From 51105b4f0c07995cba3eb5d2fe01029a2a78ea80 Mon Sep 17 00:00:00 2001 From: Allen Li <46284272+qpdpQ@users.noreply.github.com> Date: Wed, 10 Dec 2025 17:57:09 -0500 Subject: [PATCH 1/4] Helm uninstall (#2702) * helm uninstall Signed-off-by: Allen Li * add config flexibility for helm Signed-off-by: Allen Li * remove odlm resource after opreq Signed-off-by: Allen Li * uninstall edb webhook update unisntall operandrequest Signed-off-by: Allen Li * skip waiting if not retain ns Signed-off-by: Allen Li * remove entitlement key Signed-off-by: Allen Li * uninstall common-web-ui secret Signed-off-by: Allen Li --------- Signed-off-by: Allen Li --- cp3pt0-deployment/uninstall_tenant.sh | 169 ++++++++++++++++++++------ 1 file changed, 134 insertions(+), 35 deletions(-) diff --git a/cp3pt0-deployment/uninstall_tenant.sh b/cp3pt0-deployment/uninstall_tenant.sh index 6375a9b3f..e967575a6 100755 --- a/cp3pt0-deployment/uninstall_tenant.sh +++ b/cp3pt0-deployment/uninstall_tenant.sh @@ -14,12 +14,14 @@ set -o nounset OC=oc YQ=yq +HELM=helm TENANT_NAMESPACES="" OPERATOR_NS_LIST="" CONTROL_NS="" FORCE_DELETE=0 DEBUG=0 RETAIN="false" +NO_OLM="false" # ---------- Command variables ---------- @@ -39,12 +41,22 @@ function main() { trap cleanup_log EXIT pre_req set_tenant_namespaces - if [ $FORCE_DELETE -eq 0 ]; then + # only waiting for OperandRequests to be deleted when not retaining namespaces + if [[ $RETAIN == "true" ]]; then + uninstall_odlm_resource + uninstall_nss_resource + fi + + delete_rbac_resource + + if [[ "$NO_OLM" == "true" ]]; then + uninstall_helm_resources + else uninstall_odlm uninstall_cs_operator uninstall_nss fi - delete_rbac_resource + delete_webhook delete_unavailable_apiservice if [[ $RETAIN == "false" ]]; then @@ -52,6 +64,8 @@ function main() { else cleanup_extra_resources fi + + success "Tenant uninstall process completed." } function parse_arguments() { @@ -70,6 +84,10 @@ function parse_arguments() { shift YQ=$1 ;; + --helm) + shift + HELM=$1 + ;; --operator-namespace) shift OPERATOR_NS=$1 @@ -77,6 +95,9 @@ function parse_arguments() { --retain-ns) RETAIN="true" ;; + --no-olm) + NO_OLM="true" + ;; -f) FORCE_DELETE=1 ;; @@ -107,7 +128,9 @@ function print_usage() { echo "Options:" echo " --oc string Optional. File path to oc CLI. Default uses oc in your PATH" echo " --yq string Optional. File path to yq CLI. Default uses yq in your PATH" + echo " --helm string Optional. File path to helm CLI. Default uses helm in your PATH" echo " --operator-namespace string Required. Namespace to uninstall Foundational services operators and the whole tenant." + echo " --no-olm Optional. Uninstall Foundational services operators and resources installed via Helm." echo " -f Optional. Enable force delete. It will take much more time if you add this label, we suggest run this script without -f label first" echo " --retain-ns Optional. Prevents script from deleting tenant namespaces during uninstall." echo " -v, --debug integer Optional. Verbosity of logs. Default is 0. Set to 1 for debug logs" @@ -123,6 +146,9 @@ function pre_req() { check_command "${OC}" check_command "${YQ}" + if [[ "$NO_OLM" == "true" ]]; then + check_command "${HELM}" + fi check_yq_version # Checking oc command logged in @@ -142,61 +168,68 @@ function pre_req() { fi } + function set_tenant_namespaces() { - # check if user want to cleanup operatorNamespace for ns in ${OPERATOR_NS//,/ }; do - # if this namespace is operatorNamespace - temp_namespace=$(${OC} get -n "$ns" configmap namespace-scope -o jsonpath='{.data.namespaces}' --ignore-not-found) - if [ "$temp_namespace" != "" ]; then - if [ "$TENANT_NAMESPACES" == "" ]; then - TENANT_NAMESPACES=$temp_namespace - OPERATOR_NS_LIST=$ns - else - TENANT_NAMESPACES="${TENANT_NAMESPACES},${temp_namespace}" - OPERATOR_NS_LIST="${OPERATOR_NS_LIST},${ns}" - fi - continue - fi - - # if this namespace is servicesNamespace + # Get operatorNamespace and servicesNamespace from CommonService CR operator_ns=$(${OC} get -n "$ns" commonservice common-service -o jsonpath='{.spec.operatorNamespace}' --ignore-not-found) services_ns=$(${OC} get -n "$ns" commonservice common-service -o jsonpath='{.spec.servicesNamespace}' --ignore-not-found) - if [ "$services_ns" == "$ns" ]; then - temp_namespace=$(${OC} get -n "$operator_ns" configmap namespace-scope -o jsonpath='{.data.namespaces}' --ignore-not-found) - if [ "$TENANT_NAMESPACES" == "" ]; then + + # Get tenant namespaces from namespace-scope ConfigMap + temp_namespace=$(${OC} get -n "$operator_ns" configmap namespace-scope -o jsonpath='{.data.namespaces}' --ignore-not-found) + # Append temp_namespace if not empty + if [[ -n "$temp_namespace" ]]; then + if [[ -z "$TENANT_NAMESPACES" ]]; then TENANT_NAMESPACES=$temp_namespace OPERATOR_NS_LIST=$operator_ns else TENANT_NAMESPACES="${TENANT_NAMESPACES},${temp_namespace}" OPERATOR_NS_LIST="${OPERATOR_NS_LIST},${operator_ns}" fi - continue fi - # if this namespace neither operatorNamespace nor serviceNamsespace - if [ "$TENANT_NAMESPACES" == "" ]; then + # In NO_OLM mode, and no namespace-scope configmap, get WATCH_NAMESPACE from cs-operator deployment + if [[ -z "$temp_namespace" && "$NO_OLM" == "true" ]]; then + watch_ns=$(${OC} get deployment ibm-common-service-operator -n "$operator_ns" \ + -o jsonpath='{.spec.template.spec.containers[?(@.name=="ibm-common-service-operator")].env[?(@.name=="WATCH_NAMESPACE")].value}' --ignore-not-found) + if [[ -n "$watch_ns" ]]; then + if [[ -z "$TENANT_NAMESPACES" ]]; then + TENANT_NAMESPACES=$watch_ns + OPERATOR_NS_LIST=$operator_ns + else + TENANT_NAMESPACES="${TENANT_NAMESPACES},${watch_ns}" + OPERATOR_NS_LIST="${OPERATOR_NS_LIST},${operator_ns}" + fi + fi + fi + + # If still empty, fallback to ns + if [[ -z "$TENANT_NAMESPACES" ]]; then TENANT_NAMESPACES=$ns else TENANT_NAMESPACES="${TENANT_NAMESPACES},${ns}" fi done - # delete duplicate namespace in TENANT_NAMESPACES and OPERATOR_NS_LIST - TENANT_NAMESPACES=$(echo "$TENANT_NAMESPACES" | sed -e 's/,/\n/g' | sort -u | tr "\r\n" "," | sed '$ s/,$//') - OPERATOR_NS_LIST=$(echo "$OPERATOR_NS_LIST" | sed -e 's/,/\n/g' | sort -u | tr "\r\n" "," | sed '$ s/,$//') + # Remove empty entries and duplicates + TENANT_NAMESPACES=$(echo "$TENANT_NAMESPACES" | sed 's/^,*//;s/,*$//' | sed 's/,,*/,/g' | sed -e 's/,/\n/g' | sort -u | tr "\r\n" "," | sed '$ s/,$//') + OPERATOR_NS_LIST=$(echo "$OPERATOR_NS_LIST" | sed 's/^,*//;s/,*$//' | sed 's/,,*/,/g' | sed -e 's/,/\n/g' | sort -u | tr "\r\n" "," | sed '$ s/,$//') + info "Tenant namespaces are: $TENANT_NAMESPACES" } -function