feat: add e2e openshift support (#1894)

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

* feat: add e2e openshift support

Signed-off-by: Hristo Hristov <me@hhristov.info>

---------

Signed-off-by: Hristo Hristov <me@hhristov.info>

hack/distro/openshift/capsule-namespace-deleter.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: capsule-namespace-deleter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: capsule-namespace-deleter
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: projectcapsule.dev

hack/distro/openshift/extend-admin-role.yaml

@@ -0,0 +1,22 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: extend-admin-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+rules:
+  - verbs:
+      - update
+    apiGroups:
+      - capsule.clastix.io
+    resources:
+      - '*/finalizers'
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - restricted-v2
+      - nonroot-v2
+    verbs:
+      - 'use'

hack/distro/overlays/openshift/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../fluxcd
+  - https://raw.githubusercontent.com/fluxcd/flux2/v2.4.0/manifests/openshift/scc.yaml
+patches:
+  - target:
+      kind: Deployment
+      labelSelector: app.kubernetes.io/part-of=flux
+    patch: |
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: all
+      spec:
+        template:
+          spec:
+            securityContext:
+              $patch: delete
+            containers:
+              - name: manager
+                securityContext:
+                  seccompProfile:
+                    $patch: delete
+
+  - target:
+      kind: Namespace
+      labelSelector: app.kubernetes.io/part-of=flux
+    patch: |-
+      - op: remove
+        path: /metadata/labels/pod-security.kubernetes.io~1warn
+      - op: remove
+        path: /metadata/labels/pod-security.kubernetes.io~1warn-version