diff --git a/addon/v1alpha1/0000_03_addon.open-cluster-management.io_addontemplates.crd.yaml b/addon/v1alpha1/0000_03_addon.open-cluster-management.io_addontemplates.crd.yaml
index ade1103ff..62e016b95 100644
--- a/addon/v1alpha1/0000_03_addon.open-cluster-management.io_addontemplates.crd.yaml
+++ b/addon/v1alpha1/0000_03_addon.open-cluster-management.io_addontemplates.crd.yaml
@@ -384,38 +384,59 @@ spec: to bind the user provided ClusterRole/Role to the "system:open-cluster-management:cluster::addon:" Group. properties: - roleRef: - description: RoleRef is an reference to the permission - resource. it could be a role or a cluster role, - the user must make sure it exist on the hub cluster. + currentCluster: + description: CurrentCluster contains the configuration + of CurrentCluster type binding. It is required when + the type is CurrentCluster. properties: - apiGroup: - description: APIGroup is the group for the resource - being referenced - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced + clusterRoleName: + description: ClusterRoleName is the name of the + clusterrole the addon agent is bound. A rolebinding + will be created referring to this cluster role + in each cluster namespace. The user must make + sure the clusterrole exists on the hub cluster. type: string required: - - apiGroup - - kind - - name + - clusterRoleName type: object - x-kubernetes-map-type: atomic singleNamespace: description: SingleNamespace contains the configuration of SingleNamespace type binding. It is required when the type is SingleNamespace properties: namespace: + description: Namespace is the namespace the addon + agent has permissions to bind to. A rolebinding + will be created in this namespace referring + to the RoleRef. type: string + roleRef: + description: RoleRef is an reference to the permission + resource. it could be a role or a cluster role, + the user must make sure it exist on the hub + cluster. 
+ properties: + apiGroup: + description: APIGroup is the group for the + resource being referenced + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - apiGroup + - kind + - name + type: object + x-kubernetes-map-type: atomic required: - namespace + - roleRef type: object type: description: 'Type of the permissions setting. It @@ -429,7 +450,6 @@ spec: - SingleNamespace type: string required: - - roleRef - type type: object type: array diff --git a/addon/v1alpha1/types_addontemplate.go b/addon/v1alpha1/types_addontemplate.go index 199acc557..a373c6c36 100644 --- a/addon/v1alpha1/types_addontemplate.go +++ b/addon/v1alpha1/types_addontemplate.go 
@@ -123,19 +123,33 @@ type HubPermissionConfig struct {
 // +kubebuilder:validation:Enum:=CurrentCluster;SingleNamespace
 Type HubPermissionsBindingType `json:"type"`
 
- // RoleRef is an reference to the permission resource. it could be a role or a cluster role,
- // the user must make sure it exist on the hub cluster.
- // +kubebuilder:validation:Required
- RoleRef rbacv1.RoleRef `json:"roleRef"`
+ // CurrentCluster contains the configuration of CurrentCluster type binding.
+ // It is required when the type is CurrentCluster.
+ CurrentCluster *CurrentClusterBindingConfig `json:"currentCluster,omitempty"`
 // SingleNamespace contains the configuration of SingleNamespace type binding.
 // It is required when the type is SingleNamespace
 SingleNamespace *SingleNamespaceBindingConfig `json:"singleNamespace,omitempty"`
 }
 
+type CurrentClusterBindingConfig struct {
+ // ClusterRoleName is the name of the clusterrole the addon agent is bound. A rolebinding
+ // will be created referring to this cluster role in each cluster namespace.
+ // The user must make sure the clusterrole exists on the hub cluster.
+ // +kubebuilder:validation:Required
+ ClusterRoleName string `json:"clusterRoleName"`
+}
+
 type SingleNamespaceBindingConfig struct {
+ // Namespace is the namespace the addon agent has permissions to bind to. A rolebinding
+ // will be created in this namespace referring to the RoleRef.
+ // +kubebuilder:validation:Required
 Namespace string `json:"namespace"`
+
+ // RoleRef is an reference to the permission resource. it could be a role or a cluster role,
+ // the user must make sure it exist on the hub cluster.
+ // +kubebuilder:validation:Required
+ RoleRef rbacv1.RoleRef `json:"roleRef"`
 }
 type CustomSignerRegistrationConfig struct {
diff --git a/addon/v1alpha1/zz_generated.deepcopy.go b/addon/v1alpha1/zz_generated.deepcopy.go
index 279031426..f4e7e2ede 100644
--- a/addon/v1alpha1/zz_generated.deepcopy.go
+++ b/addon/v1alpha1/zz_generated.deepcopy.go
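Review bot: The new `CurrentCluster` and `SingleNamespace` fields are both `omitempty` pointers and nothing ties either of them to `Type`, so an object with `type: CurrentCluster` and no `currentCluster` block (or only a `singleNamespace` block) passes CRD validation and can presumably only be rejected by the controller at runtime, if at all. If the project's controller-gen and hub API server support CEL markers, a rule on the `HubPermissionConfig` struct (declared above this hunk) such as `// +kubebuilder:validation:XValidation:rule="self.type != 'CurrentCluster' || has(self.currentCluster)",message="currentCluster is required when type is CurrentCluster"` (plus the matching rule for SingleNamespace) would reject such objects on admission instead. `clusterRoleName` and `namespace` are only marked `Required`, which an empty string satisfies, so `// +kubebuilder:validation:MinLength=1` on each keeps a binding against a nameless ClusterRole or namespace from reaching the controller. The `Type` field comment above this hunk (reproduced in the swagger doc hunk of this commit) still says CurrentCluster binds "the roleRef", which this change replaces with a ClusterRole name, so it needs the same update; while the `RoleRef` comment is being moved, "is an reference" and "make sure it exist" read better as "is a reference" and "make sure it exists".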
@@ -453,6 +453,22 @@ func (in *ConfigSpecHash) DeepCopy() *ConfigSpecHash {
 return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CurrentClusterBindingConfig) DeepCopyInto(out *CurrentClusterBindingConfig) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CurrentClusterBindingConfig.
+func (in *CurrentClusterBindingConfig) DeepCopy() *CurrentClusterBindingConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(CurrentClusterBindingConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomSignerRegistrationConfig) DeepCopyInto(out *CustomSignerRegistrationConfig) {
 *out = *in
@@ -532,7 +548,11 @@ func (in *HealthCheck) DeepCopy() *HealthCheck {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HubPermissionConfig) DeepCopyInto(out *HubPermissionConfig) {
 *out = *in
- out.RoleRef = in.RoleRef
+ if in.CurrentCluster != nil {
+ in, out := &in.CurrentCluster, &out.CurrentCluster
+ *out = new(CurrentClusterBindingConfig)
+ **out = **in
+ }
 if in.SingleNamespace != nil {
 in, out := &in.SingleNamespace, &out.SingleNamespace
 *out = new(SingleNamespaceBindingConfig)
@@ -971,6 +991,7 @@ func (in *SigningCARef) DeepCopy() *SigningCARef {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SingleNamespaceBindingConfig) DeepCopyInto(out *SingleNamespaceBindingConfig) {
 *out = *in
+ out.RoleRef = in.RoleRef
 return
 }
diff --git a/addon/v1alpha1/zz_generated.swagger_doc_generated.go b/addon/v1alpha1/zz_generated.swagger_doc_generated.go
index e6d4ab716..148e1b36c 100644
--- a/addon/v1alpha1/zz_generated.swagger_doc_generated.go
+++ b/addon/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -113,6 +113,14 @@ func (AddOnTemplateSpec) SwaggerDoc() map[string]string {
 return map_AddOnTemplateSpec
 }
 
+var map_CurrentClusterBindingConfig = map[string]string{
+ "clusterRoleName": "ClusterRoleName is the name of the clusterrole the addon agent is bound. A rolebinding will be created referring to this cluster role in each cluster namespace. The user must make sure the clusterrole exists on the hub cluster.",
+}
+
+func (CurrentClusterBindingConfig) SwaggerDoc() map[string]string {
+ return map_CurrentClusterBindingConfig
+}
+
 var map_CustomSignerRegistrationConfig = map[string]string{
 "signerName": "signerName is the name of signer that addon agent will use to create csr.",
 "subject": "Subject is the user subject of the addon agent to be registered to the hub. If it is not set, the addon agent will have the default subject \"subject\": {\n \"user\": \"system:open-cluster-management:cluster:{clusterName}:addon:{addonName}:agent:{agentName}\",\n \"groups: [\"system:open-cluster-management:cluster:{clusterName}:addon:{addonName}\",\n \"system:open-cluster-management:addon:{addonName}\", \"system:authenticated\"]\n}",
@@ -126,7 +134,7 @@ func (CustomSignerRegistrationConfig) SwaggerDoc() map[string]string {
 var map_HubPermissionConfig = map[string]string{
 "": "HubPermissionConfig configures the permission of the addon agent to access the hub cluster. Will create a RoleBinding in the same namespace as the managedClusterAddon to bind the user provided ClusterRole/Role to the \"system:open-cluster-management:cluster::addon:\" Group.",
 "type": "Type of the permissions setting. It defines how to bind the roleRef on the hub cluster. It can be: - CurrentCluster: Bind the roleRef to the namespace with the same name as the managedCluster. - SingleNamespace: Bind the roleRef to the namespace specified by SingleNamespaceBindingConfig.",
- "roleRef": "RoleRef is an reference to the permission resource. it could be a role or a cluster role, the user must make sure it exist on the hub cluster.",
+ "currentCluster": "CurrentCluster contains the configuration of CurrentCluster type binding. It is required when the type is CurrentCluster.",
 "singleNamespace": "SingleNamespace contains the configuration of SingleNamespace type binding. It is required when the type is SingleNamespace",
 }
 
@@ -162,6 +170,15 @@ func (SigningCARef) SwaggerDoc() map[string]string {
 return map_SigningCARef
 }
 
+var map_SingleNamespaceBindingConfig = map[string]string{
+ "namespace": "Namespace is the namespace the addon agent has permissions to bind to. A rolebinding will be created in this namespace referring to the RoleRef.",
+ "roleRef": "RoleRef is an reference to the permission resource. it could be a role or a cluster role, the user must make sure it exist on the hub cluster.",
+}
+
+func (SingleNamespaceBindingConfig) SwaggerDoc() map[string]string {
+ return map_SingleNamespaceBindingConfig
+}
+
 var map_AddOnMeta = map[string]string{
 "": "AddOnMeta represents a collection of metadata information for the add-on.",
 "displayName": "displayName represents the name of add-on that will be displayed.",