fix csi rbac in kustomize

Moving the csi RBAC to a new folder
which can be build and applied differently
and we dont need to have same namePrefix
and namespacePrefix for these files as this
is not required to be deployed in the same
namespace as the operator.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>

Makefile

@@ -4,6 +4,10 @@ REGISTRY_NAMESPACE ?= cephcsi
 IMAGE_TAG ?= latest
 IMAGE_NAME ?= ceph-csi-operator
 
+# Use different name prefix and namespace prefix for csi rbac kustomize
+CSI_RBAC_NAME_PREFIX ?= ceph-csi-operator-
+CSI_RBAC_NAMESPACE ?= $(CSI_RBAC_NAME_PREFIX)system
+
 IMG ?= $(IMAGE_REGISTRY)/$(REGISTRY_NAMESPACE)/$(IMAGE_NAME):$(IMAGE_TAG)
 
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
@@ -126,6 +130,11 @@ build-installer: manifests generate kustomize ## Generate a consolidated YAML wi
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default > dist/install.yaml
 
+.PHONY: build-csi-rbac
+build-csi-rbac:
+	cd config/csi-rbac && $(KUSTOMIZE) edit set nameprefix $(CSI_RBAC_NAME_PREFIX)
+	cd config/csi-rbac && $(KUSTOMIZE) edit set namespace $(CSI_RBAC_NAMESPACE)
+	$(KUSTOMIZE) build config/csi-rbac > dist/csi-rbac.yaml
 ##@ Deployment
 
 ifndef ignore-not-found

config/rbac/csi_cephfs_ctrlplugin_cluster_role.yaml → config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml

@@ -1,7 +1,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-ctrlplugin-cr
+  name: cephfs-ctrlplugin-cr
 rules:
   - apiGroups: [""]
     resources: ["secrets"]

config/rbac/csi_rbd_nodeplugin_cluster_role_binding.yaml → config/csi-rbac/cephfs_ctrlplugin_cluster_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-nodeplugin-crb
+  name: cephfs-ctrlplugin-crb
 subjects:
   - kind: ServiceAccount
-    name: csi-rbd-nodeplugin-sa
+    name: cephfs-ctrlplugin-sa
     namespace: system
 roleRef:
   kind: ClusterRole
-  name: csi-rbd-nodeplugin-cr
+  name: cephfs-ctrlplugin-cr
   apiGroup: rbac.authorization.k8s.io

config/rbac/csi_cephfs_ctrlplugin_role.yaml → config/csi-rbac/cephfs_ctrlplugin_role.yaml

@@ -1,7 +1,7 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-ctrlplugin-r
+  name: cephfs-ctrlplugin-r
 rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]

config/rbac/csi_rbd_ctrlplugin_role_binding.yaml → config/csi-rbac/cephfs_ctrlplugin_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-ctrlplugin-rb
+  name: cephfs-ctrlplugin-rb
 subjects:
   - kind: ServiceAccount
-    name: csi-rbd-ctrlplugin-sa
+    name: cephfs-ctrlplugin-sa
     namespace: system
 roleRef:
   kind: Role
-  name: csi-rbd-ctrlplugin-r
+  name: cephfs-ctrlplugin-r
   apiGroup: rbac.authorization.k8s.io

config/rbac/csi_rbd_ctrlplugin_service_account.yaml → config/csi-rbac/cephfs_ctrlplugin_service_account.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-rbd-ctrlplugin-sa
+  name: cephfs-ctrlplugin-sa
   namespace: system

config/rbac/csi_cephfs_nodeplugin_cluster_role.yaml → config/csi-rbac/cephfs_nodeplugin_cluster_role.yaml

@@ -2,7 +2,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-nodeplugin-cr
+  name: cephfs-nodeplugin-cr
 rules:
 - apiGroups: [""]
   resources: ["nodes"]

config/rbac/csi_rbd_ctrlplugin_cluster_role_binding.yaml → config/csi-rbac/cephfs_nodeplugin_cluster_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-ctrlplugin-crb
+  name: cephfs-nodeplugin-crb
 subjects:
   - kind: ServiceAccount
-    name: csi-rbd-ctrlplugin-sa
+    name: cephfs-nodeplugin-sa
     namespace: system
 roleRef:
   kind: ClusterRole
-  name: csi-rbd-ctrlplugin-cr
+  name: cephfs-nodeplugin-cr
   apiGroup: rbac.authorization.k8s.io

