lerentis/bitwarden-crd-operator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 18 Wiki Activity

getting started with kubebuilder

Browse Source
This commit is contained in:
Tobias Trabelsi
2025-03-19 22:21:54 +01:00
parent 3b98f9aced
commit fbfe7b9986
69 changed files with 4066 additions and 217 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
config/crd/bases/lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu_bitwardensecrets.yaml Normal file
View File

@ -0,0 +1,54 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.2
name: bitwardensecrets.lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
spec:
group: lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
names:
kind: BitwardenSecret
listKind: BitwardenSecretList
plural: bitwardensecrets
singular: bitwardensecret
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: BitwardenSecret is the Schema for the bitwardensecrets API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: BitwardenSecretSpec defines the desired state of BitwardenSecret.
properties:
foo:
description: Foo is an example field of BitwardenSecret. Edit bitwardensecret_types.go
to remove/update
type: string
type: object
status:
description: BitwardenSecretStatus defines the observed state of BitwardenSecret.
type: object
type: object
served: true
storage: true
subresources:
status: {}

54
config/crd/bases/lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu_bitwardentemplates.yaml Normal file
View File

@ -0,0 +1,54 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.2
name: bitwardentemplates.lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
spec:
group: lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
names:
kind: BitwardenTemplate
listKind: BitwardenTemplateList
plural: bitwardentemplates
singular: bitwardentemplate
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: BitwardenTemplate is the Schema for the bitwardentemplates API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: BitwardenTemplateSpec defines the desired state of BitwardenTemplate.
properties:
foo:
description: Foo is an example field of BitwardenTemplate. Edit bitwardentemplate_types.go
to remove/update
type: string
type: object
status:
description: BitwardenTemplateStatus defines the observed state of BitwardenTemplate.
type: object
type: object
served: true
storage: true
subresources:
status: {}

55
config/crd/bases/lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu_registrycredentials.yaml Normal file
View File

@ -0,0 +1,55 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.2
name: registrycredentials.lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
spec:
group: lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
names:
kind: RegistryCredential
listKind: RegistryCredentialList
plural: registrycredentials
singular: registrycredential
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: RegistryCredential is the Schema for the registrycredentials
API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: RegistryCredentialSpec defines the desired state of RegistryCredential.
properties:
foo:
description: Foo is an example field of RegistryCredential. Edit registrycredential_types.go
to remove/update
type: string
type: object
status:
description: RegistryCredentialStatus defines the observed state of RegistryCredential.
type: object
type: object
served: true
storage: true
subresources:
status: {}

18
config/crd/kustomization.yaml Normal file
View File

@ -0,0 +1,18 @@
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu_bitwardensecrets.yaml
- bases/lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu_bitwardentemplates.yaml
- bases/lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu_registrycredentials.yaml
# +kubebuilder:scaffold:crdkustomizeresource
patches:
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
# patches here are for enabling the conversion webhook for each CRD
# +kubebuilder:scaffold:crdkustomizewebhookpatch
# [WEBHOOK] To enable webhook, uncomment the following section
# the following config is for teaching kustomize how to do kustomization for CRDs.
#configurations:
#- kustomizeconfig.yaml

19
config/crd/kustomizeconfig.yaml Normal file
View File

@ -0,0 +1,19 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
version: v1
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/name
namespace:
- kind: CustomResourceDefinition
version: v1
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations

30
config/default/cert_metrics_manager_patch.yaml Normal file
View File

@ -0,0 +1,30 @@
# This patch adds the args, volumes, and ports to allow the manager to use the metrics-server certs.
# Add the volumeMount for the metrics-server certs
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value:
mountPath: /tmp/k8s-metrics-server/metrics-certs
name: metrics-certs
readOnly: true
# Add the --metrics-cert-path argument for the metrics server
- op: add
path: /spec/template/spec/containers/0/args/-
value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs
# Add the metrics-server certs volume configuration
- op: add
path: /spec/template/spec/volumes/-
value:
name: metrics-certs
secret:
secretName: metrics-server-cert
optional: false
items:
- key: ca.crt
path: ca.crt
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key

