trusted-execution-clusters
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 1 deletion b/‎.gitignore‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Makefile‎
Lines changed: 12 additions & 4 deletions b/‎Makefile‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎api/v1alpha1/crds.go‎
Lines changed: 7 additions & 10 deletions b/‎api/v1alpha1/crds.go‎
Lines changed: 7 additions & 10 deletions
diff --git a/‎config/rbac/approvedimage_admin_role.yaml‎ ‎…/rbac/base/approvedimage_admin_role.yaml‎config/rbac/approvedimage_admin_role.yaml renamed to config/rbac/base/approvedimage_admin_role.yaml b/‎config/rbac/approvedimage_admin_role.yaml‎ ‎…/rbac/base/approvedimage_admin_role.yaml‎config/rbac/approvedimage_admin_role.yaml renamed to config/rbac/base/approvedimage_admin_role.yaml
diff --git a/‎…nfig/rbac/approvedimage_viewer_role.yaml‎ ‎…rbac/base/approvedimage_viewer_role.yaml‎config/rbac/approvedimage_viewer_role.yaml renamed to config/rbac/base/approvedimage_viewer_role.yaml b/‎…nfig/rbac/approvedimage_viewer_role.yaml‎ ‎…rbac/base/approvedimage_viewer_role.yaml‎config/rbac/approvedimage_viewer_role.yaml renamed to config/rbac/base/approvedimage_viewer_role.yaml
diff --git a/‎config/rbac/kustomization.yaml‎ ‎config/rbac/base/kustomization.yaml‎config/rbac/kustomization.yaml renamed to config/rbac/base/kustomization.yaml
Lines changed: 15 additions & 0 deletions b/‎config/rbac/kustomization.yaml‎ ‎config/rbac/base/kustomization.yaml‎config/rbac/kustomization.yaml renamed to config/rbac/base/kustomization.yaml
Lines changed: 15 additions & 0 deletions
diff --git a/‎config/rbac/leader_election_role.yaml‎ ‎…nfig/rbac/base/leader_election_role.yaml‎config/rbac/leader_election_role.yaml renamed to config/rbac/base/leader_election_role.yaml b/‎config/rbac/leader_election_role.yaml‎ ‎…nfig/rbac/base/leader_election_role.yaml‎config/rbac/leader_election_role.yaml renamed to config/rbac/base/leader_election_role.yaml
diff --git a/‎…g/rbac/leader_election_role_binding.yaml‎ ‎…c/base/leader_election_role_binding.yaml‎config/rbac/leader_election_role_binding.yaml renamed to config/rbac/base/leader_election_role_binding.yaml b/‎…g/rbac/leader_election_role_binding.yaml‎ ‎…c/base/leader_election_role_binding.yaml‎config/rbac/leader_election_role_binding.yaml renamed to config/rbac/base/leader_election_role_binding.yaml
diff --git a/‎config/rbac/machine_admin_role.yaml‎ ‎config/rbac/base/machine_admin_role.yaml‎config/rbac/machine_admin_role.yaml renamed to config/rbac/base/machine_admin_role.yaml b/‎config/rbac/machine_admin_role.yaml‎ ‎config/rbac/base/machine_admin_role.yaml‎config/rbac/machine_admin_role.yaml renamed to config/rbac/base/machine_admin_role.yaml
diff --git a/‎config/rbac/machine_viewer_role.yaml‎ ‎config/rbac/base/machine_viewer_role.yaml‎config/rbac/machine_viewer_role.yaml renamed to config/rbac/base/machine_viewer_role.yaml b/‎config/rbac/machine_viewer_role.yaml‎ ‎config/rbac/base/machine_viewer_role.yaml‎config/rbac/machine_viewer_role.yaml renamed to config/rbac/base/machine_viewer_role.yaml
@@ -10,7 +10,7 @@ trusted-cluster-gen
 /bin
 /config/crd
 /config/deploy
-/config/rbac/role.yaml
+/config/rbac/base/role.yaml
 /lib/src/kopium
 /target
 bundle/manifests/
 
@@ -6,6 +6,7 @@
 .PHONY: all build build-tools crds-rs generate manifests cluster-up cluster-down image push install-trustee install clean fmt-check clippy lint test test-release release-tarball
 
 NAMESPACE ?= trusted-execution-clusters
+PLATFORM ?= kind
 
 KUBECTL=kubectl
 
@@ -41,10 +42,12 @@ reg-server: crds-rs
 	cargo build -p register-server
 
 CRD_YAML_PATH = config/crd
+RBAC_YAML_PATH = config/rbac/base
 API_PATH = api/v1alpha1
 generate: $(CONTROLLER_GEN)
 	$(CONTROLLER_GEN) rbac:roleName=trusted-cluster-operator-role crd webhook paths="./..." \
-		output:crd:artifacts:config=$(CRD_YAML_PATH)
+		output:crd:artifacts:config=$(CRD_YAML_PATH) \
+		output:rbac:artifacts:config=$(RBAC_YAML_PATH)
 
