Update permission config in addontemplate api
Signed-off-by: Jian Qiu <jqiu@redhat.com>
qiujian16 committed Sep 19, 2023
1 parent 0146ddf commit 08cba46
Showing 4 changed files with 95 additions and 25 deletions.
Expand Up @@ -385,37 +385,57 @@ spec:
Group.
properties:
roleRef:
description: RoleRef is an reference to the permission
resource. it could be a role or a cluster role,
the user must make sure it exist on the hub cluster.
description: CurrentCluster contains the configuration
of CurrentCluster type binding. It is required when
the type is CurrentCluster.
properties:
apiGroup:
description: APIGroup is the group for the resource
being referenced
type: string
kind:
description: Kind is the type of resource being
referenced
type: string
name:
description: Name is the name of resource being
referenced
clusterRoleName:
description: ClusterRoleName is the name of the
clusterrole the addon agent is bound. A rolebinding
will be created referring to this cluster role
in each cluster namespace.
type: string
required:
- apiGroup
- kind
- name
- clusterRoleName
type: object
x-kubernetes-map-type: atomic
singleNamespace:
description: SingleNamespace contains the configuration
of SingleNamespace type binding. It is required
when the type is SingleNamespace
properties:
namespace:
description: Namespace is the namespace the addon
agent has permissions to bind to. A rolebinding
will be created in this namespace referring
to the RoleRef.
type: string
roleRef:
description: RoleRef is an reference to the permission
resource. it could be a role or a cluster role,
the user must make sure it exist on the hub
cluster.
properties:
apiGroup:
description: APIGroup is the group for the
resource being referenced
type: string
kind:
description: Kind is the type of resource
being referenced
type: string
name:
description: Name is the name of resource
being referenced
type: string
required:
- apiGroup
- kind
- name
type: object
x-kubernetes-map-type: atomic
required:
- namespace
- roleRef
type: object
type:
description: 'Type of the permissions setting. It
Expand All @@ -429,7 +449,6 @@ spec:
- SingleNamespace
type: string
required:
- roleRef
- type
type: object
type: array
21 changes: 17 additions & 4 deletions addon/v1alpha1/types_addontemplate.go
Expand Up @@ -123,19 +123,32 @@ type HubPermissionConfig struct {
// +kubebuilder:validation:Enum:=CurrentCluster;SingleNamespace
Type HubPermissionsBindingType `json:"type"`

// RoleRef is an reference to the permission resource. it could be a role or a cluster role,
// the user must make sure it exist on the hub cluster.
// +kubebuilder:validation:Required
RoleRef rbacv1.RoleRef `json:"roleRef"`
// CurrentCluster contains the configuration of CurrentCluster type binding.
// It is required when the type is CurrentCluster.
CurrentCluster *CurrentCluster `json:"roleRef"`

// SingleNamespace contains the configuration of SingleNamespace type binding.
// It is required when the type is SingleNamespace
SingleNamespace *SingleNamespaceBindingConfig `json:"singleNamespace,omitempty"`
}

type CurrentCluster struct {
// ClusterRoleName is the name of the clusterrole the addon agent is bound. A rolebinding
// will be created referring to this cluster role in each cluster namespace.
// +kubebuilder:validation:Required
ClusterRoleName string `json:"clusterRoleName"`
}

type SingleNamespaceBindingConfig struct {
// Namespace is the namespace the addon agent has permissions to bind to. A rolebinding
// will be created in this namespace referring to the RoleRef.
// +kubebuilder:validation:Required
Namespace string `json:"namespace"`

// RoleRef is an reference to the permission resource. it could be a role or a cluster role,
// the user must make sure it exist on the hub cluster.
// +kubebuilder:validation:Required
RoleRef rbacv1.RoleRef `json:"roleRef"`
}

type CustomSignerRegistrationConfig struct {
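Review bot: The `CurrentCluster` field added to `HubPermissionConfig` still carries the tag `json:"roleRef"`, so the new struct is serialized under the old key, and the CRD section above appears to publish the `clusterRoleName` schema under `roleRef` as a result; the tag was presumably meant to be renamed, e.g. ``CurrentCluster *CurrentCluster `json:"currentCluster,omitempty"` ``. As written, a manifest authored for the previous schema (apiGroup/kind/name under `roleRef`) now addresses a different object shape at the same key, and because the pointer has no `omitempty` an unset value is emitted as `roleRef: null`. The "required when the type is …" rules for `CurrentCluster` and `SingleNamespace` exist only as comments; nothing in this hunk enforces that the pointer matching `Type` is non-nil, so the code that creates the rolebindings must nil-check both, or the type needs a validation rule — worth confirming, since this config decides which hub permissions an addon agent receives. The exported types `CurrentCluster` and `SingleNamespaceBindingConfig` also lack doc comments, and the first would read more consistently as `CurrentClusterBindingConfig`. `HubPermissionConfig` starts outside the hunk.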
23 changes: 22 additions & 1 deletion addon/v1alpha1/zz_generated.deepcopy.go


19 changes: 18 additions & 1 deletion addon/v1alpha1/zz_generated.swagger_doc_generated.go

