refactor: implement control plane as controller-runtime manager

2025-01-20 17:06:41 +01:00 · 2025-01-20 17:06:41 +01:00 · 3104f50c58
commit 3104f50c58
parent a5c170a478
67 changed files with 3693 additions and 261 deletions
--- a/config/rbac/control-plane-role.yaml
+++ b/config/rbac/control-plane-role.yaml
@ -4,6 +4,23 @@ kind: ClusterRole
 metadata:
  name: control-plane-role
 rules:
+  - apiGroups:
+      - supabase.k8s.icb4dc0.de
+    resources:
+      - apigateways
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - supabase.k8s.icb4dc0.de
+    resources:
+      - apigateways/status
+    verbs:
+      - get
+      - patch
+      - update
+
  - apiGroups:
      - discovery.k8s.io
    resources:
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@ -36,3 +36,10 @@ resources:
  # if you do not want those helpers be installed with your Project.
  - dashboard_editor_role.yaml
  - dashboard_viewer_role.yaml
+  # For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by
+  # default, aiding admins in cluster management. Those roles are
+  # not used by the {{ .ProjectName }} itself. You can comment the following lines
+  # if you do not want those helpers be installed with your Project.
+  - storage_admin_role.yaml
+  - storage_editor_role.yaml
+  - storage_viewer_role.yaml
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
@ -13,3 +13,6 @@ subjects:
  - kind: ServiceAccount
    name: controller-manager
    namespace: supabase-system
+  - kind: ServiceAccount
+    name: control-plane
+    namespace: supabase-system
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@ -42,6 +42,7 @@ rules:
  - apigateways
  - cores
  - dashboards
+  - storages
  verbs:
  - create
  - delete
@ -56,6 +57,7 @@ rules:
  - apigateways/finalizers
  - cores/finalizers
  - dashboards/finalizers
+  - storages/finalizers
  verbs:
  - update
 - apiGroups:
@ -64,6 +66,7 @@ rules:
  - apigateways/status
  - cores/status
  - dashboards/status
+  - storages/status
  verbs:
  - get
  - patch
--- a/config/rbac/storage_admin_role.yaml
+++ b/config/rbac/storage_admin_role.yaml
@ -0,0 +1,27 @@
+# This rule is not used by the project supabase-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over supabase.k8s.icb4dc0.de.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: supabase-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: storage-admin-role
+rules:
+- apiGroups:
+  - supabase.k8s.icb4dc0.de
+  resources:
+  - storages
+  verbs:
+  - '*'
+- apiGroups:
+  - supabase.k8s.icb4dc0.de
+  resources:
+  - storages/status
+  verbs:
+  - get
--- a/config/rbac/storage_editor_role.yaml
+++ b/config/rbac/storage_editor_role.yaml
@ -0,0 +1,33 @@
+# This rule is not used by the project supabase-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the supabase.k8s.icb4dc0.de.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: supabase-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: storage-editor-role
+rules:
+- apiGroups:
+  - supabase.k8s.icb4dc0.de
+  resources:
+  - storages
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - supabase.k8s.icb4dc0.de
+  resources:
+  - storages/status
+  verbs:
+  - get
--- a/config/rbac/storage_viewer_role.yaml
+++ b/config/rbac/storage_viewer_role.yaml
@ -0,0 +1,29 @@
+# This rule is not used by the project supabase-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to supabase.k8s.icb4dc0.de resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: supabase-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: storage-viewer-role
+rules:
+- apiGroups:
+  - supabase.k8s.icb4dc0.de
+  resources:
+  - storages
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - supabase.k8s.icb4dc0.de
+  resources:
+  - storages/status
+  verbs:
+  - get