config/rbac/csi_rbd_nodeplugin_service_account.yaml → config/csi-rbac/cephfs_nodeplugin_service_account.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-rbd-nodeplugin-sa
+  name: cephfs-nodeplugin-sa
   namespace: system

config/csi-rbac/kustomization.yaml

@@ -0,0 +1,21 @@
+resources:
+# CSI operands have their own set of RBAC that need to be installed
+# on the cluster.
+- cephfs_ctrlplugin_service_account.yaml
+- cephfs_ctrlplugin_cluster_role.yaml
+- cephfs_ctrlplugin_cluster_role_binding.yaml
+- cephfs_ctrlplugin_role.yaml
+- cephfs_ctrlplugin_role_binding.yaml
+- cephfs_nodeplugin_service_account.yaml
+- cephfs_nodeplugin_cluster_role.yaml
+- cephfs_nodeplugin_cluster_role_binding.yaml
+- rbd_ctrlplugin_service_account.yaml
+- rbd_ctrlplugin_cluster_role.yaml
+- rbd_ctrlplugin_cluster_role_binding.yaml
+- rbd_ctrlplugin_role.yaml
+- rbd_ctrlplugin_role_binding.yaml
+- rbd_nodeplugin_service_account.yaml
+- rbd_nodeplugin_cluster_role.yaml
+- rbd_nodeplugin_cluster_role_binding.yaml
+- rbd_nodeplugin_role.yaml
+- rbd_nodeplugin_role_binding.yaml

config/rbac/csi_nfs_ctrlplugin_cluster_role.yaml → config/csi-rbac/nfs_ctrlplugin_cluster_role.yaml

@@ -2,7 +2,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-nfs-ctrlplugin-cr 
+  name: nfs-ctrlplugin-cr
 rules:
   - apiGroups: [""]
     resources: ["persistentvolumes"]

config/rbac/csi_cephfs_nodeplugin_cluster_role_binding.yaml → config/csi-rbac/nfs_ctrlplugin_cluster_role_binding.yaml

@@ -1,12 +1,13 @@
+
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-nodeplugin-crb
+  name: nfs-ctrlplugin-crb
 subjects:
   - kind: ServiceAccount
-    name: csi-cephfs-nodeplugin-sa
+    name: nfs-ctrlplugin-sa
     namespace: system
 roleRef:
   kind: ClusterRole
-  name: csi-cephfs-nodeplugin-cr
+  name: nfs-ctrlplugin-cr
   apiGroup: rbac.authorization.k8s.io

config/rbac/csi_nfs_ctrlplugin_service_account.yaml → config/csi-rbac/nfs_ctrlplugin_service_account.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-nfs-ctrlplugin-sa
+  name: nfs-ctrlplugin-sa
   namespace: system

config/rbac/csi_nfs_nodeplugin_cluster_role.yaml → config/csi-rbac/nfs_nodeplugin_cluster_role.yaml

@@ -4,7 +4,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-nfs-nodeplugin-cr
+  name: nfs-nodeplugin-cr
 rules:
   - apiGroups: [""]
     resources: ["nodes"]

config/rbac/csi_nfs_nodeplugin_cluster_role_binding.yaml → config/csi-rbac/nfs_nodeplugin_cluster_role_binding.yaml

@@ -1,12 +1,11 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-nfs-nodeplugin-crb
+  name: nfs-nodeplugin-crb
 subjects:
   - kind: ServiceAccount
-    name: csi-nfs-nodeplugin-sa
+    name: nfs-nodeplugin-sa
     namespace: system
 roleRef:
   kind: ClusterRole
-  name: csi-nfs-nodeplugin-cr
-
+  name: nfs-nodeplugin-cr

config/rbac/csi_nfs_nodeplugin_service_account.yaml → config/csi-rbac/nfs_nodeplugin_service_account.yaml

@@ -2,5 +2,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-nfs-nodeplugin-sa
+  name: nfs-nodeplugin-sa
   namespace: system

config/rbac/csi_rbd_ctrlplugin_cluster_role.yaml → config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml

@@ -1,7 +1,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-ctrlplugin-cr
+  name: rbd-ctrlplugin-cr
 rules:
   - apiGroups: [""]
     resources: ["secrets"]

config/rbac/csi_cephfs_ctrlplugin_cluster_role_binding.yaml → config/csi-rbac/rbd_ctrlplugin_cluster_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-ctrlplugin-crb
+  name: rbd-ctrlplugin-crb
 subjects:
   - kind: ServiceAccount
-    name: csi-cephfs-ctrlplugin-sa
+    name: rbd-ctrlplugin-sa
     namespace: system
 roleRef:
   kind: ClusterRole
-  name: csi-cephfs-ctrlplugin-cr
+  name: rbd-ctrlplugin-cr
   apiGroup: rbac.authorization.k8s.io

config/rbac/csi_rbd_ctrlplugin_role.yaml → config/csi-rbac/rbd_ctrlplugin_role.yaml

