Merge pull request #54 from projectsyn/fix/finalizers

Fix finalizer permission issues for rbac-manager

component/main.jsonnet

@@ -74,8 +74,35 @@ local providers = [
   for provider in std.objectFields(params.providers)
 ];
 
+local rbacFinalizerRole = kube.ClusterRole('crossplane-rbac-manager:finalizer') {
+  rules+: [
+    {
+      apiGroups: [
+        'pkg.crossplane.io',
+      ],
+      resources: [
+        '*/finalizers',
+      ],
+      verbs: [ '*' ],
+    },
+  ],
+
+};
+local rbacFinalizerRoleBinding = kube.ClusterRoleBinding('crossplane-rbac-manager:finalizer') {
+  roleRef_: rbacFinalizerRole,
+  subjects: [
+    {
+      kind: 'ServiceAccount',
+      name: 'rbac-manager',
+      namespace: params.namespace,
+    },
+  ],
+};
+
 {
   '00_namespace': kube.Namespace(params.namespace),
+  '01_rbac_finalizer_clusterrole': rbacFinalizerRole,
+  '01_rbac_finalizer_clusterrolebinding': rbacFinalizerRoleBinding,
   [if std.length(providers) > 0 then '10_providers']: providers,
   [if params.monitoring.enabled then '20_monitoring']: import 'monitoring.libsonnet',
   [if std.length(controller_configs) > 0 then '30_controller_configs']: controller_configs,

tests/golden/defaults-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+rules:
+  - apiGroups:
+      - pkg.crossplane.io
+    resources:
+      - '*/finalizers'
+    verbs:
+      - '*'

tests/golden/defaults-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: crossplane-rbac-manager:finalizer
+subjects:
+  - kind: ServiceAccount
+    name: rbac-manager
+    namespace: syn-crossplane

tests/golden/defaults/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+rules:
+  - apiGroups:
+      - pkg.crossplane.io
+    resources:
+      - '*/finalizers'
+    verbs:
+      - '*'

tests/golden/defaults/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: crossplane-rbac-manager:finalizer
+subjects:
+  - kind: ServiceAccount
+    name: rbac-manager
+    namespace: syn-crossplane

tests/golden/openshift4-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+rules:
+  - apiGroups:
+      - pkg.crossplane.io
+    resources:
+      - '*/finalizers'
+    verbs:
+      - '*'

tests/golden/openshift4-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: crossplane-rbac-manager:finalizer
+subjects:
+  - kind: ServiceAccount
+    name: rbac-manager
+    namespace: syn-crossplane

tests/golden/openshift4/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+rules:
+  - apiGroups:
+      - pkg.crossplane.io
+    resources:
+      - '*/finalizers'
+    verbs:
+      - '*'

tests/golden/openshift4/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: crossplane-rbac-manager:finalizer
+subjects:
+  - kind: ServiceAccount
+    name: rbac-manager
+    namespace: syn-crossplane