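# Identity and RBAC for the CDI (Containerized Data Importer) operator.
#
# Each resource renders a Kubernetes manifest from a YAML heredoc. The RBAC
# rule lists are kept in their original order (including rules that overlap
# or repeat) so they remain easy to diff against the manifest they were taken
# from; RBAC is purely additive, so a duplicated rule never widens a grant.
#
# Templated scalars (`${var.namespace}`) are single-quoted inside the YAML so
# that a namespace whose name happens to look like a YAML 1.1 boolean or
# number (`on`, `no`, `yes`, `true`, `1` are all valid DNS labels) is kept a
# string instead of being re-typed by the parser.

# Service account the operator deployment runs as. Owned by
# `var.install_owner` so it is garbage-collected with the installation.
resource "kubectl_manifest" "ServiceAccount_cdi-operator" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels: ${jsonencode(local.common-labels)}
      name: cdi-operator
      namespace: '${var.namespace}'
      ownerReferences: ${jsonencode(var.install_owner)}
  EOF
}

# Grants the cluster-wide role below to the operator's service account.
# NOTE(review): no ownerReferences here — a cluster-scoped object cannot name
# a namespaced owner, so unlike the ServiceAccount and RoleBinding this is
# cleaned up only by `terraform destroy`, not by Kubernetes GC. Confirm the
# destroy path removes it.
resource "kubectl_manifest" "ClusterRoleBinding_cdi-operator" {
  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      labels: ${jsonencode(local.common-labels)}
      name: cdi-operator
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cdi-operator-cluster
    subjects:
      - kind: ServiceAccount
        name: cdi-operator
        namespace: '${var.namespace}'
  EOF
}

# Grants the namespace-scoped role below to the operator's service account.
resource "kubectl_manifest" "RoleBinding_cdi-operator" {
  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      labels: ${jsonencode(local.common-labels)}
      name: cdi-operator
      namespace: '${var.namespace}'
      ownerReferences: ${jsonencode(var.install_owner)}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cdi-operator
    subjects:
      - kind: ServiceAccount
        name: cdi-operator
        namespace: '${var.namespace}'
  EOF
}

# Cluster-wide permissions for the operator.
#
# SECURITY: taken together these rules are close to cluster-admin in practice
# (cluster RBAC write, SCC create/update, CRD delete, unrestricted webhook and
# APIService registration, pod create/delete in every namespace). Review the
# individual NOTE(review) comments before reusing this role for anything other
# than the CDI operator. No ownerReferences: cluster-scoped, see the
# ClusterRoleBinding comment above.
resource "kubectl_manifest" "ClusterRole_cdi-operator-cluster" {
  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      labels: ${jsonencode(local.common-labels)}
      name: cdi-operator-cluster
    rules:
      # NOTE(review): write access to cluster RBAC. The API server's
      # escalation check only lets this subject grant permissions it already
      # holds (there is no `escalate`/`bind` verb here), which is presumably
      # why the remaining rules are as broad as the controllers it manages.
      - apiGroups:
          - rbac.authorization.k8s.io
        resources:
          - clusterrolebindings
          - clusterroles
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
      # NOTE(review): OpenShift only. create/update on SCCs can hand out
      # privileged pod settings cluster-wide — treat as admin-equivalent.
      - apiGroups:
          - security.openshift.io
        resources:
          - securitycontextconstraints
        verbs:
          - get
          - list
          - watch
          - update
          - create
      # NOTE(review): `delete` on a CRD removes every object of that kind in
      # the cluster.
      - apiGroups:
          - apiextensions.k8s.io
        resources:
          - customresourcedefinitions
          - customresourcedefinitions/status
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
      # Wildcard over the CDI API groups. The narrower cdi.kubevirt.io rules
      # further down are subsumed by this one and are kept only for
      # readability / diffability.
      - apiGroups:
          - cdi.kubevirt.io
          - upload.cdi.kubevirt.io
        resources:
          - '*'
        verbs:
          - '*'
      # NOTE(review): `create` cannot be restricted by resourceNames, so the
      # operator may register *any* validating or mutating webhook
      # configuration cluster-wide (a mutating webhook sees every matching API
      # write). get/update/delete are pinned to CDI's own webhook names in the
      # two rules that follow.
      - apiGroups:
          - admissionregistration.k8s.io
        resources:
          - validatingwebhookconfigurations
          - mutatingwebhookconfigurations
        verbs:
          - create
          - list
          - watch
      - apiGroups:
          - admissionregistration.k8s.io
        resourceNames:
          - cdi-api-dataimportcron-validate
          - cdi-api-populator-validate
          - cdi-api-datavolume-validate
          - cdi-api-validate
          - objecttransfer-api-validate
        resources:
          - validatingwebhookconfigurations
        verbs:
          - get
          - update
          - delete
      - apiGroups:
          - admissionregistration.k8s.io
        resourceNames:
          - cdi-api-datavolume-mutate
          - cdi-api-pvc-mutate
        resources:
          - mutatingwebhookconfigurations
        verbs:
          - get
          - update
          - delete
      # NOTE(review): unrestricted APIService create/update/delete lets the
      # operator register aggregated API servers for any group/version.
      - apiGroups:
          - apiregistration.k8s.io
        resources:
          - apiservices
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
      # SubjectAccessReview create = may ask the API server whether some other
      # subject is allowed an action; it is a query, not a grant.
      - apiGroups:
          - authorization.k8s.io
        resources:
          - subjectaccessreviews
        verbs:
          - create
      - apiGroups:
          - ''
        resources:
          - configmaps
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ''
        resources:
          - persistentvolumeclaims
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ''
        resources:
          - persistentvolumes
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - storage.k8s.io
        resources:
          - storageclasses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ''
        resources:
          - namespaces
        verbs:
          - get
      - apiGroups:
          - snapshot.storage.k8s.io
        resources:
          - volumesnapshots
        verbs:
          - get
          - list
          - watch
      # The following cdi.kubevirt.io rules are redundant with the '*'/'*'
      # wildcard above (RBAC is additive; they do not narrow anything).
      - apiGroups:
          - cdi.kubevirt.io
        resources:
          - datavolumes
        verbs:
          - list
          - get
      - apiGroups:
          - cdi.kubevirt.io
        resources:
          - datasources
        verbs:
          - get
      - apiGroups:
          - cdi.kubevirt.io
        resources:
          - volumeclonesources
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - cdi.kubevirt.io
        resources:
          - storageprofiles
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - cdi.kubevirt.io
        resources:
          - cdis
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - cdi.kubevirt.io
        resources:
          - cdiconfigs
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - cdi.kubevirt.io
        resources:
          - cdis/finalizers
        verbs:
          - update
      - apiGroups:
          - ''
        resources:
          - events
        verbs:
          - create
          - patch
      # Full PVC lifecycle in every namespace (supersedes the read-only PVC
      # rule above).
      - apiGroups:
          - ''
        resources:
          - persistentvolumeclaims
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
          - deletecollection
          - patch
      - apiGroups:
          - ''
        resources:
          - persistentvolumes
        verbs:
          - get
          - list
          - watch
          - update
      - apiGroups:
          - ''
        resources:
          - persistentvolumeclaims/finalizers
          - pods/finalizers
        verbs:
          - update
      # NOTE(review): pod create in any namespace can reach node compromise
      # unless Pod Security Admission / SCCs limit what those pods may request.
      - apiGroups:
          - ''
        resources:
          - pods
          - services
        verbs:
          - get
          - list
          - watch
          - create
          - delete
      - apiGroups:
          - ''
        resources:
          - configmaps
        verbs:
          - get
          - create
      - apiGroups:
          - storage.k8s.io
        resources:
          - storageclasses
          - csidrivers
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - config.openshift.io
        resources:
          - proxies
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - config.openshift.io
        resources:
          - clusterversions
        verbs:
          - get
      # Duplicate of the cdi.kubevirt.io wildcard granted earlier in this list.
      - apiGroups:
          - cdi.kubevirt.io
        resources:
          - '*'
        verbs:
          - '*'
      - apiGroups:
          - snapshot.storage.k8s.io
        resources:
          - volumesnapshots
          - volumesnapshotclasses
          - volumesnapshotcontents
        verbs:
          - get
          - list
          - watch
          - create
          - delete
      - apiGroups:
          - snapshot.storage.k8s.io
        resources:
          - volumesnapshots
        verbs:
          - update
          - deletecollection
      - apiGroups:
          - apiextensions.k8s.io
        resources:
          - customresourcedefinitions
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - scheduling.k8s.io
        resources:
          - priorityclasses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - image.openshift.io
        resources:
          - imagestreams
        verbs:
          - get
          - list
          - watch
      # Secrets: create only, cluster-wide. No cluster-wide read — secret reads
      # are confined to the install namespace by the Role below.
      - apiGroups:
          - ''
        resources:
          - secrets
        verbs:
          - create
      - apiGroups:
          - kubevirt.io
        resources:
          - virtualmachines/finalizers
        verbs:
          - update
      - apiGroups:
          - ''
        resources:
          - persistentvolumeclaims
        verbs:
          - get
      - apiGroups:
          - cdi.kubevirt.io
        resources:
          - dataimportcrons
        verbs:
          - get
          - list
          - update
  EOF
}

# Permissions confined to the install namespace. Owned by `var.install_owner`.
# NOTE(review): this grants full read/write on every Secret in the namespace;
# anything that can run as (or exec into) the operator pod can read them.
resource "kubectl_manifest" "Role_cdi-operator" {
  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      labels: ${jsonencode(local.common-labels)}
      name: cdi-operator
      namespace: '${var.namespace}'
      ownerReferences: ${jsonencode(var.install_owner)}
    rules:
      # Namespace RBAC write (subject to the same escalation check as the
      # cluster rule: only permissions already held can be granted).
      - apiGroups:
          - rbac.authorization.k8s.io
        resources:
          - rolebindings
          - roles
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
      - apiGroups:
          - ''
        resources:
          - serviceaccounts
          - configmaps
          - events
          - secrets
          - services
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - patch
          - delete
      - apiGroups:
          - apps
        resources:
          - deployments
          - deployments/finalizers
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
      # routes/custom-host lets the operator set arbitrary hostnames on
      # OpenShift Routes it creates.
      - apiGroups:
          - route.openshift.io
        resources:
          - routes
          - routes/custom-host
        verbs:
          - get
          - list
          - watch
          - create
          - update
      - apiGroups:
          - config.openshift.io
        resources:
          - proxies
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - monitoring.coreos.com
        resources:
          - servicemonitors
          - prometheusrules
        verbs:
          - get
          - list
          - watch
          - create
          - delete
          - update
          - patch
      - apiGroups:
          - coordination.k8s.io
        resources:
          - leases
        verbs:
          - get
          - create
          - update
      # The secrets/configmaps rules from here on are already covered by the
      # broader core-group rule above; kept verbatim, no effect on the grant.
      - apiGroups:
          - ''
        resources:
          - secrets
          - configmaps
        verbs:
          - get
          - list
          - watch
          - create
      - apiGroups:
          - ''
        resources:
          - configmaps
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
      - apiGroups:
          - ''
        resources:
          - secrets
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - batch
        resources:
          - cronjobs
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - deletecollection
      - apiGroups:
          - batch
        resources:
          - jobs
        verbs:
          - create
          - deletecollection
          - list
          - watch
      # Duplicate of the leases rule above.
      - apiGroups:
          - coordination.k8s.io
        resources:
          - leases
        verbs:
          - get
          - create
          - update
      - apiGroups:
          - networking.k8s.io
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - route.openshift.io
        resources:
          - routes
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ''
        resources:
          - configmaps
        verbs:
          - get
      - apiGroups:
          - ''
        resources:
          - services
          - endpoints
          - pods
        verbs:
          - get
          - list
          - watch
  EOF
}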