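---
# OpenShift Template that bootstraps the cluster-service management identity:
# its namespace, service account, cluster-scoped RBAC, a long-lived SA token
# and a non-secret ConfigMap of Azure identifiers.
#
# Every object that names the namespace uses ${NAMESPACE}, so overriding the
# parameter yields a coherent set of objects (the Namespace object and the
# ClusterRoleBinding subjects previously hard-coded the default value and
# would have diverged from the ServiceAccount/Secret/ConfigMap on override).
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: cluster-service-admin
parameters:
  - name: NAMESPACE
    description: The namespace to create
    required: true
    value: cluster-service-admin
  - name: CLIENT_ID
    description: The Azure Client ID used for federation
    required: true
  - name: KEY_VAULT_NAME
    description: Key vault name where certificates are stored
    required: true
  - name: FIRST_PARTY_APP_CERTIFICATE_NAME
    description: Name of first party app certificate
    required: true
  - name: FPA_CLIENT_ID
    description: Client ID of First Party Application
    required: true
  - name: ARM_HELPER_CERTIFICATE_NAME
    description: Name of ARM helper certificate
    required: true
  - name: ARM_HELPER_CLIENT_ID
    description: Client ID of Arm Helper Identity
    required: true
  - name: ARM_HELPER_MOCK_FPA_PRINCIPAL_ID
    description: Principal ID of mock FPA Identity
    required: true
  - name: MSI_MOCK_CERTIFICATE_NAME
    description: Name of MSI mock certificate
    required: true
  - name: MSI_MOCK_CLIENT_ID
    description: Client ID of MSI Mock
    required: true
  - name: MSI_MOCK_PRINCIPAL_ID
    description: Principal ID of MSI Mock
    required: true
objects:
  # The namespace the rest of the objects are created in.
  - apiVersion: v1
    kind: Namespace
    metadata:
      name: "${NAMESPACE}"
  # Identity under which cluster-service runs / is authenticated.
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: cluster-service-mgmt
      namespace: "${NAMESPACE}"
  # Cluster-scoped role: every verb (including delete) on Namespace objects.
  # Kept as "*" to preserve existing behaviour; listing only the verbs the
  # service actually needs would reduce the impact of a leaked token.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: namespace-admin
    rules:
      - apiGroups:
          - ""
        resources:
          - namespaces
        verbs:
          - "*"
  # NOTE: this is a ClusterRoleBinding (not a RoleBinding) to the built-in
  # `admin` ClusterRole, so the service account gets admin-level access in
  # every namespace of the cluster, not only ${NAMESPACE}. Presumably required
  # because the service manages other namespaces - confirm the scope is intended.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cluster-service-admin
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: admin
    subjects:
      - kind: ServiceAccount
        name: cluster-service-mgmt
        namespace: "${NAMESPACE}"
  # Grants the namespace-admin ClusterRole defined above to the same account.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cluster-service-namespace-admin
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: namespace-admin
    subjects:
      - kind: ServiceAccount
        name: cluster-service-mgmt
        namespace: "${NAMESPACE}"
  # Long-lived (non-expiring) token for the service account. It carries every
  # grant above, so read access to this Secret is equivalent to holding those
  # permissions; restrict who can get/list Secrets in ${NAMESPACE} and prefer
  # short-lived bound tokens where the consumer supports them.
  - apiVersion: v1
    kind: Secret
    metadata:
      name: cluster-service-mgmt-token
      annotations:
        kubernetes.io/service-account.name: cluster-service-mgmt
      namespace: "${NAMESPACE}"
    type: kubernetes.io/service-account-token
  # Non-secret configuration: identifiers and certificate *names* only; the
  # certificate material itself lives in Key Vault. Values are quoted so that
  # ConfigMap data stays string-typed even if a parameter expands to a value
  # that looks numeric or boolean to the YAML parser.
  - apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cluster-service-config
      namespace: "${NAMESPACE}"
    data:
      cs-client-id: "${CLIENT_ID}"
      key-vault-name: "${KEY_VAULT_NAME}"
      fpa-cert-name: "${FIRST_PARTY_APP_CERTIFICATE_NAME}"
      fpa-client-id: "${FPA_CLIENT_ID}"
      arm-helper-cert-name: "${ARM_HELPER_CERTIFICATE_NAME}"
      arm-helper-client-id: "${ARM_HELPER_CLIENT_ID}"
      arm-helper-mock-fpa-principal-id: "${ARM_HELPER_MOCK_FPA_PRINCIPAL_ID}"
      msi-mock-cert-name: "${MSI_MOCK_CERTIFICATE_NAME}"
      msi-mock-client-id: "${MSI_MOCK_CLIENT_ID}"
      msi-mock-principal-id: "${MSI_MOCK_PRINCIPAL_ID}"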