diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e6bad59c3314df6e9a722f51f9892fabf6e73f07..4c6abcb482c6ad540afa7fe20469ecfe2d6db979 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,44 +1,6 @@ include: - project: 'paas-tools/infrastructure-ci' file: 'docker-images-ci-templates/DockerImages.gitlab-ci.yml' - - project: 'paas-tools/infrastructure-ci' - file: '/operator-ci-templates/operatorci.gitlab-ci.yml' variables: - DOCKERFILE_PATH: build/Dockerfile - OPERATOR_NAME: landb-operator - WATCH_NAMESPACE: default - -stages: - - build - - provision-cluster - - test - - deprovision-cluster - -Provision OKD4 cluster: - rules: - - when: manual - -Test: - stage: test - image: gitlab-registry.cern.ch/paas-tools/operators/operator-sdk-client:v0.19.3 - before_script: - # Packages specific to this operator needed for it to run - - pip-3.6 install --no-cache-dir -r requirements.txt - # Exporting variables necessary for the operator to run - - export KUBECONFIG=kubeconfig - - export LANDB_RESPONSIBLE=okd-landb-resources-manager - # Scaling down in cluster landb operator so it doens't interfere, - # TODO: to be seen if this is the best approach since instead of running it - # with sdk we could try to use the one already in the cluster - - oc scale deploy/argocd-application-controller -n openshift-cern-argocd --replicas=0 - - oc scale deploy/landb-operator -n openshift-cern-landb --replicas=0 - script: - - if [ -n "${CI_INTERACTIVE_DEBUG}" ]; then sleep "${CI_INTERACTIVE_DEBUG}"; fi - # TODO remove just checking is env var is correctly set here - - echo ${CLUSTER_NAME} - - operator-sdk run --local --kubeconfig $KUBECONFIG --watch-namespace ${WATCH_NAMESPACE} > out.txt 2>&1 & - - TERM=xterm bats -tpr tests/ - after_script: - # Scaling ArgoCD back up to allow for cleanup of LanDB resources when deprovisioning cluster - - oc scale deploy/argocd-application-controller -n openshift-cern-argocd --replicas=1 + DOCKERFILE_PATH: build/Dockerfile \ No newline at end of file 
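Review bot: The one `include` that remains (`project: 'paas-tools/infrastructure-ci'`, `file: 'docker-images-ci-templates/DockerImages.gitlab-ci.yml'`) carries no `ref:`, so every pipeline runs whatever is currently on that project's default branch and this repository's image build inherits any change pushed there. Pinning it with a `ref:` entry set to a reviewed tag or commit SHA (for example `ref: '<TEMPLATE_TAG_OR_SHA>'`, a placeholder) would make template updates an explicit, reviewable change. Separately, the re-added `DOCKERFILE_PATH: build/Dockerfile` line loses the newline at end of file; restoring it keeps later diffs clean.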
diff --git a/chart/templates/deletegateddomainalias_view_role.yaml b/chart/templates/deletegateddomainalias_view_role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..10f6e95a96e7b0dcd2a0a1195796dbc8f51db17a
--- /dev/null
+++ b/chart/templates/deletegateddomainalias_view_role.yaml
@@ -0,0 +1,29 @@
+# On the PaaS cluster use case we have to allow users to
+# read what DelegatedDomainAlias their projects have, to support the
+# custom domains use case.
+# We will use these aggregated-clusterroles
+# to allow admins of a namespace to read these resources
+# This might change in the future, for more info refer to https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/86
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: delegateddomainalias-view-role
+ # Labels that grant the privileges listed in rules to the default roles on the labels
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+ - landb.operator.cern.ch
+ resources:
+ - delegateddomainalias
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - landb.operator.cern.ch
+ resources:
+ - delegateddomainalias/status
+ verbs:
+ - get
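Review bot: Both `resources` entries use the singular `delegateddomainalias`, but RBAC rules match the plural resource name the CRD registers, so unless the CRD's `spec.names.plural` really is `delegateddomainalias` (the CRD is not shown here) these rules match nothing and the aggregation silently grants no access; with the usual plural they would read `- delegateddomainaliases` and `- delegateddomainaliases/status`. The header comment says namespace admins get read access, yet the labels also aggregate into `edit`, so either drop `rbac.authorization.k8s.io/aggregate-to-edit: "true"` or reword the comment to say editors are included. The file name `deletegateddomainalias_view_role.yaml` also misspells "delegated", which will make the template harder to find later.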