[OOM-K8S-CERT-EXTERNAL-PROVIDER] Create mock implementation
[oom/platform/cert-service.git] / certServiceK8sExternalProvider / deploy / roles.yaml
1 # ============LICENSE_START=======================================================
2 # oom-certservice-k8s-external-provider
3 # ================================================================================
4 # Copyright (c) 2019 Smallstep Labs, Inc.
5 # Modifications copyright (C) 2020 Nokia. All rights reserved.
6 # ================================================================================
7 # This source code was copied from the following git repository:
8 # https://github.com/smallstep/step-issuer
9 # The source code was modified for usage in the ONAP project.
10 # ================================================================================
11 # Licensed under the Apache License, Version 2.0 (the "License");
12 # you may not use this file except in compliance with the License.
13 # You may obtain a copy of the License at
14 #
15 #      http://www.apache.org/licenses/LICENSE-2.0
16 #
17 # Unless required by applicable law or agreed to in writing, software
18 # distributed under the License is distributed on an "AS IS" BASIS,
19 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 # See the License for the specific language governing permissions and
21 # limitations under the License.
22 # ============LICENSE_END=========================================================
23 #
24
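# CustomResourceDefinition for the namespaced CertServiceIssuer resource in
# the certmanager.onap.org group. The controller-gen annotation below marks
# this as generated output; hand edits made here are presumably lost on
# regeneration unless mirrored in the Go types.
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
# Moving to apiextensions.k8s.io/v1 means relocating the schema under
# versions[].schema and dropping the top-level validation/version fields.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.2.5
  creationTimestamp: null
  name: certserviceissuers.certmanager.onap.org
spec:
  group: certmanager.onap.org
  names:
    kind: CertServiceIssuer
    listKind: CertServiceIssuerList
    plural: certserviceissuers
    singular: certserviceissuer
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: CertServiceIssuer is the Schema for the certserviceissuers API
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: CertServiceIssuerSpec defines the desired state of CertServiceIssuer
          properties:
            # Optional trust anchor. Per the description, leaving it unset
            # falls back to the system root store, so an endpoint signed by a
            # private CA needs this field populated.
            caBundle:
              description: CABundle is a base64 encoded TLS certificate used to verify
                connections to the certservice certificates server. If not set the system
                root certificates are used to validate the TLS connection.
              format: byte
              type: string
            provisioner:
              description: Provisioner contains the certservice certificates provisioner
                configuration.
              properties:
                kid:
                  description: KeyID is the kid property of the JWK provisioner.
                  type: string
                name:
                  description: Name is the name of the JWK provisioner.
                  type: string
                # Reference to a Secret, not the password itself. Only `name`
                # is required by the schema; `key` is optional.
                passwordRef:
                  description: PasswordRef is a reference to a Secret containing the
                    provisioner password used to decrypt the provisioner private key.
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a
                        valid secret key.
                      type: string
                    name:
                      description: The name of the secret in the pod's namespace to
                        select from.
                      type: string
                  required:
                    - name
                  type: object
              required:
                - kid
                - name
                - passwordRef
              type: object
            # NOTE(review): the schema accepts any string here; whether a
            # non-TLS scheme is rejected is decided by the controller, which
            # is not visible in this file.
            url:
              description: URL is the base URL for the certservice certificates instance.
              type: string
          required:
            - provisioner
            - url
          type: object
        status:
          description: CertServiceIssuerStatus defines the observed state of CertServiceIssuer
          properties:
            conditions:
              items:
                description: CertServiceIssuerCondition contains condition information for
                  the certservice issuer.
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  # The generated output listed this enum twice under allOf;
                  # a single enum accepts exactly the same values.
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    enum:
                      - "True"
                      - "False"
                      - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    enum:
                      - Ready
                    type: string
                required:
                  - status
                  - type
                type: object
              type: array
          type: object
      type: object
  version: v1beta1
  versions:
    - name: v1beta1
      served: true
      storage: true
# Empty status stanza as emitted by the generator.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []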
161 ---
# Namespaced Role (onap) named for leader election: full management of
# ConfigMaps, read/write on configmaps/status, and event creation.
# NOTE(review): the configmaps rule has no resourceNames, so it covers every
# ConfigMap in the namespace rather than a single election lock object.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: certservice-issuer-leader-election-role
  namespace: onap
rules:
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [""]
    resources: [configmaps/status]
    verbs: [get, update, patch]
  - apiGroups: [""]
    resources: [events]
    verbs: [create]
194 ---
# Cluster-scoped permissions for the issuer manager: events, Secrets (read),
# cert-manager CertificateRequests and the CertServiceIssuer custom resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: certservice-issuer-manager-role
rules:
  - apiGroups: [""]
    resources: [events]
    verbs: [create, patch]
  # NOTE(review): get/list/watch on secrets in a ClusterRole, bound through
  # certservice-issuer-manager-rolebinding (a ClusterRoleBinding), allows
  # reading every Secret in every namespace. If issuers only live in known
  # namespaces, a namespaced Role + RoleBinding per namespace is the
  # least-privilege alternative; audit-log Secret reads by this subject.
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, list, watch]
  - apiGroups: [cert-manager.io]
    resources: [certificaterequests]
    verbs: [get, list, update, watch]
  - apiGroups: [cert-manager.io]
    resources: [certificaterequests/status]
    verbs: [get, patch, update]
  - apiGroups: [certmanager.onap.org]
    resources: [certserviceissuers]
    verbs: [create, delete, get, list, patch, update, watch]
  - apiGroups: [certmanager.onap.org]
    resources: [certserviceissuers/status]
    verbs: [get, patch, update]
253 ---
# Cluster-scoped permission to create TokenReviews and SubjectAccessReviews,
# i.e. to ask the API server to authenticate a token and to check an
# authorization decision. Presumably used by an auth proxy in front of the
# controller (the role name suggests so); confirm against the deployment.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: certservice-issuer-proxy-role
rules:
  - apiGroups: [authentication.k8s.io]
    resources: [tokenreviews]
    verbs: [create]
  - apiGroups: [authorization.k8s.io]
    resources: [subjectaccessreviews]
    verbs: [create]
271 ---
# Grants certservice-issuer-leader-election-role inside the onap namespace.
# NOTE(review): the subject is the namespace's `default` ServiceAccount, so
# every pod in onap that does not set its own serviceAccountName receives
# these ConfigMap permissions too. A dedicated ServiceAccount referenced by
# the controller's pod spec would confine the grant to the controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: certservice-issuer-leader-election-rolebinding
  namespace: onap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: certservice-issuer-leader-election-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: onap
285 ---
# Binds certservice-issuer-manager-role cluster-wide.
# NOTE(review): the subject is the `default` ServiceAccount of the onap
# namespace. Combined with the role's get/list/watch on secrets, any pod in
# onap running under the default account can read Secrets in all namespaces.
# Binding a dedicated ServiceAccount (and setting it on the controller pod)
# removes that exposure; it requires a matching change in the deployment.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: certservice-issuer-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: certservice-issuer-manager-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: onap
298 ---
# Binds certservice-issuer-proxy-role cluster-wide.
# NOTE(review): as with the other bindings in this file, the subject is the
# onap namespace's `default` ServiceAccount, so every pod using that account
# may create TokenReviews and SubjectAccessReviews. Prefer a dedicated
# ServiceAccount for the component that actually needs them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: certservice-issuer-proxy-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: certservice-issuer-proxy-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: onap