feat: Configure sandbox controller

ponimas · ponimas · commit 5362f0b3c4fd · 2025-07-01T17:41:12.000+02:00
Add necessary RBAC manifests (ServiceAccount, ClusterRole, and
ClusterRoleBinding) for the sandbox controller. This grants the
controller permissions to manage sandbox, routegroup, and ingress resources.

Wrap the sandbox CRD manifest in the same configuration
flag (sandbox_controller_enabled) as the new RBAC manifests. This
ensures that the CRD and RBAC are only deployed if the sandbox
controller is enabled in the cluster configuration.

Signed-off-by: Aleksandr Ponimaskin &lt;aleksandr.ponimaskin@zalando.de&gt;
diff --git a/cluster/manifests/sandbox-controller/01-rbac.yaml b/cluster/manifests/sandbox-controller/01-rbac.yaml
@@ -0,0 +1,68 @@
+{{ if eq .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sandbox-controller
+  namespace: kube-system
+  labels:
+    application: sandbox-controller
+    component: sandbox-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sandbox-controller
+  labels:
+    application: sandbox-controller
+    component: sandbox-controller
+rules:
+  - apiGroups:
+      - zalando.org
+    resources:
+      - sandboxes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - zalando.org
+    resources:
+      - routegroups
+    verbs:
+      - list
+      - watch
+      - get
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - list
+      - watch
+      - get
+      - create
+      - update
+      - patch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: sandbox-controller
+  labels:
+    application: sandbox-controller
+    component: sandbox-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: sandbox-controller
+subjects:
+  - kind: ServiceAccount
+    name: sandbox-controller
+    namespace: kube-system
+{{ end }}
diff --git a/cluster/manifests/sandbox-controller/sandbox_crd.yaml b/cluster/manifests/sandbox-controller/sandbox_crd.yaml
@@ -1,3 +1,4 @@
+{{ if eq .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -34,3 +35,4 @@ spec:
                     type: string
                 target:
                   type: string
+{{ end }}
