Add RBAC rule for reaper finalizers

k8ssandra · Jul 17, 2024 · 5461a95 · 5461a95
1 parent 6140c72
commit 5461a95
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 0 deletions.
diff --git a/CHANGELOG/CHANGELOG-1.18.md b/CHANGELOG/CHANGELOG-1.18.md
@@ -17,3 +17,4 @@ When cutting a new release, update the `unreleased` heading to the tag being gen
 
 * [FEATURE] [#1310](https://github.com/k8ssandra/k8ssandra-operator/issues/1310) Enhance the MedusaBackupSchedule API to allow scheduling purge tasks
 * [BUGFIX] [#1222](https://github.com/k8ssandra/k8ssandra-operator/issues/1222) Consider DC-level config when validating numToken updates in webhook
+* [BUGFIX] [#1366](https://github.com/k8ssandra/k8ssandra-operator/issues/1366) Reaper deployment can't be created on OpenShift due to missing RBAC rule
diff --git a/charts/k8ssandra-operator/templates/clusterrole.yaml b/charts/k8ssandra-operator/templates/clusterrole.yaml
@@ -385,6 +385,12 @@ rules:
     - patch
     - update
     - watch
+- apiGroups:
+    - reaper.k8ssandra.io
+  resources:
+    - reapers/finalizers
+  verbs:
+    - update
 - apiGroups:
     - reaper.k8ssandra.io
   resources:

diff --git a/charts/k8ssandra-operator/templates/role.yaml b/charts/k8ssandra-operator/templates/role.yaml
@@ -385,6 +385,12 @@ rules:
     - patch
     - update
     - watch
+- apiGroups:
+    - reaper.k8ssandra.io
+  resources:
+    - reapers/finalizers
+  verbs:
+    - update
 - apiGroups:
     - reaper.k8ssandra.io
   resources:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -385,6 +385,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - reaper.k8ssandra.io
+  resources:
+  - reapers/finalizers
+  verbs:
+  - update
 - apiGroups:
   - reaper.k8ssandra.io
   resources:

diff --git a/controllers/reaper/reaper_controller.go b/controllers/reaper/reaper_controller.go
@@ -52,6 +52,7 @@ type ReaperReconciler struct {
 
 // +kubebuilder:rbac:groups=reaper.k8ssandra.io,namespace="k8ssandra",resources=reapers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=reaper.k8ssandra.io,namespace="k8ssandra",resources=reapers/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=reaper.k8ssandra.io,namespace="k8ssandra",resources=reapers/finalizers,verbs=update
 // +kubebuilder:rbac:groups="apps",namespace="k8ssandra",resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="core",namespace="k8ssandra",resources=pods;secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups="core",namespace="k8ssandra",resources=services,verbs=get;list;watch;create

diff --git a/test/e2e/reaper_test.go b/test/e2e/reaper_test.go
@@ -16,6 +16,7 @@ import (
 	reaperclient "github.com/k8ssandra/reaper-client-go/reaper"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/utils/ptr"
@@ -50,6 +51,7 @@ func createSingleReaper(t *testing.T, ctx context.Context, namespace string, f *
 	require.NoError(err, "failed to patch K8ssandraCluster in namespace %s", namespace)
 	checkReaperReady(t, f, ctx, reaperKey)
 	checkReaperK8cStatusReady(t, f, ctx, kcKey, dcKey)
+	checkFinalizerRbacRule(t, f, ctx, namespace)
 	checkContainerDeleted(t, ctx, f, reaperKey, getPodTemplateSpecForDeployment, reaper.VectorContainerName)
 	checkVectorConfigMapDeleted(t, ctx, f, dcKey, reaper.VectorAgentConfigMapName)
 
@@ -85,6 +87,27 @@ func createSingleReaper(t *testing.T, ctx context.Context, namespace string, f *
 	})
 }
 
+func checkFinalizerRbacRule(t *testing.T, f *framework.E2eFramework, ctx context.Context, namespace string) {
+	require := require.New(t)
+	roleKey := types.NamespacedName{Namespace: namespace, Name: "k8ssandra-operator"}
+	role := &rbacv1.Role{}
+	require.NoError(f.Client.Get(ctx, roleKey, role), "Failed to get Role %s", roleKey)
+	found := false
+OuterLoop:
+	for ruleIdx := range role.Rules {
+		rule := &role.Rules[ruleIdx]
+		if rule.Resources[0] == "reapers/finalizers" {
+			for _, verb := range rule.Verbs {
+				if verb == "update" {
+					found = true
+					break OuterLoop
+				}
+			}
+		}
+	}
+	require.True(found, "Failed to find reaper finalizer update rule in Role %s", roleKey)
+}
+
 func createSingleReaperWithEncryption(t *testing.T, ctx context.Context, namespace string, f *framework.E2eFramework) {
 	require := require.New(t)
 	require.NoError(f.CreateCassandraEncryptionStoresSecret(namespace), "Failed to create the encryption secrets")