Merge pull request #147 from projectsyn/fix/olm/certgen-cronjob-rbac

Patch OLM RBAC to allow deploying Hubble certgen cronjob
projectsyn · Oct 29, 2024 · 427b536 · 427b536
2 parents 9dd92c3 + 3f15cbe
commit 427b536
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 5 deletions.
diff --git a/component/olm.jsonnet b/component/olm.jsonnet
@@ -222,11 +222,45 @@ local patchManifests = function(file, has_csv)
   ) then
     file {
       contents+: {
-        rules+: [ {
-          apiGroups: [ 'coordination.k8s.io' ],
-          resources: [ 'leases' ],
-          verbs: [ 'create', 'get', 'update', 'list', 'delete' ],
-        } ],
+        rules+: [
+          {
+            apiGroups: [ 'coordination.k8s.io' ],
+            resources: [ 'leases' ],
+            verbs: [ 'create', 'get', 'update', 'list', 'delete' ],
+          },
+        ] + if util.version.minor <= 15 then [
+          // cilium <= 1.15 uses a clusterrole and clusterrolebinding for the
+          // hubble certgen cronjob. This is changed to a role and rolebinding
+          // for 1.16.
+          // The OLM operator doesn't have permissions to create the
+          // clusterrole and clusterrolebinding out of the box, so we patch
+          // the OLM operator clusterrole to have the rules that need to be
+          // created for the certgen cronjob.
+          {
+            apiGroups: [ '' ],
+            resources: [ 'secrets' ],
+            verbs: [ 'create' ],
+          },
+          {
+            apiGroups: [ '' ],
+            resources: [ 'secrets' ],
+            resourceNames: [
+              'hubble-server-certs',
+              'hubble-relay-client-certs',
+              'hubble-relay-server-certs',
+            ],
+            verbs: [ 'update' ],
+          },
+          {
+            apiGroups: [ '' ],
+            resources: [ 'secrets' ],
+            resourceNames: [ 'cilium-ca' ],
+            verbs: [
+              'get',
+              'update',
+            ],
+          },
+        ] else [],
       },
     }
   else

diff --git a/...urce/cilium/cilium/olm/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml b/...urce/cilium/cilium/olm/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml
@@ -43,3 +43,28 @@ rules:
       - update
       - list
       - delete
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - create
+  - apiGroups:
+      - ''
+    resourceNames:
+      - hubble-server-certs
+      - hubble-relay-client-certs
+      - hubble-relay-server-certs
+    resources:
+      - secrets
+    verbs:
+      - update
+  - apiGroups:
+      - ''
+    resourceNames:
+      - cilium-ca
+    resources:
+      - secrets
+    verbs:
+      - get
+      - update