1
// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
2
// Licensed under the GNU Affero General Public License (AGPL).
3
// See License.AGPL.txt in the project root for license information.
4

5
package image_builder_mk3
6

7
import (
8
	"fmt"
9

10
	"github.com/gitpod-io/gitpod/installer/pkg/common"
11

12
	rbacv1 "k8s.io/api/rbac/v1"
13
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
14
	"k8s.io/apimachinery/pkg/runtime"
15
)
16

17
func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
18
	labels := common.DefaultLabels(Component)
19

20
	return []runtime.Object{
21
		&rbacv1.RoleBinding{
22
			TypeMeta: common.TypeMetaRoleBinding,
23
			ObjectMeta: metav1.ObjectMeta{
24
				Name:      Component,
25
				Namespace: ctx.Namespace,
26
				Labels:    labels,
27
			},
28
			RoleRef: rbacv1.RoleRef{
29
				Kind:     "ClusterRole",
30
				Name:     fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
31
				APIGroup: "rbac.authorization.k8s.io",
32
			},
33
			Subjects: []rbacv1.Subject{{
34
				Kind: "ServiceAccount",
35
				Name: Component,
36
			}},
37
		},
38
		&rbacv1.ClusterRoleBinding{
39
			TypeMeta: common.TypeMetaClusterRoleBinding,
40
			ObjectMeta: metav1.ObjectMeta{
41
				Name:   fmt.Sprintf("%s-%s-proxy-kube-rbac-proxy", ctx.Namespace, Component),
42
				Labels: labels,
43
			},
44
			RoleRef: rbacv1.RoleRef{
45
				Kind:     "ClusterRole",
46
				Name:     fmt.Sprintf("%s-kube-rbac-proxy", ctx.Namespace),
47
				APIGroup: "rbac.authorization.k8s.io",
48
			},
49
			Subjects: []rbacv1.Subject{{
50
				Kind:      "ServiceAccount",
51
				Name:      Component,
52
				Namespace: ctx.Namespace,
53
			}},
54
		},
55
	}, nil
56
}
57

58