chore: RBAC cleanup (#2207)

* remove kb marker

* clean-up rbac

* remove remaining kubebuilder marker for rbac creation

* rename

* delete unused patch

* rename

* revert change in main

* cleanup

* rename

* fix list

* bump watcher

* set role to istio-system. remove crd from manager role since its in cluster role

* format

* rename certmanager role and binding

* remove commited watcher local manifest

* fix kustomize

* adapt e2e

* adapt e2e

* adapt e2e

* adapt e2e

* bump docker version to rid of warning

* remove moduletemplate create & delete verbs

* adapt e2e

* apply renamings

* adapt policy rules for cm, watcher and kyma

* adapt e2e

.run/Launch KLM locally.run.xml

@@ -2,7 +2,7 @@
   <configuration default="false" name="Launch KLM locally" type="GoApplicationRunConfiguration" factoryName="Go Application">
     <module name="lifecycle-manager" />
     <working_directory value="$PROJECT_DIR$" />
-    <parameters value="--in-kcp-mode --enable-kcp-watcher --skr-watcher-image-tag=1.1.7" />
+    <parameters value="--in-kcp-mode --enable-kcp-watcher --skr-watcher-image-tag=1.1.10" />
     <envs>
       <env name="KUBECONFIG" value="$USER_HOME$/.k3d/kcp-local.yaml" />
     </envs>

PROJECT

@@ -10,19 +10,6 @@ plugins:
 projectName: operator
 repo: github.com/kyma-project/lifecycle-manager
 resources:
-- api:
-    crdVersion: v1
-    namespaced: true
-  domain: kyma-project.io
-  group: operator
-  kind: Manifest
-  path: github.com/kyma-project/module-manager/api/v1beta1
-  version: v1beta1
-  webhooks:
-    conversion: true
-    defaulting: true
-    validation: true
-    webhookVersion: v1
 - api:
     crdVersion: v1
     namespaced: true
@@ -110,10 +97,12 @@ resources:
 - api:
     crdVersion: v1
     namespaced: true
-  controller: true
   domain: kyma-project.io
   group: operator
-  kind: SyncResource
-  path: github.com/kyma-project/lifecycle-manager/api/v1alpha1
-  version: v1alpha1
+  kind: ModuleReleaseMeta
+  path: github.com/kyma-project/lifecycle-manager/api/v1beta2
+  version: v1beta2
+  webhooks:
+    conversion: true
+    webhookVersion: v1
 version: "3"

config/certmanager/kustomization.yaml

@@ -1,5 +1,4 @@
 resources:
-- certificate.yaml
-
+  - certificate.yaml
 configurations:
-- kustomizeconfig.yaml
+  - kustomizeconfig.yaml