 RS_LIB_PATH = lib/src
 CRD_RS_PATH = $(RS_LIB_PATH)/kopium
@@ -132,10 +135,15 @@ endif
 	scripts/clean-cluster-kind.sh $(OPERATOR_IMAGE) $(COMPUTE_PCRS_IMAGE) $(REG_SERVER_IMAGE)
 	$(YQ) '.spec.publicTrusteeAddr = "$(TRUSTEE_ADDR):8080"' \
 		-i $(DEPLOY_PATH)/trusted_execution_cluster_cr.yaml
-	$(YQ) '.namespace = "$(NAMESPACE)"' -i config/rbac/kustomization.yaml
+	$(YQ) '.namespace = "$(NAMESPACE)"' -i config/rbac/base/kustomization.yaml
+	$(YQ) '.patches[0].patch = "- op: replace\n  path: /metadata/name\n  value: $(NAMESPACE)-manager-rolebinding"' -i config/rbac/base/kustomization.yaml
+	$(YQ) '.patches[1].patch = "- op: replace\n  path: /metadata/name\n  value: $(NAMESPACE)-metrics-auth-rolebinding"' -i config/rbac/base/kustomization.yaml
+	@if [ "$(PLATFORM)" = "openshift" ]; then \
+		$(YQ) '.patches[0].patch = "- op: replace\n  path: /metadata/name\n  value: $(NAMESPACE)-trusted-cluster-scc\n- op: replace\n  path: /users/0\n  value: system:serviceaccount:$(NAMESPACE):trusted-cluster-operator"' -i config/rbac/overlays/openshift/kustomization.yaml; \
+	fi
 	$(KUBECTL) apply -f $(DEPLOY_PATH)/operator.yaml
 	$(KUBECTL) apply -f config/crd
-	$(KUBECTL) apply -k config/rbac
+	$(KUBECTL) apply -k config/rbac/overlays/$(PLATFORM)
 	$(KUBECTL) apply -f $(DEPLOY_PATH)/trusted_execution_cluster_cr.yaml
 	$(KUBECTL) apply -f $(DEPLOY_PATH)/approved_image_cr.yaml
 	$(KUBECTL) apply -f kind/register-forward.yaml
@@ -147,7 +155,7 @@ install-kubevirt:
 clean:
 	cargo clean
 	rm -rf bin manifests $(CRD_YAML_PATH) $(CRD_RS_PATH)
-	rm -f trusted-cluster-gen config/rbac/role.yaml .crates.toml .crates2.json
+	rm -f trusted-cluster-gen config/rbac/base/role.yaml .crates.toml .crates2.json
 
 fmt-check:
 	cargo fmt -- --check
 
@@ -25,16 +25,13 @@ var (
 	AddToScheme = SchemeBuilder.AddToScheme
 )
 
-// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;create;patch;update
-// +kubebuilder:rbac:groups="",resources=services,verbs=create
-// +kubebuilder:rbac:groups="",resources=secrets,verbs=create
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;create;update
-// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;delete;list;watch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters,verbs=list;watch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/status,verbs=patch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=machines,verbs=create;list;delete;watch;patch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=approvedimages,verbs=get;list;watch;patch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=approvedimages/status,verbs=patch
+// +kubebuilder:rbac:groups="",resources=configmaps;services;secrets,verbs=create;get;list;watch
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters;machines;approvedimages,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/finalizers,verbs=update
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=machines/finalizers,verbs=update
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/status;machines/status;approvedimages/status,verbs=get;patch;update
 
 // TrustedExecutionClusterSpec defines the desired state of TrustedExecutionCluster
 // +kubebuilder:validation:XValidation:rule="!has(oldSelf.publicTrusteeAddr) || has(self.publicTrusteeAddr)", message="Value is required once set"
 
@@ -3,6 +3,21 @@
 # SPDX-License-Identifier: CC0-1.0
 
 namespace: trusted-execution-clusters
+patches:
+  - target:
+      kind: ClusterRoleBinding
+      name: manager-rolebinding
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: NAMESPACE-manager-rolebinding
+  - target:
+      kind: ClusterRoleBinding
+      name: metrics-auth-rolebinding
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: NAMESPACE-metrics-auth-rolebinding
 resources:
   # All RBAC will be applied under this service account in
   # the deployment namespace. You may comment out this resource