Add rbac standard/experimental split to catalogd

Signed-off-by: Per Goncalves da Silva <[email protected]>

Author: Per Goncalves da Silva

Makefile

@@ -153,9 +153,11 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration,
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard
 	# Generate the remaining operator-controller experimental manifests
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental
-	# Generate the remaining catalogd manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)
+	# Generate the remaining catalogd standard manifests
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)
+	# Generate the remaining catalogd experimental manifests
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental
 	# Generate manifests stored in source-control
 	mkdir -p $(MANIFEST_HOME)
 	$(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_OVERLAY) > $(STANDARD_MANIFEST)

config/base/catalogd/kustomization.yaml

@@ -4,5 +4,4 @@ kind: Kustomization
 namespace: olmv1-system
 namePrefix: catalogd-
 resources:
-- rbac
 - manager

…/rbac/auth_proxy_client_clusterrole.yaml …ommon/auth_proxy_client_clusterrole.yamlconfig/base/catalogd/rbac/auth_proxy_client_clusterrole.yaml renamed to config/base/catalogd/rbac/common/auth_proxy_client_clusterrole.yaml config/base/catalogd/rbac/auth_proxy_client_clusterrole.yaml renamed to config/base/catalogd/rbac/common/auth_proxy_client_clusterrole.yaml

@@ -0,0 +1,19 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml