dns-zone-controller: with env-manager generating dnssec key and zone records
diff --git a/core/ns-controller/config/rbac/auth_proxy_client_clusterrole.yaml b/core/ns-controller/config/rbac/auth_proxy_client_clusterrole.yaml
new file mode 100644
index 0000000..51a75db
--- /dev/null
+++ b/core/ns-controller/config/rbac/auth_proxy_client_clusterrole.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
diff --git a/core/ns-controller/config/rbac/auth_proxy_role.yaml b/core/ns-controller/config/rbac/auth_proxy_role.yaml
new file mode 100644
index 0000000..80e1857
--- /dev/null
+++ b/core/ns-controller/config/rbac/auth_proxy_role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/core/ns-controller/config/rbac/auth_proxy_role_binding.yaml b/core/ns-controller/config/rbac/auth_proxy_role_binding.yaml
new file mode 100644
index 0000000..ec7acc0
--- /dev/null
+++ b/core/ns-controller/config/rbac/auth_proxy_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: proxy-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/core/ns-controller/config/rbac/auth_proxy_service.yaml b/core/ns-controller/config/rbac/auth_proxy_service.yaml
new file mode 100644
index 0000000..71f1797
--- /dev/null
+++ b/core/ns-controller/config/rbac/auth_proxy_service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: controller-manager-metrics-service
+ namespace: system
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
diff --git a/core/ns-controller/config/rbac/dnszone_editor_role.yaml b/core/ns-controller/config/rbac/dnszone_editor_role.yaml
new file mode 100644
index 0000000..be63ac1
--- /dev/null
+++ b/core/ns-controller/config/rbac/dnszone_editor_role.yaml
@@ -0,0 +1,24 @@
+# permissions for end users to edit dnszones.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: dnszone-editor-role
+rules:
+- apiGroups:
+ - dodo.cloud.dodo.cloud
+ resources:
+ - dnszones
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - dodo.cloud.dodo.cloud
+ resources:
+ - dnszones/status
+ verbs:
+ - get
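Review bot: The API group `dodo.cloud.dodo.cloud` on the apiGroups entries of this role (and again in dnszone_viewer_role.yaml and role.yaml) repeats the domain twice, which is the shape kubebuilder produces when both the project domain and the API group are set to `dodo.cloud`. If that was not intended, the fix has to land in the PROJECT file / kubebuilder markers rather than in these manifests, since the CRD's group must match these rules or the bindings silently grant nothing. If it is intended, a one-line comment above `rules:` such as `# API group is <domain>.<group>, both set to dodo.cloud` would stop the next reader from "fixing" it.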
diff --git a/core/ns-controller/config/rbac/dnszone_viewer_role.yaml b/core/ns-controller/config/rbac/dnszone_viewer_role.yaml
new file mode 100644
index 0000000..dfc5014
--- /dev/null
+++ b/core/ns-controller/config/rbac/dnszone_viewer_role.yaml
@@ -0,0 +1,20 @@
+# permissions for end users to view dnszones.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: dnszone-viewer-role
+rules:
+- apiGroups:
+ - dodo.cloud.dodo.cloud
+ resources:
+ - dnszones
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - dodo.cloud.dodo.cloud
+ resources:
+ - dnszones/status
+ verbs:
+ - get
diff --git a/core/ns-controller/config/rbac/kustomization.yaml b/core/ns-controller/config/rbac/kustomization.yaml
new file mode 100644
index 0000000..731832a
--- /dev/null
+++ b/core/ns-controller/config/rbac/kustomization.yaml
@@ -0,0 +1,18 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
diff --git a/core/ns-controller/config/rbac/leader_election_role.yaml b/core/ns-controller/config/rbac/leader_election_role.yaml
new file mode 100644
index 0000000..4190ec8
--- /dev/null
+++ b/core/ns-controller/config/rbac/leader_election_role.yaml
@@ -0,0 +1,37 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
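Review bot: The leader-election Role grants full create/update/patch/delete on `configmaps` in addition to `leases`, which is wider than a leases-only lock needs. If the manager is started with the controller-runtime default lock (leases on current releases) or with the resource lock explicitly set to `leases`, the first rule for `configmaps` can be dropped; keep it only if a configmaps-or-leases migration lock is configured, and say so in a comment above that rule. I cannot see the manager's leader-election options from this diff, so please confirm against main.go before trimming.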
diff --git a/core/ns-controller/config/rbac/leader_election_role_binding.yaml b/core/ns-controller/config/rbac/leader_election_role_binding.yaml
new file mode 100644
index 0000000..1d1321e
--- /dev/null
+++ b/core/ns-controller/config/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/core/ns-controller/config/rbac/role.yaml b/core/ns-controller/config/rbac/role.yaml
new file mode 100644
index 0000000..f5694fd
--- /dev/null
+++ b/core/ns-controller/config/rbac/role.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - dodo.cloud.dodo.cloud
+ resources:
+ - dnszones
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - dodo.cloud.dodo.cloud
+ resources:
+ - dnszones/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - dodo.cloud.dodo.cloud
+ resources:
+ - dnszones/status
+ verbs:
+ - get
+ - patch
+ - update
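Review bot: The `manager-role` ClusterRole grants create/delete/get/list/patch/update/watch on core `secrets` with no namespace restriction, and role_binding.yaml attaches it through a `ClusterRoleBinding`, so the controller-manager service account can read and rewrite every Secret in the cluster; for a controller whose stated job is generating DNSSEC keys for its own zones that is far more than it needs. The `creationTimestamp: null` line suggests this file is controller-gen output, so the narrowing belongs in the `+kubebuilder:rbac` marker for secrets (controller-gen's rbac marker accepts a `namespace=` option that emits a namespaced Role plus RoleBinding) rather than in this YAML. If the zone secrets genuinely live in arbitrary namespaces, at least drop `delete` and `list`/`watch` from the rule where the reconciler does not use them and document the remaining cluster-wide need in a comment above the rule, e.g. `# cluster-wide secrets access: DNSSEC key secrets are created in each DNSZone's namespace`.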
diff --git a/core/ns-controller/config/rbac/role_binding.yaml b/core/ns-controller/config/rbac/role_binding.yaml
new file mode 100644
index 0000000..2070ede
--- /dev/null
+++ b/core/ns-controller/config/rbac/role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/core/ns-controller/config/rbac/service_account.yaml b/core/ns-controller/config/rbac/service_account.yaml
new file mode 100644
index 0000000..7cd6025
--- /dev/null
+++ b/core/ns-controller/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: controller-manager
+ namespace: system