<username>-che as default namespace

Dockerfile

@@ -13,7 +13,7 @@
 # NOTE: using registry.redhat.io/rhel8/go-toolset requires login, which complicates automation
 # NOTE: since updateBaseImages.sh does not support other registries than RHCC, update to RHEL8
 # https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/devtools/go-toolset-rhel7
-FROM registry.access.redhat.com/devtools/go-toolset-rhel7:1.12.12-3  as builder
+FROM registry.access.redhat.com/devtools/go-toolset-rhel7:1.12.12-3 as builder
 ENV PATH=/opt/rh/go-toolset-1.12/root/usr/bin:$PATH \
     GOPATH=/go/
 

README.md

@@ -131,6 +131,7 @@ Or you can build in a container:
 docker run -ti -v /tmp:/tmp -v ${OPERATOR_REPO}:/opt/app-root/src/go/src/github.com/eclipse/che-operator registry.redhat.io/devtools/go-toolset-rhel7:1.11.5-3 sh -c "OOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o /tmp/run-tests /opt/app-root/src/go/src/github.com/eclipse/che-operator/e2e/*.go"
 cp /tmp/run-tests ${OPERATOR_REPO}/run-tests
 ```
+> Notice: if you don't have redhat subscription, use public image registry.access.redhat.com/devtools/go-toolset-rhel7:latest
 
 ### How to run tests
 

deploy.sh

@@ -16,6 +16,15 @@ BASE_DIR=$(cd "$(dirname "$0")"; pwd)
 oc apply -f ${BASE_DIR}/deploy/service_account.yaml
 oc apply -f ${BASE_DIR}/deploy/role.yaml
 oc apply -f ${BASE_DIR}/deploy/role_binding.yaml
+
+oc apply -f ${BASE_DIR}/deploy/cluster_role.yaml
+oc apply -f ${BASE_DIR}/deploy/cluster_role_che.yaml
+oc apply -f ${BASE_DIR}/deploy/cluster_role_createns.yaml
+
+oc apply -f ${BASE_DIR}/deploy/cluster_role_binding.yaml
+oc apply -f ${BASE_DIR}/deploy/cluster_role_binding_che.yaml
+oc apply -f ${BASE_DIR}/deploy/cluster_role_binding_createns.yaml
+
 oc apply -f ${BASE_DIR}/deploy/crds/org_v1_che_crd.yaml
 # sometimes the operator cannot get CRD right away
 sleep 2
@@ -25,4 +34,4 @@ sleep 2
 #oc apply -f ${BASE_DIR}/deploy/cluster_role.yaml -n=$1
 
 oc apply -f ${BASE_DIR}/deploy/operator.yaml
-oc apply -f ${BASE_DIR}/deploy/crds/org_v1_che_cr.yaml
+oc apply -f ${BASE_DIR}/deploy/crds/org_v1_che_cr.yaml

deploy/cluster_role.yaml

@@ -48,3 +48,42 @@ rules:
       - update
       - patch
       - delete
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterrolebindings
+    verbs:
+      - list
+      - watch
+      - create
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+    verbs:
+      - create
+      - list
+      - watch
+  - apiGroups:
+      - authorization.openshift.io
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+    verbs:
+      - get
+      - create
+  - apiGroups:
+      - authorization.openshift.io
+      - rbac.authorization.k8s.io
+    resources:
+      - rolebindings
+    verbs:
+      - get
+      - update
+      - create
+  - apiGroups:
+    - org.eclipse.che
+    resources:
+    - checlusters/finalizers
+    verbs:
+    - '*'

deploy/cluster_role_binding.yaml

@@ -19,4 +19,4 @@ subjects:
 roleRef:
   kind: ClusterRole
   name: che-operator
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

deploy/cluster_role_binding_che.yaml

@@ -0,0 +1,22 @@
+#
+#  Copyright (c) 2012-2019 Red Hat, Inc.
+#    This program and the accompanying materials are made
+#    available under the terms of the Eclipse Public License 2.0
+#    which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+#  SPDX-License-Identifier: EPL-2.0
+#
+#  Contributors:
+#    Red Hat, Inc. - initial API and implementation
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: che-operator-che
+subjects:
+  - kind: ServiceAccount
+    name: che-operator
+    namespace: che
+roleRef:
+  kind: ClusterRole
+  name: che-manage-namespaces
+  apiGroup: rbac.authorization.k8s.io

deploy/cluster_role_binding_createns.yaml

@@ -0,0 +1,22 @@
+#
+#  Copyright (c) 2012-2019 Red Hat, Inc.
+#    This program and the accompanying materials are made
+#    available under the terms of the Eclipse Public License 2.0
+#    which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+#  SPDX-License-Identifier: EPL-2.0
+#
+#  Contributors:
+#    Red Hat, Inc. - initial API and implementation
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: che-operator-create-namespaces
+subjects:
+  - kind: ServiceAccount
+    name: che-operator
+    namespace: che
+roleRef:
+  kind: ClusterRole
+  name: che-create-namespaces
+  apiGroup: rbac.authorization.k8s.io

deploy/cluster_role_che.yaml

@@ -0,0 +1,159 @@
+#
+#  Copyright (c) 2012-2019 Red Hat, Inc.
+#    This program and the accompanying materials are made
+#    available under the terms of the Eclipse Public License 2.0
+#    which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+#  SPDX-License-Identifier: EPL-2.0
+#
+#  Contributors:
+#    Red Hat, Inc. - initial API and implementation
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: che-manage-namespaces
