Update permission config in addontemplate api (#283)
Signed-off-by: Jian Qiu <jqiu@redhat.com>
qiujian16 committed Sep 21, 2023
1 parent 0146ddf commit 9cb6321
Showing 4 changed files with 98 additions and 26 deletions.
Expand Up @@ -384,38 +384,59 @@ spec:
to bind the user provided ClusterRole/Role to the "system:open-cluster-management:cluster:<cluster-name>:addon:<addon-name>"
Group.
properties:
roleRef:
description: RoleRef is an reference to the permission
resource. it could be a role or a cluster role,
the user must make sure it exist on the hub cluster.
currentCluster:
description: CurrentCluster contains the configuration
of CurrentCluster type binding. It is required when
the type is CurrentCluster.
properties:
apiGroup:
description: APIGroup is the group for the resource
being referenced
type: string
kind:
description: Kind is the type of resource being
referenced
type: string
name:
description: Name is the name of resource being
referenced
clusterRoleName:
description: ClusterRoleName is the name of the
clusterrole the addon agent is bound. A rolebinding
will be created referring to this cluster role
in each cluster namespace. The user must make
sure the clusterrole exists on the hub cluster.
type: string
required:
- apiGroup
- kind
- name
- clusterRoleName
type: object
x-kubernetes-map-type: atomic
singleNamespace:
description: SingleNamespace contains the configuration
of SingleNamespace type binding. It is required
when the type is SingleNamespace
properties:
namespace:
description: Namespace is the namespace the addon
agent has permissions to bind to. A rolebinding
will be created in this namespace referring
to the RoleRef.
type: string
roleRef:
description: RoleRef is an reference to the permission
resource. it could be a role or a cluster role,
the user must make sure it exist on the hub
cluster.
properties:
apiGroup:
description: APIGroup is the group for the
resource being referenced
type: string
kind:
description: Kind is the type of resource
being referenced
type: string
name:
description: Name is the name of resource
being referenced
type: string
required:
- apiGroup
- kind
- name
type: object
x-kubernetes-map-type: atomic
required:
- namespace
- roleRef
type: object
type:
description: 'Type of the permissions setting. It
Expand All @@ -429,7 +450,6 @@ spec:
- SingleNamespace
type: string
required:
- roleRef
- type
type: object
type: array
22 changes: 18 additions & 4 deletions addon/v1alpha1/types_addontemplate.go
Expand Up @@ -123,19 +123,33 @@ type HubPermissionConfig struct {
// +kubebuilder:validation:Enum:=CurrentCluster;SingleNamespace
Type HubPermissionsBindingType `json:"type"`

// RoleRef is an reference to the permission resource. it could be a role or a cluster role,
// the user must make sure it exist on the hub cluster.
// +kubebuilder:validation:Required
RoleRef rbacv1.RoleRef `json:"roleRef"`
// CurrentCluster contains the configuration of CurrentCluster type binding.
// It is required when the type is CurrentCluster.
CurrentCluster *CurrentClusterBindingConfig `json:"currentCluster,omitempty"`

// SingleNamespace contains the configuration of SingleNamespace type binding.
// It is required when the type is SingleNamespace
SingleNamespace *SingleNamespaceBindingConfig `json:"singleNamespace,omitempty"`
}

type CurrentClusterBindingConfig struct {
// ClusterRoleName is the name of the clusterrole the addon agent is bound. A rolebinding
// will be created referring to this cluster role in each cluster namespace.
// The user must make sure the clusterrole exists on the hub cluster.
// +kubebuilder:validation:Required
ClusterRoleName string `json:"clusterRoleName"`
}

type SingleNamespaceBindingConfig struct {
// Namespace is the namespace the addon agent has permissions to bind to. A rolebinding
// will be created in this namespace referring to the RoleRef.
// +kubebuilder:validation:Required
Namespace string `json:"namespace"`

// RoleRef is an reference to the permission resource. it could be a role or a cluster role,
// the user must make sure it exist on the hub cluster.
// +kubebuilder:validation:Required
RoleRef rbacv1.RoleRef `json:"roleRef"`
}

type CustomSignerRegistrationConfig struct {
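Review bot: The "required when the type is ..." contract on `CurrentCluster` and `SingleNamespace` in HubPermissionConfig is stated only in comments; both fields are optional pointers, so an object with `type: CurrentCluster` and no `currentCluster` (or with both blocks set) passes schema validation, and any consumer has to nil-check before dereferencing. Because these fields decide which RoleBinding gets created on the hub, I would enforce the union at admission, for example with a struct-level marker such as `// +kubebuilder:validation:XValidation:rule="self.type != 'CurrentCluster' || has(self.currentCluster)",message="currentCluster is required when type is CurrentCluster"` plus the matching rule for `singleNamespace`, assuming the controller-tools version in use supports CEL markers. The new exported types `CurrentClusterBindingConfig` and `SingleNamespaceBindingConfig` also have no doc comment; a line like `// CurrentClusterBindingConfig configures the rolebinding created in each cluster namespace.` would help. The HubPermissionConfig declaration starts above the hunk, so the struct-level markers would go on lines not shown here.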
23 changes: 22 additions & 1 deletion addon/v1alpha1/zz_generated.deepcopy.go


19 changes: 18 additions & 1 deletion addon/v1alpha1/zz_generated.swagger_doc_generated.go

