Skip to content

Commit c7a386a

Browse files
philipgoughphilipgough
authored
mage:operator add labels to cluster roles (#762)
1 parent 1308082 commit c7a386a

File tree

2 files changed

+96
-72
lines changed

2 files changed

+96
-72
lines changed

magefiles/operator.go

+84-72
Original file line numberDiff line numberDiff line change
@@ -217,12 +217,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
217217
ObjectMeta: metav1.ObjectMeta{
218218
Name: "thanos-operator-manager-role",
219219
Labels: map[string]string{
220-
"app.kubernetes.io/component": "rbac",
221-
"app.kubernetes.io/created-by": "thanos-operator",
222-
"app.kubernetes.io/instance": "manager-role",
223-
"app.kubernetes.io/managed-by": "rhobs",
224-
"app.kubernetes.io/name": "clusterrole",
225-
"app.kubernetes.io/part-of": "thanos-operator",
220+
"app.kubernetes.io/component": "rbac",
221+
"app.kubernetes.io/created-by": "thanos-operator",
222+
"app.kubernetes.io/instance": "manager-role",
223+
"app.kubernetes.io/managed-by": "rhobs",
224+
"app.kubernetes.io/name": "clusterrole",
225+
"app.kubernetes.io/part-of": "thanos-operator",
226+
"rbac.authorization.k8s.io/aggregate-to-admin": "true",
226227
},
227228
},
228229
Rules: []rbacv1.PolicyRule{
@@ -295,12 +296,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
295296
ObjectMeta: metav1.ObjectMeta{
296297
Name: "thanos-operator-metrics-reader",
297298
Labels: map[string]string{
298-
"app.kubernetes.io/component": "kube-rbac-proxy",
299-
"app.kubernetes.io/created-by": "thanos-operator",
300-
"app.kubernetes.io/instance": "metrics-reader",
301-
"app.kubernetes.io/managed-by": "rhobs",
302-
"app.kubernetes.io/name": "clusterrole",
303-
"app.kubernetes.io/part-of": "thanos-operator",
299+
"app.kubernetes.io/component": "kube-rbac-proxy",
300+
"app.kubernetes.io/created-by": "thanos-operator",
301+
"app.kubernetes.io/instance": "metrics-reader",
302+
"app.kubernetes.io/managed-by": "rhobs",
303+
"app.kubernetes.io/name": "clusterrole",
304+
"app.kubernetes.io/part-of": "thanos-operator",
305+
"rbac.authorization.k8s.io/aggregate-to-view": "true",
304306
},
305307
},
306308
Rules: []rbacv1.PolicyRule{
@@ -351,12 +353,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
351353
ObjectMeta: metav1.ObjectMeta{
352354
Name: "thanos-operator-thanosquery-editor-role",
353355
Labels: map[string]string{
354-
"app.kubernetes.io/component": "rbac",
355-
"app.kubernetes.io/created-by": "thanos-operator",
356-
"app.kubernetes.io/instance": "thanosquery-editor-role",
357-
"app.kubernetes.io/managed-by": "rhobs",
358-
"app.kubernetes.io/name": "clusterrole",
359-
"app.kubernetes.io/part-of": "thanos-operator",
356+
"app.kubernetes.io/component": "rbac",
357+
"app.kubernetes.io/created-by": "thanos-operator",
358+
"app.kubernetes.io/instance": "thanosquery-editor-role",
359+
"app.kubernetes.io/managed-by": "rhobs",
360+
"app.kubernetes.io/name": "clusterrole",
361+
"app.kubernetes.io/part-of": "thanos-operator",
362+
"rbac.authorization.k8s.io/aggregate-to-edit": "true",
360363
},
361364
},
362365
Rules: []rbacv1.PolicyRule{
@@ -382,12 +385,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
382385
ObjectMeta: metav1.ObjectMeta{
383386
Name: "thanos-operator-thanosquery-viewer-role",
384387
Labels: map[string]string{
385-
"app.kubernetes.io/component": "rbac",
386-
"app.kubernetes.io/created-by": "thanos-operator",
387-
"app.kubernetes.io/instance": "thanosquery-viewer-role",
388-
"app.kubernetes.io/managed-by": "rhobs",
389-
"app.kubernetes.io/name": "clusterrole",
390-
"app.kubernetes.io/part-of": "thanos-operator",
388+
"app.kubernetes.io/component": "rbac",
389+
"app.kubernetes.io/created-by": "thanos-operator",
390+
"app.kubernetes.io/instance": "thanosquery-viewer-role",
391+
"app.kubernetes.io/managed-by": "rhobs",
392+
