Fix the RBAC generation via kubebuilder and sync with helm chart template

Author: amuraru

Makefile

@@ -204,11 +204,15 @@ deploy: install-kustomize install ## Deploy controller into the configured Kuber
 manifests: bin/controller-gen ## Generate (Kubebuilder) manifests e.g. CRD, RBAC etc.
 	cd api && $(CONTROLLER_GEN) $(CRD_OPTIONS) webhook paths="./..." output:crd:artifacts:config=../config/base/crds output:webhook:artifacts:config=../config/base/webhook
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role paths="./controllers/..." output:rbac:artifacts:config=./config/base/rbac
-	## Regenerate CRDs for the helm chart
+	## Regenerate CRDs and RBAC for the helm chart
 	cp config/base/crds/kafka.banzaicloud.io_cruisecontroloperations.yaml $(HELM_CRD_PATH)/cruisecontroloperations.yaml
 	cp config/base/crds/kafka.banzaicloud.io_kafkaclusters.yaml $(HELM_CRD_PATH)/kafkaclusters.yaml
 	cp config/base/crds/kafka.banzaicloud.io_kafkatopics.yaml $(HELM_CRD_PATH)/kafkatopics.yaml
 	cp config/base/crds/kafka.banzaicloud.io_kafkausers.yaml $(HELM_CRD_PATH)/kafkausers.yaml
+	@sed -n '1,/# RBAC_RULES_START - Do not edit between markers, managed by make manifests/p' charts/kafka-operator/templates/operator-rbac.yaml > charts/kafka-operator/templates/operator-rbac.yaml.tmp
+	@awk '/^rules:$$/,0' config/base/rbac/role.yaml | tail -n +2 >> charts/kafka-operator/templates/operator-rbac.yaml.tmp
+	@sed -n '/# RBAC_RULES_END/,$$p' charts/kafka-operator/templates/operator-rbac.yaml >> charts/kafka-operator/templates/operator-rbac.yaml.tmp
+	@mv charts/kafka-operator/templates/operator-rbac.yaml.tmp charts/kafka-operator/templates/operator-rbac.yaml
 
 fmt: ## Run go fmt against code.
 	go fmt ./...

