diff --git a/cluster-scope/base/core/namespaces/group-sync-operator/kustomization.yaml b/cluster-scope/base/core/namespaces/group-sync-operator/kustomization.yaml
new file mode 100644
index 00000000..c313b540
--- /dev/null
+++ b/cluster-scope/base/core/namespaces/group-sync-operator/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespace.yaml
diff --git a/cluster-scope/base/core/namespaces/group-sync-operator/namespace.yaml b/cluster-scope/base/core/namespaces/group-sync-operator/namespace.yaml
new file mode 100644
index 00000000..35daae20
--- /dev/null
+++ b/cluster-scope/base/core/namespaces/group-sync-operator/namespace.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: group-sync-operator
+spec: {}
diff --git a/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/kustomization.yaml b/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/kustomization.yaml
new file mode 100644
index 00000000..786372e0
--- /dev/null
+++ b/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: group-sync-operator
+resources:
+- operatorgroup.yaml
diff --git a/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/operatorgroup.yaml b/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/operatorgroup.yaml
new file mode 100644
index 00000000..84f8c682
--- /dev/null
+++ b/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/operatorgroup.yaml
@@ -0,0 +1,7 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: group-sync-operator
+spec:
+ targetNamespaces:
+ - group-sync-operator
diff --git a/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/kustomization.yaml b/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/kustomization.yaml
new file mode 100644
index 00000000..4c043e54
--- /dev/null
+++ b/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: group-sync-operator
+resources:
+- subscription.yaml
diff --git a/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/subscription.yaml b/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/subscription.yaml
new file mode 100644
index 00000000..2b4385f7
--- /dev/null
+++ b/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/subscription.yaml
@@ -0,0 +1,10 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: group-sync-operator
+spec:
+ channel: alpha
+ installPlanApproval: Automatic
+ name: group-sync-operator
+ source: community-operators
+ sourceNamespace: openshift-marketplace
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/clusterrolebinding.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/clusterrolebinding.yaml
new file mode 100644
index 00000000..ccb4e4fb
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-admins-nerc-portforward
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: allow-portforward-all
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: cluster-admins
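Review bot: In `subscriptions/group-sync-operator/subscription.yaml`, `installPlanApproval: Automatic` on `channel: alpha` from `community-operators` means any new build published to that catalog channel is installed without review. This operator writes the Group objects that the cluster's RBAC bindings trust, so an unreviewed upgrade sits directly on the authorization path. Consider `installPlanApproval: Manual` together with a pinned `startingCSV: <reviewed-csv-name>` (placeholder) so each upgrade is an explicit, reviewed step. If the alpha channel is the only one published, a comment saying so would document the choice.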
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/kustomization.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/kustomization.yaml
new file mode 100644
index 00000000..464a5f99
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - clusterrolebinding.yaml
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/clusterrole.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/clusterrole.yaml
new file mode 100644
index 00000000..17b14dd4
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/clusterrole.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: allow-portforward-all
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "pods/portforward"
+ verbs:
+ - "*"
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/kustomization.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/kustomization.yaml
new file mode 100644
index 00000000..69b27f0b
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - clusterrole.yaml
diff --git a/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml b/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
index c5a71773..e1916ceb 100644
--- a/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
+++ b/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
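Review bot: The rule in `clusterroles/allow-portforward-all/clusterrole.yaml` grants `- "*"` under `verbs` for `pods/portforward`, which is broader than port-forwarding needs. The subresource is exercised with `create` (and `get` on the WebSocket path), so `verbs: ["get", "create"]` expresses the intent without a wildcard. Every binding to this role in the change is a ClusterRoleBinding, so the grant reaches pods in all namespaces, platform namespaces included. A comment on the role such as `# cluster-wide port-forward, intended for ops/admin groups only` would record that this scope is deliberate.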
@@ -4,3 +4,5 @@ resources:
 - ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer
 - ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader
 - ../../base/user.openshift.io/groups/cluster-admins
+- ../../base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all
+- ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward
diff --git a/cluster-scope/bundles/group-sync-operator/kustomization.yaml b/cluster-scope/bundles/group-sync-operator/kustomization.yaml
new file mode 100644
index 00000000..a1c99a5e
--- /dev/null
+++ b/cluster-scope/bundles/group-sync-operator/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base/core/namespaces/group-sync-operator
+- ../../base/operators.coreos.com/operatorgroups/group-sync-operator
+- ../../base/operators.coreos.com/subscriptions/group-sync-operator
diff --git a/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-cluster-reader.yaml b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-cluster-reader.yaml
new file mode 100644
index 00000000..73dc0ffa
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-cluster-reader.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nerc-ops-cluster-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-reader
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: nerc-ops
diff --git a/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-portforward.yaml b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-portforward.yaml
new file mode 100644
index 00000000..66943b35
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-portforward.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nerc-ops-portforward
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: allow-portforward-all
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: nerc-ops
diff --git a/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-sudoers.yaml b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-sudoers.yaml
new file mode 100644
index 00000000..fdf41ea2
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-sudoers.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nerc-ops-sudoers
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: sudoer
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: nerc-ops
diff --git a/cluster-scope/overlays/nerc-ocp-infra/groupsyncs/github-ocp-on-nerc.yaml b/cluster-scope/overlays/nerc-ocp-infra/groupsyncs/github-ocp-on-nerc.yaml
new file mode 100644
index 00000000..c8ef702b
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/groupsyncs/github-ocp-on-nerc.yaml
@@ -0,0 +1,14 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: GroupSync
+metadata:
+ name: github-ocp-on-nerc
+ namespace: group-sync-operator
+spec:
+ providers:
+ - name: github
+ github:
+ organization: ocp-on-nerc
+ prune: true
+ credentialsSecret:
+ name: github-ocp-on-nerc
+ namespace: group-sync-operator
diff --git a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
index 4368e80f..38d788de 100644
--- a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
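Review bot: `nerc-ops-sudoers.yaml` binds the `sudoer` ClusterRole to `nerc-ops`, a group that no manifest in this change defines; it appears to be created by the `GroupSync` added alongside it, so membership of a GitHub team becomes the gate for that role. If `sudoer` is the stock OpenShift role that permits impersonating `system:admin`, team membership in the `ocp-on-nerc` organization is then equivalent to cluster administration. A comment in the manifest such as `# nerc-ops is synced from the ocp-on-nerc GitHub org by GroupSync github-ocp-on-nerc` would make that trust relationship visible to later reviewers. The same applies to `nerc-ops-portforward.yaml` and `nerc-ops-cluster-reader.yaml`.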
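Review bot: The `GroupSync` in `groupsyncs/github-ocp-on-nerc.yaml` sets no `schedule`, and as far as I know the operator then synchronizes only when the object itself is reconciled, so someone removed from the GitHub team could keep the `nerc-ops` bindings until the next reconcile. Adding for example `schedule: "*/15 * * * *"` (sample interval) bounds that window. The `github` provider block also has no `teams` filter, so every team in the organization would become an OpenShift group and group names would be chosen on the GitHub side. Restricting it with `teams: [nerc-ops]` keeps synced names from overlapping groups that existing bindings already reference. The Secret `github-ocp-on-nerc` is correctly absent from the change, and its token should carry read-only organization scope.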
@@ -13,6 +13,10 @@ resources: - machineconfigs/configure-bond0 - nodenetworkconfigurationpolicies/vlan-2177-nese.yaml +- groupsyncs/github-ocp-on-nerc.yaml +- clusterrolebindings/nerc-ops-cluster-reader.yaml +- clusterrolebindings/nerc-ops-sudoers.yaml +- clusterrolebindings/nerc-ops-portforward.yaml + patches: - - path: oauths/cluster_patch.yaml - - path: groups/cluster-admins_patch.yaml +- path: oauths/cluster_patch.yaml
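Review bot: `groupsyncs/github-ocp-on-nerc.yaml` is added to `resources` here, but nothing in this hunk pulls in `../../bundles/group-sync-operator`. Unless another kustomization includes that bundle, the `GroupSync` kind will have no CRD to match when the overlay is applied. The hunk also drops the `groups/cluster-admins_patch.yaml` patch, whose content is not shown. If that patch carried this cluster's static admin membership, administrative access now depends on the GitHub sync working. A comment above the new entries, for example `# admin access via GitHub-synced nerc-ops; break-glass path: <documented location>` (placeholder), would record the intended fallback.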