From f24b6aca5245114385695022b707fea1b9743ab9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp"
Date: Sat, 16 Sep 2023 11:48:20 +0200
Subject: [PATCH] Define RBAC for running in cluster.
---
 deploy/kustomization.yaml | 5 ++++-
 deploy/vmrunner-role-binding.yaml | 13 ++++++++++++
 deploy/vmrunner-role.yaml | 20 +++++++++++++++++++
 deploy/vmrunner-service-account.yaml | 6 ++++++
 .../vmoperator/manager/runnerSts.ftl.yaml | 1 +
 5 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 deploy/vmrunner-role-binding.yaml
 create mode 100644 deploy/vmrunner-role.yaml
 create mode 100644 deploy/vmrunner-service-account.yaml
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index 7193e0b..a988f88 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
@@ -7,4 +7,7 @@ resources:
 - vmop-role-binding.yaml
 - vmop-image-repository-pvc.yaml
 - vmop-config-map.yaml
-- vmop-deployment.yaml
\ No newline at end of file
+- vmop-deployment.yaml
+- vmrunner-role.yaml
+- vmrunner-service-account.yaml
+- vmrunner-role-binding.yaml
diff --git a/deploy/vmrunner-role-binding.yaml b/deploy/vmrunner-role-binding.yaml
new file mode 100644
index 0000000..6e3f75b
--- /dev/null
+++ b/deploy/vmrunner-role-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vm-runner
+ labels:
+ app.kubernetes.io/name: vm-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vm-runner
+subjects:
+- kind: ServiceAccount
+ name: vm-runner
diff --git a/deploy/vmrunner-role.yaml b/deploy/vmrunner-role.yaml
new file mode 100644
index 0000000..54e8742
--- /dev/null
+++ b/deploy/vmrunner-role.yaml
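Review bot: The `kind: ServiceAccount` subject in the new RoleBinding carries no `namespace`, and neither the binding nor the `vm-runner` Role it references sets `metadata.namespace`; for a ServiceAccount subject the namespace is part of what the RBAC authorizer matches, so unless a `namespace:` in deploy/kustomization.yaml (not visible in this hunk) is relied on to fill it in, the binding may be rejected by the API server or silently match nothing. Stating it explicitly removes the dependency on how the overlay is applied: `- kind: ServiceAccount`, `name: vm-runner`, `namespace: <namespace the operator is deployed into>`. If the kustomization does set the namespace, a one-line comment on the subject saying so, e.g. `# namespace is injected by the kustomization`, would stop the next reader from asking the same question.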
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vm-runner
+ labels:
+ app.kubernetes.io/name: vm-operator
+rules:
+- apiGroups:
+ - vmoperator.jdrupes.org
+ resources:
+ - vms
+ verbs:
+ - list
+ - get
+- apiGroups:
+ - vmoperator.jdrupes.org
+ resources:
+ - vms/status
+ verbs:
+ - patch
diff --git a/deploy/vmrunner-service-account.yaml b/deploy/vmrunner-service-account.yaml
new file mode 100644
index 0000000..c876dad
--- /dev/null
+++ b/deploy/vmrunner-service-account.yaml
@@ -0,0 +1,6 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: vm-runner
+ labels:
+ app.kubernetes.io/name: vm-operator
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerSts.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerSts.ftl.yaml
index 60834b9..ac1178a 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerSts.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerSts.ftl.yaml
@@ -140,6 +140,7 @@ spec:
 <#if cr.spec.affinity??>
 affinity: ${ cr.spec.affinity.toString() }
+ serviceAccountName: vm-runner
 volumeClaimTemplates:
 - metadata:
 namespace: ${ cr.metadata.namespace.asString }
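Review bot: The Role grants `get`/`list` on every `vms` object and `patch` on every `vms/status` in the namespace, and the runnerSts.ftl.yaml change in this same commit gives every runner StatefulSet the one shared `vm-runner` service account, so a compromised runner pod can read any VM's spec and rewrite any other VM's status, not just its own. Since the manager already renders the StatefulSet per CR, it could render a per-VM Role and RoleBinding with `resourceNames: [<vm name>]` on the `vms/status` patch rule (and on `get`); `resourceNames` does not constrain `list`, so the runner would then have to `get` its own object by name rather than listing. If the shared, namespace-wide grant is intentional for now, please record the trust assumption on the Role, e.g. `# Shared by all runner pods in the namespace: any runner may read every VM and patch every VM's status.`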
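Review bot: The added `serviceAccountName: vm-runner` is a fixed name, while the surrounding template renders the runner into the CR's own namespace (`namespace: ${ cr.metadata.namespace.asString }` on the volumeClaimTemplates metadata); the `vm-runner` ServiceAccount, Role and RoleBinding introduced in this commit are static, namespaced kustomize resources, so as far as I can tell a VM created in any namespace other than the one the operator is deployed into will produce a StatefulSet whose pods are rejected because the service account does not exist there. Either the manager should create the ServiceAccount/Role/RoleBinding in `cr.metadata.namespace` alongside the StatefulSet, or the restriction that VMs must live in the operator's namespace should be documented and enforced when the CR is admitted. The `</#if>` closing the affinity block is not visible in this rendering, so I cannot confirm the new line lands inside the pod template's `spec` rather than the StatefulSet `spec`; `serviceAccountName` is a PodSpec field and must sit under `template.spec`. The enclosing template section starts and continues outside the hunk.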