234
config/default/kustomization.yaml Normal file
View File

@ -0,0 +1,234 @@
# Adds namespace to all resources.
namespace: new-system
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: new-
# Labels to add to all resources and selectors.
#labels:
#- includeSelectors: true
# pairs:
# someName: someValue
resources:
- ../crd
- ../rbac
- ../manager
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- ../webhook
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
#- ../certmanager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
# [METRICS] Expose the controller manager metrics service.
- metrics_service.yaml
# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy.
# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics.
# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will
# be able to communicate with the Webhook Server.
#- ../network-policy
# Uncomment the patches line if you enable Metrics
patches:
# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
# More info: https://book.kubebuilder.io/reference/metrics
- path: manager_metrics_patch.yaml
target:
kind: Deployment
# Uncomment the patches line if you enable Metrics and CertManager
# [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line.
# This patch will protect the metrics with certManager self-signed certs.
#- path: cert_metrics_manager_patch.yaml
# target:
# kind: Deployment
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- path: manager_webhook_patch.yaml
# target:
# kind: Deployment
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
# Uncomment the following replacements to add the cert-manager CA injection annotations
#replacements:
# - source: # Uncomment the following block to enable certificates for metrics
# kind: Service
# version: v1
# name: controller-manager-metrics-service
# fieldPath: metadata.name
# targets:
# - select:
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: metrics-certs
# fieldPaths:
# - spec.dnsNames.0
# - spec.dnsNames.1
# options:
# delimiter: '.'
# index: 0
# create: true
# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor
# kind: ServiceMonitor
# group: monitoring.coreos.com
# version: v1
# name: controller-manager-metrics-monitor
# fieldPaths:
# - spec.endpoints.0.tlsConfig.serverName
# options:
# delimiter: '.'
# index: 0
# create: true
#
# - source:
# kind: Service
# version: v1
# name: controller-manager-metrics-service
# fieldPath: metadata.namespace
# targets:
# - select:
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: metrics-certs
# fieldPaths:
# - spec.dnsNames.0
# - spec.dnsNames.1
# options:
# delimiter: '.'
# index: 1
# create: true
# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
# kind: ServiceMonitor
# group: monitoring.coreos.com
# version: v1
# name: controller-manager-metrics-monitor
# fieldPaths:
# - spec.endpoints.0.tlsConfig.serverName
# options:
# delimiter: '.'
# index: 1
# create: true
#
# - source: # Uncomment the following block if you have any webhook
# kind: Service
# version: v1
# name: webhook-service
# fieldPath: .metadata.name # Name of the service
# targets:
# - select:
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: serving-cert
# fieldPaths:
# - .spec.dnsNames.0
# - .spec.dnsNames.1
# options:
# delimiter: '.'
# index: 0
# create: true
# - source:
# kind: Service
# version: v1
# name: webhook-service
# fieldPath: .metadata.namespace # Namespace of the service
# targets:
# - select:
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: serving-cert
# fieldPaths:
# - .spec.dnsNames.0
# - .spec.dnsNames.1
# options:
# delimiter: '.'
# index: 1
# create: true
#
# - source: # Uncomment the following block if you have a ValidatingWebhook (--programmatic-validation)
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: serving-cert # This name should match the one in certificate.yaml
# fieldPath: .metadata.namespace # Namespace of the certificate CR
# targets:
# - select:
# kind: ValidatingWebhookConfiguration
# fieldPaths:
# - .metadata.annotations.[cert-manager.io/inject-ca-from]
# options:
# delimiter: '/'
# index: 0
# create: true
# - source:
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: serving-cert
# fieldPath: .metadata.name
# targets:
# - select:
# kind: ValidatingWebhookConfiguration
# fieldPaths:
# - .metadata.annotations.[cert-manager.io/inject-ca-from]
# options:
# delimiter: '/'
# index: 1
# create: true
#
# - source: # Uncomment the following block if you have a DefaultingWebhook (--defaulting )
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: serving-cert
# fieldPath: .metadata.namespace # Namespace of the certificate CR
# targets:
# - select:
# kind: MutatingWebhookConfiguration
# fieldPaths:
# - .metadata.annotations.[cert-manager.io/inject-ca-from]
# options:
# delimiter: '/'
# index: 0
# create: true
# - source:
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: serving-cert
# fieldPath: .metadata.name
# targets:
# - select:
# kind: MutatingWebhookConfiguration
# fieldPaths:
# - .metadata.annotations.[cert-manager.io/inject-ca-from]
# options:
# delimiter: '/'
# index: 1
# create: true
#
# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: serving-cert
# fieldPath: .metadata.namespace # Namespace of the certificate CR
# targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
# +kubebuilder:scaffold:crdkustomizecainjectionns
# - source:
# kind: Certificate
# group: cert-manager.io
# version: v1
# name: serving-cert
# fieldPath: .metadata.name
# targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
# +kubebuilder:scaffold:crdkustomizecainjectionname

