Change scope of ArangoLocalStorage to Cluster

Author: ewoutp

manifests/crd.yaml

@@ -30,5 +30,5 @@ spec:
     shortNames:
     - arangostorage
     singular: arangolocalstorage
-  scope: Namespaced
+  scope: Cluster
   version: v1alpha

manifests/templates/deployment/deployment.yaml

@@ -2,14 +2,14 @@
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
-  name: {{ .Deployment.OperatorName }}
-  namespace: {{ .Deployment.Namespace }}
+  name: {{ .Deployment.OperatorDeploymentName }}
+  namespace: {{ .Deployment.Operator.Namespace }}
 spec:
   replicas: 1
   template:
     metadata:
       labels:
-        name: {{ .Deployment.OperatorName }}
+        name: {{ .Deployment.OperatorDeploymentName }}
     spec:
       containers:
       - name: operator

manifests/templates/deployment/rbac.yaml

@@ -1,59 +1,73 @@
 {{- if .RBAC -}}
+## Cluster role granting access to ArangoDeployment resources.
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: {{ .Deployment.ClusterRoleName }}
+  name: {{ .Deployment.User.RoleName }}
 rules:
-- apiGroups:
-  - database.arangodb.com
-  resources:
-  - arangodeployments
-  verbs:
-  - "*"
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - services
-  - endpoints
-  - persistentvolumeclaims
-  - events
-  - secrets
-  verbs:
-  - "*"
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  verbs:
-  - "*"
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - storageclasses
-  verbs:
-  - get
-  - list
+- apiGroups: ["database.arangodb.com"]
+  resources: ["arangodeployments"]
+  verbs: ["*"]
 
 ---
 
+## Cluster role granting access to all resources needed by the ArangoDeployment operator.
 apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
+kind: ClusterRole
+metadata:
+  name: {{ .Deployment.Operator.RoleName }}
+rules:
+- apiGroups: ["database.arangodb.com"]
+  resources: ["arangodeployments"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "secrets"]
+  verbs: ["*"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["*"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["get", "list"]
+
+---
+
+## Bind the cluster role granting access to ArangoLocalStorage resources
+## to the default service account of the configured namespace.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: {{ .Deployment.User.RoleBindingName }}
+  namespace: {{ .Deployment.User.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Deployment.User.RoleName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Deployment.User.ServiceAccountName }}
+  namespace: {{ .Deployment.User.Namespace }}
+
+---
+
+## Bind the cluster role granting access to all resources needed by 
+## the ArangoDeployment operator to the default service account
+## the is being used to run the operator deployment.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
 metadata:
-  name: {{ .Deployment.ClusterRoleBindingName }}
+  name: {{ .Deployment.Operator.RoleBindingName }}
+  namespace: {{ .Deployment.Operator.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ .Deployment.ClusterRoleName }}
+  name: {{ .Deployment.Operator.RoleName }}
 subjects:
 - kind: ServiceAccount
-  name: default
-  namespace: {{ .Deployment.Namespace }}
+  name: {{ .Deployment.Operator.ServiceAccountName }}
+  namespace: {{ .Deployment.Operator.Namespace }}
 
 {{- end -}}

manifests/templates/storage/deployment.yaml

@@ -1,16 +1,25 @@
+## Service accounts
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ .Storage.Operator.Namespace }}
+  name: {{ .Storage.Operator.ServiceAccountName }}
+
+---
 
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
-  name: {{ .Storage.OperatorName }}
-  namespace: {{ .Storage.Namespace }}
+  name: {{ .Storage.OperatorDeploymentName }}
+  namespace: {{ .Storage.Operator.Namespace }}
 spec:
   replicas: 1
   template:
     metadata:
       labels:
-        name: {{ .Storage.OperatorName }}
+        name: {{ .Storage.OperatorDeploymentName }}
     spec:
+      serviceAccountName: {{ .Storage.Operator.ServiceAccountName }}
       containers:
       - name: operator
         imagePullPolicy: {{ .ImagePullPolicy }}

manifests/templates/storage/rbac.yaml

@@ -1,56 +1,75 @@
 
 {{- if .RBAC -}}
+## Cluster role granting access to ArangoLocalStorage resources.
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: {{ .Storage.ClusterRoleName }}
+  name: {{ .Storage.User.RoleName }}
 rules:
-- apiGroups:
-  - storage.arangodb.com
-  resources:
-  - arangolocalstorages
-  verbs:
-  - "*"
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumes
-  - persistentvolumeclaims
-  - events
-  verbs:
-  - "*"
-- apiGroups:
-  - apps
-  resources:
-  - daemonsets
-  verbs:
-  - "*"
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - storageclasses
-  verbs:
-  - "*"
+- apiGroups: ["storage.arangodb.com"]
+  resources: ["arangolocalstorages"]
+  verbs: ["*"]
 
 ---
 
+## Cluster role granting access to all resources needed by the ArangoLocalStorage operator.
 apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
-  name: {{ .Storage.ClusterRoleBindingName }}
+  name: {{ .Storage.Operator.RoleName }}
+rules:
+- apiGroups: ["storage.arangodb.com"]
+  resources: ["arangolocalstorages"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["persistentvolumes", "persistentvolumeclaims", "endpoints", "events", "services"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  verbs: ["*"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["*"]
+
+---
+
+## Bind the cluster role granting access to ArangoLocalStorage resources
+## to the default service account of the configured namespace.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: {{ .Storage.User.RoleBindingName }}
+  namespace: {{ .Storage.User.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ .Storage.ClusterRoleName }}
+  name: {{ .Storage.User.RoleName }}
 subjects:
 - kind: ServiceAccount
-  name: default
-  namespace: {{ .Storage.Namespace }}
+  name: {{ .Storage.User.ServiceAccountName }}
+  namespace: {{ .Storage.User.Namespace }}
+
+---
 
-{{- end -}}
+## Bind the cluster role granting access to all resources needed by 
+## the ArangoLocalStorage operator to the default service account
+## the is being used to run the operator deployment.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Storage.Operator.RoleBindingName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Storage.Operator.RoleName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Storage.Operator.ServiceAccountName }}
+  namespace: {{ .Storage.Operator.Namespace }}
+{{- end -}}

pkg/apis/storage/v1alpha/local_storage.go

@@ -38,6 +38,7 @@ type ArangoLocalStorageList struct {
 }
 
 // +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // ArangoLocalStorage contains the entire Kubernetes info for an ArangoDB

pkg/generated/clientset/versioned/typed/storage/v1alpha/arangolocalstorage.go

@@ -31,7 +31,7 @@ import (
 // ArangoLocalStoragesGetter has a method to return a ArangoLocalStorageInterface.
 // A group's client should implement this interface.
 type ArangoLocalStoragesGetter interface {
-	ArangoLocalStorages(namespace string) ArangoLocalStorageInterface
+	ArangoLocalStorages() ArangoLocalStorageInterface
 }
 
 // ArangoLocalStorageInterface has methods to work with ArangoLocalStorage resources.
@@ -51,22 +51,19 @@ type ArangoLocalStorageInterface interface {
 // arangoLocalStorages implements ArangoLocalStorageInterface
 type arangoLocalStorages struct {
 	client rest.Interface
-	ns     string
 }
 
 // newArangoLocalStorages returns a ArangoLocalStorages
-func newArangoLocalStorages(c *StorageV1alphaClient, namespace string) *arangoLocalStorages {
+func newArangoLocalStorages(c *StorageV1alphaClient) *arangoLocalStorages {
 	return &arangoLocalStorages{
 		client: c.RESTClient(),
-		ns:     namespace,
 	}
 }
 
