diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 799374c0..418da714 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -89,6 +89,7 @@ jobs:
 cp NOTICE "bundle/NOTICE"
 cp VERSION "bundle/VERSION"
 cp config/carvel/bundle.yaml "bundle/bundle.yaml"
+ cp config/carvel/bundle.yaml "bundle/openshift.yaml"
 cp -r samples "bundle/samples"
 
 echo "##[group]Build Service Bindings"
diff --git a/config/carvel/openshift.yaml b/config/carvel/openshift.yaml
new file mode 100644
index 00000000..02f55c51
--- /dev/null
+++ b/config/carvel/openshift.yaml
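Review bot: The added copy in the bundle step reads `config/carvel/bundle.yaml` but writes it to `bundle/openshift.yaml`, so the bundle ships a second copy of bundle.yaml under the new name and the `config/carvel/openshift.yaml` introduced by this commit never reaches the package. With package.yaml's ytt template paths now listing both `bundle.yaml` and `openshift.yaml`, every resource would presumably be rendered twice and the OpenShift Role, RoleBinding and SCC would never be created. The line should read `cp config/carvel/openshift.yaml "bundle/openshift.yaml"`. The same mismatch is what makes the package.yaml hunk that adds `- openshift.yaml` ineffective.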
@@ -0,0 +1,83 @@
+#@ load("@ytt:data", "data")
+
+#@ kubernetes_distribution = ""
+#@ if hasattr(data.values, 'kubernetes_distribution'):
+#@ kubernetes_distribution = data.values.kubernetes_distribution
+#@ end
+#@ if hasattr(data.values, 'shared') and hasattr(data.values.shared, 'kubernetes_distribution'):
+#@ kubernetes_distribution = data.values.shared.kubernetes_distribution
+#@ end
+
+#@ if kubernetes_distribution == "openshift":
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: service-binding-nonroot-scc
+ namespace: service-bindings
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - service-binding-scc
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: service-binding-nonroot-scc
+ namespace: service-bindings
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: service-binding-nonroot-scc
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:serviceaccounts:service-bindings
+---
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+ type: MustRunAs
+groups: []
+kind: SecurityContextConstraints
+metadata:
+ name: service-binding-scc
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+ type: MustRunAsNonRoot
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+seccompProfiles:
+- runtime/default
+users: []
+volumes:
+- configMap
+- csi
+- downwardAPI
+- emptyDir
+- ephemeral
+- persistentVolumeClaim
+- projected
+- secret
+#@ end
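Review bot: The SecurityContextConstraints `service-binding-scc` sets `allowPrivilegeEscalation: true` although it is exposed through a Role named `service-binding-nonroot-scc` and otherwise enforces `MustRunAsNonRoot`, `requiredDropCapabilities: [ALL]` and `runtime/default` seccomp; unless the controller image relies on setuid binaries, `allowPrivilegeEscalation: false` is the consistent choice and matches OpenShift's `restricted-v2`/`nonroot-v2` profiles. The RoleBinding's subject is the group `system:serviceaccounts:service-bindings`, i.e. every service account in the namespace, where a `kind: ServiceAccount` subject naming only the controller's account would keep the grant to the workload that needs it. The Role's `get`, `list` and `watch` verbs on the SCC appear unnecessary, since SCC admission checks only `use`. A comment above the `#@ if kubernetes_distribution == "openshift":` guard, such as `#! Rendered only when kubernetes_distribution (top-level or under shared) is "openshift"; shared wins if both are set`, would document the two data-value lookups.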
diff --git a/config/carvel/package-install.values.yaml b/config/carvel/package-install.values.yaml
index 78311270..d0602c99 100644
--- a/config/carvel/package-install.values.yaml
+++ b/config/carvel/package-install.values.yaml
@@ -13,3 +13,5 @@ service_account_name: service-binding-kc
 cluster_role_name: service-binding-kc
 cluster_role_binding_name: service-binding-kc
 sync_period: 10m
+shared:
+ kubernetes_distribution: null
diff --git a/config/carvel/package-install.yaml b/config/carvel/package-install.yaml
index dec9ea2d..4a8bda09 100644
--- a/config/carvel/package-install.yaml
+++ b/config/carvel/package-install.yaml
@@ -2,6 +2,25 @@
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
+#@ load("@ytt:base64", "base64")
+#@ load("@ytt:yaml", "yaml")
+
+#@ def collect_values():
+#@ values = {}
+#@ if hasattr(data.values, "shared"):
+#@ values["shared"] = data.values.shared
+#@ end
+#@ return values
+#@ end
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: service-bindings-values
+ namespace: #@ data.values.namespace
+stringData:
+ values.yaml: #@ yaml.encode(collect_values())
 
 ---
 apiVersion: packaging.carvel.dev/v1alpha1
@@ -22,6 +41,10 @@ spec:
 #@ if data.values.package_prerelease != None:
 prereleases: #@ data.values.package_prerelease
 #@ end
+ values:
+ - secretRef:
+ name: service-bindings-values
+
 
 ---
 apiVersion: kapp.k14s.io/v1alpha1
diff --git a/config/carvel/package.yaml b/config/carvel/package.yaml
index 456009f5..887ea241 100644
--- a/config/carvel/package.yaml
+++ b/config/carvel/package.yaml
@@ -25,5 +25,6 @@ spec:
 paths:
 - "-"
 - bundle.yaml
+ - openshift.yaml
 deploy:
 - kapp: {}
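Review bot: `#@ load("@ytt:base64", "base64")` is added to package-install.yaml but nothing in the hunk uses it; dropping the line avoids suggesting the Secret payload is base64-handled by the template, when it is in fact written in plain text through `stringData`. The Secret name `service-bindings-values` is hard-coded in both the Secret and the PackageInstall `secretRef`, while the neighbouring names (`service_account_name`, `cluster_role_name`) are data values; a `values_secret_name` data value, or at least a comment stating the two literals must match, would keep them from drifting apart. `collect_values()` would benefit from a one-line comment such as `#! Forward only the "shared" data values to the package; the rest configure the PackageInstall itself`. The PackageInstall definition continues outside this hunk.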