Merge pull request #909 from jpodivin/serviceaccounts/rbac/patch

Adding patch rbac perm for serviceaccounts

config/rbac/role.yaml

@@ -123,6 +123,7 @@ rules:
   resources:
   - openstackbaremetalsets/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - baremetal.openstack.org
@@ -257,6 +258,7 @@ rules:
   resources:
   - openstackcontrolplanes/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - core.openstack.org
@@ -283,6 +285,7 @@ rules:
   resources:
   - openstackversions/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - core.openstack.org
@@ -307,6 +310,7 @@ rules:
   resources:
   - openstackdataplanedeployments/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - dataplane.openstack.org
@@ -333,6 +337,7 @@ rules:
   resources:
   - openstackdataplanenodesets/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - dataplane.openstack.org
@@ -358,6 +363,7 @@ rules:
   resources:
   - openstackdataplaneservices/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - designate.openstack.org
@@ -550,6 +556,7 @@ rules:
   resources:
   - dnsdata/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - network.openstack.org
@@ -592,6 +599,7 @@ rules:
   resources:
   - ipsets/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - network.openstack.org
@@ -728,6 +736,7 @@ rules:
   - create
   - get
   - list
+  - patch
   - update
   - watch
 - apiGroups:

controllers/client/openstackclient_controller.go

@@ -78,11 +78,11 @@ func (r *OpenStackClientReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;
 // service account, role, rolebinding
 // +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
-// +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch;patch
 
 // Reconcile -
 func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {

controllers/core/openstackcontrolplane_controller.go

@@ -80,7 +80,7 @@ func (r *OpenStackControlPlaneReconciler) GetLogger(ctx context.Context) logr.Lo
 
 //+kubebuilder:rbac:groups=core.openstack.org,resources=openstackcontrolplanes,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core.openstack.org,resources=openstackcontrolplanes/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=core.openstack.org,resources=openstackcontrolplanes/finalizers,verbs=update
+//+kubebuilder:rbac:groups=core.openstack.org,resources=openstackcontrolplanes/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions,verbs=get;list;create
 //+kubebuilder:rbac:groups=ironic.openstack.org,resources=ironics,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=client.openstack.org,resources=openstackclients,verbs=get;list;watch;create;update;patch;delete

controllers/core/openstackversion_controller.go

@@ -39,8 +39,10 @@ import (
 	"github.com/openstack-k8s-operators/openstack-operator/pkg/openstack"
 )
 
-var envContainerImages (map[string]*string)
-var envAvailableVersion string
+var (
+	envContainerImages  (map[string]*string)
+	envAvailableVersion string
+)
 
 // SetupVersionDefaults -
 func SetupVersionDefaults() {
@@ -72,7 +74,7 @@ func (r *OpenStackVersionReconciler) GetLogger(ctx context.Context) logr.Logger
 
 // +kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions/finalizers,verbs=update
+// +kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core.openstack.org,resources=openstackcontrolplanes,verbs=get;list;watch
 // +kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets,verbs=get;list;watch
 
@@ -82,7 +84,6 @@ func (r *OpenStackVersionReconciler) GetLogger(ctx context.Context) logr.Logger
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *OpenStackVersionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
-
 	Log := r.GetLogger(ctx)
 	Log.Info("Reconciling OpenStackVersion")
 	// Fetch the instance
@@ -293,7 +294,6 @@ func (r *OpenStackVersionReconciler) Reconcile(ctx context.Context, req ctrl.Req
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *OpenStackVersionReconciler) SetupWithManager(mgr ctrl.Manager) error {
-
 	versionFunc := handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, o client.Object) []reconcile.Request {
 		Log := r.GetLogger(ctx)
 		versionList := &corev1beta1.OpenStackVersionList{}

controllers/dataplane/openstackdataplanedeployment_controller.go

@@ -55,7 +55,7 @@ func (r *OpenStackDataPlaneDeploymentReconciler) GetLogger(ctx context.Context)
 
