From 65055c273f7c62ed843e2421a6354c365ca0b2cb Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Tue, 7 Feb 2023 13:59:29 +0200
Subject: [PATCH] rbac: Add view and edit aggregated cluster roles
Signed-off-by: Stefan Prodan
---
 .../bases/helm-controller/kustomization.yaml | 2 +-
 .../kustomization.yaml | 2 +-
 .../kustomization.yaml | 2 +-
 .../kustomize-controller/kustomization.yaml | 2 +-
 .../kustomization.yaml | 2 +-
 .../source-controller/kustomization.yaml | 2 +-
 manifests/rbac/edit.yaml | 21 +++++++++++++++++++
 manifests/rbac/kustomization.yaml | 2 ++
 manifests/rbac/view.yaml | 20 ++++++++++++++++++
 9 files changed, 49 insertions(+), 6 deletions(-)
 create mode 100644 manifests/rbac/edit.yaml
 create mode 100644 manifests/rbac/view.yaml
diff --git a/manifests/bases/helm-controller/kustomization.yaml b/manifests/bases/helm-controller/kustomization.yaml
index 0bae8162..1e92cadf 100644
--- a/manifests/bases/helm-controller/kustomization.yaml
+++ b/manifests/bases/helm-controller/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
 - account.yaml
 transformers:
 - labels.yaml
-patchesJson6902:
+patches:
 - target:
 group: apps
 version: v1
diff --git a/manifests/bases/image-automation-controller/kustomization.yaml b/manifests/bases/image-automation-controller/kustomization.yaml
index 85b54b7a..f8c783ec 100644
--- a/manifests/bases/image-automation-controller/kustomization.yaml
+++ b/manifests/bases/image-automation-controller/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
 - account.yaml
 transformers:
 - labels.yaml
-patchesJson6902:
+patches:
 - target:
 group: apps
 version: v1
diff --git a/manifests/bases/image-reflector-controller/kustomization.yaml b/manifests/bases/image-reflector-controller/kustomization.yaml
index a854e6b5..77c8b17b 100644
--- a/manifests/bases/image-reflector-controller/kustomization.yaml
+++ b/manifests/bases/image-reflector-controller/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
 - account.yaml
 transformers:
 - labels.yaml
-patchesJson6902:
+patches:
 - target:
 group: apps
 version: v1
diff --git a/manifests/bases/kustomize-controller/kustomization.yaml b/manifests/bases/kustomize-controller/kustomization.yaml
index 494234ca..e0e4157b 100644
--- a/manifests/bases/kustomize-controller/kustomization.yaml
+++ b/manifests/bases/kustomize-controller/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
 - account.yaml
 transformers:
 - labels.yaml
-patchesJson6902:
+patches:
 - target:
 group: apps
 version: v1
diff --git a/manifests/bases/notification-controller/kustomization.yaml b/manifests/bases/notification-controller/kustomization.yaml
index 9f9eb6f7..bdee75e5 100644
--- a/manifests/bases/notification-controller/kustomization.yaml
+++ b/manifests/bases/notification-controller/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
 - account.yaml
 transformers:
 - labels.yaml
-patchesJson6902:
+patches:
 - target:
 group: apps
 version: v1
diff --git a/manifests/bases/source-controller/kustomization.yaml b/manifests/bases/source-controller/kustomization.yaml
index c0b6af2c..7d5bf73b 100644
--- a/manifests/bases/source-controller/kustomization.yaml
+++ b/manifests/bases/source-controller/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
 - account.yaml
 transformers:
 - labels.yaml
-patchesJson6902:
+patches:
 - target:
 group: apps
 version: v1
diff --git a/manifests/rbac/edit.yaml b/manifests/rbac/edit.yaml
new file mode 100644
index 00000000..34569105
--- /dev/null
+++ b/manifests/rbac/edit.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: flux-edit
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+ - apiGroups:
+ - notification.toolkit.fluxcd.io
+ - source.toolkit.fluxcd.io
+ - helm.toolkit.fluxcd.io
+ - image.toolkit.fluxcd.io
+ - kustomize.toolkit.fluxcd.io
+ resources: ["*"]
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
diff --git a/manifests/rbac/kustomization.yaml b/manifests/rbac/kustomization.yaml
index 6a1d4a69..cd0afef0 100644
--- a/manifests/rbac/kustomization.yaml
+++ b/manifests/rbac/kustomization.yaml
@@ -3,3 +3,5 @@ kind: Kustomization
 resources:
 - controller.yaml
 - reconciler.yaml
+ - edit.yaml
+ - view.yaml
diff --git a/manifests/rbac/view.yaml b/manifests/rbac/view.yaml
new file mode 100644
index 00000000..f0caf5be
--- /dev/null
+++ b/manifests/rbac/view.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: flux-view
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+ - apiGroups:
+ - notification.toolkit.fluxcd.io
+ - source.toolkit.fluxcd.io
+ - helm.toolkit.fluxcd.io
+ - image.toolkit.fluxcd.io
+ - kustomize.toolkit.fluxcd.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
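Review bot: `flux-edit` in manifests/rbac/edit.yaml aggregates create, update, patch and delete on `resources: ["*"]` of all five Flux API groups into the built-in `edit` and `admin` roles, so every subject with a namespace-scoped edit binding gains write access to Kustomization and HelmRelease objects once this base is applied (the manifests/rbac/kustomization.yaml hunk installs it unconditionally). Those objects are reconciled by the controllers' own service accounts, so unless tenants are pinned to `spec.serviceAccountName` or the controllers run with `--default-service-account`, a namespace editor can have manifests applied with the controller's privileges; how broad those are depends on reconciler.yaml, which this patch does not show. I would add a header comment to edit.yaml such as `# Aggregated into edit/admin: on multi-tenant clusters pair with --default-service-account and --no-cross-namespace-refs`. I would also list the resources explicitly instead of `"*"`, so that subresources such as status and any kinds added to these groups later are not granted implicitly.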
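Review bot: The `resources: ["*"]` rule in manifests/rbac/view.yaml gives every holder of the built-in `view` role read access to all current and future kinds in the five Flux groups, whereas the stock `view` role is deliberately kept to non-sensitive objects (it omits Secrets). Flux objects can carry data operators may not expect read-only users to see, such as inline Helm values or notification endpoints; whether that matters depends on how those fields are populated in a given cluster. Enumerating the resource names would make the exposure explicit, as would a comment above the rule such as `# read access covers spec and status of every kind in these groups; keep credentials in Secret references`.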