4
config/default/manager_metrics_patch.yaml Normal file
View File

@ -0,0 +1,4 @@
# This patch adds the args to allow exposing the metrics endpoint using HTTPS
- op: add
path: /spec/template/spec/containers/0/args/0
value: --metrics-bind-address=:8443

18
config/default/metrics_service.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: controller-manager-metrics-service
namespace: system
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: 8443
selector:
control-plane: controller-manager
app.kubernetes.io/name: new

2
config/manager/kustomization.yaml Normal file
View File

@ -0,0 +1,2 @@
resources:
- manager.yaml

98
config/manager/manager.yaml Normal file
View File

@ -0,0 +1,98 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
spec:
selector:
matchLabels:
control-plane: controller-manager
app.kubernetes.io/name: new
replicas: 1
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
control-plane: controller-manager
app.kubernetes.io/name: new
spec:
# TODO(user): Uncomment the following code to configure the nodeAffinity expression
# according to the platforms which are supported by your solution.
# It is considered best practice to support multiple architectures. You can
# build your manager image using the makefile target docker-buildx.
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: kubernetes.io/arch
# operator: In
# values:
# - amd64
# - arm64
# - ppc64le
# - s390x
# - key: kubernetes.io/os
# operator: In
# values:
# - linux
securityContext:
# Projects are configured by default to adhere to the "restricted" Pod Security Standards.
# This ensures that deployments meet the highest security requirements for Kubernetes.
# For more details, see: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- command:
- /manager
args:
- --leader-elect
- --health-probe-bind-address=:8081
image: controller:latest
name: manager
ports: []
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
# TODO(user): Configure the resources accordingly based on the project requirements.
# More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
volumeMounts: []
volumes: []
serviceAccountName: controller-manager
terminationGracePeriodSeconds: 10

27
config/network-policy/allow-metrics-traffic.yaml Normal file
View File

@ -0,0 +1,27 @@
# This NetworkPolicy allows ingress traffic
# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those
# namespaces are able to gather data from the metrics endpoint.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: allow-metrics-traffic
namespace: system
spec:
podSelector:
matchLabels:
control-plane: controller-manager
app.kubernetes.io/name: new
policyTypes:
- Ingress
ingress:
# This allows ingress traffic from any namespace with the label metrics: enabled
- from:
- namespaceSelector:
matchLabels:
metrics: enabled # Only from namespaces with this label
ports:
- port: 8443
protocol: TCP

2
config/network-policy/kustomization.yaml Normal file
View File

@ -0,0 +1,2 @@
resources:
- allow-metrics-traffic.yaml

11
config/prometheus/kustomization.yaml Normal file
View File

@ -0,0 +1,11 @@
resources:
- monitor.yaml
# [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus
# to securely reference certificates created and managed by cert-manager.
# Additionally, ensure that you uncomment the [METRICS WITH CERTMANAGER] patch under config/default/kustomization.yaml
# to mount the "metrics-server-cert" secret in the Manager Deployment.
#patches:
# - path: monitor_tls_patch.yaml
# target:
# kind: ServiceMonitor

27
config/prometheus/monitor.yaml Normal file
View File

@ -0,0 +1,27 @@
# Prometheus Monitor Service (Metrics)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: controller-manager-metrics-monitor
namespace: system
spec:
endpoints:
- path: /metrics
port: https # Ensure this is the name of the port that exposes HTTPS metrics
scheme: https
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
tlsConfig:
# TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables
# certificate verification, exposing the system to potential man-in-the-middle attacks.
# For production environments, it is recommended to use cert-manager for automatic TLS certificate management.
# To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml,
# which securely references the certificate from the 'metrics-server-cert' secret.
insecureSkipVerify: true
selector:
matchLabels:
control-plane: controller-manager
app.kubernetes.io/name: new

