Fix the RBAC generation via kubebuilder and sync with helm chart template (#205)

Author: amuraru

Makefile

@@ -204,11 +204,15 @@ deploy: install-kustomize install ## Deploy controller into the configured Kuber
 manifests: bin/controller-gen ## Generate (Kubebuilder) manifests e.g. CRD, RBAC etc.
 	cd api && $(CONTROLLER_GEN) $(CRD_OPTIONS) webhook paths="./..." output:crd:artifacts:config=../config/base/crds output:webhook:artifacts:config=../config/base/webhook
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role paths="./controllers/..." output:rbac:artifacts:config=./config/base/rbac
-	## Regenerate CRDs for the helm chart
+	## Regenerate CRDs and RBAC for the helm chart
 	cp config/base/crds/kafka.banzaicloud.io_cruisecontroloperations.yaml $(HELM_CRD_PATH)/cruisecontroloperations.yaml
 	cp config/base/crds/kafka.banzaicloud.io_kafkaclusters.yaml $(HELM_CRD_PATH)/kafkaclusters.yaml
 	cp config/base/crds/kafka.banzaicloud.io_kafkatopics.yaml $(HELM_CRD_PATH)/kafkatopics.yaml
 	cp config/base/crds/kafka.banzaicloud.io_kafkausers.yaml $(HELM_CRD_PATH)/kafkausers.yaml
+	@sed -n '1,/# RBAC_RULES_START - Do not edit between markers, managed by make manifests/p' charts/kafka-operator/templates/operator-rbac.yaml > charts/kafka-operator/templates/operator-rbac.yaml.tmp
+	@awk '/^rules:$$/,0' config/base/rbac/role.yaml | tail -n +2 >> charts/kafka-operator/templates/operator-rbac.yaml.tmp
+	@sed -n '/# RBAC_RULES_END/,$$p' charts/kafka-operator/templates/operator-rbac.yaml >> charts/kafka-operator/templates/operator-rbac.yaml.tmp
+	@mv charts/kafka-operator/templates/operator-rbac.yaml.tmp charts/kafka-operator/templates/operator-rbac.yaml
 
 fmt: ## Run go fmt against code.
 	go fmt ./...

