address comments

pkg/scaffold/project.go

@@ -195,6 +195,8 @@ func (p *V2Project) Scaffold() error {
 		&scaffoldv2.Kustomize{},
 		&scaffoldv2.ManagerWebhookPatch{},
 		&scaffoldv2.ManagerRoleBinding{},
+		&scaffoldv2.StaticRole{},
+		&scaffoldv2.StaticRoleBinding{},
 		&scaffoldv2.KustomizeRBAC{},
 		&managerv2.Kustomization{},
 		&webhook.Kustomization{},

pkg/scaffold/v2/main.go

@@ -138,27 +138,17 @@ func init() {
 	%s
 }
 
-// Persmissions to do leader election.
-// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch
-
 func main() {
 	var metricsAddr string
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 	flag.Parse()
 
 	ctrl.SetLogger(zap.Logger(true))
 
-	leaderElectionNamespace := "default"
-	if len(os.Getenv("POD_NAMESPACE")) != 0 {
-		leaderElectionNamespace = os.Getenv("POD_NAMESPACE")
-	}
-
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                  scheme,
 		MetricsBindAddress:      metricsAddr,
 		LeaderElection:          true,
-		LeaderElectionNamespace: leaderElectionNamespace,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")

pkg/scaffold/v2/manager/config.go

@@ -86,11 +86,6 @@ spec:
       containers:
       - command:
         - /manager
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
         image: {{ .Image }}
         imagePullPolicy: Always
         name: manager

pkg/scaffold/v2/rbac.go

@@ -42,11 +42,12 @@ func (c *KustomizeRBAC) GetInput() (input.Input, error) {
 var kustomizeRBACTemplate = `resources:
 - role.yaml
 - role_binding.yaml
+- static_role.yaml
+- static_role_binding.yaml
 # Comment the following 3 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
 - auth_proxy_service.yaml
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 `
-

pkg/scaffold/v2/staticrole.go

@@ -0,0 +1,67 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+	"path/filepath"
+
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+)
+
+var _ input.File = &StaticRole{}
+
+// StaticRole scaffolds the config/rbac/auth_proxy_role.yaml file
+type StaticRole struct {
+	input.Input
+}
+
+// GetInput implements input.File
+func (r *StaticRole) GetInput() (input.Input, error) {
+	if r.Path == "" {
+		r.Path = filepath.Join("config", "rbac", "static_role.yaml")
+	}
+	r.TemplateBody = staticRoleTemplate
+	return r.Input, nil
+}
+
+var staticRoleTemplate = `# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: static-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - update
+  - patch
+`

pkg/scaffold/v2/staticrolebinding.go

@@ -0,0 +1,53 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+	"path/filepath"
+
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+)
+
+var _ input.File = &StaticRoleBinding{}
+
+// StaticRoleBinding scaffolds the config/rbac/auth_proxy_role.yaml file
+type StaticRoleBinding struct {
+	input.Input
+}
+
+// GetInput implements input.File
+func (r *StaticRoleBinding) GetInput() (input.Input, error) {
+	if r.Path == "" {
+		r.Path = filepath.Join("config", "rbac", "static_role_binding.yaml")
+	}
+	r.TemplateBody = staticRoleBindingTemplate
+	return r.Input, nil
+}
+
+var staticRoleBindingTemplate = `apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: static-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: static-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system
+`

testdata/project-v2/config/manager/manager.yaml

@@ -44,11 +44,6 @@ spec:
       containers:
       - command:
         - /manager
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
         image: controller:latest
         imagePullPolicy: Always
         name: manager

testdata/project-v2/config/rbac/kustomization.yaml

@@ -1,6 +1,8 @@
 resources:
 - role.yaml
 - role_binding.yaml
+- static_role.yaml
+- static_role_binding.yaml
 # Comment the following 3 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.

testdata/project-v2/config/rbac/role.yaml

@@ -66,23 +66,3 @@ rules:
   - get
   - update
   - patch
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - configmaps/status
-  verbs:
-  - get
-  - update
-  - patch

testdata/project-v2/config/rbac/static_role.yaml

@@ -0,0 +1,26 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: static-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - update
+  - patch

testdata/project-v2/config/rbac/static_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: static-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: static-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system

testdata/project-v2/main.go

@@ -42,27 +42,17 @@ func init() {
 	// +kubebuilder:scaffold:scheme
 }
 
-// Persmissions to do leader election.
-// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch
-
 func main() {
 	var metricsAddr string
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 	flag.Parse()
 
 	ctrl.SetLogger(zap.Logger(true))
 
-	leaderElectionNamespace := "default"
-	if len(os.Getenv("POD_NAMESPACE")) != 0 {
-		leaderElectionNamespace = os.Getenv("POD_NAMESPACE")
-	}
-
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme:                  scheme,
-		MetricsBindAddress:      metricsAddr,
-		LeaderElection:          true,
-		LeaderElectionNamespace: leaderElectionNamespace,
+		Scheme:             scheme,
+		MetricsBindAddress: metricsAddr,
+		LeaderElection:     true,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")