19
config/prometheus/monitor_tls_patch.yaml Normal file
View File

@ -0,0 +1,19 @@
# Patch for Prometheus ServiceMonitor to enable secure TLS configuration
# using certificates managed by cert-manager
- op: replace
path: /spec/endpoints/0/tlsConfig
value:
# SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
insecureSkipVerify: false
ca:
secret:
name: metrics-server-cert
key: ca.crt
cert:
secret:
name: metrics-server-cert
key: tls.crt
keySecret:
name: metrics-server-cert
key: tls.key

27
config/rbac/bitwardensecret_admin_role.yaml Normal file
View File

@ -0,0 +1,27 @@
# This rule is not used by the project new itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Grants full permissions ('*') over lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu.
# This role is intended for users authorized to modify roles and bindings within the cluster,
# enabling them to delegate specific permissions to other users or groups as needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: bitwardensecret-admin-role
rules:
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardensecrets
verbs:
- '*'
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardensecrets/status
verbs:
- get

33
config/rbac/bitwardensecret_editor_role.yaml Normal file
View File

@ -0,0 +1,33 @@
# This rule is not used by the project new itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Grants permissions to create, update, and delete resources within the lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu.
# This role is intended for users who need to manage these resources
# but should not control RBAC or manage permissions for others.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: bitwardensecret-editor-role
rules:
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardensecrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardensecrets/status
verbs:
- get

29
config/rbac/bitwardensecret_viewer_role.yaml Normal file
View File

@ -0,0 +1,29 @@
# This rule is not used by the project new itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Grants read-only access to lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu resources.
# This role is intended for users who need visibility into these resources
# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: bitwardensecret-viewer-role
rules:
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardensecrets
verbs:
- get
- list
- watch
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardensecrets/status
verbs:
- get

27
config/rbac/bitwardentemplate_admin_role.yaml Normal file
View File

@ -0,0 +1,27 @@
# This rule is not used by the project new itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Grants full permissions ('*') over lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu.
# This role is intended for users authorized to modify roles and bindings within the cluster,
# enabling them to delegate specific permissions to other users or groups as needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: bitwardentemplate-admin-role
rules:
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardentemplates
verbs:
- '*'
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardentemplates/status
verbs:
- get

33
config/rbac/bitwardentemplate_editor_role.yaml Normal file
View File

@ -0,0 +1,33 @@
# This rule is not used by the project new itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Grants permissions to create, update, and delete resources within the lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu.
# This role is intended for users who need to manage these resources
# but should not control RBAC or manage permissions for others.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: bitwardentemplate-editor-role
rules:
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardentemplates
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardentemplates/status
verbs:
- get

29
config/rbac/bitwardentemplate_viewer_role.yaml Normal file
View File

@ -0,0 +1,29 @@
# This rule is not used by the project new itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Grants read-only access to lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu resources.
# This role is intended for users who need visibility into these resources
# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: bitwardentemplate-viewer-role
rules:
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardentemplates
verbs:
- get
- list
- watch
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardentemplates/status
verbs:
- get

34
config/rbac/kustomization.yaml Normal file
View File

@ -0,0 +1,34 @@
resources:
# All RBAC will be applied under this service account in
# the deployment namespace. You may comment out this resource
# if your manager will use a service account that exists at
# runtime. Be sure to update RoleBinding and ClusterRoleBinding
# subjects if changing service account names.
- service_account.yaml
- role.yaml
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# The following RBAC configurations are used to protect
# the metrics endpoint with authn/authz. These configurations
# ensure that only authorized users and service accounts
# can access the metrics endpoint. Comment the following
# permissions if you want to disable this protection.
# More info: https://book.kubebuilder.io/reference/metrics.html
- metrics_auth_role.yaml
- metrics_auth_role_binding.yaml
- metrics_reader_role.yaml
# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by
# default, aiding admins in cluster management. Those roles are
# not used by the {{ .ProjectName }} itself. You can comment the following lines
# if you do not want those helpers be installed with your Project.
- registrycredential_admin_role.yaml
- registrycredential_editor_role.yaml
- registrycredential_viewer_role.yaml
- bitwardentemplate_admin_role.yaml
- bitwardentemplate_editor_role.yaml
- bitwardentemplate_viewer_role.yaml
- bitwardensecret_admin_role.yaml
- bitwardensecret_editor_role.yaml
- bitwardensecret_viewer_role.yaml

