ContainerImage.Pinniped/deploy/supervisor/rbac.yaml

#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")
#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")

#! Give permission to various objects within the app's own namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ defaultResourceName()
  namespace: #@ namespace()
  labels: #@ labels()
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create, get, list, patch, update, watch, delete]
  - apiGroups: [config.pinniped.dev]
    resources: [oidcproviderconfigs]
    verbs: [update, get, list, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceName()
  namespace: #@ namespace()
  labels: #@ labels()
subjects:
  - kind: ServiceAccount
    name: #@ defaultResourceName()
    namespace: #@ namespace()
roleRef:
  kind: Role
  name: #@ defaultResourceName()
  apiGroup: rbac.authorization.k8s.io
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page 2020-10-06 00:28:19 +00:00			`#! Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`#! SPDX-License-Identifier: Apache-2.0`

			`#@ load("@ytt:data", "data")`
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels` 2020-10-14 22:05:42 +00:00			`#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")`
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page 2020-10-06 00:28:19 +00:00
			`#! Give permission to various objects within the app's own namespace`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels` 2020-10-14 22:05:42 +00:00			`name: #@ defaultResourceName()`
			`namespace: #@ namespace()`
			`labels: #@ labels()`
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page 2020-10-06 00:28:19 +00:00			`rules:`
supervisor-generate-key: initial spike Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-14 13:47:34 +00:00			`- apiGroups: [""]`
			`resources: [secrets]`
			`verbs: [create, get, list, patch, update, watch, delete]`
supervisor-oidc: checkpoint: controller watches OIDCProviderConfig Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-07 14:53:05 +00:00			`- apiGroups: [config.pinniped.dev]`
			`resources: [oidcproviderconfigs]`
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 17:27:45 +00:00			`verbs: [update, get, list, watch]`
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page 2020-10-06 00:28:19 +00:00			`---`
			`kind: RoleBinding`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels` 2020-10-14 22:05:42 +00:00			`name: #@ defaultResourceName()`
			`namespace: #@ namespace()`
			`labels: #@ labels()`
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page 2020-10-06 00:28:19 +00:00			`subjects:`
			`- kind: ServiceAccount`
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels` 2020-10-14 22:05:42 +00:00			`name: #@ defaultResourceName()`
			`namespace: #@ namespace()`
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page 2020-10-06 00:28:19 +00:00			`roleRef:`
			`kind: Role`
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels` 2020-10-14 22:05:42 +00:00			`name: #@ defaultResourceName()`
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page 2020-10-06 00:28:19 +00:00			`apiGroup: rbac.authorization.k8s.io`