@@ -1,7 +1,7 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-ctrlplugin-r
+  name: rbd-ctrlplugin-r
 rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]

config/rbac/csi_rbd_nodeplugin_role_binding.yaml → config/csi-rbac/rbd_ctrlplugin_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-nodeplugin-rb
+  name: rbd-ctrlplugin-rb
 subjects:
   - kind: ServiceAccount
-    name: csi-rbd-nodeplugin-sa
+    name: rbd-ctrlplugin-sa
     namespace: system
 roleRef:
   kind: Role
-  name: csi-rbd-nodeplugin-r
+  name: rbd-ctrlplugin-r
   apiGroup: rbac.authorization.k8s.io

config/csi-rbac/rbd_ctrlplugin_service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rbd-ctrlplugin-sa
+  namespace: system

config/rbac/csi_rbd_nodeplugin_cluster_role.yaml → config/csi-rbac/rbd_nodeplugin_cluster_role.yaml

@@ -1,7 +1,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-nodeplugin-cr
+  name: rbd-nodeplugin-cr
 rules:
   - apiGroups: [""]
     resources: ["secrets"]

config/csi-rbac/rbd_nodeplugin_cluster_role_binding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rbd-nodeplugin-crb
+subjects:
+  - kind: ServiceAccount
+    name: rbd-nodeplugin-sa
+    namespace: system
+roleRef:
+  kind: ClusterRole
+  name: rbd-nodeplugin-cr
+  apiGroup: rbac.authorization.k8s.io

config/rbac/csi_rbd_nodeplugin_role.yaml → config/csi-rbac/rbd_nodeplugin_role.yaml

@@ -1,7 +1,7 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-nodeplugin-r
+  name: rbd-nodeplugin-r
 rules:
   - apiGroups: ["csiaddons.openshift.io"]
     resources: ["csiaddonsnodes"]

config/rbac/csi_cephfs_ctrlplugin_role_binding.yaml → config/csi-rbac/rbd_nodeplugin_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-ctrlplugin-rb
+  name: rbd-nodeplugin-rb
 subjects:
   - kind: ServiceAccount
-    name: csi-cephfs-ctrlplugin-sa
+    name: rbd-nodeplugin-sa
     namespace: system
 roleRef:
   kind: Role
-  name: csi-cephfs-ctrlplugin-r
+  name: rbd-nodeplugin-r
   apiGroup: rbac.authorization.k8s.io

config/csi-rbac/rbd_nodeplugin_service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rbd-nodeplugin-sa
+  namespace: system

config/default/kustomization.yaml

@@ -17,6 +17,7 @@ namePrefix: ceph-csi-operator-
 resources:
 - ../crd
 - ../rbac
+- ../csi-rbac
 - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml

config/rbac/kustomization.yaml

@@ -30,23 +30,3 @@ resources:
 - operatorconfig_viewer_role.yaml
 - driver_editor_role.yaml
 - driver_viewer_role.yaml
-# CSI operands have their own set of RBAC that need to be installed
-# on the cluster.
-- csi_cephfs_ctrlplugin_service_account.yaml
-- csi_cephfs_ctrlplugin_cluster_role.yaml
-- csi_cephfs_ctrlplugin_cluster_role_binding.yaml
-- csi_cephfs_ctrlplugin_role.yaml
-- csi_cephfs_ctrlplugin_role_binding.yaml
-- csi_cephfs_nodeplugin_service_account.yaml
-- csi_cephfs_nodeplugin_cluster_role.yaml
-- csi_cephfs_nodeplugin_cluster_role_binding.yaml
-- csi_rbd_ctrlplugin_service_account.yaml
-- csi_rbd_ctrlplugin_cluster_role.yaml
-- csi_rbd_ctrlplugin_cluster_role_binding.yaml
-- csi_rbd_ctrlplugin_role.yaml
-- csi_rbd_ctrlplugin_role_binding.yaml
-- csi_rbd_nodeplugin_service_account.yaml
-- csi_rbd_nodeplugin_cluster_role.yaml
-- csi_rbd_nodeplugin_cluster_role_binding.yaml
-- csi_rbd_nodeplugin_role.yaml
-- csi_rbd_nodeplugin_role_binding.yaml