uninstall_odlm() { - title "Uninstalling OperandRequests and ODLM" + +function uninstall_odlm_resource() { + title "Uninstalling odlm resoource" local grep_args="" + info "Cleaning up OperandRequests in tenant namespaces" for ns in ${TENANT_NAMESPACES//,/ }; do local opreq=$(${OC} get -n "$ns" operandrequests --no-headers | cut -d ' ' -f1) if [ "$opreq" != "" ]; then + echo "Deleting OperandRequests ${opreq//$'\n'/ } in namespace: $ns" ${OC} delete -n "$ns" operandrequests ${opreq//$'\n'/ } --timeout=60s fi - grep_args="${grep_args}-e $ns " done if [ "$grep_args" == "" ]; then @@ -204,8 +237,8 @@ function uninstall_odlm() { fi for ns in ${TENANT_NAMESPACES//,/ }; do - local condition="${OC} get operandrequests -n ${ns} --no-headers | cut -d ' ' -f1 | grep -w ${grep_args} || echo Success" - local retries=20 + local condition="${OC} get operandrequests -n ${ns} --no-headers 2>/dev/null | wc -l | grep '0'" + local retries=30 local sleep_time=10 local total_time_mins=$(( sleep_time * retries / 60)) local wait_message="Waiting for all OperandRequests in tenant namespaces:${ns} to be deleted" @@ -216,7 +249,42 @@ function uninstall_odlm() { wait_for_condition "${condition}" ${retries} ${sleep_time} "${wait_message}" "${success_message}" "${error_message}" done - for ns in ${TENANT_NAMESPACES//,/ }; do + info "Cleaning up remaining ODLM resources in tenant namespaces" + + for ns in ${TENANT_NAMESPACES//,/ }; do + local opreq=$(${OC} get -n "$ns" operandregistry --no-headers | cut -d ' ' -f1) + if [ "$opreq" != "" ]; then + ${OC} delete -n "$ns" operandregistry ${opreq//$'\n'/ } --timeout=60s + fi + done + + for ns in ${TENANT_NAMESPACES//,/ }; do + local opreq=$(${OC} get -n "$ns" operandconfig --no-headers | cut -d ' ' -f1) + if [ "$opreq" != "" ]; then + ${OC} delete -n "$ns" operandconfig ${opreq//$'\n'/ } --timeout=60s + fi + done + + for ns in ${TENANT_NAMESPACES//,/ }; do + local opreq=$(${OC} get -n "$ns" operandbindinfo --no-headers | cut -d ' ' -f1) + if [ "$opreq" != "" ]; then + ${OC} delete -n "$ns" operandbindinfo ${opreq//$'\n'/ } --timeout=60s + fi + done + + for ns in ${TENANT_NAMESPACES//,/ }; do + local opreq=$(${OC} get -n "$ns" operatorconfig --no-headers | cut -d ' ' -f1) + if [ "$opreq" != "" ]; then + ${OC} delete -n "$ns" operatorconfig ${opreq//$'\n'/ } --timeout=60s + fi + done +} + +function uninstall_odlm() { + title "Uninstalling ODLM" + + local grep_args="" + for ns in ${TENANT_NAMESPACES//,/ }; do local sub=$(fetch_sub_from_package ibm-odlm $ns) if [ "$sub" != "" ]; then ${OC} delete --ignore-not-found -n "$ns" sub "$sub" @@ -245,18 +313,26 @@ function uninstall_cs_operator() { done } -function uninstall_nss() { +function uninstall_nss_resource() { title "Uninstall ibm-namespace-scope-operator" for ns in ${TENANT_NAMESPACES//,/ }; do - ${OC} delete --ignore-not-found nss -n "$ns" common-service --timeout=30s + ${OC} delete --ignore-not-found namespacescope -n "$ns" common-service --timeout=30s + ${OC} delete --ignore-not-found configmap -n "$ns" namespace-scope --timeout=30s for op_ns in ${OPERATOR_NS_LIST//,/ }; do ${OC} delete --ignore-not-found rolebinding -n "$ns" "nss-managed-role-from-$op_ns" ${OC} delete --ignore-not-found role -n "$ns" "nss-managed-role-from-$op_ns" ${OC} delete --ignore-not-found