Initial commit for the operator

config/rbac/kustomization.yaml

@@ -0,0 +1,29 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- metrics_auth_role.yaml
+- metrics_auth_role_binding.yaml
+- metrics_reader_role.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. Those roles are
+# not used by the Project itself. You can comment the following lines
+# if you do not want those helpers be installed with your Project.
+- raczylo.com_clusterimage_editor_role.yaml
+- raczylo.com_clusterimage_viewer_role.yaml
+- raczylo.com_clusterimageexport_editor_role.yaml
+- raczylo.com_clusterimageexport_viewer_role.yaml
+

config/rbac/leader_election_role.yaml

@@ -0,0 +1,40 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: kubernetes-images-sync-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: raczylo-com-leader
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch

config/rbac/leader_election_role_binding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: kubernetes-images-sync-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: raczylo-com-leaderbinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: raczylo-com-leader
+subjects:
+  - kind: ServiceAccount
+    name: cm-raczylo-com
+    namespace: system

config/rbac/metrics_auth_role.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metrics-auth-raczylo
+rules:
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create

config/rbac/metrics_auth_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: metrics-auth-raczylobinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metrics-auth-raczylo
+subjects:
+  - kind: ServiceAccount
+    name: cm-raczylo-com
+    namespace: system

config/rbac/metrics_reader_role.yaml

@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metrics-raczylo
+rules:
+  - nonResourceURLs:
+      - "/metrics"
+    verbs:
+      - get

config/rbac/raczylo.com_clusterimage_editor_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to edit clusterimages.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kubernetes-images-sync-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: raczylo.com-clusterimage-editor-role
+rules:
+  - apiGroups:
+      - raczylo.com
+    resources:
+      - clusterimages
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - raczylo.com
+    resources:
+      - clusterimages/status
+    verbs:
+      - get

config/rbac/raczylo.com_clusterimage_viewer_role.yaml

@@ -0,0 +1,23 @@
+# permissions for end users to view clusterimages.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kubernetes-images-sync-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: raczylo.com-clusterimage-viewer-role
+rules:
+  - apiGroups:
+      - raczylo.com
+    resources:
+      - clusterimages
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - raczylo.com
+    resources:
+      - clusterimages/status
+    verbs:
+      - get

config/rbac/raczylo.com_clusterimageexport_editor_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to edit clusterimageexports.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kubernetes-images-sync-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: raczylo.com-clusterimageexport-editor-role
+rules:
+  - apiGroups:
+      - raczylo.com
+    resources:
+      - clusterimageexports
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - raczylo.com
+    resources:
+      - clusterimageexports/status
+    verbs:
+      - get

config/rbac/raczylo.com_clusterimageexport_viewer_role.yaml

@@ -0,0 +1,23 @@
+# permissions for end users to view clusterimageexports.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kubernetes-images-sync-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: raczylo.com-clusterimageexport-viewer-role
+rules:
+  - apiGroups:
+      - raczylo.com
+    resources:
+      - clusterimageexports
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - raczylo.com
+    resources:
+      - clusterimageexports/status
+    verbs:
+      - get

config/rbac/role.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: mr-raczylo-com
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - raczylo.com
+  resources:
+  - clusterimageexports
+  - clusterimages
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - raczylo.com
+  resources:
+  - clusterimageexports/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - raczylo.com
+  resources:
+  - clusterimageexports/status
+  verbs:
+  - get
+  - patch
+  - update

config/rbac/role_binding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: kubernetes-images-sync-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: mr-raczylo-combinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mr-raczylo-com
+subjects:
+  - kind: ServiceAccount
+    name: cm-raczylo-com
+    namespace: system

config/rbac/service_account.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: kubernetes-images-sync-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: cm-raczylo-com
+  namespace: system