153 lines
3.1 KiB
YAML
153 lines
3.1 KiB
YAML
# Copyright (c) 2020 TriggerMesh Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
{{- if .Values.rbac.create }}
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "aws-event-sources.fullname" . }}-controller
|
|
labels:
|
|
{{- include "aws-event-sources.labels" . | nindent 4 }}
|
|
rules:
|
|
# Record Kubernetes events
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- events
|
|
verbs:
|
|
- create
|
|
- patch
|
|
- update
|
|
|
|
# Manage receive-adapters
|
|
- apiGroups:
|
|
- apps
|
|
resources:
|
|
- deployments
|
|
verbs: &all
|
|
- get
|
|
- list
|
|
- watch
|
|
- create
|
|
- update
|
|
- delete
|
|
- patch
|
|
- apiGroups:
|
|
- serving.knative.dev
|
|
resources:
|
|
- services
|
|
verbs: *all
|
|
|
|
# Read Source resources and update their statuses
|
|
- apiGroups:
|
|
- sources.triggermesh.io
|
|
resources:
|
|
- awscodecommitsources
|
|
- awscognitoidentitysources
|
|
- awscognitouserpoolsources
|
|
- awsdynamodbsources
|
|
- awsiotsources
|
|
- awskinesissources
|
|
- awssnssources
|
|
- awssqssources
|
|
verbs:
|
|
- list
|
|
- watch
|
|
- get
|
|
- patch
|
|
- apiGroups:
|
|
- sources.triggermesh.io
|
|
resources:
|
|
- awscodecommitsources/status
|
|
- awscognitoidentitysources/status
|
|
- awscognitouserpoolsources/status
|
|
- awsdynamodbsources/status
|
|
- awsiotsources/status
|
|
- awskinesissources/status
|
|
- awssnssources/status
|
|
- awssqssources/status
|
|
verbs:
|
|
- update
|
|
|
|
# Read controller configurations
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- configmaps
|
|
verbs: &listwatch
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- configmaps
|
|
resourceNames:
|
|
- config-logging
|
|
- config-observability
|
|
- config-leader-election
|
|
verbs:
|
|
- get
|
|
|
|
# Resolve sink URIs
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- services
|
|
verbs: *listwatch
|
|
- apiGroups:
|
|
- serving.knative.dev
|
|
resources:
|
|
- services
|
|
verbs: *listwatch
|
|
- apiGroups:
|
|
- eventing.knative.dev
|
|
resources:
|
|
- brokers
|
|
verbs: *listwatch
|
|
- apiGroups:
|
|
- messaging.knative.dev
|
|
resources:
|
|
- channels
|
|
verbs: *listwatch
|
|
|
|
---
|
|
|
|
# The role is needed for the aggregated role source-observer in knative-eventing to provide readonly access to "Sources".
|
|
# see https://github.com/knative/eventing/blob/release-0.14/docs/spec/sources.md#source-rbac
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "aws-event-sources.fullname" . }}-observer
|
|
labels:
|
|
duck.knative.dev/source: 'true'
|
|
{{- include "aws-event-sources.labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups:
|
|
- sources.triggermesh.io
|
|
resources:
|
|
- awscodecommitsources
|
|
- awscognitoidentitysources
|
|
- awscognitouserpoolsources
|
|
- awsdynamodbsources
|
|
- awsiotsources
|
|
- awskinesissources
|
|
- awssnssources
|
|
- awssqssources
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
{{- end }}
|