From b9a8100dbb95381d762b214538cecfc5554c2591 Mon Sep 17 00:00:00 2001
From: stefanprodan <stefan.prodan@gmail.com>
Date: Sun, 3 May 2020 11:33:28 +0300
Subject: [PATCH] manifests: add cluster reconciler RBAC and SA

---
 .../kustomize-controller}/cluster_role.yaml       | 15 +++++----------
 .../bases/kustomize-controller/kustomization.yaml |  7 +++++--
 manifests/bases/kustomize-controller/patch.yaml   |  8 ++++++++
 manifests/rbac/kustomization.yaml                 |  1 -
 4 files changed, 18 insertions(+), 13 deletions(-)
 rename manifests/{rbac => bases/kustomize-controller}/cluster_role.yaml (55%)
 create mode 100644 manifests/bases/kustomize-controller/patch.yaml

diff --git a/manifests/rbac/cluster_role.yaml b/manifests/bases/kustomize-controller/cluster_role.yaml
similarity index 55%
rename from manifests/rbac/cluster_role.yaml
rename to manifests/bases/kustomize-controller/cluster_role.yaml
index 9ce30d91..256b1ed5 100644
--- a/manifests/rbac/cluster_role.yaml
+++ b/manifests/bases/kustomize-controller/cluster_role.yaml
@@ -1,13 +1,8 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+apiVersion: v1
+kind: ServiceAccount
 metadata:
   name: cluster-reconciler
-rules:
-  - apiGroups: ['*']
-    resources: ['*']
-    verbs: ['*']
-  - nonResourceURLs: ['*']
-    verbs: ['*']
+  namespace: system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -16,8 +11,8 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-reconciler
+  name: cluster-admin
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: cluster-reconciler
     namespace: system
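Review bot: The binding at `roleRef.name: cluster-admin` gives the `cluster-reconciler` service account unrestricted cluster-wide access, and nothing in the file records that this is deliberate. The wildcard ClusterRole removed in the previous hunk granted much the same, so this is not a new escalation. It does mean that whatever the controller applies from a source repository, and anyone who obtains the pod's token, acts as cluster admin; patch.yaml in this commit is what attaches the account to the Deployment. I would add a comment above the binding, e.g. `# Bound to cluster-admin so the reconciler can apply any resource kind; swap for a scoped ClusterRole where tenants are not trusted.`, and consider shipping the binding from an overlay rather than the base so restricted installs can omit it. The binding's `metadata` sits between the two hunks and is not visible here.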
diff --git a/manifests/bases/kustomize-controller/kustomization.yaml b/manifests/bases/kustomize-controller/kustomization.yaml
index 2640d449..e05233b8 100644
--- a/manifests/bases/kustomize-controller/kustomization.yaml
+++ b/manifests/bases/kustomize-controller/kustomization.yaml
@@ -1,5 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- github.com/fluxcd/kustomize-controller/config//crd?ref=v0.0.1-alpha.5
-- github.com/fluxcd/kustomize-controller/config//manager?ref=v0.0.1-alpha.5
+- github.com/fluxcd/kustomize-controller/config//crd?ref=v0.0.1-alpha.6
+- github.com/fluxcd/kustomize-controller/config//manager?ref=v0.0.1-alpha.6
+- cluster_role.yaml
+patchesStrategicMerge:
+- patch.yaml
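Review bot: The two remote bases under `resources:` are pinned with `?ref=v0.0.1-alpha.6`, a tag that can be moved upstream, while this kustomization now also ships a cluster-admin binding for the Deployment that base defines. Pinning to an immutable commit, e.g. `?ref=<commit-sha>` with the tag kept in a trailing comment, would make the rendered manifests reproducible and reviewable. Separately, `cluster_role.yaml` as listed here no longer contains a ClusterRole after this commit (it holds a ServiceAccount and a ClusterRoleBinding), so a file name that reflects its contents would be less misleading.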
diff --git a/manifests/bases/kustomize-controller/patch.yaml b/manifests/bases/kustomize-controller/patch.yaml
new file mode 100644
index 00000000..44bbf5bb
--- /dev/null
+++ b/manifests/bases/kustomize-controller/patch.yaml
@@ -0,0 +1,8 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kustomize-controller
+spec:
+  template:
+    spec:
+      serviceAccountName: cluster-reconciler
diff --git a/manifests/rbac/kustomization.yaml b/manifests/rbac/kustomization.yaml
index ea165a8f..4f84bb68 100644
--- a/manifests/rbac/kustomization.yaml
+++ b/manifests/rbac/kustomization.yaml
@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - cluster_role.yaml
   - role.yaml
-- 
GitLab