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanedeployments,verbs=get;list;watch;create;delete
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanedeployments/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanedeployments/finalizers,verbs=update
+//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanedeployments/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets,verbs=get;list;watch
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplaneservices,verbs=get;list;watch
 //+kubebuilder:rbac:groups=ansibleee.openstack.org,resources=openstackansibleees,verbs=get;list;watch;create;update;patch;delete
@@ -66,7 +66,6 @@ func (r *OpenStackDataPlaneDeploymentReconciler) GetLogger(ctx context.Context)
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 func (r *OpenStackDataPlaneDeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
-
 	Log := r.GetLogger(ctx)
 	Log.Info("Reconciling Deployment")
 
@@ -260,7 +259,6 @@ func (r *OpenStackDataPlaneDeploymentReconciler) Reconcile(ctx context.Context,
 				err.Error())
 			return ctrl.Result{}, err
 		}
-
 	}
 
 	version, err := dataplaneutil.GetVersion(ctx, helper, instance.Namespace)
@@ -383,7 +381,6 @@ func (r *OpenStackDataPlaneDeploymentReconciler) setHashes(
 	instance *dataplanev1.OpenStackDataPlaneDeployment,
 	nodeSets dataplanev1.OpenStackDataPlaneNodeSetList,
 ) error {
-
 	var err error
 	services := []string{}
 

controllers/dataplane/openstackdataplanenodeset_controller.go

@@ -77,31 +77,31 @@ func (r *OpenStackDataPlaneNodeSetReconciler) GetLogger(ctx context.Context) log
 
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets/finalizers,verbs=update
+//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplaneservices,verbs=get;list;watch;create;update;patch
-//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplaneservices/finalizers,verbs=update
+//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplaneservices/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=baremetal.openstack.org,resources=openstackbaremetalsets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=baremetal.openstack.org,resources=openstackbaremetalsets/status,verbs=get
-//+kubebuilder:rbac:groups=baremetal.openstack.org,resources=openstackbaremetalsets/finalizers,verbs=update
+//+kubebuilder:rbac:groups=baremetal.openstack.org,resources=openstackbaremetalsets/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
 //+kubebuilder:rbac:groups=network.openstack.org,resources=ipsets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=network.openstack.org,resources=ipsets/status,verbs=get
-//+kubebuilder:rbac:groups=network.openstack.org,resources=ipsets/finalizers,verbs=update
+//+kubebuilder:rbac:groups=network.openstack.org,resources=ipsets/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=network.openstack.org,resources=netconfigs,verbs=get;list;watch
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsmasqs,verbs=get;list;watch
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsmasqs/status,verbs=get
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata/status,verbs=get
-//+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata/finalizers,verbs=update
+//+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions,verbs=get;list;watch
 
 // RBAC for the ServiceAccount for the internal image registry
-//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
-//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
+//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
+//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
 //+kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
@@ -645,7 +645,8 @@ func (r *OpenStackDataPlaneNodeSetReconciler) SetupWithManager(mgr ctrl.Manager)
 }
 
 func (r *OpenStackDataPlaneNodeSetReconciler) secretWatcherFn(
-	ctx context.Context, obj client.Object) []reconcile.Request {
+	ctx context.Context, obj client.Object,
+) []reconcile.Request {
 	Log := r.GetLogger(ctx)
 	nodeSets := &dataplanev1.OpenStackDataPlaneNodeSetList{}
 	kind := strings.ToLower(obj.GetObjectKind().GroupVersionKind().Kind)
@@ -680,7 +681,8 @@ func (r *OpenStackDataPlaneNodeSetReconciler) secretWatcherFn(
 }
 
 func (r *OpenStackDataPlaneNodeSetReconciler) genericWatcherFn(
-	ctx context.Context, obj client.Object) []reconcile.Request {
+	ctx context.Context, obj client.Object,
+) []reconcile.Request {
 	Log := r.GetLogger(ctx)
 	nodeSets := &dataplanev1.OpenStackDataPlaneNodeSetList{}
 
@@ -707,7 +709,8 @@ func (r *OpenStackDataPlaneNodeSetReconciler) genericWatcherFn(
 
 func (r *OpenStackDataPlaneNodeSetReconciler) deploymentWatcherFn(
 	ctx context.Context, //revive:disable-line
-	obj client.Object) []reconcile.Request {
+	obj client.Object,
+) []reconcile.Request {
 	namespace := obj.GetNamespace()
 	deployment := obj.(*dataplanev1.OpenStackDataPlaneDeployment)