40
config/rbac/leader_election_role.yaml Normal file
View File

@ -0,0 +1,40 @@
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch

15
config/rbac/leader_election_role_binding.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system

17
config/rbac/metrics_auth_role.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: metrics-auth-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create

12
config/rbac/metrics_auth_role_binding.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metrics-auth-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: metrics-auth-role
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system

9
config/rbac/metrics_reader_role.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: metrics-reader
rules:
- nonResourceURLs:
- "/metrics"
verbs:
- get

27
config/rbac/registrycredential_admin_role.yaml Normal file
View File

@ -0,0 +1,27 @@
# This rule is not used by the project new itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Grants full permissions ('*') over lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu.
# This role is intended for users authorized to modify roles and bindings within the cluster,
# enabling them to delegate specific permissions to other users or groups as needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: registrycredential-admin-role
rules:
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- registrycredentials
verbs:
- '*'
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- registrycredentials/status
verbs:
- get

33
config/rbac/registrycredential_editor_role.yaml Normal file
View File

@ -0,0 +1,33 @@
# This rule is not used by the project new itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Grants permissions to create, update, and delete resources within the lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu.
# This role is intended for users who need to manage these resources
# but should not control RBAC or manage permissions for others.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: registrycredential-editor-role
rules:
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- registrycredentials
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- registrycredentials/status
verbs:
- get

29
config/rbac/registrycredential_viewer_role.yaml Normal file
View File

@ -0,0 +1,29 @@
# This rule is not used by the project new itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Grants read-only access to lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu resources.
# This role is intended for users who need visibility into these resources
# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: registrycredential-viewer-role
rules:
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- registrycredentials
verbs:
- get
- list
- watch
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- registrycredentials/status
verbs:
- get

38
config/rbac/role.yaml Normal file
View File

@ -0,0 +1,38 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: manager-role
rules:
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardensecrets
- bitwardentemplates
- registrycredentials
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardensecrets/finalizers
- bitwardentemplates/finalizers
- registrycredentials/finalizers
verbs:
- update
- apiGroups:
- lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu
resources:
- bitwardensecrets/status
- bitwardentemplates/status
- registrycredentials/status
verbs:
- get
- patch
- update

15
config/rbac/role_binding.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system

8
config/rbac/service_account.yaml Normal file
View File

@ -0,0 +1,8 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: controller-manager
namespace: system

6
config/samples/kustomization.yaml Normal file
View File

@ -0,0 +1,6 @@
## Append samples of your project ##
resources:
- lerentis.uploadfilter24.eu_v1_bitwardensecret.yaml
- lerentis.uploadfilter24.eu_v1_bitwardentemplate.yaml
- lerentis.uploadfilter24.eu_v1_registrycredential.yaml
# +kubebuilder:scaffold:manifestskustomizesamples

9
config/samples/lerentis.uploadfilter24.eu_v1_bitwardensecret.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu/v1
kind: BitwardenSecret
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: bitwardensecret-sample
spec:
# TODO(user): Add fields here

9
config/samples/lerentis.uploadfilter24.eu_v1_bitwardentemplate.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu/v1
kind: BitwardenTemplate
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: bitwardentemplate-sample
spec:
# TODO(user): Add fields here

9
config/samples/lerentis.uploadfilter24.eu_v1_registrycredential.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: lerentis.uploadfilter24.eu.lerentis.uploadfilter24.eu/v1
kind: RegistryCredential
metadata:
labels:
app.kubernetes.io/name: new
app.kubernetes.io/managed-by: kustomize
name: registrycredential-sample
spec:
# TODO(user): Add fields here