charts/kafka-operator/templates/operator-rbac.yaml

@@ -26,227 +26,174 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: operator
 rules:
-- apiGroups:
-  - projectcontour.io
-  resources:
-  - '*'
-  verbs:
-  - '*'
+# RBAC_RULES_START - Do not edit between markers, managed by make manifests
 - apiGroups:
   - ""
   resources:
-  - events
+  - configmaps
+  - persistentvolumeclaims
+  - secrets
+  - services
   verbs:
   - create
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
+  - delete
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
-  - apps
+  - ""
   resources:
-  - deployments
+  - events
   verbs:
-  - get
-  - list
-  - watch
   - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - apps
-  resources:
-  - deployments/status
-  verbs:
-  - get
-  - update
   - patch
 - apiGroups:
   - ""
   resources:
-  - configmaps
+  - namespaces
+  - nodes
   verbs:
   - get
   - list
   - watch
-  - create
-  - update
-  - patch
-  - delete
 - apiGroups:
-  - kafka.banzaicloud.io
+  - ""
   resources:
-  - kafkaclusters
-  - kafkatopics
-  - kafkausers
+  - pods
   verbs:
-  - get
-  - list
-  - watch
   - create
-  - update
-  - patch
   - delete
-  - deletecollection
-- apiGroups:
-  - kafka.banzaicloud.io
-  resources:
-  - kafkaclusters/status
-  - kafkatopics/status
-  - kafkausers/status
-  verbs:
   - get
+  - list
   - update
-  - patch
+  - watch
 - apiGroups:
-  - kafka.banzaicloud.io
+  - apps
   resources:
-  - kafkaclusters/finalizers
+  - deployments
   verbs:
   - create
   - delete
+  - get
+  - list
   - patch
   - update
+  - watch
 - apiGroups:
-  - kafka.banzaicloud.io
+  - apps
   resources:
-  - kafkausers/finalizers
+  - deployments/status
   verbs:
-  - create
-  - delete
+  - get
   - patch
   - update
 - apiGroups:
-  - kafka.banzaicloud.io
+  - cert-manager.io
   resources:
-  - kafkatopics/finalizers
+  - certificates
+  - clusterissuers
+  - issuers
   verbs:
   - create
   - delete
+  - get
+  - list
   - patch
   - update
+  - watch
 - apiGroups:
-  - kafka.banzaicloud.io
+  - certificates.k8s.io
   resources:
-  - cruisecontroloperations
+  - certificatesigningrequests
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
   - update
   - watch
 - apiGroups:
-  - kafka.banzaicloud.io
+  - certificates.k8s.io
   resources:
-  - cruisecontroloperations/status
+  - certificatesigningrequests/approval
   verbs:
-  - get
-  - patch
   - update
 - apiGroups:
-  - kafka.banzaicloud.io
+  - certificates.k8s.io
   resources:
-  - cruisecontroloperations/finalizers
+  - signers
   verbs:
-  - create
-  - delete
-  - patch
-  - update
+  - approve
 - apiGroups:
-  - ""
+  - coordination.k8s.io
   resources:
-  - persistentvolumeclaims
+  - leases
   verbs:
-  - get
-  - update
   - create
-  - watch
-  - list
   - delete
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
   - get
+  - list
+  - patch
   - update
-  - create
   - watch
-  - list
-  - delete
 - apiGroups:
-  - ""
+  - gateway.networking.k8s.io
   resources:
-  - nodes
+  - gateways
+  - tcproutes
   verbs:
+  - create
+  - delete
   - get
   - list
+  - patch
+  - update
   - watch
-{{- if .Values.webhook.enabled }}
 - apiGroups:
-  - admissionregistration.k8s.io
+  - kafka.banzaicloud.io
   resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
+  - cruisecontroloperations
+  - kafkatopics
+  - kafkausers
   verbs:
-  - get
-  - list
-  - watch
   - create
-  - update
-  - patch
   - delete
-{{- end }}
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
+  - deletecollection
   - get
   - list
-  - watch
-  - create
-  - update
   - patch
-  - delete
+  - update
+  - watch
 - apiGroups:
-  - ""
+  - kafka.banzaicloud.io
   resources:
-  - services
+  - cruisecontroloperations/finalizers
+  - kafkaclusters/finalizers
+  - kafkatopics/finalizers
+  - kafkausers/finalizers
   verbs:
-  - get
-  - list
-  - watch
   - create
-  - update
-  - patch
   - delete
+  - patch
+  - update
 - apiGroups:
-  - cert-manager.io
+  - kafka.banzaicloud.io
   resources:
-  - issuers
-  - clusterissuers
-  - certificates
+  - cruisecontroloperations/status
+  - kafkaclusters/status
+  - kafkatopics/status
+  - kafkausers/status
   verbs:
-  - create
-  - delete
   - get
-  - list
   - patch
   - update
-  - watch
 - apiGroups:
-  - certificates.k8s.io
+  - kafka.banzaicloud.io
   resources:
-  - certificatesigningrequests
+  - kafkaclusters
   verbs:
   - create
   - delete
@@ -256,21 +203,9 @@ rules:
   - update
   - watch
 - apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests/approval
-  verbs:
-  - update
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - signers
-  verbs:
-  - approve
-- apiGroups:
-  - coordination.k8s.io
+  - policy
   resources:
-  - leases
+  - poddisruptionbudgets
   verbs:
   - create
   - delete
@@ -280,9 +215,9 @@ rules:
   - update
   - watch
 - apiGroups:
-  - policy
+  - projectcontour.io
   resources:
-  - poddisruptionbudgets
+  - httpproxies
   verbs:
   - create
   - delete
@@ -291,6 +226,7 @@ rules:
   - patch
   - update
   - watch
+# RBAC_RULES_END
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

config/base/rbac/role.yaml

@@ -19,6 +19,13 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 - apiGroups:
   - ""
   resources:
@@ -114,7 +121,6 @@ rules:
   resources:
   - gateways
   - tcproutes
-  - tlsroutes
   verbs:
   - create
   - delete
@@ -185,3 +191,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - projectcontour.io
+  resources:
+  - httpproxies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch