roles for manager

strangelove-ventures · Oct 18, 2023 · 80e6251 · 80e6251
1 parent 992f5ad
commit 80e6251
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 4 deletions.
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -31,6 +31,7 @@ spec:
       containers:
       - command:
         - /manager
+        imagePullPolicy: Always
         args:
         - --leader-elect
         image: controller:latest

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -11,6 +11,7 @@ rules:
   - configmaps
   - persistentvolumeclaims
   - pods
+  - serviceaccounts
   - services
   verbs:
   - create
@@ -144,6 +145,19 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - snapshot.storage.k8s.io
   resources:

diff --git a/controllers/cosmosfullnode_controller.go b/controllers/cosmosfullnode_controller.go
@@ -91,7 +91,8 @@ var (
 //+kubebuilder:rbac:groups=cosmos.strange.love,resources=cosmosfullnodes/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=cosmos.strange.love,resources=cosmosfullnodes/finalizers,verbs=update
 // Generate RBAC roles to watch and update resources. IMPORTANT!!!! All resource names must be lowercase or cluster role will not work.
-//+kubebuilder:rbac:groups="",resources=pods;persistentvolumeclaims;services;configmaps,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=pods;persistentvolumeclaims;services;serviceaccounts;configmaps,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;update;patch
 

diff --git a/internal/fullnode/rbac_builder.go b/internal/fullnode/rbac_builder.go
@@ -3,6 +3,7 @@ package fullnode
 import (
 	cosmosv1 "github.com/strangelove-ventures/cosmos-operator/api/v1"
 	"github.com/strangelove-ventures/cosmos-operator/internal/diff"
+	"github.com/strangelove-ventures/cosmos-operator/internal/kube"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -21,17 +22,20 @@ func clusterRoleName(crd *cosmosv1.CosmosFullNode) string {
 // Creates a single service account for the version check.
 func BuildServiceAccounts(crd *cosmosv1.CosmosFullNode) []diff.Resource[*corev1.ServiceAccount] {
 	diffSa := make([]diff.Resource[*corev1.ServiceAccount], 1)
-	svc := corev1.ServiceAccount{
+	sa := corev1.ServiceAccount{
 		TypeMeta: v1.TypeMeta{
-			Kind: "ServiceAccount",
+			Kind:       "ServiceAccount",
+			APIVersion: "v1",
 		},
 		ObjectMeta: v1.ObjectMeta{
 			Name:      serviceAccountName(crd),
 			Namespace: crd.Namespace,
 		},
 	}
 
-	diffSa[0] = diff.Adapt(&svc, 0)
+	sa.Labels = defaultLabels(crd, kube.ComponentLabel, "vc")
+
+	diffSa[0] = diff.Adapt(&sa, 0)
 
 	return diffSa
 }
@@ -42,6 +46,10 @@ func BuildServiceAccounts(crd *cosmosv1.CosmosFullNode) []diff.Resource[*corev1.
 func BuildClusterRoles(crd *cosmosv1.CosmosFullNode) []diff.Resource[*rbacv1.ClusterRole] {
 	diffCr := make([]diff.Resource[*rbacv1.ClusterRole], 1)
 	cr := rbacv1.ClusterRole{
+		TypeMeta: v1.TypeMeta{
+			Kind:       "ClusterRole",
+			APIVersion: "rbac.authorization.k8s.io/v1",
+		},
 		ObjectMeta: v1.ObjectMeta{
 			Name:      clusterRoleName(crd),
 			Namespace: crd.Namespace,
@@ -60,6 +68,8 @@ func BuildClusterRoles(crd *cosmosv1.CosmosFullNode) []diff.Resource[*rbacv1.Clu
 		},
 	}
 
+	cr.Labels = defaultLabels(crd, kube.ComponentLabel, "vc")
+
 	diffCr[0] = diff.Adapt(&cr, 0)
 
 	return diffCr
@@ -71,6 +81,10 @@ func BuildClusterRoles(crd *cosmosv1.CosmosFullNode) []diff.Resource[*rbacv1.Clu
 func BuildClusterRoleBindings(crd *cosmosv1.CosmosFullNode) []diff.Resource[*rbacv1.ClusterRoleBinding] {
 	diffCrb := make([]diff.Resource[*rbacv1.ClusterRoleBinding], 1)
 	crb := rbacv1.ClusterRoleBinding{
+		TypeMeta: v1.TypeMeta{
+			Kind:       "ClusterRoleBinding",
+			APIVersion: "rbac.authorization.k8s.io/v1",
+		},
 		ObjectMeta: v1.ObjectMeta{
 			Name:      crd.Name + "-crb",
 			Namespace: crd.Namespace,
@@ -89,6 +103,8 @@ func BuildClusterRoleBindings(crd *cosmosv1.CosmosFullNode) []diff.Resource[*rba
 		},
 	}
 
+	crb.Labels = defaultLabels(crd, kube.ComponentLabel, "vc")
+
 	diffCrb[0] = diff.Adapt(&crb, 0)
 
 	return diffCrb