 // Get takes name of the arangoLocalStorage, and returns the corresponding arangoLocalStorage object, and an error if there is any.
 func (c *arangoLocalStorages) Get(name string, options v1.GetOptions) (result *v1alpha.ArangoLocalStorage, err error) {
 	result = &v1alpha.ArangoLocalStorage{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("arangolocalstorages").
 		Name(name).
 		VersionedParams(&options, scheme.ParameterCodec).
@@ -79,7 +76,6 @@ func (c *arangoLocalStorages) Get(name string, options v1.GetOptions) (result *v
 func (c *arangoLocalStorages) List(opts v1.ListOptions) (result *v1alpha.ArangoLocalStorageList, err error) {
 	result = &v1alpha.ArangoLocalStorageList{}
 	err = c.client.Get().
-		Namespace(c.ns).
 		Resource("arangolocalstorages").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Do().
@@ -91,7 +87,6 @@ func (c *arangoLocalStorages) List(opts v1.ListOptions) (result *v1alpha.ArangoL
 func (c *arangoLocalStorages) Watch(opts v1.ListOptions) (watch.Interface, error) {
 	opts.Watch = true
 	return c.client.Get().
-		Namespace(c.ns).
 		Resource("arangolocalstorages").
 		VersionedParams(&opts, scheme.ParameterCodec).
 		Watch()
@@ -101,7 +96,6 @@ func (c *arangoLocalStorages) Watch(opts v1.ListOptions) (watch.Interface, error
 func (c *arangoLocalStorages) Create(arangoLocalStorage *v1alpha.ArangoLocalStorage) (result *v1alpha.ArangoLocalStorage, err error) {
 	result = &v1alpha.ArangoLocalStorage{}
 	err = c.client.Post().
-		Namespace(c.ns).
 		Resource("arangolocalstorages").
 		Body(arangoLocalStorage).
 		Do().
@@ -113,7 +107,6 @@ func (c *arangoLocalStorages) Create(arangoLocalStorage *v1alpha.ArangoLocalStor
 func (c *arangoLocalStorages) Update(arangoLocalStorage *v1alpha.ArangoLocalStorage) (result *v1alpha.ArangoLocalStorage, err error) {
 	result = &v1alpha.ArangoLocalStorage{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("arangolocalstorages").
 		Name(arangoLocalStorage.Name).
 		Body(arangoLocalStorage).
@@ -128,7 +121,6 @@ func (c *arangoLocalStorages) Update(arangoLocalStorage *v1alpha.ArangoLocalStor
 func (c *arangoLocalStorages) UpdateStatus(arangoLocalStorage *v1alpha.ArangoLocalStorage) (result *v1alpha.ArangoLocalStorage, err error) {
 	result = &v1alpha.ArangoLocalStorage{}
 	err = c.client.Put().
-		Namespace(c.ns).
 		Resource("arangolocalstorages").
 		Name(arangoLocalStorage.Name).
 		SubResource("status").
@@ -141,7 +133,6 @@ func (c *arangoLocalStorages) UpdateStatus(arangoLocalStorage *v1alpha.ArangoLoc
 // Delete takes name of the arangoLocalStorage and deletes it. Returns an error if one occurs.
 func (c *arangoLocalStorages) Delete(name string, options *v1.DeleteOptions) error {
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("arangolocalstorages").
 		Name(name).
 		Body(options).
@@ -152,7 +143,6 @@ func (c *arangoLocalStorages) Delete(name string, options *v1.DeleteOptions) err
 // DeleteCollection deletes a collection of objects.
 func (c *arangoLocalStorages) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
 	return c.client.Delete().
-		Namespace(c.ns).
 		Resource("arangolocalstorages").
 		VersionedParams(&listOptions, scheme.ParameterCodec).
 		Body(options).
@@ -164,7 +154,6 @@ func (c *arangoLocalStorages) DeleteCollection(options *v1.DeleteOptions, listOp
 func (c *arangoLocalStorages) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha.ArangoLocalStorage, err error) {
 	result = &v1alpha.ArangoLocalStorage{}
 	err = c.client.Patch(pt).
-		Namespace(c.ns).
 		Resource("arangolocalstorages").
 		SubResource(subresources...).
 		Name(name).