redpanda-data / helm-charts

Redpanda Helm Chart
http://redpanda.com
Apache License 2.0

Add missing permissions for operator role #1593

Closed RafalKorepta closed 4 days ago

RafalKorepta commented 1 week ago

Add HorizontalPodAutoscaler permission for operator role

The HorizontalPodAutoscaler was not added to the permission set for the operator Role. During GC operation the operator logs the following message:

W1106 11:08:59.308067       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v2.HorizontalPodAutoscaler: horizontalpodautoscalers.autoscaling is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "redpanda"
E1106 11:08:59.308100       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v2.HorizontalPodAutoscaler: failed to list *v2.HorizontalPodAutoscaler: horizontalpodautoscalers.autoscaling is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "redpanda"

Add Certificate permission for operator role

The Certificate custom resource from cert-manager was not added to the permission set for the operator Role. During GC operation the operator logs the following message:

W1106 11:46:57.392913       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v1.Certificate: certificates.cert-manager.io is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "certificates" in API group "cert-manager.io" in the namespace "redpanda"
E1106 11:46:57.392992       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v1.Certificate: failed to list *v1.Certificate: certificates.cert-manager.io is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "certificates" in API group "cert-manager.io" in the namespace "redpanda"

Add Issuer permission for operator role

The Issuer custom resource from cert-manager was not added to the permission set for the operator Role. During GC operation the operator logs the following message:

W1106 12:46:47.273317       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v1.Issuer: issuers.cert-manager.io is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "issuers" in API group "cert-manager.io" in the namespace "redpanda"
E1106 12:46:47.273598       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v1.Issuer: failed to list *v1.Issuer: issuers.cert-manager.io is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "issuers" in API group "cert-manager.io" in the namespace "redpanda"

Release operator chart

Operator chart in version 0.4.33

Remove non-existent empty API Group for leases

Leases are located in the coordination.k8s.io API Group, not in the empty API Group.

Add helm and kustomize RBAC rules equivalence test

The default operator helm chart templates are compared with kustomize from the redpanda-operator repository. Kustomize could deploy a combination of cluster and namespace scoped operator. There are few exclusions and cross checks between the helm Role and the kustomize Cluster role.

Remove white space in string

K8S-400

chrisseto commented 1 week ago

Have the permissions for HPAs been added to the operator itself? Seems like we're missing service monitors as well.

Think we could add a test that asserts that the output permissions are the same as the results of running kustomize against the operator at appVersion? That way we wouldn't have to manually verify this every time.

RafalKorepta commented 1 week ago

@chrisseto Test is added, but I'm not happy about the outcome.

chrisseto commented 4 days ago

Subsumed by https://github.com/redpanda-data/helm-charts/pull/1595
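
The equivalence check discussed in this thread can be reduced to a set comparison of individual grants. The following is an added example, not code from this pull request or from the redpanda-operator repository: the `Rule` type, the `expand` and `missing` helpers, and the sample rules are constructed for illustration, and it assumes both manifests have already been parsed into rule lists.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule holds the PolicyRule fields that matter for this comparison (hypothetical type).
type Rule struct{ APIGroups, Resources, Verbs []string }

// expand flattens rules into "group/resource:verb" grants, so rules that are
// grouped differently in two manifests still compare equal.
// Wildcards ("*") are compared literally, not expanded.
func expand(rules []Rule) map[string]bool {
	out := map[string]bool{}
	for _, r := range rules {
		for _, g := range r.APIGroups {
			for _, res := range r.Resources {
				for _, v := range r.Verbs {
					out[g+"/"+res+":"+v] = true
				}
			}
		}
	}
	return out
}

// missing returns the grants present in want but absent from got, sorted.
func missing(want, got []Rule) []string {
	g := expand(got)
	var diff []string
	for k := range expand(want) {
		if !g[k] {
			diff = append(diff, k)
		}
	}
	sort.Strings(diff)
	return diff
}

func main() {
	// Constructed sample rules, not the chart's real templates.
	kustomize := []Rule{
		{[]string{"autoscaling"}, []string{"horizontalpodautoscalers"}, []string{"list", "watch"}},
		{[]string{"coordination.k8s.io"}, []string{"leases"}, []string{"get", "update"}},
	}
	helm := []Rule{{[]string{"", "coordination.k8s.io"}, []string{"leases"}, []string{"get", "update"}}}
	fmt.Println("missing from helm:", missing(kustomize, helm))
	fmt.Println("extra in helm:", missing(helm, kustomize))
}
```

Running the comparison in both directions reports the grants the chart lacks (the source of the `forbidden` reflector errors) and the grants it carries beyond the reference, such as leases in the empty API group.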