charts/kafka-operator/templates/operator-rbac.yaml

@@ -26,10 +26,14 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: operator
 rules:
+# RBAC_RULES_START - Do not edit between markers, managed by make manifests
 - apiGroups:
-  - servicemesh.cisco.com
+  - ""
   resources:
-  - istiomeshgateways
+  - configmaps
+  - persistentvolumeclaims
+  - secrets
+  - services
   verbs:
   - create
   - delete
@@ -38,124 +42,98 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - networking.istio.io
-  resources:
-  - '*'
-  verbs:
-  - '*'
-- apiGroups:
-  - projectcontour.io
-  resources:
-  - '*'
-  verbs:
-  - '*'
 - apiGroups:
   - ""
   resources:
   - events
   verbs:
   - create
+  - patch
 - apiGroups:
   - ""
   resources:
   - namespaces
+  - nodes
   verbs:
   - get
   - list
   - watch
 - apiGroups:
-  - apps
+  - ""
   resources:
-  - deployments
+  - pods
   verbs:
-  - get
-  - list
-  - watch
   - create
-  - update
-  - patch
   - delete
-- apiGroups:
-  - apps
-  resources:
-  - deployments/status
-  verbs:
   - get
+  - list
   - update
-  - patch
+  - watch
 - apiGroups:
-  - ""
+  - apps
   resources:
-  - configmaps
+  - deployments
   verbs:
-  - get
-  - list
-  - watch
   - create
-  - update
-  - patch
   - delete
-- apiGroups:
-  - kafka.banzaicloud.io
-  resources:
-  - kafkaclusters
-  - kafkatopics
-  - kafkausers
-  verbs:
   - get
   - list
-  - watch
-  - create
-  - update
   - patch
-  - delete
-  - deletecollection
+  - update
+  - watch
 - apiGroups:
-  - kafka.banzaicloud.io
+  - apps
   resources:
-  - kafkaclusters/status
-  - kafkatopics/status
-  - kafkausers/status
+  - deployments/status
   verbs:
   - get
-  - update
   - patch
+  - update
 - apiGroups:
-  - kafka.banzaicloud.io
+  - cert-manager.io
   resources:
-  - kafkaclusters/finalizers
+  - certificates
+  - clusterissuers
+  - issuers
   verbs:
   - create
   - delete
+  - get
+  - list
   - patch
   - update
+  - watch
 - apiGroups:
-  - kafka.banzaicloud.io
+  - certificates.k8s.io
   resources:
-  - kafkausers/finalizers
+  - certificatesigningrequests
   verbs:
   - create
   - delete
+  - get
+  - list
   - patch
   - update
+  - watch
 - apiGroups:
-  - kafka.banzaicloud.io
+  - certificates.k8s.io
   resources:
-  - kafkatopics/finalizers
+  - certificatesigningrequests/approval
   verbs:
-  - create
-  - delete
-  - patch
   - update
 - apiGroups:
-  - kafka.banzaicloud.io
+  - certificates.k8s.io
   resources:
-  - cruisecontroloperations
+  - signers
+  verbs:
+  - approve
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
@@ -164,107 +142,63 @@ rules:
 - apiGroups:
   - kafka.banzaicloud.io
   resources:
-  - cruisecontroloperations/status
+  - cruisecontroloperations
+  - kafkatopics
+  - kafkausers
   verbs:
+  - create
+  - delete
+  - deletecollection
   - get
+  - list
   - patch
   - update
+  - watch
 - apiGroups:
   - kafka.banzaicloud.io
   resources:
   - cruisecontroloperations/finalizers
+  - kafkaclusters/finalizers
+  - kafkatopics/finalizers
+  - kafkausers/finalizers
   verbs:
   - create
   - delete
   - patch
   - update
 - apiGroups:
-  - ""
+  - kafka.banzaicloud.io
   resources:
-  - persistentvolumeclaims
+  - cruisecontroloperations/status
+  - kafkaclusters/status
+  - kafkatopics/status
+  - kafkausers/status
   verbs:
   - get
+  - patch
   - update
-  - create
-  - watch
-  - list
-  - delete
 - apiGroups:
-  - ""
+  - kafka.banzaicloud.io
   resources:
-  - pods
+  - kafkaclusters
   verbs:
-  - get
-  - update
   - create
-  - watch
-  - list
   - delete
-- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
-{{- if .Values.webhook.enabled }}
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
   - get
   - list
-  - watch
-  - create
-  - update
   - patch
-  - delete
-{{- end }}
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
-  - create
   - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - get
-  - list
   - watch
-  - create
-  - update
-  - patch
-  - delete
 - apiGroups:
-  - cert-manager.io
+  - networking.istio.io
   resources:
-  - issuers
-  - clusterissuers
-  - certificates
+  - '*'
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  - '*'
 - apiGroups:
-  - certificates.k8s.io
+  - policy
   resources:
-  - certificatesigningrequests
+  - poddisruptionbudgets
   verbs:
   - create
   - delete
@@ -274,21 +208,9 @@ rules:
   - update
   - watch
 - apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests/approval
-  verbs:
-  - update
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - signers
-  verbs:
-  - approve
-- apiGroups:
-  - coordination.k8s.io
+  - projectcontour.io
   resources:
-  - leases
+  - httpproxies
   verbs:
   - create
   - delete
@@ -298,9 +220,9 @@ rules:
   - update
   - watch
 - apiGroups:
-  - policy
+  - servicemesh.cisco.com
   resources:
-  - poddisruptionbudgets
+  - istiomeshgateways
   verbs:
   - create
   - delete
@@ -309,6 +231,7 @@ rules:
   - patch
   - update
   - watch
+# RBAC_RULES_END
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding