From caf90347ff2e40ae9511d651d6fef4bb42c891af Mon Sep 17 00:00:00 2001 From: Camila Macedo Date: Thu, 29 Oct 2020 13:12:21 +0000 Subject: [PATCH] improvements and fixes for an idempotent result (#166) --- .generate/gen-all.sh | 6 +++ helm/.generate/gen-helm-memcached.sh | 18 +++++++++ ...cached-operator.clusterserviceversion.yaml | 26 +++++++++++- helm/memcached-operator/config/rbac/role.yaml | 40 ++++++++++++++----- 4 files changed, 79 insertions(+), 11 deletions(-) diff --git a/.generate/gen-all.sh b/.generate/gen-all.sh index c1a632d5..04971cdd 100755 --- a/.generate/gen-all.sh +++ b/.generate/gen-all.sh @@ -14,6 +14,12 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Before run this script ensure that you have helm installed locally +# with the stable repo as well. The helm sample will use the memcached chart +# from helm repository. +# To install: https://helm.sh/docs/intro/install/ +# To add the repo run `helm repo add stable https://charts.helm.sh/stable` + set -o errexit set -o pipefail diff --git a/helm/.generate/gen-helm-memcached.sh b/helm/.generate/gen-helm-memcached.sh index f59d93d2..af58797c 100755 --- a/helm/.generate/gen-helm-memcached.sh +++ b/helm/.generate/gen-helm-memcached.sh @@ -14,6 +14,12 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Before run this script ensure that you have helm installed locally +# with the stable repo as well. The helm sample will use the memcached chart +# from helm repository. +# To install: https://helm.sh/docs/intro/install/ +# To add the repo run `helm repo add stable https://charts.helm.sh/stable` + set -o errexit set -o pipefail 
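Review bot: In .generate/gen-all.sh the helm prerequisite is stated only in a comment, so a missing binary or a missing `stable` repo shows up as a mid-run failure under `errexit` instead of a clear message. A guard right after `set -o pipefail`, such as `command -v helm >/dev/null || { echo "helm not found in PATH" >&2; exit 1; }`, would make it explicit. The same comment block is added to helm/.generate/gen-helm-memcached.sh and the point applies there as well. The sample is built from whatever memcached chart the local `stable` index resolves to, so the output presumably still depends on local repo state. Pinning the chart version where it is fetched (not visible in these hunks) would serve the idempotency goal, and the comment would read better as `# Before running this script, ensure helm is installed locally and the stable repo has been added.`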
@@ -36,6 +42,18 @@ function header_text { } function gen_helm_sample { + + # When operator-sdk scaffolds Helm projects, it tries to use the discovery API of a Kubernetes + # cluster to intelligently build the RBAC rules that the operator will require based on the + # content of the helm chart. + # + # Here, we intentionally set KUBECONFIG to a broken value to ensure that operator-sdk will be + # unable to reach a real cluster, and thus will generate a default RBAC rule set. This is + # required to make Helm project generation idempotent because contributors and CI environments + # can all have slightly different environments that can affect the content of the generated + # role and cause sanity testing to fail. + export KUBECONFIG="broken_so_we_generate_static_default_rules" + local operIMG="quay.io/example-inc/memcached-operator:v0.0.1" local bundleIMG="quay.io/example-inc/memcached-operator-bundle:v0.0.1" diff --git a/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml index f4e30f4d..44e08e44 100644 --- a/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml +++ b/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml @@ -110,15 +110,37 @@ spec: - apiGroups: - "" resources: + - pods - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - apps resources: + - deployments + - daemonsets + - replicasets - statefulsets verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - policy resources: diff --git a/helm/memcached-operator/config/rbac/role.yaml b/helm/memcached-operator/config/rbac/role.yaml index a68c3b4c..111ff0b4 100644 --- a/helm/memcached-operator/config/rbac/role.yaml 
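Review bot: The `export KUBECONFIG=...` at the top of gen_helm_sample is not scoped to the function, so every later command in the script, and every child process, also runs with the bogus kubeconfig. If only the scaffolding step needs it, `local -x KUBECONFIG="broken_so_we_generate_static_default_rules"` keeps the override inside the function. It may also be worth confirming that a CI job running inside a cluster cannot fall back to in-cluster service-account credentials, which an invalid KUBECONFIG path alone may not rule out. The function body continues outside the hunk, so the operator-sdk invocations themselves are not visible here.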
+++ b/helm/memcached-operator/config/rbac/role.yaml @@ -44,18 +44,40 @@ rules: - patch - update - watch -- verbs: - - "*" - apiGroups: +- apiGroups: - "" resources: - - "services" -- verbs: - - "*" - apiGroups: - - "apps" + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps resources: - - "statefulsets" + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch ## ## Rules customized for cache.example.com/v1alpha1, Kind: Memcached
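Review bot: The two replacement rules drop the `"*"` verbs but widen the resource list. The operator now gets create/delete/get/list/patch/update/watch on `secrets`, `configmaps`, `pods` and `persistentvolumeclaims`, where the previous chart-derived rules covered only `services` and `statefulsets`. Because this is a sample that users copy, a comment above the new rules would help, e.g. `# Static default rules generated without cluster discovery; narrow resources and verbs to what your chart actually deploys.` The same rule set is repeated in bundle/manifests/memcached-operator.clusterserviceversion.yaml. Whether this file defines a Role or a ClusterRole is not visible in the hunk, and that decides how far the secrets access reaches.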