+  labels:
+    app: che
+    component: che
+rules:
+  - verbs:
+      - get
+      - create
+    apiGroups:
+      - authorization.openshift.io
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+  - verbs:
+      - get
+      - update
+      - create
+    apiGroups:
+      - authorization.openshift.io
+      - rbac.authorization.k8s.io
+    resources:
+      - rolebindings
+  - verbs:
+      - get
+    apiGroups:
+      - project.openshift.io
+    resources:
+      - projects
+  - verbs:
+      - get
+      - create
+      - watch
+    apiGroups:
+      - ''
+    resources:
+      - serviceaccounts
+  - verbs:
+      - create
+    apiGroups:
+      - ''
+    resources:
+      - pods/exec
+  - verbs:
+      - list
+    apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+      - configmaps
+  - verbs:
+      - list
+    apiGroups:
+      - apps
+    resources:
+      - secrets
+  - verbs:
+      - list
+      - create
+      - delete
+    apiGroups:
+      - ''
+    resources:
+      - secrets
+  - verbs:
+      - create
+      - get
+      - watch
+    apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+  - verbs:
+      - get
+      - list
+      - create
+      - watch
+      - delete
+    apiGroups:
+      - ''
+    resources:
+      - pods
+  - verbs:
+      - get
+      - list
+      - create
+      - patch
+      - watch
+      - delete
+    apiGroups:
+      - apps
+    resources:
+      - deployments
+  - verbs:
+      - list
+      - create
+      - delete
+    apiGroups:
+      - ''
+    resources:
+      - services
+  - verbs:
+      - create
+      - delete
+    apiGroups:
+      - ''
+    resources:
+      - configmaps
+  - verbs:
+      - list
+      - create
+      - delete
+    apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+  - verbs:
+      - watch
+    apiGroups:
+      - ''
+    resources:
+      - events
+  - verbs:
+      - list
+      - get
+      - patch
+      - delete
+    apiGroups:
+      - apps
+    resources:
+      - replicasets
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - list
+      - create
+      - watch
+      - get
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+    verbs:
+      - get

deploy/cluster_role_createns.yaml

@@ -0,0 +1,32 @@
+#
+#  Copyright (c) 2012-2019 Red Hat, Inc.
+#    This program and the accompanying materials are made
+#    available under the terms of the Eclipse Public License 2.0
+#    which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+#  SPDX-License-Identifier: EPL-2.0
+#
+#  Contributors:
+#    Red Hat, Inc. - initial API and implementation
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: che-create-namespaces
+  labels:
+    app: che
+    component: che
+rules:
+  - verbs:
+      - create
+      - update
+    apiGroups:
+      - project.openshift.io
+    resources:
+      - projectrequests
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - create
+      - update

deploy/role.yaml

@@ -77,6 +77,8 @@ rules:
 - apiGroups:
   - org.eclipse.che
   resources:
-  - '*'
+  - checlusters
+  - checlusters/status
+  - checlusters/finalizers
   verbs:
   - '*'

deploy_k8s.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# Copyright (c) 2012-2018 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+set -e
+set -x
+
+if [ -z "${1}" ]; then
+  echo "missing namespace parameter './deploy_k8s.sh <che-namespace>'"
+  exit 1
+fi
+NAMESPACE=${1}
+
+BASE_DIR=$(cd "$(dirname "$0")"; pwd)
+
+kubectl apply -f "${BASE_DIR}"/deploy/service_account.yaml -n="${NAMESPACE}"
+kubectl apply -f "${BASE_DIR}"/deploy/role.yaml -n="${NAMESPACE}"
+kubectl apply -f "${BASE_DIR}"/deploy/role_binding.yaml -n="${NAMESPACE}"
+
+kubectl apply -f "${BASE_DIR}"/deploy/cluster_role.yaml
+kubectl apply -f "${BASE_DIR}"/deploy/cluster_role_che.yaml
+kubectl apply -f "${BASE_DIR}"/deploy/cluster_role_createns.yaml
+
+kubectl apply -f "${BASE_DIR}"/deploy/cluster_role_binding.yaml -n="${NAMESPACE}"
+kubectl apply -f "${BASE_DIR}"/deploy/cluster_role_binding_che.yaml -n="${NAMESPACE}"
+kubectl apply -f "${BASE_DIR}"/deploy/cluster_role_binding_createns.yaml -n="${NAMESPACE}"
+
+kubectl apply -f "${BASE_DIR}"/deploy/crds/org_v1_che_crd.yaml -n="${NAMESPACE}"
+
+# sometimes the operator cannot get CRD right away
+sleep 2
+
+kubectl apply -f "${BASE_DIR}"/deploy/operator.yaml -n="${NAMESPACE}"
+kubectl apply -f "${BASE_DIR}"/deploy/crds/org_v1_che_cr.yaml -n="${NAMESPACE}"

olm/eclipse-che-preview-kubernetes/deploy/olm-catalog/csv-config.yaml

@@ -1,3 +1,7 @@
-role-paths: [ "generated/roles/role.yaml" ]
+role-paths:
+  - "generated/roles/role.yaml"
+  - "../../deploy/cluster_role.yaml"
+  - "../../deploy/cluster_role_che.yaml"
+  - "../../deploy/cluster_role_createns.yaml"
 operator-path: ../../deploy/operator.yaml
 crd-cr-paths: ["../../deploy/crds/org_v1_che_crd.yaml"]