
Commit c7e1b21

KFLUXINFRA-2779: Deploying group-sync-operator in staging using Helm charts (redhat-appstudio#10400)
* Add group-sync-operator helm charts Signed-off-by: Gal Levi <glevi@redhat.com> Signed-off-by: Claude Sonnet 4.5 <noreply@anthropic.com> * Use helm charts for group-sync in staging Signed-off-by: Gal Levi <glevi@redhat.com> Signed-off-by: Claude Sonnet 4.5 <noreply@anthropic.com> * fixed kube-linter errors Signed-off-by: Gal Levi <glevi@redhat.com> --------- Signed-off-by: Gal Levi <glevi@redhat.com> Signed-off-by: Claude Sonnet 4.5 <noreply@anthropic.com>
1 parent 962c946 commit c7e1b21

27 files changed

Lines changed: 1519 additions & 1 deletion

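--- a/components/authentication/base/kustomization.yaml
+++ b/components/authentication/base/kustomization.yaml
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - admin-checker
-- group-sync
 - component-maintainer.yaml
 - everyone-can-view.yaml
 - konflux-admins.yaml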

components/authentication/helm-charts/crd.yaml

Lines changed: 919 additions & 0 deletions
Large diffs are not rendered by default.
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
# Patterns to ignore when building packages.
2+
# This supports shell glob matching, relative path matching, and
3+
# negation (prefixed with !). Only one pattern per line.
4+
.DS_Store
5+
# Common VCS dirs
6+
.git/
7+
.gitignore
8+
.bzr/
9+
.bzrignore
10+
.hg/
11+
.hgignore
12+
.svn/
13+
# Common backup files
14+
*.swp
15+
*.bak
16+
*.tmp
17+
*.orig
18+
*~
19+
# Various IDEs
20+
.project
21+
.idea/
22+
*.tmproj
23+
.vscode/
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
apiVersion: v1
2+
name: group-sync-operator
3+
version: 0.1.0
4+
appVersion: latest
5+
description: Helm chart that deploys the group-sync-operator
6+
keywords:
7+
- authorization
8+
- security
9+
sources:
10+
- https://github.com/glevi-rh/group-sync-operator
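Review bot: `appVersion: latest` on line 4 of the new Chart.yaml is a mutable value, so the `app.kubernetes.io/version` label that the chart's labels helper derives from `.Chart.AppVersion` will read `latest` on every resource and will not identify which operator build is running. Set it to the release the staging image is built from, for example `appVersion: "<operator-release-tag>"` (placeholder), and keep it quoted so a numeric-looking tag is not retyped by the parser. The `sources` entry points at a personal fork (`glevi-rh/group-sync-operator`); if the deployed image is built from that fork, say so in `description`, otherwise the upstream repository is the more useful provenance link.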
Lines changed: 85 additions & 0 deletions
@@ -0,0 +1,85 @@
1+
{{/* vim: set filetype=mustache: */}}
2+
{{/*
3+
Expand the name of the chart.
4+
*/}}
5+
{{- define "group-sync-operator.name" -}}
6+
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
7+
{{- end }}
8+
9+
{{/*
10+
Create a default fully qualified app name.
11+
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
12+
If release name contains chart name it will be used as a full name.
13+
*/}}
14+
{{- define "group-sync-operator.fullname" -}}
15+
{{- if .Values.fullnameOverride }}
16+
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
17+
{{- else }}
18+
{{- $name := default .Chart.Name .Values.nameOverride }}
19+
{{- if contains $name .Release.Name }}
20+
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
21+
{{- else }}
22+
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
23+
{{- end }}
24+
{{- end }}
25+
{{- end }}
26+
27+
{{/*
28+
Create chart name and version as used by the chart label.
29+
*/}}
30+
{{- define "group-sync-operator.chart" -}}
31+
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
32+
{{- end }}
33+
34+
{{/*
35+
Common labels
36+
*/}}
37+
{{- define "group-sync-operator.labels" -}}
38+
helm.sh/chart: {{ include "group-sync-operator.chart" . }}
39+
{{ include "group-sync-operator.selectorLabels" . }}
40+
{{- if .Chart.AppVersion }}
41+
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
42+
{{- end }}
43+
app.kubernetes.io/managed-by: {{ .Release.Service }}
44+
{{- if .Values.commonLabels }}
45+
{{ toYaml .Values.commonLabels }}
46+
{{- end }}
47+
{{- end }}
48+
49+
{{/*
50+
Selector labels
51+
*/}}
52+
{{- define "group-sync-operator.selectorLabels" -}}
53+
app.kubernetes.io/name: {{ include "group-sync-operator.name" . }}
54+
app.kubernetes.io/instance: {{ .Release.Name }}
55+
{{- end }}
56+
57+
58+
{{/*
59+
Service Acount Name
60+
*/}}
61+
{{- define "group-sync-operator.serviceAccountName" -}}
62+
{{- printf "%s-%s" (include "group-sync-operator.name" .) "controller-manager" }}
63+
{{- end }}
64+
65+
{{/*
66+
Create the image path for the passed in image field
67+
*/}}
68+
{{- define "group-sync-operator.image" -}}
69+
{{- if eq (substr 0 7 .version) "sha256:" -}}
70+
{{- printf "%s@%s" .repository .version -}}
71+
{{- else -}}
72+
{{- printf "%s:%s" .repository .version -}}
73+
{{- end -}}
74+
{{- end -}}
75+
76+
{{/*
77+
Check if WATCH_NAMESPACE environment variable has been provided
78+
*/}}
79+
{{- define "group-sync-operator.checkWatchNamespace" -}}
80+
{{- range .Values.env -}}
81+
{{- if eq .name "WATCH_NAMESPACE" -}}
82+
{{- print "true" -}}
83+
{{- end -}}
84+
{{- end -}}
85+
{{- end -}}
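Review bot: The `group-sync-operator.image` helper (lines 68-74 of the new file) does not reject an empty or missing `.version`, and anything that does not start with `sha256:` is rendered as a tag, so a mutable tag or a malformed `repository:` reference passes through without a render-time error. Failing early with `{{- $v := required "image version (tag or sha256 digest) is required" .version -}}` and testing `hasPrefix "sha256:" $v` instead of the `substr` comparison makes the intent explicit. For a component deployed under `components/authentication`, passing a digest from the staging values keeps the deployed build reproducible. The values file is not visible in this section, so whether staging already supplies a digest needs confirming.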
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRole
3+
metadata:
4+
name: metrics-reader
5+
rules:
6+
- nonResourceURLs: ["/metrics"]
7+
verbs: ["get"]
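Review bot: The ClusterRole name `metrics-reader` is fixed and unprefixed, and the object carries none of the chart's common labels. A cluster-scoped name this generic may already exist on the cluster, in which case, depending on how the chart is applied, the install either fails or ends up sharing an RBAC object with another component. Deriving the name from the chart helper, `name: {{ include "group-sync-operator.fullname" . }}-metrics-reader`, and adding `labels: {{- include "group-sync-operator.labels" . | nindent 4 }}` avoids that and makes ownership auditable. The same applies to `proxy-role`, `proxy-rolebinding` (whose `roleRef.name` has to change in step) and `groupsync-editor-role` in the following files.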
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRole
3+
metadata:
4+
name: proxy-role
5+
rules:
6+
- apiGroups: ["authentication.k8s.io"]
7+
resources:
8+
- tokenreviews
9+
verbs: ["create"]
10+
- apiGroups: ["authorization.k8s.io"]
11+
resources:
12+
- subjectaccessreviews
13+
verbs: ["create"]
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRoleBinding
3+
metadata:
4+
name: proxy-rolebinding
5+
roleRef:
6+
apiGroup: rbac.authorization.k8s.io
7+
kind: ClusterRole
8+
name: proxy-role
9+
subjects:
10+
- kind: ServiceAccount
11+
name: {{ include "group-sync-operator.serviceAccountName" . }}
12+
namespace: {{ .Release.Namespace }}
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
apiVersion: v1
2+
kind: Service
3+
metadata:
4+
labels:
5+
control-plane: group-sync-operator
6+
{{- include "group-sync-operator.labels" . | nindent 4 }}
7+
annotations:
8+
service.alpha.openshift.io/serving-cert-secret-name: group-sync-operator-certs
9+
name: controller-manager-metrics-service
10+
namespace: {{ .Release.Namespace }}
11+
spec:
12+
ports:
13+
- name: https
14+
port: 8443
15+
targetPort: https
16+
selector:
17+
control-plane: group-sync-operator
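Review bot: The Service selector on line 17 matches only the static label `control-plane: group-sync-operator`, so any pod in the release namespace that carries that label becomes a backend of `controller-manager-metrics-service`. Adding the release-scoped labels to the selector, `{{- include "group-sync-operator.selectorLabels" . | nindent 4 }}`, narrows it, provided the Deployment's pod template (not visible in this section) carries the same labels. Separately, `service.alpha.openshift.io/serving-cert-secret-name` is the older form of the annotation; current OpenShift documentation uses `service.beta.openshift.io/serving-cert-secret-name`, so confirm the alpha key is still honoured on the target cluster version.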
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
# permissions for end users to edit groupsyncs.
2+
apiVersion: rbac.authorization.k8s.io/v1
3+
kind: ClusterRole
4+
metadata:
5+
name: groupsync-editor-role
6+
rules:
7+
- apiGroups:
8+
- redhatcop.redhat.io
9+
resources:
10+
- groupsyncs
11+
verbs:
12+
- create
13+
- delete
14+
- get
15+
- list
16+
- patch
17+
- update
18+
- watch
19+
- apiGroups:
20+
- redhatcop.redhat.io
21+
resources:
22+
- groupsyncs/status
23+
verbs:
24+
- get
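Review bot: The header comment describes `groupsync-editor-role` as permissions for end users, but create/update/patch/delete on `groupsyncs` lets the holder define which external identity-provider groups are synchronised into the cluster, and that can change group membership other RoleBindings rely on. No binding for this role is visible in the rendered sections, so the exposure depends on who is bound to it later. I would reword the comment to `# Permissions to edit groupsyncs. Controls which external groups are synced into the cluster; bind to cluster administrators only.` If nothing in staging needs the role, leaving it out of the chart is the smaller surface.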
