Merge pull request #79 from cybozu-go/add-syncwindow-roles

zoetrope · web-flow · commit 6dbf1157e3df · 2025-07-23T15:51:02.000+09:00
Add RBAC aggregation labels for sync window roles
diff --git a/Makefile b/Makefile
@@ -44,7 +44,7 @@ help: ## Display this help.
 .PHONY: manifests
 manifests: ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	controller-gen $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
-	kustomize build config/helm/crds | yq e "." - > charts/cattage/crds/tenant.yaml
+	kustomize build config/helm/crds | yq e "." - > charts/cattage/crds/crds.yaml
 	kustomize build config/helm/templates | yq e "." - > charts/cattage/templates/generated.yaml
 
 
diff --git a/charts/cattage/Chart.yaml b/charts/cattage/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0-chart-patch-version-placeholder
+version: 0.7.0-chart-patch-version-placeholder
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/cattage/crds/crds.yaml b/charts/cattage/crds/crds.yaml
diff --git a/charts/cattage/templates/generated.yaml b/charts/cattage/templates/generated.yaml
@@ -156,6 +156,8 @@ metadata:
     app.kubernetes.io/name: '{{ include "cattage.name" . }}'
     app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
     helm.sh/chart: '{{ include "cattage.chart" . }}'
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: '{{ template "cattage.fullname" . }}-syncwindow-editor-role'
 rules:
   - apiGroups:
@@ -185,6 +187,7 @@ metadata:
     app.kubernetes.io/name: '{{ include "cattage.name" . }}'
     app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
     helm.sh/chart: '{{ include "cattage.chart" . }}'
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
   name: '{{ template "cattage.fullname" . }}-syncwindow-viewer-role'
 rules:
   - apiGroups:
diff --git a/config/rbac/syncwindow_editor_role.yaml b/config/rbac/syncwindow_editor_role.yaml
@@ -4,7 +4,8 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: cattage
-    app.kubernetes.io/managed-by: kustomize
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: syncwindow-editor-role
 rules:
 - apiGroups:
diff --git a/config/rbac/syncwindow_viewer_role.yaml b/config/rbac/syncwindow_viewer_role.yaml
@@ -4,7 +4,7 @@ kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: cattage
-    app.kubernetes.io/managed-by: kustomize
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
   name: syncwindow-viewer-role
 rules:
 - apiGroups:
diff --git a/config/rbac/tenant_editor_role.yaml b/config/rbac/tenant_editor_role.yaml
@@ -4,6 +4,7 @@ kind: ClusterRole
 metadata:
   name: tenant-editor-role
   labels:
+    app.kubernetes.io/name: cattage
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rules:
diff --git a/config/rbac/tenant_viewer_role.yaml b/config/rbac/tenant_viewer_role.yaml
@@ -4,6 +4,7 @@ kind: ClusterRole
 metadata:
   name: tenant-viewer-role
   labels:
+    app.kubernetes.io/name: cattage
     rbac.authorization.k8s.io/aggregate-to-view: "true"
 rules:
 - apiGroups:
