From bc6afe8a0cf3102f912b9f14f0295848d70bb987 Mon Sep 17 00:00:00 2001
From: David Grove
Date: Thu, 31 Oct 2024 14:06:54 -0400
Subject: [PATCH] Add RBAC aggregator cluster roles for appwrappers
---
config/rbac/appwrapper_editor_role.yaml | 27 +++++++++++++++++++++++++
config/rbac/appwrapper_viewer_role.yaml | 22 ++++++++++++++++++++
config/rbac/kustomization.yaml | 2 ++
3 files changed, 51 insertions(+)
create mode 100644 config/rbac/appwrapper_editor_role.yaml
create mode 100644 config/rbac/appwrapper_viewer_role.yaml
diff --git a/config/rbac/appwrapper_editor_role.yaml b/config/rbac/appwrapper_editor_role.yaml
new file mode 100644
index 000000000..73fa98691
--- /dev/null
+++ b/config/rbac/appwrapper_editor_role.yaml
@@ -0,0 +1,27 @@
+# permissions for end users to edit appwrappers.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ name: appwrapper-editor-role
+rules:
+- apiGroups:
+ - workload.codeflare.dev
+ resources:
+ - appwrappers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - workload.codeflare.dev
+ resources:
+ - appwrappers/status
+ verbs:
+ - get
diff --git a/config/rbac/appwrapper_viewer_role.yaml b/config/rbac/appwrapper_viewer_role.yaml
new file mode 100644
index 000000000..1efbb8599
--- /dev/null
+++ b/config/rbac/appwrapper_viewer_role.yaml
@@ -0,0 +1,22 @@
+# permissions for end users to view appwrappers.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: viewer-role
+rules:
+- apiGroups:
+ - workload.codeflare.dev
+ resources:
+ - appwrappers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - workload.codeflare.dev
+ resources:
+ - appwrappers/status
+ verbs:
+ - get
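Review bot: The `aggregate-to-admin` and `aggregate-to-edit` labels in `appwrapper_editor_role.yaml` fold every rule of `appwrapper-editor-role` into the built-in `admin` and `edit` ClusterRoles, so any subject already bound to those roles gains create, update, patch and delete on `appwrappers` once this is applied, and the header comment does not say so. I would extend the comment to `# Aggregated into the built-in admin and edit ClusterRoles; every subject bound to them can create and modify appwrappers.` so the scope of the grant is visible at review time. If the controller creates the wrapped resources under its own service account (not visible in this patch), it is worth confirming that admission checks the submitting user's own rights on those resources before this grant is relied on.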
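Review bot: `name: viewer-role` in `appwrapper_viewer_role.yaml` is a generic name for a cluster-scoped object and does not follow `appwrapper-editor-role` in the sibling file; I would change it to `name: appwrapper-viewer-role`. Unless a kustomize `namePrefix` is applied (not visible in this patch), a ClusterRole with such a generic name can collide with, or be overwritten by, an unrelated object of the same name. Because this role carries `aggregate-to-view`, such a collision would silently change what the built-in `view` role grants.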
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 166fe7986..29b817651 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -9,3 +9,5 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- appwrapper_editor_role.yaml
+- appwrapper_viewer_role.yaml