Split rbac generation into experimental/standard

Signed-off-by: Per Goncalves da Silva <[email protected]>

Author: Per Goncalves da Silva

Makefile

@@ -149,8 +149,10 @@ KUSTOMIZE_OPCON_RBAC_DIR := config/base/operator-controller/rbac
 manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects.
 	# Generate CRDs via our own generator
 	hack/tools/update-crds.sh
-	# Generate the remaining operator-controller manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)
+	# Generate the remaining operator-controller standard manifests
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard
+	# Generate the remaining operator-controller experimental manifests
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental
 	# Generate the remaining catalogd manifests
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)

config/base/operator-controller/kustomization.yaml

@@ -4,5 +4,4 @@ kind: Kustomization
 namespace: olmv1-system
 namePrefix: operator-controller-
 resources:
-- rbac
 - manager

config/base/operator-controller/manager/kustomization.yaml

@@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-
 resources:
 - manager.yaml
 - service.yaml

…/rbac/auth_proxy_client_clusterrole.yaml …ommon/auth_proxy_client_clusterrole.yamlconfig/base/operator-controller/rbac/auth_proxy_client_clusterrole.yaml renamed to config/base/operator-controller/rbac/common/auth_proxy_client_clusterrole.yaml config/base/operator-controller/rbac/auth_proxy_client_clusterrole.yaml renamed to config/base/operator-controller/rbac/common/auth_proxy_client_clusterrole.yaml

@@ -0,0 +1,26 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+
+# The following resources are pre-defined roles for editors and viewers
+# of APIs provided by this project.
+- clusterextension_editor_role.yaml
+- clusterextension_viewer_role.yaml
+
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
+