Generate RBAC files using operator-sdk

Temporarily delete mariadbaccount sample files then run: operator-sdk create api --group mariadb --version v1beta1 --kind MariaDBAccount
openstack-k8s-operators · Nov 21, 2023 · 207ba9b · 207ba9b
1 parent a7cc39f
commit 207ba9b
Show file tree

Hide file tree

Showing 9 changed files with 155 additions and 8 deletions.
diff --git a/PROJECT b/PROJECT
@@ -1,3 +1,7 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: openstack.org
 layout:
 - go.kubebuilder.io/v3
@@ -42,4 +46,13 @@ resources:
     defaulting: true
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: openstack.org
+  group: mariadb
+  kind: MariaDBAccount
+  path: github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1
+  version: v1beta1
 version: "3"
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -14,13 +14,15 @@ patchesStrategicMerge:
 #- patches/webhook_in_galeras.yaml
 #- patches/webhook_in_mariadbs.yaml
 #- patches/webhook_in_mariadbdatabases.yaml
+#- patches/webhook_in_mariadbaccounts.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
 #- patches/cainjection_in_galeras.yaml
 #- patches/cainjection_in_mariadbs.yaml
 #- patches/cainjection_in_mariadbdatabases.yaml
+#- patches/cainjection_in_mariadbaccounts.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/config/crd/patches/cainjection_in_mariadbaccounts.yaml b/config/crd/patches/cainjection_in_mariadbaccounts.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: mariadbaccounts.mariadb.openstack.org
diff --git a/config/crd/patches/webhook_in_mariadbaccounts.yaml b/config/crd/patches/webhook_in_mariadbaccounts.yaml
@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: mariadbaccounts.mariadb.openstack.org
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1
diff --git a/config/rbac/mariadbaccount_editor_role.yaml b/config/rbac/mariadbaccount_editor_role.yaml
@@ -0,0 +1,31 @@
+# permissions for end users to edit mariadbaccounts.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: mariadbaccount-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: mariadb-operator
+    app.kubernetes.io/part-of: mariadb-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: mariadbaccount-editor-role
+rules:
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts/status
+  verbs:
+  - get
diff --git a/config/rbac/mariadbaccount_viewer_role.yaml b/config/rbac/mariadbaccount_viewer_role.yaml
@@ -0,0 +1,27 @@
+# permissions for end users to view mariadbaccounts.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: mariadbaccount-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: mariadb-operator
+    app.kubernetes.io/part-of: mariadb-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: mariadbaccount-viewer-role
+rules:
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts/status
+  verbs:
+  - get
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
@@ -3,4 +3,5 @@ resources:
 - mariadb_v1beta1_mariadb.yaml
 - mariadb_v1beta1_mariadbdatabase.yaml
 - mariadb_v1beta1_galera.yaml
+- mariadb_v1beta1_mariadbaccount.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples
diff --git a/config/samples/mike_mariadb_v1beta1_galera.yaml b/config/samples/mike_mariadb_v1beta1_galera.yaml
@@ -0,0 +1,57 @@
+apiVersion: mariadb.openstack.org/v1beta1
+kind: Galera
+metadata:
+  name: mikegalera
+spec:
+  containerImage: quay.io/podified-antelope-centos9/openstack-mariadb:current-podified
+  secret: osp-secret
+  storageClass: local-storage
+  storageRequest: 500M
+  replicas: 3
+
+---
+
+apiVersion: mariadb.openstack.org/v1beta1
+kind: MariaDBDatabase
+metadata:
+  name: neutron
+  labels:
+    dbName: mikegalera
+spec:
+  name: neutron
+  secret: openstackdb-secret
+
+---
+
+apiVersion: mariadb.openstack.org/v1beta1
+kind: MariaDBAccount
+metadata:
+  labels:
+    mariaDBDatabaseName: neutron
+  name: neutron1
+spec:
+  userName: neutron1
+  secret: neutrondb-secret
+
+---
+
+apiVersion: v1
+data:
+  # 12345678
+  DatabasePassword: MTIzNDU2Nzg=
+kind: Secret
+metadata:
+  name: openstackdb-secret
+type: Opaque
+
+---
+
+apiVersion: v1
+data:
+  # neutron123
+  DatabasePassword: bmV1dHJvbjEyMw==
+kind: Secret
+metadata:
+  name: neutrondb-secret
+type: Opaque
+