From c3e94d9dca9478682b14a0224929e53d65a08cbe Mon Sep 17 00:00:00 2001
From: Fabian Fischer <glrf@users.noreply.github.com>
Date: Mon, 23 Jan 2023 11:45:25 +0100
Subject: [PATCH] Fix permission issue for rbac-manager

Gives the rbac-manager permission to edit finalizers. This is needed on
OpenShift and potenially on some other k8s distributions with the same
enabled feature.
---
 component/main.jsonnet                        | 27 +++++++++++++++++++
 .../crossplane/apps/crossplane.yaml           |  0
 .../crossplane/crossplane/00_namespace.yaml   |  0
 .../crossplane/templates/clusterrole.yaml     |  0
 .../templates/clusterrolebinding.yaml         |  0
 .../crossplane/templates/deployment.yaml      |  0
 ...-manager-allowed-provider-permissions.yaml |  0
 .../templates/rbac-manager-clusterrole.yaml   |  0
 .../rbac-manager-clusterrolebinding.yaml      |  0
 .../templates/rbac-manager-deployment.yaml    |  0
 .../rbac-manager-managed-clusterroles.yaml    |  0
 .../rbac-manager-serviceaccount.yaml          |  0
 .../crossplane/templates/secret.yaml          |  0
 .../crossplane/templates/service.yaml         |  0
 .../crossplane/templates/serviceaccount.yaml  |  0
 .../01_rbac_finalizer_clusterrole.yaml        | 14 ++++++++++
 .../01_rbac_finalizer_clusterrolebinding.yaml | 15 +++++++++++
 .../crossplane/02_upgrade/00_upgrade.yaml     |  0
 .../crossplane/crossplane/10_providers.yaml   |  0
 .../crossplane/crossplane/20_monitoring.yaml  |  0
 .../defaults/crossplane/apps/crossplane.yaml  |  0
 .../crossplane/crossplane/00_namespace.yaml   |  0
 .../crossplane/templates/clusterrole.yaml     |  0
 .../templates/clusterrolebinding.yaml         |  0
 .../crossplane/templates/deployment.yaml      |  0
 ...-manager-allowed-provider-permissions.yaml |  0
 .../templates/rbac-manager-clusterrole.yaml   |  0
 .../rbac-manager-clusterrolebinding.yaml      |  0
 .../templates/rbac-manager-deployment.yaml    |  0
 .../rbac-manager-managed-clusterroles.yaml    |  0
 .../rbac-manager-serviceaccount.yaml          |  0
 .../crossplane/templates/secret.yaml          |  0
 .../crossplane/templates/service.yaml         |  0
 .../crossplane/templates/serviceaccount.yaml  |  0
 .../01_rbac_finalizer_clusterrole.yaml        | 14 ++++++++++
 .../01_rbac_finalizer_clusterrolebinding.yaml | 15 +++++++++++
 .../crossplane/02_upgrade/00_upgrade.yaml     |  0
 .../crossplane/crossplane/20_monitoring.yaml  |  0
 .../crossplane/apps/crossplane.yaml           |  0
 .../crossplane/crossplane/00_namespace.yaml   |  0
 .../crossplane/templates/clusterrole.yaml     |  0
 .../templates/clusterrolebinding.yaml         |  0
 .../crossplane/templates/deployment.yaml      |  0
 ...-manager-allowed-provider-permissions.yaml |  0
 .../templates/rbac-manager-clusterrole.yaml   |  0
 .../rbac-manager-clusterrolebinding.yaml      |  0
 .../templates/rbac-manager-deployment.yaml    |  0
 .../rbac-manager-managed-clusterroles.yaml    |  0
 .../rbac-manager-serviceaccount.yaml          |  0
 .../crossplane/templates/secret.yaml          |  0
 .../crossplane/templates/service.yaml         |  0
 .../crossplane/templates/serviceaccount.yaml  |  0
 .../01_rbac_finalizer_clusterrole.yaml        | 14 ++++++++++
 .../01_rbac_finalizer_clusterrolebinding.yaml | 15 +++++++++++
 .../crossplane/02_upgrade/00_upgrade.yaml     |  0
 .../crossplane/crossplane/10_providers.yaml   |  0
 .../crossplane/crossplane/20_monitoring.yaml  |  0
 .../crossplane/30_controller_configs.yaml     |  0
 .../crossplane/apps/crossplane.yaml           |  0
 .../crossplane/crossplane/00_namespace.yaml   |  0
 .../crossplane/templates/clusterrole.yaml     |  0
 .../templates/clusterrolebinding.yaml         |  0
 .../crossplane/templates/deployment.yaml      |  0
 ...-manager-allowed-provider-permissions.yaml |  0
 .../templates/rbac-manager-clusterrole.yaml   |  0
 .../rbac-manager-clusterrolebinding.yaml      |  0
 .../templates/rbac-manager-deployment.yaml    |  0
 .../rbac-manager-managed-clusterroles.yaml    |  0
 .../rbac-manager-serviceaccount.yaml          |  0
 .../crossplane/templates/secret.yaml          |  0
 .../crossplane/templates/service.yaml         |  0
 .../crossplane/templates/serviceaccount.yaml  |  0
 .../01_rbac_finalizer_clusterrole.yaml        | 14 ++++++++++
 .../01_rbac_finalizer_clusterrolebinding.yaml | 15 +++++++++++
 .../crossplane/02_upgrade/00_upgrade.yaml     |  0
 .../crossplane/crossplane/20_monitoring.yaml  |  0
 76 files changed, 143 insertions(+)
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/apps/crossplane.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/00_namespace.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml
 create mode 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
 create mode 100644 tests/golden/defaults-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/02_upgrade/00_upgrade.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/10_providers.yaml
 mode change 100755 => 100644 tests/golden/defaults-with-provider/crossplane/crossplane/20_monitoring.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/apps/crossplane.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/00_namespace.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml
 create mode 100644 tests/golden/defaults/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
 create mode 100644 tests/golden/defaults/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/02_upgrade/00_upgrade.yaml
 mode change 100755 => 100644 tests/golden/defaults/crossplane/crossplane/20_monitoring.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/apps/crossplane.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/00_namespace.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml
 create mode 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
 create mode 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/02_upgrade/00_upgrade.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/10_providers.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/20_monitoring.yaml
 mode change 100755 => 100644 tests/golden/openshift4-with-provider/crossplane/crossplane/30_controller_configs.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/apps/crossplane.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/00_namespace.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml
 create mode 100644 tests/golden/openshift4/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
 create mode 100644 tests/golden/openshift4/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/02_upgrade/00_upgrade.yaml
 mode change 100755 => 100644 tests/golden/openshift4/crossplane/crossplane/20_monitoring.yaml

diff --git a/component/main.jsonnet b/component/main.jsonnet
index b822afd..91dd517 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -74,8 +74,35 @@ local providers = [
   for provider in std.objectFields(params.providers)
 ];
 
+local rbacFinalizerRole = kube.ClusterRole('crossplane-rbac-manager:finalizer') {
+  rules+: [
+    {
+      apiGroups: [
+        'pkg.crossplane.io',
+      ],
+      resources: [
+        '*/finalizers',
+      ],
+      verbs: [ '*' ],
+    },
+  ],
+
+};
+local rbacFinalizerRoleBinding = kube.ClusterRoleBinding('crossplane-rbac-manager:finalizer') {
+  roleRef_: rbacFinalizerRole,
+  subjects: [
+    {
+      kind: 'ServiceAccount',
+      name: 'rbac-manager',
+      namespace: params.namespace,
+    },
+  ],
+};
+
 {
   '00_namespace': kube.Namespace(params.namespace),
+  '01_rbac_finalizer_clusterrole': rbacFinalizerRole,
+  '01_rbac_finalizer_clusterrolebinding': rbacFinalizerRoleBinding,
   [if std.length(providers) > 0 then '10_providers']: providers,
   [if params.monitoring.enabled then '20_monitoring']: import 'monitoring.libsonnet',
   [if std.length(controller_configs) > 0 then '30_controller_configs']: controller_configs,
diff --git a/tests/golden/defaults-with-provider/crossplane/apps/crossplane.yaml b/tests/golden/defaults-with-provider/crossplane/apps/crossplane.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/00_namespace.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/00_namespace.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
new file mode 100644
index 0000000..8bc2720
--- /dev/null
+++ b/tests/golden/defaults-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+rules:
+  - apiGroups:
+      - pkg.crossplane.io
+    resources:
+      - '*/finalizers'
+    verbs:
+      - '*'
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
new file mode 100644
index 0000000..c9df16b
--- /dev/null
+++ b/tests/golden/defaults-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: crossplane-rbac-manager:finalizer
+subjects:
+  - kind: ServiceAccount
+    name: rbac-manager
+    namespace: syn-crossplane
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/02_upgrade/00_upgrade.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/02_upgrade/00_upgrade.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/10_providers.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/10_providers.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults-with-provider/crossplane/crossplane/20_monitoring.yaml b/tests/golden/defaults-with-provider/crossplane/crossplane/20_monitoring.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/apps/crossplane.yaml b/tests/golden/defaults/crossplane/apps/crossplane.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/00_namespace.yaml b/tests/golden/defaults/crossplane/crossplane/00_namespace.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml b/tests/golden/defaults/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml b/tests/golden/defaults/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
new file mode 100644
index 0000000..8bc2720
--- /dev/null
+++ b/tests/golden/defaults/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+rules:
+  - apiGroups:
+      - pkg.crossplane.io
+    resources:
+      - '*/finalizers'
+    verbs:
+      - '*'
diff --git a/tests/golden/defaults/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml b/tests/golden/defaults/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
new file mode 100644
index 0000000..c9df16b
--- /dev/null
+++ b/tests/golden/defaults/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: crossplane-rbac-manager:finalizer
+subjects:
+  - kind: ServiceAccount
+    name: rbac-manager
+    namespace: syn-crossplane
diff --git a/tests/golden/defaults/crossplane/crossplane/02_upgrade/00_upgrade.yaml b/tests/golden/defaults/crossplane/crossplane/02_upgrade/00_upgrade.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/defaults/crossplane/crossplane/20_monitoring.yaml b/tests/golden/defaults/crossplane/crossplane/20_monitoring.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/apps/crossplane.yaml b/tests/golden/openshift4-with-provider/crossplane/apps/crossplane.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/00_namespace.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/00_namespace.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
new file mode 100644
index 0000000..8bc2720
--- /dev/null
+++ b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+rules:
+  - apiGroups:
+      - pkg.crossplane.io
+    resources:
+      - '*/finalizers'
+    verbs:
+      - '*'
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
new file mode 100644
index 0000000..c9df16b
--- /dev/null
+++ b/tests/golden/openshift4-with-provider/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: crossplane-rbac-manager:finalizer
+subjects:
+  - kind: ServiceAccount
+    name: rbac-manager
+    namespace: syn-crossplane
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/02_upgrade/00_upgrade.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/02_upgrade/00_upgrade.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/10_providers.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/10_providers.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/20_monitoring.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/20_monitoring.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4-with-provider/crossplane/crossplane/30_controller_configs.yaml b/tests/golden/openshift4-with-provider/crossplane/crossplane/30_controller_configs.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/apps/crossplane.yaml b/tests/golden/openshift4/crossplane/apps/crossplane.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/00_namespace.yaml b/tests/golden/openshift4/crossplane/crossplane/00_namespace.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrole.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/clusterrolebinding.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/deployment.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrole.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/secret.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/service.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml b/tests/golden/openshift4/crossplane/crossplane/01_helmchart/crossplane/templates/serviceaccount.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml b/tests/golden/openshift4/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
new file mode 100644
index 0000000..8bc2720
--- /dev/null
+++ b/tests/golden/openshift4/crossplane/crossplane/01_rbac_finalizer_clusterrole.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+rules:
+  - apiGroups:
+      - pkg.crossplane.io
+    resources:
+      - '*/finalizers'
+    verbs:
+      - '*'
diff --git a/tests/golden/openshift4/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml b/tests/golden/openshift4/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
new file mode 100644
index 0000000..c9df16b
--- /dev/null
+++ b/tests/golden/openshift4/crossplane/crossplane/01_rbac_finalizer_clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: crossplane-rbac-manager-finalizer
+  name: crossplane-rbac-manager:finalizer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: crossplane-rbac-manager:finalizer
+subjects:
+  - kind: ServiceAccount
+    name: rbac-manager
+    namespace: syn-crossplane
diff --git a/tests/golden/openshift4/crossplane/crossplane/02_upgrade/00_upgrade.yaml b/tests/golden/openshift4/crossplane/crossplane/02_upgrade/00_upgrade.yaml
old mode 100755
new mode 100644
diff --git a/tests/golden/openshift4/crossplane/crossplane/20_monitoring.yaml b/tests/golden/openshift4/crossplane/crossplane/20_monitoring.yaml
old mode 100755
new mode 100644