767c..4e593331 100644 --- a/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/vpa.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/vpa.yaml @@ -1,3 +1,8 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + +--- {{- if .Values.global.vpa.enabled}} apiVersion: autoscaling.k8s.io/v1 kind: VerticalPodAutoscaler diff --git a/charts/gardener-extension-shoot-lakom-admission/values.yaml b/charts/gardener-extension-shoot-lakom-admission/values.yaml index ce1861a5..cd31bd2c 100644 --- a/charts/gardener-extension-shoot-lakom-admission/values.yaml +++ b/charts/gardener-extension-shoot-lakom-admission/values.yaml 
@@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + global: virtualGarden: enabled: false diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml index d5a2f16a..cbaa9b86 100644 --- a/example/controller-registration.yaml +++ b/example/controller-registration.yaml 
@@ -7,7 +7,7 @@ helm: rawChart: H4sIAAAAAAAAA+09a2/bOLbz2b+Cq8xi22Ilv5OOgV5c1/G0QdvEiDPdu7i4yNASY3MjiVpScuppu799D0lJ1suvJHXTuz4YpDLFxyF53jzUTDF3iE+4ST6FxBeU+aaYMRaaLr5lnikIn1Ob1H96CDQATrpd9S9A8V/13Gx3mq1u6/hYljdPWp3uT6j7oFG3hEiEmCP0E4dJr6u36f0PCtPt9t+aEdejU59xsvsYcoOPO52V+w/bnt//VrPTaP2EGo8/3TL8h+//ERrhMCTcFyhkSO8wupsRH00i6jrUn6IA27d4SoRVO0JXMyqQiIKA8RAegCpcNHXZBHk4tGdQ+6+IExeHdE6gXTjLlGPfgQ58MoW3zEfPAk5u6CfioDsK9f703EIXvrtAzFctJUooIBy51CdWzTodX49DwA26GDDPgw4+DsbIoVzUrCkN6+qvRr9mTf7gdfU3KZhN6/JP8lPM/fqyownMLwrQDXWJqL2wxF0Afyf4Fv6GHjz/C6p+xJyySKCz0yEMGHD2D2KHNYs6BNd1PSiqWXNhM4fUa997V7eHLfl/MMM8tBbYc+8xxib+b3U7Rf5vnrQP/L8PwAH9SLjc9x6aN2s4CNKfRtNqGDWHCJvTIFRFffQW9ACyJTWgG8ZROCPoTUxC6L0kGTTWJIOGCUGpimNJVCBCfOyRHtqO6mrzBJWGBbj8QFz148CW/O8w25qye46xif9PivZfq9FuHx/4fx9Qr6Px6PR/zF9B+w1YsACVOQuvgBh6qNVotdC4P0LjIQIOxr76gW9AUVIcEmQzL8D+Qir2pQywmR9yOolAV4tavV5L+n8PVOQLYp5BtZDeUMJBmoBlMSNmC1gb6k1Zbyq7kF2LGTJtZEwwPPz8+U3/8nR4Pry8ftsfvLs+Pbv8Wk9qmmo85rpAwZxMqQi5Mi8saFhBx8hCPz+zcYgsqw7/fRxejs8uzp/HP8kn7AUuqa/qU6q/pVjrVfRvyImARaUMplhMEh9PwLJAuflpC0pJxrhQWlpSmtqMc7At0BIJlEOiFmR7f7BM3JL/QwIrA5iL+3iCO/t/rWar0z74f/uAnff/Gmx+sMuFFQbb2oKb/b92Yf/b3ePuQf7vAz5/NhFywBMDt8ugHggWA5lfv9YQkm/oDZphMVKeGjLEDLe6xz0DWR+xG4FDqOpbIZ6itEXAqR/eIOPP4r//LIo1OQmYoKAaFuu6IK4gVR327t0hKCj4kXlUz8msXYIdAl4rSF0gf+roBVjLD6ZuYyaN0r5ly++9pTvBzvxvu8AxhIMRAH+F6bLpFFTXWtdwo/3X6Rb4//i4ffD/9gJH39D8O6odbWf8maZZyzqiN8DJfjihoaWfLMrq8yZ2AxBAtVvqOz000GT4qyLDmkdC7OAQ94DjXTwBCSKfUKajhM7r4SIAB9QQhDgG1NH+6AZml79qIiC27DWmfPkI0glzqKUHQ+iWLM5Vf8AVcVFcYZsRTF03bsiJfElO5axQyCMC5SqY1kO30YRwnwA3Wi/W9vtC/XqxTiLdl/81ro/D/93mSZn/Tw78vw/4wfl/pFkmy/9bc/SS33YRGYkY+IcATFWLkHrkHVkAl4ofS/dL2J3/mX9Dpx4OMi102UoZsIH/W2X9f9LuHvh/L/Ak+X/eTLhcEdYHHOzK4ZYmybiygLGgxefPyLoEkx0LYp0nxdIdSDrO0HEPfVHMnUVLjWCl44p4kFRQWLbLIieRVE3VPjuPSIdwVLkNfsvUH0UTl9ogPED4AHYh+7sMMSWuzDIEJJ/z9dEXBD3DcqJj7eggJOXTaxllDzkOEpOE3QFi51usga5+hP5G0B2GbkMGDo2IOEHhDCdRLAfMEpvQOREIS/8JR26I5hJbxMBHk2aKIZ1GGcjCvs9CfdZHBYJnsIWESM77ZI3Z8ixhrmecYjGYEfsWzcIwEL16fQotogmsgVeXbfQfKgQ0qb8Ea+FIPcNr
DxbEfNluN7q/dH5pqPAa0C35BLLL16jAf3ezBXLoVGEFS0ac5bCnUMzkKSQsoTx8gHmCpBMICBr9Hm/L77IhzBbDlGZA8lI7WOgK5vO7R/iUoGcOtcPnv0vTL5Qd+QLw8ASiIWwZLCuWfSZjxuuqNkYiZSTEZMQKBxnLhRSqUBN4iRgLVKg7jrkCOx4sUSyqY5oykv16Fk8MSCo7gecJVUSCyJPZM+lYjyLXHRObk1BoWqog1RX1k+6w67K736C6VOCOqrW6r6rKuY7OQK7YQKWXOkZKN/VVrp9055BJNNWM2sttzogzKfP86cqeM02tQhtY1IRPbnAa2Fh2Dq1CKRSZf59hKlpXDbhG/j9A/6tIy5zYIOtNBtxyx2lIqoyADfq/2Thu5fV/u9FpNQ76fx/wZPR/HG7MhfE+KuK6SGhLkvLOZkIFgWfYK6ZvqQmh92qS3tKIyLsROAisjJ8ODszu6KzoiPpAsn4VLllbRk1FXOcZU1o1ZTujcq1T+6JTiJ1+b4o9wGPCzvLfIYHLFtLQ2jodaL38b7ZaJ82C/9dpNw/5f3uBJyP/s4IdZJ6op9L9NKW4B4r3LQV5UROppMFLIljE7cRczNjkWt7z5H3RDtfNe7GxnRWk30hhSOfIErO6cqz2oHDUmEA2Jp5jCjMC8ggXSUho5bLomNrSuk3japzMqcTyLZjnjC/eU4/CLLrqTQDOL84b+HHhgEWgqhQ2Qh3KsTgor0Lm7zPr/IgrfZ+1SgRpjF2GnlV/RbJSRwicQb0ZiTK4ljr/gv4ZsTCDWrGdzDdZ6VlAPU5tMZI5KRt7EjbHwZKik0q2dNlF5K2JEKrxqW+7kUNkAjC4w+hn6ypeEus1zGYkk4aNTVFG4zmyAFF9IA1jLpHd0ozcCulKa/A+c1jtKa2fSCooJLg5In5UMr4f00uA6neM38oToCKDM5MDT1KPmCDa1VkWSH3lgxNnu/YOcMFuLQIVHzPjOru2nrjMviWOaVOHF9om0ilDYtMQPZObXyWJnqNmRkiAyvRBJmY4mjl9WJp+6YVkNXJDOCfOaQSkNR0DgTqR9OvPlB6Ji4efiB2plNxMUxPdEam+e6jZaGTK9XjxWFeEe73cy5iyxjmxmQUlQoefADMVQhLlGqY8+eytoMhSbYRYIDPeYCx05le81sHA8jByoHtR90Y8E2J/XFzXMY6GkAXMZdOFOj4y8jjNmAjl+hmrBALIHgaCZDFwsRDned4XCwGaxvwlJYR4Zfq2Lenz/L6SQgXP5Jgy8ARWYjof4PW+OGf+JZjJ6Xm1BsVHI07nYGNOyVDY2MU6nVwFqNJ60Le0KXUki2SXVBsLl1qcnOroVvxaajFM/fhAXq/7A+SgktQ5EZ8kRVmlajK2OWLA84ucXtUJSEH6Midm+TRDKyYyY6X2qk5Cu553uTLqLtfCpTfEXtguMT38SbaHHeEy7s2J/CFvsbxaoebTptay2Xjh2yKLoxxjRrAbzpRy3H2UTONN42jj2NQ8JndoaQCt6l03uUha9JenDIW+CylaJnVeZbe1nPVlVawCDycEh2bqNrzacH5SbAgzJ3cmqAnYVOzC3sJUnHUrp9tZqt1Z3GysW1VvkjkBJ8nEjiPF86ve2j1R9l2hl9j0266brJ2YtQ/lbbAsXadcOdrW6syJRs3A8euccmQhs5nbQ1eDUVru0jmslhAgOCY5sSGPj96QMC+c5a20HqrrBfmjoCbXIFu9ghIEkLrE9+3V1SjzQqpbit1T4uJFvINSMy8lJhAg3Rlv2Wqxd7S7aQXiz7MbrXfq/bB/Ory8Hr4fDq7OLs6vz/sfhuNRfzDM9KsU5a/gSOSndUOJ61ySm6IGVeUjNefESbJSLkzr7mjtJ/iefei/GX4EZC8ury8+Di//dnl2VcIVFlu50JkYar0yqJrDJqehSwjyfBQhIYS4sOoMeNniC2hV6i3jss1GcaDC2HPmRh75IPW9KO9ZPiEmPS5PwJPN9PqXdVOmnqRH
edpX0Pn33JgNvtcK/ErbtB1+ueXSi1UyItaukp0cO2SJd6fkhAQAaa9gRMa2apUVoEELhPL7nZZ+14VfM+VHOWhJID7C/MAc6LnTamTmdjiGeEzYOf4PvqRDBY/UjdBJ5EzJxoOATee/7Xbx/sdxq3W4/7EXeJLx/0A5TssTgBFzTlOae61obj9HAU/kTDeJPoEr9psfh9nBQ0bNJx7ujlWRIB6I+IGkFw6e13+9Qk2rdWw2wOUa4ECfGFDo7x10HdOA9YaG8aMePvK1JbsAWhgCZirnJXa+++4dXoi+DDMcDqp3hJ3lP59ge8cPQWyQ/+1up5j/3250Dvm/e4EnIf+P0NXF6cWzeeDLsvnzHrokHpiFwPU6Q1N+CSbOYBSIgbyJr0qnV6SpUJb+oqxLFL3iKJwxTv/QV6hvXwp9oyB/l+CSuWRdnnHxDLO3Tlw+Cb3BI1e6NKbMYn7DWRTEt5bk+Xot53jK0mVmh3wJEnsSv5DqVv7rUqEf7qSWKXe7cqXKY8W3iO450KpT5fI4HvbB0XDS0vx4xguj3LlhlLtJbYVvvzLLqoWfddjpMNoOAX01LXmKAqBost1M00NLPbzQubsalXmZNCpX0GaMO9TPMlt5IEWphd5gLKzcwM0rutsYSbky7vS7rWLBledNaZQ2j3y8ysmuPEwOvYYC6k//n4kjmFgc6kt2c8261NLLExnx/JBVENFEfrVLCUTd8zh3KPYtHYnvreZXws72XxLD2sEE3HT/q9lolb//cMj/2wustf/a3/v+V8ygD03rlhdptvb4SzlYmZyRlelsN1zesnFdNZSpM6RMICzQBMKME0lMfUyG/vK/nw35aGx3yvZXIzn2MnrG1WBkfP2/v2yNVzplM4kTxAhkAgWARyH1IHfiAqPqTo2vu4wcMMdUWicdeXmKCitCZR5fztZ5EioqibTojINY85yNSnGW74Zg5rDVrDgn3TrLLx6+fKKqiXaHc9vvLcEO8BC4r/7H2mbaygzY9P2H45Pi/e9us9s56P99wJOI/2zS/4mB/p8U8weXiKlD7vwaXLFbkmbOPcL+78z/8wDv+h3gTed/5e+/tE5azQP/7wOeDP8X0hYkmcV34wu3Pg3JGTKJVJqfaQjFiCUGVAspvBwxpx/Xq/w+zDcQHIntWDGTxErOZoTmy7S0yeTNQSFN8lEyCXX3ztz1qN/XfsgydcMjHuM6e5WTf0aUEwcZq/G2ln1YuqmOu+uWxpoZV7Qsfp0vsTzTXLCqC2GyvHQp7H4pKPJMUUXssuuvS3TWSaalnFC2srWs96Nfjt1S/sff57jfB+A3xX+Oy99/7bQO33/eCzwJ+Z/hzF7VZ5tr2bs1PdSu1XSevpKiyRdAe4hEnAXEdOQtHm4Ft1PLIfN6SuHx/7Whri8JpeX17BFLxdhSME1lJiBYP1LYBJm0/7ObcxaO5Kf6QA7VqlLtQI5IUXMU38fvqedCfmFclp/MDWPWBPNKNPOtFHrzptWy2rXCZdXEUKzlDkakxIa5xMrFDqIe6ja8WlYjNFsvP9AayD1ZJ/1GTZxCWaW5yuol6eq4Az1tEraGVNZGrZYJM6iPGKxK9l/eHUnvNKQaNHvhQJJxTd6JTa8kbKimT3aSO73lJHygPlmz9Pkmvc1yS4LMN510SbLZt2TRjIvkrZipvL0z83roctwfj/vm6N1g3DTnzeuuOX7bb3WP07oqE/SLmf4G+pHwevjm7ByNfnv9/myA3g3/rgozlZqtdqfYZnh+uqJFBsvWPrHEE9vZDstlLnsPvWy8lPuQCUWpMrm+K79XlJBM9ReIcm+rPiuUVCh9KKj0maDlvaY1H/l5NBfuAAc4wAEOcIADHOAABzjAAbaCfwODb+9PAHgAAA== values: image: - tag: v0.14.0-dev + tag: v0.16.0-dev --- apiVersion: core.gardener.cloud/v1beta1 kind: 
ControllerRegistration diff --git a/pkg/controller/lifecycle/actuator.go b/pkg/controller/lifecycle/actuator.go index 4d76fc79..26378e13 100644 --- a/pkg/controller/lifecycle/actuator.go +++ b/pkg/controller/lifecycle/actuator.go @@ -685,11 +685,10 @@ func getShootResources(webhookCaBundle []byte, extensionNamespace, shootAccessSe ObjectSelector: &objectSelector, }}, }, - &rbacv1.Role{ + &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ - Name: constants.LakomResourceReader, - Namespace: metav1.NamespaceSystem, - Labels: getLabels(), + Name: constants.LakomResourceReader, + Labels: getLabels(), }, Rules: []rbacv1.PolicyRule{ { @@ -699,25 +698,7 @@ func getShootResources(webhookCaBundle []byte, extensionNamespace, shootAccessSe }, }, }, - &rbacv1.RoleBinding{ - ObjectMeta: metav1.ObjectMeta{ - Name: constants.LakomResourceReader, - Namespace: metav1.NamespaceSystem, - Labels: getLabels(), - }, - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "Role", - Name: constants.LakomResourceReader, - }, - Subjects: []rbacv1.Subject{ - { - Kind: rbacv1.ServiceAccountKind, - Name: shootAccessServiceAccountName, - Namespace: metav1.NamespaceSystem, - }, - }, - }, + getRoleBinding(scope, shootAccessServiceAccountName), ) if err != nil { 
@@ -752,3 +733,38 @@ func getClientKeys(ctx context.Context, client client.Client, resources []v1beta return clientKeys, nil } +func getRoleBinding(scope lakom.ScopeType, shootAccessServiceAccountName string) client.Object { + roleRef := rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "ClusterRole", + Name: constants.LakomResourceReader, + } + subjects := []rbacv1.Subject{ + { + Kind: rbacv1.ServiceAccountKind, + Name: shootAccessServiceAccountName, + Namespace: metav1.NamespaceSystem, + }, + } + + if scope == lakom.Cluster { + return &rbacv1.ClusterRoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: constants.LakomResourceReader, + Labels: getLabels(), + }, + RoleRef: roleRef, + Subjects: subjects, + } + } + + return &rbacv1.RoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: constants.LakomResourceReader, + Namespace: metav1.NamespaceSystem, + Labels: getLabels(), + }, + RoleRef: roleRef, + Subjects: subjects, + } +} diff --git a/pkg/controller/lifecycle/actuator_test.go b/pkg/controller/lifecycle/actuator_test.go index 409463ba..fba22ae5 100644 --- a/pkg/controller/lifecycle/actuator_test.go +++ b/pkg/controller/lifecycle/actuator_test.go @@ -84,8 +84,8 @@ var _ = Describe("Actuator", func() { Expect(manifests).To(ConsistOf( expectedSeedValidatingWebhook(caBundle, extensionNamespace, managedByGardenerObjectSelector, kubeSystemNamespaceSelector), expectedShootMutatingWebhook(caBundle, extensionNamespace, managedByGardenerObjectSelector, kubeSystemNamespaceSelector), - expectedShootRole(), - expectedShootRoleBinding(shootAccessServiceAccountName), + expectedShootClusterRole(), + expectedShootRoleBinding(shootAccessServiceAccountName, scope), )) }) 
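Review bot: For the non-Cluster scopes `getRoleBinding` returns a RoleBinding with the same name and namespace as the one the removed code created, but with `Kind: "ClusterRole"` in its roleRef instead of `Kind: "Role"`; the Kubernetes API rejects updates that change a binding's roleRef, so reconciling an already-provisioned shoot will fail on this object unless the managed-resource reconciler deletes and recreates it (gardener-resource-manager does that only for objects annotated `resources.gardener.cloud/delete-on-invalid-update: "true"`, as far as I recall — verify against the resource-manager version in use). If that annotation is not already applied to these manifests elsewhere, add it to the binding's ObjectMeta annotations or document the expected migration for existing shoots. The function also has no doc comment; `// getRoleBinding binds the LakomResourceReader ClusterRole to the shoot access service account: cluster-wide for lakom.Cluster, otherwise only in kube-system.` would state the scope distinction, which is the security-relevant decision here. The ClusterRole itself is now emitted for every scope (previous hunk, in getShootResources), which is acceptable because the binding decides where its rules take effect, but that is worth a sentence in the same comment.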
@@ -132,16 +132,17 @@ var _ = Describe("Actuator", func() { ) DescribeTable("Should ensure the rolebinding is correctly set", - func(saName string) { - resources, err := getShootResources(caBundle, extensionNamespace, saName, scope) + func(saName string, lakomScope lakom.ScopeType) { + resources, err := getShootResources(caBundle, extensionNamespace, saName, lakomScope) Expect(err).ToNot(HaveOccurred()) manifests, err := test.ExtractManifestsFromManagedResourceData(resources) Expect(err).ToNot(HaveOccurred()) - Expect(manifests).To(ContainElement(expectedShootRoleBinding(saName))) + Expect(manifests).To(ContainElement(expectedShootRoleBinding(saName, lakomScope))) }, - Entry("ServiceAccount name: test", "test"), - Entry("ServiceAccount name: foo-bar", "foo-bar"), + Entry("ServiceAccount name: test, scope: KubeSystemManagedByGardener", "test", lakom.KubeSystemManagedByGardener), + Entry("ServiceAccount name: foo-bar, scope: KubeSystem", "foo-bar", lakom.KubeSystem), + Entry("ServiceAccount name: foo-bar, scope: Cluster", "foo-bar", lakom.Cluster), ) DescribeTable("Should return the correct object and namespace selectors based on scope", @@ -326,16 +327,15 @@ webhooks: ` } -func expectedShootRole() string { +func expectedShootClusterRole() string { return `apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: creationTimestamp: null labels: app.kubernetes.io/name: lakom app.kubernetes.io/part-of: shoot-lakom-service name: gardener-extension-shoot-lakom-service-resource-reader - namespace: kube-system rules: - apiGroups: - "" 
@@ -346,7 +346,27 @@ rules: ` } -func expectedShootRoleBinding(saName string) string { +func expectedShootRoleBinding(saName string, lakomScope lakom.ScopeType) string { + if lakomScope == lakom.Cluster { + return `apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/name: lakom + app.kubernetes.io/part-of: shoot-lakom-service + name: gardener-extension-shoot-lakom-service-resource-reader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gardener-extension-shoot-lakom-service-resource-reader +subjects: +- kind: ServiceAccount + name: ` + saName + ` + namespace: kube-system +` + } + return `apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -358,7 +378,7 @@ metadata: namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role + kind: ClusterRole name: gardener-extension-shoot-lakom-service-resource-reader subjects: - kind: ServiceAccount