Merge pull request #441 from vshn/rbac/ocp_managed

Add support for custom RBAC rules

class/defaults.yml

@@ -55,7 +55,7 @@ parameters:
       appcat:
         registry: ghcr.io
         repository: vshn/appcat
-        tag: v4.89.0
+        tag: v4.90.0
       functionAppcat:
         registry: ${appcat:images:appcat:registry}
         repository: ${appcat:images:appcat:repository}

tests/golden/apiserver/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/apiserver/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/cloudscale-metrics-collector-cloud/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/cloudscale-metrics-collector-cloud/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/cloudscale-metrics-collector-cloud/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.89.0
+        image: ghcr.io/vshn/appcat:v4.90.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/cloudscale-metrics-collector-managed/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/cloudscale-metrics-collector-managed/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/cloudscale-metrics-collector-managed/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.89.0
+        image: ghcr.io/vshn/appcat:v4.90.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/cloudscale/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/cloudscale/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/controllers/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/controllers/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/controllers/appcat/appcat/controllers/appcat/30_deployment.yaml

@@ -23,7 +23,7 @@ spec:
           env:
             - name: PLANS_NAMESPACE
               value: syn-appcat
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             httpGet:
               path: /healthz

tests/golden/defaults/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/defaults/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/defaults/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.89.0
+        image: ghcr.io/vshn/appcat:v4.90.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/exoscale-metrics-collector-cloud/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/exoscale-metrics-collector-cloud/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/exoscale-metrics-collector-cloud/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.89.0
+        image: ghcr.io/vshn/appcat:v4.90.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/exoscale-metrics-collector-managed/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/exoscale-metrics-collector-managed/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/exoscale-metrics-collector-managed/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.89.0
+        image: ghcr.io/vshn/appcat:v4.90.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/exoscale/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/exoscale/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/minio/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/minio/appcat/appcat/20_xrd_vshn_minio.yaml

@@ -5570,12 +5570,24 @@ spec:
                             accessible from all namespaces, this supersedes the AllowedNamespaces
                             field
                           type: boolean
+                        allowedGroups:
+                          description: AllowedGroups defines a list of Groups that
+                            have limited access to the instance namespace
+                          items:
+                            type: string
+                          type: array
                         allowedNamespaces:
                           description: AllowedNamespaces defines a list of namespaces
                             from where the service can be reached in the claim namespace
                           items:
                             type: string
                           type: array
+                        allowedUsers:
+                          description: AllowedUsers defines a list of Users that have
+                            limited access to instance namespace.
+                          items:
+                            type: string
+                          type: array
                         deletionProtection:
                           default: true
                           description: DeletionProtection blocks the deletion of the

tests/golden/minio/appcat/appcat/21_composition_vshn_minio.yaml

@@ -38,7 +38,7 @@ spec:
           emailAlertingSmtpFromAddress: [email protected]
           emailAlertingSmtpHost: smtp.eu.mailgun.org:465
           emailAlertingSmtpUsername: [email protected]
-          imageTag: v4.89.0
+          imageTag: v4.90.0
           isOpenshift: 'false'
           maintenanceSA: helm-based-service-maintenance
           minioChartRepository: https://charts.min.io

tests/golden/minio/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/minio/appcat/appcat/controllers/appcat/30_deployment.yaml

@@ -23,7 +23,7 @@ spec:
           env:
             - name: PLANS_NAMESPACE
               value: syn-appcat
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             httpGet:
               path: /healthz

tests/golden/minio/appcat/appcat/sla_reporter/01_cronjob.yaml

@@ -30,7 +30,7 @@ spec:
               envFrom:
                 - secretRef:
                     name: appcat-sla-reports-creds
-              image: ghcr.io/vshn/appcat:v4.89.0
+              image: ghcr.io/vshn/appcat:v4.90.0
               name: sla-reporter
               resources:
                 limits:

tests/golden/minio/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.89.0
+        image: ghcr.io/vshn/appcat:v4.90.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/openshift/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/openshift/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.89.0
+          image: ghcr.io/vshn/appcat:v4.90.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/openshift/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.89.0
+        image: ghcr.io/vshn/appcat:v4.90.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/vshn/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.89.0-func
+  package: ghcr.io/vshn/appcat:v4.90.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/vshn/appcat/appcat/20_xrd_vshn_keycloak.yaml

@@ -5585,12 +5585,24 @@ spec:
                             accessible from all namespaces, this supersedes the AllowedNamespaces
                             field
                           type: boolean
+                        allowedGroups:
+                          description: AllowedGroups defines a list of Groups that
+                            have limited access to the instance namespace
+                          items:
+                            type: string
+                          type: array
                         allowedNamespaces:
                           description: AllowedNamespaces defines a list of namespaces
                             from where the service can be reached in the claim namespace
                           items:
                             type: string
                           type: array
+                        allowedUsers:
+                          description: AllowedUsers defines a list of Users that have
+                            limited access to instance namespace.
+                          items:
+                            type: string
+                          type: array
                         deletionProtection:
                           default: true
                           description: DeletionProtection blocks the deletion of the
@@ -11681,13 +11693,25 @@ spec:
                                     to be accessible from all namespaces, this supersedes
                                     the AllowedNamespaces field
                                   type: boolean
+                                allowedGroups:
+                                  description: AllowedGroups defines a list of Groups
+                                    that have limited access to the instance namespace
+                                  items:
+                                    type: string
+                                  type: array
                                 allowedNamespaces:
                                   description: AllowedNamespaces defines a list of
                                     namespaces from where the service can be reached
                                     in the claim namespace
                                   items:
                                     type: string
                                   type: array
+                                allowedUsers:
+                                  description: AllowedUsers defines a list of Users
+                                    that have limited access to instance namespace.
+                                  items:
+                                    type: string
+                                  type: array
                                 deletionProtection:
                                   default: true
                                   description: DeletionProtection blocks the deletion