Add the RBAC bits for the new copy-offload daemon

Signed-off-by: Dean Roehrich <[email protected]>
NearNodeFlash · Dec 5, 2024 · 4ec2e23 · 4ec2e23
1 parent 86bb0a1
commit 4ec2e23
Show file tree

Hide file tree

Showing 8 changed files with 115 additions and 2 deletions.
diff --git a/config/copy-offload/copy_offload_role.yaml b/config/copy-offload/copy_offload_role.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: copy-offload-role
+rules:
+- apiGroups:
+  - lus.cray.hpe.com
+  resources:
+  - lustrefilesystems
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - dataworkflowservices.github.io
+  resources:
+  - workflows
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - dataworkflowservices.github.io
+  resources:
+  - clientmounts
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - nnf.cray.hpe.com
+  resources:
+  - nnfdatamovementprofiles
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - nnf.cray.hpe.com
+  resources:
+  - nnfnodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - nnf.cray.hpe.com
+  resources:
+  - nnfnodestorages
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - nnf.cray.hpe.com
+  resources:
+  - nnfstorages
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/config/copy-offload/copy_offload_role_binding.yaml b/config/copy-offload/copy_offload_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: copy-offload-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: copy-offload-role
+subjects:
+- kind: ServiceAccount
+  name: copy-offload
+  namespace: default
diff --git a/config/copy-offload/copy_offload_service_account.yaml b/config/copy-offload/copy_offload_service_account.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: copy-offload
+  namespace: default
+---
+# As of Kubernetes 1.24, ServiceAccount tokens are no longer automatically
+# generated. Instead, manually create the secret and the token key in the
+# data field will be automatically set.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: copy-offload
+  namespace: default
+  annotations:
+    kubernetes.io/service-account.name: copy-offload
+    kubernetes.io/service-account.namespace: default
+type: kubernetes.io/service-account-token
diff --git a/config/copy-offload/kustomization.yaml b/config/copy-offload/kustomization.yaml
@@ -0,0 +1,14 @@
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: nnf-dm-
+
+resources:
+- copy_offload_service_account.yaml
+- copy_offload_role.yaml
+- copy_offload_role_binding.yaml
+
+configurations:
+  - kustomizeconfig.yaml
diff --git a/config/copy-offload/kustomizeconfig.yaml b/config/copy-offload/kustomizeconfig.yaml
@@ -0,0 +1,4 @@
+namePrefix:
+- path: metadata/annotations/kubernetes.io\/service-account.name
+namespace:
+- path: metadata/annotations/kubernetes.io\/service-account.namespace
diff --git a/config/dp0/kustomization.yaml b/config/dp0/kustomization.yaml
@@ -1,5 +1,5 @@
 resources:
-- ../default
+- ../top
 
 patches:
 # Arguments for the controller manager that are specific to dp0

diff --git a/config/kind/kustomization.yaml b/config/kind/kustomization.yaml
@@ -1,5 +1,5 @@
 resources:
-- ../default
+- ../top
 
 patches:
 # Arguments for the controller manager that are specific to kind

diff --git a/config/top/kustomization.yaml b/config/top/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+- ../default
+- ../copy-offload