"app.kubernetes.io/name": "clusterrole",
393+
"app.kubernetes.io/part-of": "thanos-operator",
394+
"rbac.authorization.k8s.io/aggregate-to-view": "true",
391395
},
392396
},
393397
Rules: []rbacv1.PolicyRule{
@@ -413,12 +417,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
413417
ObjectMeta: metav1.ObjectMeta{
414418
Name: "thanos-operator-thanoscompact-editor-role",
415419
Labels: map[string]string{
416-
"app.kubernetes.io/component": "rbac",
417-
"app.kubernetes.io/created-by": "thanos-operator",
418-
"app.kubernetes.io/instance": "thanoscompact-editor-role",
419-
"app.kubernetes.io/managed-by": "rhobs",
420-
"app.kubernetes.io/name": "clusterrole",
421-
"app.kubernetes.io/part-of": "thanos-operator",
420+
"app.kubernetes.io/component": "rbac",
421+
"app.kubernetes.io/created-by": "thanos-operator",
422+
"app.kubernetes.io/instance": "thanoscompact-editor-role",
423+
"app.kubernetes.io/managed-by": "rhobs",
424+
"app.kubernetes.io/name": "clusterrole",
425+
"app.kubernetes.io/part-of": "thanos-operator",
426+
"rbac.authorization.k8s.io/aggregate-to-edit": "true",
422427
},
423428
},
424429
Rules: []rbacv1.PolicyRule{
@@ -444,12 +449,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
444449
ObjectMeta: metav1.ObjectMeta{
445450
Name: "thanos-operator-thanoscompact-viewer-role",
446451
Labels: map[string]string{
447-
"app.kubernetes.io/component": "rbac",
448-
"app.kubernetes.io/created-by": "thanos-operator",
449-
"app.kubernetes.io/instance": "thanoscompact-viewer-role",
450-
"app.kubernetes.io/managed-by": "rhobs",
451-
"app.kubernetes.io/name": "clusterrole",
452-
"app.kubernetes.io/part-of": "thanos-operator",
452+
"app.kubernetes.io/component": "rbac",
453+
"app.kubernetes.io/created-by": "thanos-operator",
454+
"app.kubernetes.io/instance": "thanoscompact-viewer-role",
455+
"app.kubernetes.io/managed-by": "rhobs",
456+
"app.kubernetes.io/name": "clusterrole",
457+
"app.kubernetes.io/part-of": "thanos-operator",
458+
"rbac.authorization.k8s.io/aggregate-to-view": "true",
453459
},
454460
},
455461
Rules: []rbacv1.PolicyRule{
@@ -475,12 +481,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
475481
ObjectMeta: metav1.ObjectMeta{
476482
Name: "thanos-operator-thanosreceive-editor-role",
477483
Labels: map[string]string{
478-
"app.kubernetes.io/component": "rbac",
479-
"app.kubernetes.io/created-by": "thanos-operator",
480-
"app.kubernetes.io/instance": "thanosreceive-editor-role",
481-
"app.kubernetes.io/managed-by": "rhobs",
482-
"app.kubernetes.io/name": "clusterrole",
483-
"app.kubernetes.io/part-of": "thanos-operator",
484+
"app.kubernetes.io/component": "rbac",
485+
"app.kubernetes.io/created-by": "thanos-operator",
486+
"app.kubernetes.io/instance": "thanosreceive-editor-role",
487+
"app.kubernetes.io/managed-by": "rhobs",
488+
"app.kubernetes.io/name": "clusterrole",
489+
"app.kubernetes.io/part-of": "thanos-operator",
490+
"rbac.authorization.k8s.io/aggregate-to-edit": "true",
484491
},
485492
},
486493
Rules: []rbacv1.PolicyRule{
@@ -506,12 +513,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
506513
ObjectMeta: metav1.ObjectMeta{
507514
Name: "thanos-operator-thanosreceive-viewer-role",
508515
Labels: map[string]string{
509-
"app.kubernetes.io/component": "rbac",
510-
"app.kubernetes.io/created-by": "thanos-operator",
511-
"app.kubernetes.io/instance": "thanosreceive-viewer-role",
512-
"app.kubernetes.io/managed-by": "rhobs",
513-
"app.kubernetes.io/name": "clusterrole",
514-
"app.kubernetes.io/part-of": "thanos-operator",
516+
"app.kubernetes.io/component": "rbac",
517+
"app.kubernetes.io/created-by": "thanos-operator",
518+
"app.kubernetes.io/instance": "thanosreceive-viewer-role",
519+
"app.kubernetes.io/managed-by": "rhobs",
520+
"app.kubernetes.io/name": "clusterrole",
521+
"app.kubernetes.io/part-of": "thanos-operator",
522+
"rbac.authorization.k8s.io/aggregate-to-view": "true",
515523
},
516524
},
517525
Rules: []rbacv1.PolicyRule{
@@ -537,12 +545,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
537545
ObjectMeta: metav1.ObjectMeta{
538546
Name: "thanos-operator-thanosruler-editor-role",
539547
Labels: map[string]string{
540-
"app.kubernetes.io/component": "rbac",
541-
"app.kubernetes.io/created-by": "thanos-operator",
542-
"app.kubernetes.io/instance": "thanosruler-editor-role",
543-
"app.kubernetes.io/managed-by": "rhobs",
544-
"app.kubernetes.io/name": "clusterrole",
545-
"app.kubernetes.io/part-of": "thanos-operator",
548+
"app.kubernetes.io/component": "rbac",
549+
"app.kubernetes.io/created-by": "thanos-operator",
550+
"app.kubernetes.io/instance": "thanosruler-editor-role",
551+
"app.kubernetes.io/managed-by": "rhobs",
552+
"app.kubernetes.io/name": "clusterrole",
553+
"app.kubernetes.io/part-of": "thanos-operator",
554+
"rbac.authorization.k8s.io/aggregate-to-edit": "true",
546555
},
547556
},
548557
Rules: []rbacv1.PolicyRule{
@@ -568,12 +577,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
568577
ObjectMeta: metav1.ObjectMeta{
569578
Name: "thanos-operator-thanosruler-viewer-role",
570579
Labels: map[string]string{
571-
"app.kubernetes.io/component": "rbac",
572-
"app.kubernetes.io/created-by": "thanos-operator",
573-
"app.kubernetes.io/instance": "thanosruler-viewer-role",
574-
"app.kubernetes.io/managed-by": "rhobs",
575-
"app.kubernetes.io/name": "clusterrole",
576-
"app.kubernetes.io/part-of": "thanos-operator",
580+
"app.kubernetes.io/component": "rbac",
581+
"app.kubernetes.io/created-by": "thanos-operator",
582+
"app.kubernetes.io/instance": "thanosruler-viewer-role",
583+
"app.kubernetes.io/managed-by": "rhobs",
584+
"app.kubernetes.io/name": "clusterrole",
585+
"app.kubernetes.io/part-of": "thanos-operator",
586+
"rbac.authorization.k8s.io/aggregate-to-view": "true",
577587
},
578588
},
579589
Rules: []rbacv1.PolicyRule{
@@ -599,12 +609,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
599609
ObjectMeta: metav1.ObjectMeta{
600610
Name: "thanos-operator-thanosstore-editor-role",
601611
Labels: map[string]string{
602-
"app.kubernetes.io/component": "rbac",
603-
"app.kubernetes.io/created-by": "thanos-operator",
604-
"app.kubernetes.io/instance": "thanosstore-editor-role",
605-
"app.kubernetes.io/managed-by": "rhobs",
606-
"app.kubernetes.io/name": "clusterrole",
607-
"app.kubernetes.io/part-of": "thanos-operator",
612+
"app.kubernetes.io/component": "rbac",
613+
"app.kubernetes.io/created-by": "thanos-operator",
614+
"app.kubernetes.io/instance": "thanosstore-editor-role",
615+
"app.kubernetes.io/managed-by": "rhobs",
616+
"app.kubernetes.io/name": "clusterrole",
617+
"app.kubernetes.io/part-of": "thanos-operator",
618+
"rbac.authorization.k8s.io/aggregate-to-edit": "true",
608619
},
609620
},
610621
Rules: []rbacv1.PolicyRule{
@@ -630,12 +641,13 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
630641
ObjectMeta: metav1.ObjectMeta{
631642
Name: "thanos-operator-thanosstore-viewer-role",
632643
Labels: map[string]string{
633-
"app.kubernetes.io/component": "rbac",
634-
"app.kubernetes.io/created-by": "thanos-operator",
635-
"app.kubernetes.io/instance": "thanosstore-viewer-role",
636-
"app.kubernetes.io/managed-by": "rhobs",
637-
"app.kubernetes.io/name": "clusterrole",
638-
"app.kubernetes.io/part-of": "thanos-operator",
644+
"app.kubernetes.io/component": "rbac",
645+
"app.kubernetes.io/created-by": "thanos-operator",
646+
"app.kubernetes.io/instance": "thanosstore-viewer-role",
647+
"app.kubernetes.io/managed-by": "rhobs",
648+
"app.kubernetes.io/name": "clusterrole",
649+
"app.kubernetes.io/part-of": "thanos-operator",
650+
"rbac.authorization.k8s.io/aggregate-to-view": "true",
639651
},
640652
},
641653
Rules: []rbacv1.PolicyRule{

