move everything to src

config/rbac/action_editor_role.yaml

@@ -0,0 +1,31 @@
+# permissions for end users to edit actions.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: action-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: action-editor-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - actions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - actions/status
+  verbs:
+  - get

config/rbac/action_viewer_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to view actions.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: action-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: action-viewer-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - actions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - actions/status
+  verbs:
+  - get

config/rbac/apiapp_editor_role.yaml

@@ -0,0 +1,31 @@
+# permissions for end users to edit apiapps.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: apiapp-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: apiapp-editor-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - apiapps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - apiapps/status
+  verbs:
+  - get

config/rbac/apiapp_viewer_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to view apiapps.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: apiapp-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: apiapp-viewer-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - apiapps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - apiapps/status
+  verbs:
+  - get

config/rbac/auth_proxy_client_clusterrole.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: metrics-reader
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: metrics-reader
+rules:
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get

config/rbac/auth_proxy_role.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: proxy-role
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: proxy-role
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create

config/rbac/auth_proxy_role_binding.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/instance: proxy-rolebinding
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system

config/rbac/auth_proxy_service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: service
+    app.kubernetes.io/instance: controller-manager-metrics-service
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
+  selector:
+    control-plane: controller-manager

config/rbac/cluster_editor_role.yaml

@@ -0,0 +1,31 @@
+# permissions for end users to edit zitadelclusters.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: zitadelcluster-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: zitadelcluster-editor-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - clusters
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - clusters/status
+  verbs:
+  - get

config/rbac/connection_editor_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to edit connections.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: src
+    app.kubernetes.io/managed-by: kustomize
+  name: connection-editor-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - connections
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - connections/status
+  verbs:
+  - get

config/rbac/connection_viewer_role.yaml

@@ -0,0 +1,23 @@
+# permissions for end users to view connections.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: src
+    app.kubernetes.io/managed-by: kustomize
+  name: connection-viewer-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - connections
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - connections/status
+  verbs:
+  - get

config/rbac/flow_editor_role.yaml

@@ -0,0 +1,31 @@
+# permissions for end users to edit flows.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: flow-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: flow-editor-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - flows
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - flows/status
+  verbs:
+  - get

config/rbac/flow_viewer_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to view flows.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: flow-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: flow-viewer-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - flows
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - flows/status
+  verbs:
+  - get

config/rbac/kustomization.yaml

@@ -0,0 +1,25 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. Those roles are
+# not used by the Project itself. You can comment the following lines
+# if you do not want those helpers be installed with your Project.
+- connection_editor_role.yaml
+- connection_viewer_role.yaml
+

config/rbac/leader_election_role.yaml

@@ -0,0 +1,44 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: role
+    app.kubernetes.io/instance: leader-election-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

config/rbac/leader_election_role_binding.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rolebinding
+    app.kubernetes.io/instance: leader-election-rolebinding
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system

config/rbac/machineuser_editor_role.yaml

@@ -0,0 +1,31 @@
+# permissions for end users to edit machineusers.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: machineuser-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: machineuser-editor-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - machineusers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - machineusers/status
+  verbs:
+  - get

config/rbac/machineuser_viewer_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to view machineusers.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: machineuser-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: machineuser-viewer-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - machineusers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - machineusers/status
+  verbs:
+  - get

config/rbac/oidcapp_editor_role.yaml

@@ -0,0 +1,31 @@
+# permissions for end users to edit oidcapps.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: oidcapp-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: oidcapp-editor-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - oidcapps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - oidcapps/status
+  verbs:
+  - get

config/rbac/oidcapp_viewer_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to view oidcapps.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: oidcapp-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: oidcapp-viewer-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - oidcapps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - oidcapps/status
+  verbs:
+  - get

config/rbac/organization_editor_role.yaml

@@ -0,0 +1,31 @@
+# permissions for end users to edit organizations.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: organization-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: organization-editor-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - organizations
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - organizations/status
+  verbs:
+  - get

config/rbac/organization_viewer_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to view organizations.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: organization-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: organization-viewer-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - organizations
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - organizations/status
+  verbs:
+  - get

config/rbac/project_editor_role.yaml

@@ -0,0 +1,31 @@
+# permissions for end users to edit projects.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: project-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: project-editor-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - projects
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - projects/status
+  verbs:
+  - get

config/rbac/project_viewer_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to view projects.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: project-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: project-viewer-role
+rules:
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - projects
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - projects/status
+  verbs:
+  - get

config/rbac/role.yaml

@@ -0,0 +1,88 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - connections
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - connections/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - zitadel.github.com
+  resources:
+  - connections/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - zitadel.topmanage.com
+  resources:
+  - machineusers
+  - oidcapps
+  - organizations
+  - projects
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - zitadel.topmanage.com
+  resources:
+  - machineusers/finalizers
+  - oidcapps/finalizers
+  - organizations/finalizers
+  - projects/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - zitadel.topmanage.com
+  resources:
+  - machineusers/status
+  - oidcapps/status
+  - organizations/status
+  - projects/status
+  verbs:
+  - get
+  - patch
+  - update

config/rbac/role_binding.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/instance: manager-rolebinding
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system

config/rbac/service_account.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/instance: controller-manager-sa
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: src
+    app.kubernetes.io/part-of: src
+    app.kubernetes.io/managed-by: kustomize
+  name: controller-manager
+  namespace: system