Attempt to create clusterRole for OAuthClient

cryostatio · Nov 15, 2021 · 33fefbe · 33fefbe
1 parent 9528630
commit 33fefbe
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 0 deletions.
diff --git a/config/rbac/oauth_cluster_role_binding.yaml b/config/rbac/oauth_cluster_role_binding.yaml
@@ -0,0 +1,41 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cryostat-oauth
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - operator.cryostat.io
+  resources:
+  - cryostats
+  verbs:
+  - get 
+  - create
+- apiGroups:
+  - operator.cryostat.io
+  resources:
+  - flightrecorders
+  verbs:
+  - get  
+- apiGroups:
+  - operator.cryostat.io
+  resources:
+  - recordings
+  verbs:
+  - create 
+  - delete 
+  - get 
+  - patch 
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - create
diff --git a/internal/controllers/common/resource_definitions/resource_definitions.go b/internal/controllers/common/resource_definitions/resource_definitions.go
@@ -876,6 +876,26 @@ func NewClusterRoleBindingForCR(cr *operatorv1beta1.Cryostat) *rbacv1.ClusterRol
 	}
 }
 
+func NewOAuthClusterRoleBindingForCR(cr *operatorv1beta1.Cryostat) *rbacv1.ClusterRoleBinding {
+	return &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "cryostat-oauth",
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      rbacv1.ServiceAccountKind,
+				Name:      cr.Name,
+				Namespace: cr.Namespace,
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "cryostat-oauth",
+		},
+	}
+}
+
 func NewConsoleLink(cr *operatorv1beta1.Cryostat, url string) *consolev1.ConsoleLink {
 	// Cluster scoped, so use a unique name to avoid conflicts
 	return &consolev1.ConsoleLink{

diff --git a/internal/controllers/cryostat_controller.go b/internal/controllers/cryostat_controller.go
@@ -564,6 +564,13 @@ func (r *CryostatReconciler) createRBAC(ctx context.Context, cr *operatorv1beta1
 		&rbacv1.ClusterRoleBinding{}, clusterBinding); err != nil {
 		return err
 	}
+
+	// Create ClusterRoleBinding for OAuth Client
+	oauthClusterBinding := resources.NewOAuthClusterRoleBindingForCR(cr)
+	if err := r.createObjectIfNotExists(ctx, types.NamespacedName{Name: oauthClusterBinding.Name},
+		&rbacv1.ClusterRoleBinding{}, oauthClusterBinding); err != nil {
+		return err
+	}
 	// ClusterRoleBinding can't be owned by namespaced CR, clean up using finalizer
 
 	return nil