resources/services/bundle/staging/operator.yaml

+12
Original file line numberDiff line numberDiff line change
@@ -224,6 +224,7 @@ objects:
224224
app.kubernetes.io/managed-by: rhobs
225225
app.kubernetes.io/name: clusterrole
226226
app.kubernetes.io/part-of: thanos-operator
227+
rbac.authorization.k8s.io/aggregate-to-admin: "true"
227228
name: thanos-operator-manager-role
228229
rules:
229230
- apiGroups:
@@ -362,6 +363,7 @@ objects:
362363
app.kubernetes.io/managed-by: rhobs
363364
app.kubernetes.io/name: clusterrole
364365
app.kubernetes.io/part-of: thanos-operator
366+
rbac.authorization.k8s.io/aggregate-to-view: "true"
365367
name: thanos-operator-metrics-reader
366368
rules:
367369
- nonResourceURLs:
@@ -425,6 +427,7 @@ objects:
425427
app.kubernetes.io/managed-by: rhobs
426428
app.kubernetes.io/name: clusterrole
427429
app.kubernetes.io/part-of: thanos-operator
430+
rbac.authorization.k8s.io/aggregate-to-edit: "true"
428431
name: thanos-operator-thanoscompact-editor-role
429432
rules:
430433
- apiGroups:
@@ -456,6 +459,7 @@ objects:
456459
app.kubernetes.io/managed-by: rhobs
457460
app.kubernetes.io/name: clusterrole
458461
app.kubernetes.io/part-of: thanos-operator
462+
rbac.authorization.k8s.io/aggregate-to-view: "true"
459463
name: thanos-operator-thanoscompact-viewer-role
460464
rules:
461465
- apiGroups:
@@ -483,6 +487,7 @@ objects:
483487
app.kubernetes.io/managed-by: rhobs
484488
app.kubernetes.io/name: clusterrole
485489
app.kubernetes.io/part-of: thanos-operator
490+
rbac.authorization.k8s.io/aggregate-to-edit: "true"
486491
name: thanos-operator-thanosquery-editor-role
487492
rules:
488493
- apiGroups:
@@ -514,6 +519,7 @@ objects:
514519
app.kubernetes.io/managed-by: rhobs
515520
app.kubernetes.io/name: clusterrole
516521
app.kubernetes.io/part-of: thanos-operator
522+
rbac.authorization.k8s.io/aggregate-to-view: "true"
517523
name: thanos-operator-thanosquery-viewer-role
518524
rules:
519525
- apiGroups:
@@ -541,6 +547,7 @@ objects:
541547
app.kubernetes.io/managed-by: rhobs
542548
app.kubernetes.io/name: clusterrole
543549
app.kubernetes.io/part-of: thanos-operator
550+
rbac.authorization.k8s.io/aggregate-to-edit: "true"
544551
name: thanos-operator-thanosreceive-editor-role
545552
rules:
546553
- apiGroups:
@@ -572,6 +579,7 @@ objects:
572579
app.kubernetes.io/managed-by: rhobs
573580
app.kubernetes.io/name: clusterrole
574581
app.kubernetes.io/part-of: thanos-operator
582+
rbac.authorization.k8s.io/aggregate-to-view: "true"
575583
name: thanos-operator-thanosreceive-viewer-role
576584
rules:
577585
- apiGroups:
@@ -599,6 +607,7 @@ objects:
599607
app.kubernetes.io/managed-by: rhobs
600608
app.kubernetes.io/name: clusterrole
601609
app.kubernetes.io/part-of: thanos-operator
610+
rbac.authorization.k8s.io/aggregate-to-edit: "true"
602611
name: thanos-operator-thanosruler-editor-role
603612
rules:
604613
- apiGroups:
@@ -630,6 +639,7 @@ objects:
630639
app.kubernetes.io/managed-by: rhobs
631640
app.kubernetes.io/name: clusterrole
632641
app.kubernetes.io/part-of: thanos-operator
642+
rbac.authorization.k8s.io/aggregate-to-view: "true"
633643
name: thanos-operator-thanosruler-viewer-role
634644
rules:
635645
- apiGroups:
@@ -657,6 +667,7 @@ objects:
657667
app.kubernetes.io/managed-by: rhobs
658668
app.kubernetes.io/name: clusterrole
659669
app.kubernetes.io/part-of: thanos-operator
670+
rbac.authorization.k8s.io/aggregate-to-edit: "true"
660671
name: thanos-operator-thanosstore-editor-role
661672
rules:
662673
- apiGroups:
@@ -688,6 +699,7 @@ objects:
688699
app.kubernetes.io/managed-by: rhobs
689700
app.kubernetes.io/name: clusterrole
690701
app.kubernetes.io/part-of: thanos-operator
702+
rbac.authorization.k8s.io/aggregate-to-view: "true"
691703
name: thanos-operator-thanosstore-viewer-role
692704
rules:
693705
- apiGroups:

0 commit comments

Comments
 (0)