diff options
Diffstat (limited to 'certServiceK8sExternalProvider/deploy/roles.yaml')
| -rw-r--r-- | certServiceK8sExternalProvider/deploy/roles.yaml | 310 |
1 files changed, 310 insertions, 0 deletions
diff --git a/certServiceK8sExternalProvider/deploy/roles.yaml b/certServiceK8sExternalProvider/deploy/roles.yaml new file mode 100644 index 00000000..5025e11e --- /dev/null +++ b/certServiceK8sExternalProvider/deploy/roles.yaml @@ -0,0 +1,310 @@ +# ============LICENSE_START======================================================= +# oom-certservice-k8s-external-provider +# ================================================================================ +# Copyright (c) 2019 Smallstep Labs, Inc. +# Modifications copyright (C) 2020 Nokia. All rights reserved. +# ================================================================================ +# This source code was copied from the following git repository: +# https://github.com/smallstep/step-issuer +# The source code was modified for usage in the ONAP project. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +# + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: certserviceissuers.certmanager.onap.org +spec: + group: certmanager.onap.org + names: + kind: CertServiceIssuer + listKind: CertServiceIssuerList + plural: certserviceissuers + singular: certserviceissuer + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: CertServiceIssuer is the Schema for the certserviceissuers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertServiceIssuerSpec defines the desired state of CertServiceIssuer + properties: + caBundle: + description: CABundle is a base64 encoded TLS certificate used to verify + connections to the certservice certificates server. If not set the system + root certificates are used to validate the TLS connection. + format: byte + type: string + provisioner: + description: Provisioner contains the certservice certificates provisioner + configuration. + properties: + kid: + description: KeyID is the kid property of the JWK provisioner. + type: string + name: + description: Names is the name of the JWK provisioner. + type: string + passwordRef: + description: PasswordRef is a reference to a Secret containing the + provisioner password used to decrypt the provisioner private key. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: The name of the secret in the pod's namespace to + select from. + type: string + required: + - name + type: object + required: + - kid + - name + - passwordRef + type: object + url: + description: URL is the base URL for the certservice certificates instance. + type: string + required: + - provisioner + - url + type: object + status: + description: CertServiceIssuerStatus defines the observed state of CertServiceIssuer + properties: + conditions: + items: + description: CertServiceIssuerCondition contains condition information for + the certservice issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + allOf: + - enum: + - "True" + - "False" + - Unknown + - enum: + - "True" + - "False" + - Unknown + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + type: + description: Type of the condition, currently ('Ready'). + enum: + - Ready + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: certservice-issuer-leader-election-role + namespace: onap +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch + - apiGroups: + - "" + resources: + - events + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: certservice-issuer-manager-role +rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - certificaterequests + verbs: + - get + - list + - update + - watch + - apiGroups: + - cert-manager.io + resources: + - certificaterequests/status + verbs: + - get + - patch + - update + - apiGroups: + - certmanager.onap.org + resources: + - certserviceissuers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - certmanager.onap.org + resources: + - certserviceissuers/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: certservice-issuer-proxy-role +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: certservice-issuer-leader-election-rolebinding + namespace: onap +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: certservice-issuer-leader-election-role +subjects: + - kind: ServiceAccount + name: default + namespace: onap +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: certservice-issuer-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: certservice-issuer-manager-role +subjects: + - kind: ServiceAccount + name: default + namespace: onap +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: certservice-issuer-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: certservice-issuer-proxy-role +subjects: + - kind: ServiceAccount + name: default + namespace: onap |