Trying to fix some operator issues: updating crds and rbac rules

rfelber · rfelber · commit a9bec42a5aeb · 2020-06-11T22:39:51.000+02:00
diff --git a/operator/crds/execution.experimental.securecodebox.io_scans.yaml b/operator/crds/execution.experimental.securecodebox.io_scans.yaml
@@ -113,6 +113,21 @@ spec:
               description: RawResultType determines which kind of ParseDefinition
                 will be used to turn the raw results of the scanner into findings
               type: string
+            readAndWriteHookStatus:
+              items:
+                properties:
+                  hookName:
+                    type: string
+                  jobName:
+                    type: string
+                  state:
+                    description: HookState Describes the State of a Hook on a Scan
+                    type: string
+                required:
+                - hookName
+                - state
+                type: object
+              type: array
             state:
               type: string
           type: object
diff --git a/operator/templates/rbac/auth_proxy_client_clusterrole.yaml b/operator/templates/rbac/auth_proxy_client_clusterrole.yaml
@@ -0,0 +1,7 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: metrics-reader
+rules:
+- nonResourceURLs: ["/metrics"]
+  verbs: ["get"]
diff --git a/operator/templates/rbac/auth_proxy_role.yaml b/operator/templates/rbac/auth_proxy_role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: proxy-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
diff --git a/operator/templates/rbac/auth_proxy_role_binding.yaml b/operator/templates/rbac/auth_proxy_role_binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: {{ .Release.Namespace }}
+
diff --git a/operator/templates/rbac/auth_proxy_service.yaml b/operator/templates/rbac/auth_proxy_service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    control-plane: controller-manager
