✨ kustomize: remove extraneous labels and rules, include editor/viewer roles

config/e2e/manager_e2e_coverage_copy_pod.yaml

@@ -2,13 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: e2e-coverage-copy-pod
-  labels:
-    app.kubernetes.io/name: e2e-coverage-copy-pod
-    app.kubernetes.io/instance: controller-manager
-    app.kubernetes.io/component: e2e-coverage
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
 spec:
   restartPolicy: Never
   securityContext:

config/manager/manager.yaml

@@ -3,12 +3,6 @@ kind: Namespace
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: namespace
-    app.kubernetes.io/instance: system
-    app.kubernetes.io/component: manager
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
     pod-security.kubernetes.io/enforce: restricted
     pod-security.kubernetes.io/enforce-version: latest
   name: system
@@ -22,12 +16,6 @@ metadata:
     kubectl.kubernetes.io/default-logs-container: manager
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: deployment
-    app.kubernetes.io/instance: controller-manager
-    app.kubernetes.io/component: manager
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
 spec:
   selector:
     matchLabels:
@@ -102,4 +90,4 @@ spec:
       terminationGracePeriodSeconds: 10
       volumes:
         - name: cache
-          emptyDir: {}
+          emptyDir: {}

config/prometheus/monitor.yaml

@@ -5,12 +5,6 @@ kind: ServiceMonitor
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: servicemonitor
-    app.kubernetes.io/instance: controller-manager-metrics-monitor
-    app.kubernetes.io/component: metrics
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-monitor
   namespace: system
 spec:

config/rbac/auth_proxy_client_clusterrole.yaml

@@ -1,13 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: metrics-reader
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: metrics-reader
 rules:
 - nonResourceURLs:

config/rbac/auth_proxy_role.yaml

@@ -1,13 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: proxy-role
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: proxy-role
 rules:
 - apiGroups:

config/rbac/auth_proxy_role_binding.yaml

@@ -1,13 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrolebinding
-    app.kubernetes.io/instance: proxy-rolebinding
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: proxy-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io

config/rbac/auth_proxy_service.yaml

@@ -3,12 +3,6 @@ kind: Service
 metadata:
   labels:
     control-plane: controller-manager
-    app.kubernetes.io/name: service
-    app.kubernetes.io/instance: controller-manager-metrics-service
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-service
   namespace: system
 spec:

config/rbac/clusterextension_editor_role.yaml

@@ -2,13 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: clusterextension-editor-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: clusterextension-editor-role
 rules:
 - apiGroups:
@@ -23,9 +16,3 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - olm.operatorframework.io
-  resources:
-  - clusterextensions/status
-  verbs:
-  - get

config/rbac/clusterextension_viewer_role.yaml

@@ -2,13 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: clusterextension-viewer-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: clusterextension-viewer-role
 rules:
 - apiGroups:
@@ -19,9 +12,3 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - olm.operatorframework.io
-  resources:
-  - clusterextensions/status
-  verbs:
-  - get

config/rbac/kustomization.yaml

@@ -9,6 +9,14 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+
+# The following resources are pre-defined roles for editors and viewers
+# of APIs provided by this project.
+- clusterextension_editor_role.yaml
+- clusterextension_viewer_role.yaml
+- extension_editor_role.yaml
+- extension_viewer_role.yaml
+
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.

config/rbac/leader_election_role.yaml

@@ -2,13 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  labels:
-    app.kubernetes.io/name: role
-    app.kubernetes.io/instance: leader-election-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: leader-election-role
 rules:
 - apiGroups:

config/rbac/leader_election_role_binding.yaml

@@ -1,13 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  labels:
-    app.kubernetes.io/name: rolebinding
-    app.kubernetes.io/instance: leader-election-rolebinding
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: leader-election-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io

config/rbac/role.yaml

@@ -48,7 +48,6 @@ rules:
   resources:
   - clusterextensions/status
   verbs:
-  - get
   - patch
   - update
 - apiGroups:
@@ -74,6 +73,5 @@ rules:
   resources:
   - extensions/status
   verbs:
-  - get
   - patch
   - update

config/rbac/role_binding.yaml

@@ -1,13 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrolebinding
-    app.kubernetes.io/instance: manager-rolebinding
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io

config/rbac/service_account.yaml

@@ -1,12 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  labels:
-    app.kubernetes.io/name: serviceaccount
-    app.kubernetes.io/instance: controller-manager-sa
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: operator-controller
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
   name: controller-manager
   namespace: system

config/samples/olm_v1alpha1_clusterextension.yaml

@@ -1,12 +1,6 @@
 apiVersion: olm.operatorframework.io/v1alpha1
 kind: ClusterExtension
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterextension
-    app.kubernetes.io/instance: clusterextension-sample
-    app.kubernetes.io/part-of: operator-controller
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/created-by: operator-controller
   name: clusterextension-sample
 spec:
   packageName: argocd-operator

internal/controllers/clusterextension_controller.go

@@ -56,7 +56,7 @@ type ClusterExtensionReconciler struct {
 }
 
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions,verbs=get;list;watch
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/status,verbs=update;patch
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/finalizers,verbs=update
 
 //+kubebuilder:rbac:groups=core.rukpak.io,resources=bundledeployments,verbs=get;list;watch;create;update;patch

internal/controllers/extension_controller.go

@@ -44,7 +44,7 @@ type ExtensionReconciler struct {
 }
 
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=extensions,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=extensions/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=extensions/status,verbs=update;patch
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=extensions/finalizers,verbs=update
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to