config/control-plane/kustomization.yaml

@@ -1,42 +1,31 @@
-# WARNING: This is a Kustomization that CANNOT run standalone
-# It is meant to be used in conjunction with a control-plane deployment only and has prerequisites that
-# need to be explicitly created externally in a centrally managed place (e.g. the kcp-system).
-# In fact, in order to avoid conflicts, it even explicitly patches out certain configuration elements.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-
-namePrefix: klm- #kyma-lifecycle-manager
-
-# Labels to add to all resources and selectors.
+namePrefix: klm-
 commonLabels:
   app.kubernetes.io/instance: kcp-lifecycle-manager
   app.kubernetes.io/name: lifecycle-manager
   app.kubernetes.io/created-by: argo-cd
   app.kubernetes.io/part-of: kcp
   app.kubernetes.io/managed-by: kustomize
-
 images:
-- name: europe-docker.pkg.dev/kyma-project/prod/lifecycle-manager
-
+  - name: europe-docker.pkg.dev/kyma-project/prod/lifecycle-manager
 resources:
   - ../manager
-  # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
   - ../certmanager
-
 components:
   - ../crd
-  - ../rbac/namespace_bindings
-  # [ISTIO] To enable istio, uncomment all sections with 'ISTIO'.
+  - ../rbac
   - ../istio
-  # [WATCHER] To enable the watcher, uncomment all the sections with [WATCHER]
   - ../watcher
-  # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix
   - ../webhook
-  # [GRAFANA] To enable grafana, uncomment all sections with 'GRAFANA'.
   - ../grafana
-
 patches:
-  - patch: |-
+  - path: patches/deployment_resources.yaml
+  - path: patches/unique_deployment_webhook_patch.yaml
+  - path: patches/unique_certificate_name.yaml # Override certificate name to ensure a unique CM Cert when run with other kubebuilder operators
+  - target:
+      kind: Deployment
+    patch: |-
       - op: add
         path: /spec/template/spec/containers/0/args/-
         value: --in-kcp-mode
@@ -64,64 +53,56 @@ patches:
       - op: add
         path: /spec/template/spec/containers/0/args/-
         value: --is-kyma-managed
-    target:
-      kind: Deployment
-  - patch: |-
+  - target:
+      kind: ConfigMap
+      name: dashboard-(overview|status|watcher|mandatory-modules)
+      version: v1
+    patch: |-
       - op: add
         path: /metadata/labels
         value: {}
       - op: add
         path: /metadata/labels/grafana_dashboard
         value: "1"
-    target:
-      kind: ConfigMap
-      name: dashboard-(overview|status|watcher|mandatory-modules)
-      version: v1
-  - path: patches/unique_manager_webhook_patch.yaml
-  - path: patches/adjust_resources_in_deployment.yaml
-    # We override the certificate name to ensure that Cert-Manager uses a unique cert in conjunction with other
-    # kubebuilder operators.
-  - path: patches/unique_certificate_name.yaml
-
 # Note: Now as the 'patchesJson6902' is deprecated, the direct use of the 'PatchTransformer' is the only way to change a resource namespace to something different from the value configured by the global namespace transformer.
 transformers:
-- |-
-  apiVersion: builtin
-  kind: PrefixSuffixTransformer
-  metadata:
-    name: add-klm-prefix-to-resources
-  prefix: klm-
-  fieldSpecs:
-  - path: subjects/name
-    kind: RoleBinding
-  - path: subjects/name
-    kind: ClusterRoleBinding
-- |-
-  apiVersion: builtin
-  kind: NamespaceTransformer
-  metadata:
-    name: add-resources-to-kcp-system
-    namespace: kcp-system
-  unsetOnly: true
-  setRoleBindingSubjects: allServiceAccounts
-- |-
-  apiVersion: builtin
-  kind: AnnotationsTransformer
-  metadata:
-    name: add-ca-inject-annotation
-  annotations:
-    cert-manager.io/inject-ca-from: kcp-system/klm-controller-manager-webhook-serving
-  fieldSpecs:
-  - kind: CustomResourceDefinition
-    path: metadata/annotations
-- |-
-  apiVersion: builtin
-  kind: PatchTransformer
-  metadata:
-    name: fix-cert-dns-names
-  patch: '[{"op": "replace", "path": "/spec/dnsNames/0", "value": "klm-webhook-service.kcp-system.svc"}, {"op": "replace", "path": "/spec/dnsNames/1", "value": "klm-webhook-service.kcp-system.svc.cluster.local"}]'
-  target:
-    kind: Certificate
-    name: klm-controller-manager-webhook-serving
-    version: v1
-    group: cert-manager.io
+  - |-
+    apiVersion: builtin
+    kind: PrefixSuffixTransformer
+    metadata:
+      name: add-klm-prefix-to-resources
+    prefix: klm-
+    fieldSpecs:
+    - path: subjects/name
+      kind: RoleBinding
+    - path: subjects/name
+      kind: ClusterRoleBinding
+  - |-
+    apiVersion: builtin
+    kind: NamespaceTransformer
+    metadata:
+      name: add-resources-to-kcp-system
+      namespace: kcp-system
+    unsetOnly: true
+    setRoleBindingSubjects: allServiceAccounts
+  - |-
+    apiVersion: builtin
+    kind: AnnotationsTransformer
+    metadata:
+      name: add-ca-inject-annotation
+    annotations:
+      cert-manager.io/inject-ca-from: kcp-system/klm-controller-manager-webhook-serving
+    fieldSpecs:
+    - kind: CustomResourceDefinition
+      path: metadata/annotations
+  - |-
+    apiVersion: builtin
+    kind: PatchTransformer
+    metadata:
+      name: fix-cert-dns-names
+    patch: '[{"op": "replace", "path": "/spec/dnsNames/0", "value": "klm-webhook-service.kcp-system.svc"}, {"op": "replace", "path": "/spec/dnsNames/1", "value": "klm-webhook-service.kcp-system.svc.cluster.local"}]'
+    target:
+      kind: Certificate
+      name: klm-controller-manager-webhook-serving
+      version: v1
+      group: cert-manager.io

config/control-plane/patches/adjust_resources_in_deployment.yaml → config/control-plane/patches/deployment_resources.yaml

@@ -1,5 +1,3 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -14,4 +12,4 @@ spec:
               memory: 4000Mi
             requests:
               cpu: 1000m
-              memory: 1000Mi
+              memory: 1000Mi

config/control-plane/patches/unique_certificate_name.yaml

@@ -3,4 +3,4 @@ kind: Certificate
 metadata:
   name: controller-manager-webhook-serving  # this name should match the one appeared in kustomizeconfig.yaml
 spec:
-  secretName: klm-controller-manager-webhook # this secret will not be prefixed, since it's not managed by kustomize
+  secretName: klm-controller-manager-webhook # secretName will not be prefixed, since it's not managed by kustomize

config/crd/kustomizeconfig.yaml

@@ -1,19 +1,17 @@
-# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+# Configure name and namespace reference substitution in CRDs
 nameReference:
-- kind: Service
-  version: v1
-  fieldSpecs:
+  - kind: Service
+    version: v1
+    fieldSpecs:
+    - kind: CustomResourceDefinition
+      version: v1
+      group: apiextensions.k8s.io
+      path: spec/conversion/webhook/clientConfig/service/name
+namespace:
   - kind: CustomResourceDefinition
     version: v1
     group: apiextensions.k8s.io
-    path: spec/conversion/webhook/clientConfig/service/name
-
-namespace:
-- kind: CustomResourceDefinition
-  version: v1
-  group: apiextensions.k8s.io
-  path: spec/conversion/webhook/clientConfig/service/namespace
-  create: false
-
+    path: spec/conversion/webhook/clientConfig/service/namespace
+    create: false
 varReference:
-- path: metadata/annotations
+  - path: metadata/annotations