From 4357756c5bb61a2c2222ac3c1a7035f81e65bea7 Mon Sep 17 00:00:00 2001 From: Andrew Karpow Date: Mon, 4 May 2026 13:49:04 -0400 Subject: [PATCH] Generate RBAC role directly into Chart template, adapt hardcoded path. helmify before did convert the controller-gen generated rbac role to helm, but now we can just use it directly in the charts. Seperated out the rbac role. Should work as before. --- Makefile | 2 +- Makefile.maker.yaml | 3 +- .../templates/manager-clusterrolebinding.yaml | 14 +++ .../templates/manager-rbac.yaml | 101 ------------------ .../templates}/role.yaml | 2 +- 5 files changed, 18 insertions(+), 104 deletions(-) create mode 100644 charts/openstack-hypervisor-operator/templates/manager-clusterrolebinding.yaml delete mode 100644 charts/openstack-hypervisor-operator/templates/manager-rbac.yaml rename {config/rbac => charts/openstack-hypervisor-operator/templates}/role.yaml (96%) diff --git a/Makefile b/Makefile index 7ad6a90a..14ff0c95 100644 --- a/Makefile +++ b/Makefile @@ -113,7 +113,7 @@ check: FORCE static-check build/cover.html build-all generate: install-controller-gen @printf "\e[1;36m>> controller-gen\e[0m\n" - @controller-gen crd:allowDangerousTypes=true rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=charts/openstack-hypervisor-operator/crds output:rbac:artifacts:config=config/rbac + @controller-gen crd:allowDangerousTypes=true rbac:roleName=hypervisor-operator-manager-role webhook paths="./..." output:crd:artifacts:config=charts/openstack-hypervisor-operator/crds output:rbac:artifacts:config=charts/openstack-hypervisor-operator/templates @controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..." @controller-gen applyconfiguration paths="./..." diff --git a/Makefile.maker.yaml b/Makefile.maker.yaml index 3f7ffa96..63785c22 100644 --- a/Makefile.maker.yaml +++ b/Makefile.maker.yaml 
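Review bot: The role name `hypervisor-operator-manager-role` passed to `rbac:roleName=` in the `generate` recipe is now a literal that has to match `rbacRoleName` in Makefile.maker.yaml and `roleRef.name` in the new manager-clusterrolebinding.yaml, and nothing in this patch ties the three together. If one of them is renamed, the chart still renders and installs, but the binding then points at a ClusterRole that does not exist, and the operator's service account gets no permissions, which only shows up at runtime. I would put a comment next to the setting, for example `# keep in sync with roleRef.name in templates/manager-clusterrolebinding.yaml`, in Makefile.maker.yaml if this Makefile is generated from it, with a matching comment in the binding template.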
@@ -9,7 +9,8 @@ controllerGen: enabled: true crdOutputPath: charts/openstack-hypervisor-operator/crds objectHeaderFile: hack/boilerplate.go.txt - rbacRoleName: manager-role + rbacRoleName: hypervisor-operator-manager-role + rbacOutputPath: charts/openstack-hypervisor-operator/templates allowDangerousTypes: true coverageTest: diff --git a/charts/openstack-hypervisor-operator/templates/manager-clusterrolebinding.yaml b/charts/openstack-hypervisor-operator/templates/manager-clusterrolebinding.yaml new file mode 100644 index 00000000..34537573 --- /dev/null +++ b/charts/openstack-hypervisor-operator/templates/manager-clusterrolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "openstack-hypervisor-operator.fullname" . }}-manager-rolebinding + labels: + {{- include "openstack-hypervisor-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: hypervisor-operator-manager-role +subjects: +- kind: ServiceAccount + name: '{{ include "openstack-hypervisor-operator.serviceAccountName" . }}' + namespace: '{{ .Release.Namespace }}' diff --git a/charts/openstack-hypervisor-operator/templates/manager-rbac.yaml b/charts/openstack-hypervisor-operator/templates/manager-rbac.yaml deleted file mode 100644 index 53af34e9..00000000 --- a/charts/openstack-hypervisor-operator/templates/manager-rbac.yaml +++ /dev/null 
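Review bot: `roleRef.name` in manager-clusterrolebinding.yaml is the fixed string `hypervisor-operator-manager-role`, where the removed manager-rbac.yaml derived the role name from `openstack-hypervisor-operator.fullname`. ClusterRoles are cluster-scoped, so a second release of this chart in the same cluster would no longer get its own role; both releases would claim the same object, and Helm normally refuses a resource that already belongs to another release. The binding's own `metadata.name` is still per release, which makes the asymmetry easy to miss. If one install per cluster is the intended contract, a template comment above `roleRef` such as `{{- /* fixed name: role.yaml is generated by controller-gen and cannot be templated; one release per cluster */ -}}` would record it. Separately, `metadata.name` is the only templated scalar in this file left unquoted, while the two under `subjects` are quoted.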
@@ -1,101 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "openstack-hypervisor-operator.fullname" . }}-manager-role
- labels:
- {{- include "openstack-hypervisor-operator.labels" . | nindent 4 }}
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - get
-- apiGroups:
- - apps
- resources:
- - deployments
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - cert-manager.io
- resources:
- - certificates
- verbs:
- - create
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - kvm.cloud.sap
- resources:
- - evictions
- - hypervisors
- - hypervisors/status
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - kvm.cloud.sap
- resources:
- - evictions/finalizers
- verbs:
- - update
-- apiGroups:
- - kvm.cloud.sap
- resources:
- - evictions/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - policy
- resources:
- - poddisruptionbudgets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "openstack-hypervisor-operator.fullname" . }}-manager-rolebinding
- labels:
- {{- include "openstack-hypervisor-operator.labels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: '{{ include "openstack-hypervisor-operator.fullname" . }}-manager-role'
-subjects:
-- kind: ServiceAccount
- name: '{{ include "openstack-hypervisor-operator.serviceAccountName" . }}'
- namespace: '{{ .Release.Namespace }}'
diff --git a/config/rbac/role.yaml b/charts/openstack-hypervisor-operator/templates/role.yaml
similarity index 96%
rename from config/rbac/role.yaml
rename to charts/openstack-hypervisor-operator/templates/role.yaml
index 27fd80cb..edd53191 100644
--- a/config/rbac/role.yaml +++ b/charts/openstack-hypervisor-operator/templates/role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: manager-role + name: hypervisor-operator-manager-role rules: - apiGroups: - ""
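Review bot: The ClusterRole that now ships from `templates/role.yaml` has only `name` under `metadata` in this hunk, so it no longer carries the `openstack-hypervisor-operator.labels` block that the removed manager-rbac.yaml put on the role. Without the chart labels, label-based queries will not find this role when someone audits which release holds cluster-wide rights, such as the `patch` and `update` verbs on `nodes` listed in the removed template. Because controller-gen rewrites the file on every `make generate`, labels cannot be added by hand; either document the gap or post-process the file after generation. It would also help to have CI run `make generate` and fail on a non-empty `git diff`, since the `+kubebuilder:rbac` markers now decide the shipped permissions directly. The `rules` list continues outside the hunk.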