From 63c4067fee058c3dea63f7e66c1a81da1e61088f Mon Sep 17 00:00:00 2001
From: Fabian Fischer
Date: Wed, 9 Mar 2022 09:13:51 +0100
Subject: [PATCH] Give API server permission to create RoleBindings for teams
---
 apiserver/organization/rolebindings.go | 1 +
 config/rbac/role.yaml | 12 ++++++++++++
 config/user-rbac/organization-admin-role.yml | 2 +-
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/apiserver/organization/rolebindings.go b/apiserver/organization/rolebindings.go
index 87fa09ef..205909e6 100644
--- a/apiserver/organization/rolebindings.go
+++ b/apiserver/organization/rolebindings.go
@@ -16,6 +16,7 @@ import (
 // Needed so that we are allowed to delegate the default clusterroles
 // +kubebuilder:rbac:groups="rbac.appuio.io",resources=organizations,verbs=get;list;watch;create;delete;patch;update;edit
 // +kubebuilder:rbac:groups="organization.appuio.io",resources=organizations,verbs=get;list;watch;create;delete;patch;update;edit
+// +kubebuilder:rbac:groups="appuio.io",resources=teams,verbs=get;list;watch;create;delete;patch;update
 //go:generate go run github.com/golang/mock/mockgen -source=$GOFILE -destination=./mock/$GOFILE
 type roleBindingCreator interface {
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index f07fc1e8..cbb555df 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -49,6 +49,18 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - appuio.io
+ resources:
+ - teams
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - coordination.k8s.io
 resources:
diff --git a/config/user-rbac/organization-admin-role.yml b/config/user-rbac/organization-admin-role.yml
index 95e4812f..a6f30901 100644
--- a/config/user-rbac/organization-admin-role.yml
+++ b/config/user-rbac/organization-admin-role.yml
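Review bot: The added `teams` marker in apiserver/organization/rolebindings.go gives the API server write access (`create;delete;patch;update`) to all teams when, going by the comment above it, the only aim is to be allowed to delegate the default clusterroles. If that is the sole reason, the `bind` verb limited by `resourceNames` passes Kubernetes' RBAC escalation check without granting the underlying rights: `// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles,verbs=bind,resourceNames=<delegated-role-name>`. If the marker stays, extend the comment to say that its verbs must cover every verb in config/user-rbac/organization-admin-role.yml, since this commit has to add `delete` in both places by hand and a later edit to only one of them would presumably make RoleBinding creation fail. The config/rbac/role.yaml hunk appears to be the generated counterpart of the marker and needs no change of its own.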
@@ -11,7 +11,7 @@ rules:
 verbs: ["get", "watch", "list", "patch", "update", "create"]
 - apiGroups: ["appuio.io"]
 resources: ["teams"]
- verbs: ["get", "watch", "list", "patch", "update", "create"]
+ verbs: ["get", "watch", "list", "patch", "update", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
 resources: ["rolebindings"]
 verbs: ["get", "watch", "list", "patch", "update", "create"]