Patch OLM RBAC to allow deploying Hubble certgen cronjob

The Cilium Helm chart for cilium <= 1.15 uses a ClusterRole and ClusterRoleBinding for the Hubble certgen CronJob. This is changed to a Role and RoleBinding for the Cilium 1.16 Helm chart. The OLM operator doesn't have permissions to create the ClusterRole and ClusterRoleBinding out of the box, so we patch the OLM operator ClusterRole to contain the rules that need to be created for the certgen CronJob.
projectsyn · Oct 29, 2024 · 3f15cbe · 3f15cbe
1 parent 9dd92c3
commit 3f15cbe
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 5 deletions.
diff --git a/component/olm.jsonnet b/component/olm.jsonnet
@@ -222,11 +222,45 @@ local patchManifests = function(file, has_csv)
   ) then
     file {
       contents+: {
-        rules+: [ {
-          apiGroups: [ 'coordination.k8s.io' ],
-          resources: [ 'leases' ],
-          verbs: [ 'create', 'get', 'update', 'list', 'delete' ],
-        } ],
+        rules+: [
+          {
+            apiGroups: [ 'coordination.k8s.io' ],
+            resources: [ 'leases' ],
+            verbs: [ 'create', 'get', 'update', 'list', 'delete' ],
+          },
+        ] + if util.version.minor <= 15 then [
+          // cilium <= 1.15 uses a clusterrole and clusterrolebinding for the
+          // hubble certgen cronjob. This is changed to a role and rolebinding
+          // for 1.16.
+          // The OLM operator doesn't have permissions to create the
+          // clusterrole and clusterrolebinding out of the box, so we patch
+          // the OLM operator clusterrole to have the rules that need to be
+          // created for the certgen cronjob.
+          {
+            apiGroups: [ '' ],
+            resources: [ 'secrets' ],
+            verbs: [ 'create' ],
+          },
+          {
+            apiGroups: [ '' ],
+            resources: [ 'secrets' ],
+            resourceNames: [
+              'hubble-server-certs',
+              'hubble-relay-client-certs',
+              'hubble-relay-server-certs',
+            ],
+            verbs: [ 'update' ],
+          },
+          {
+            apiGroups: [ '' ],
+            resources: [ 'secrets' ],
+            resourceNames: [ 'cilium-ca' ],
+            verbs: [
+              'get',
+              'update',
+            ],
+          },
+        ] else [],
       },
     }
   else

diff --git a/...urce/cilium/cilium/olm/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml b/...urce/cilium/cilium/olm/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml
@@ -43,3 +43,28 @@ rules:
       - update
       - list
       - delete
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - create
+  - apiGroups:
+      - ''
+    resourceNames:
+      - hubble-server-certs
+      - hubble-relay-client-certs
+      - hubble-relay-server-certs
+    resources:
+      - secrets
+    verbs:
+      - update
+  - apiGroups:
+      - ''
+    resourceNames:
+      - cilium-ca
+    resources:
+      - secrets
+    verbs:
+      - get
+      - update