rolebinding -n "$ns" "nss-runtime-managed-role-from-$op_ns" ${OC} delete --ignore-not-found role -n "$ns" "nss-runtime-managed-role-from-$op_ns" done + done +} + +function uninstall_nss() { + title "Uninstall ibm-namespace-scope-operator" + + for ns in ${TENANT_NAMESPACES//,/ }; do sub=$(fetch_sub_from_package ibm-namespace-scope-operator "$ns") if [ "$sub" != "" ]; then ${OC} delete --ignore-not-found -n "$ns" sub "$sub" @@ -273,6 +349,11 @@ function delete_webhook() { for ns in ${TENANT_NAMESPACES//,/ }; do ${OC} delete ValidatingWebhookConfiguration ibm-common-service-validating-webhook-${ns} --ignore-not-found ${OC} delete MutatingWebhookConfiguration ibm-common-service-webhook-configuration ibm-operandrequest-webhook-configuration namespace-admission-config ibm-operandrequest-webhook-configuration-${ns} --ignore-not-found + if [[ "$NO_OLM" == "true" ]]; then + ${OC} delete mutatingwebhookconfiguration postgresql-operator-mutating-webhook-configuration-${ns} --ignore-not-found + ${OC} delete validatingwebhookconfiguration postgresql-operator-validating-webhook-configuration-${ns} --ignore-not-found + ${OC} delete service postgresql-operator-webhook-service -n $ns --ignore-not-found + fi done } @@ -410,11 +491,12 @@ function cleanup_extra_resources() { ${OC} delete issuer cs-ss-issuer cs-ca-issuer -n $ns --ignore-not-found ${OC} delete certificate cs-ca-certificate -n $ns --ignore-not-found ${OC} delete configmap cloud-native-postgresql-image-list ibm-cpp-config -n $ns --ignore-not-found - ${OC} delete secret common-service-db-im-tls-secret postgresql-operator-controller-manager-config cs-ca-certificate-secret common-service-db-tls-secret common-service-db-replica-tls-secret common-service-db-zen-tls-secret -n $ns --ignore-not-found + ${OC} delete secret common-service-db-im-tls-secret postgresql-operator-controller-manager-config cs-ca-certificate-secret common-service-db-tls-secret common-service-db-replica-tls-secret common-service-db-zen-tls-secret common-web-ui-cert -n $ns --ignore-not-found ${OC} delete commonservice common-service im-common-service -n $ns --ignore-not-found ${OC} delete operandconfig common-service -n $ns --ignore-not-found ${OC} delete operandregistry common-service -n $ns --ignore-not-found ${OC} delete catalogsource opencloud-operators ibm-cs-install-catalog ibm-cs-iam-catalog -n $ns --ignore-not-found + ${OC} delete secret ibm-entitlement-key -n $ns --ignore-not-found info "Remaining resources (minus package manifests and events) in namespace $ns:" ${OC} get "$(${OC} api-resources --namespaced=true --verbs=list -o name | awk '{printf "%s%s",sep,$0;sep=","}')" --ignore-not-found -n $ns -o=custom-columns=KIND:.kind,NAME:.metadata.name --sort-by='kind' | grep -v PackageManifest | grep -v Event done @@ -422,4 +504,21 @@ function cleanup_extra_resources() { } +function uninstall_helm_resources() { + title "Uninstalling Helm releases in tenant namespaces" + for ns in ${TENANT_NAMESPACES//,/ }; do + local releases=$(${HELM} list -n "$ns" --short) + if [[ "$releases" != "" ]]; then + for release in $releases; do + msg "Uninstalling Helm release: $release from namespace: $ns" + ${HELM} uninstall "$release" -n "$ns" + done + else + info "No Helm releases found in namespace: $ns" + fi + done +} + + + main $* \ No newline at end of file From 648669239fe41688b03a55b52eeb6ce3d9535423 Mon Sep 17 00:00:00 2001 From: Ben Luzarraga <31223504+bluzarraga@users.noreply.github.com> Date: Thu, 18 Dec 2025 14:17:13 -0600 Subject: [PATCH 2/4] swap zen core and zen core api checks (#2703) * swap zen core and zen core api checks Signed-off-by: Ben Luzarraga * zen restore bug debugged with customer --------- Signed-off-by: Ben Luzarraga --- velero/schedule/zen5-br-scripts-cm.yaml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/velero/schedule/zen5-br-scripts-cm.yaml b/velero/schedule/zen5-br-scripts-cm.yaml index 8506fbbbe..da8490845 100644 --- a/velero/schedule/zen5-br-scripts-cm.yaml +++ b/velero/schedule/zen5-br-scripts-cm.yaml @@ -266,7 +266,7 @@ data: oc exec $CNPG_PRIMARY_POD -n $ZEN_NAMESPACE -- mkdir -p /run/zen_backup oc cp $BACKUP_DIR/database/zen_db_backup.dump $ZEN_NAMESPACE/$CNPG_PRIMARY_POD:/run/zen_backup/zen_db_backup.dump oc -n $ZEN_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" -c "\dn" -c "\du" - oc -n $ZEN_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- pg_restore -U postgres --dbname zen --format=c --clean --exit-on-error -v /run/zen_backup/zen_db_backup.dump + oc -n $ZEN_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- pg_restore -U postgres --dbname zen --format=c --clean --exit-on-error --if-exists -v /run/zen_backup/zen_db_backup.dump # oc -n $ZEN_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d zen -f /run/zen_backup/zen_db_backup.dump oc -n $ZEN_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" -c "\dn" -c "\du" else @@ -305,10 +305,10 @@ data: info "usermgmt deployment not scaled up before rerunning, setting replica value to 2" USERMGMT_RC=2 fi - oc scale deploy zen-core-api --replicas=$ZEN_CORE_API_RC -n $ZEN_NAMESPACE + oc scale deploy zen-core --replicas=$ZEN_CORE_RC -n $ZEN_NAMESPACE oc scale deploy usermgmt --replicas=$USERMGMT_RC -n $ZEN_NAMESPACE sleep 15 - oc wait pod --for=condition=Ready -l app.kubernetes.io/component=zen-core-api --timeout=180s -n ${ZEN_NAMESPACE} + oc wait pod --for=condition=Ready -l app.kubernetes.io/component=zen-core --timeout=180s -n ${ZEN_NAMESPACE} oc wait pod --for=condition=Ready -l app.kubernetes.io/component=usermgmt --timeout=180s -n ${ZEN_NAMESPACE} ./zen5/customize-zen-extensions.sh $ZEN_NAMESPACE false @@ -320,7 +320,6 @@ data: info "ibm-nginx deployment not scaled up before rerunning, setting replica value to 2" IBM_NGINX_RC=2 fi - if [[ $ZEN_CORE_API_RC == "0" ]]; then info "zen-core-api deployment not scaled up before rerunning, setting replica value to 2" ZEN_CORE_API_RC=2 @@ -331,7 +330,7 @@ data: fi oc scale deploy zen-watcher --replicas=$ZEN_WATCHER_RC -n $ZEN_NAMESPACE - oc scale deploy zen-core --replicas=$ZEN_CORE_RC -n $ZEN_NAMESPACE + oc scale deploy zen-core-api --replicas=$ZEN_CORE_API_RC -n $ZEN_NAMESPACE oc scale deploy ibm-nginx --replicas=$IBM_NGINX_RC -n $ZEN_NAMESPACE if [[ $zen_watchdog_present != "fail" ]]; then oc scale deploy zen-watchdog --replicas=1 -n $ZEN_NAMESPACE # (Only for CloudPak for Data) @@ -340,7 +339,7 @@ data: #[2.2.5.2] Wait for deployments info "Wait for deployments to come ready again." oc wait pod --for=condition=Ready -l app.kubernetes.io/component=ibm-nginx --timeout=180s -n ${ZEN_NAMESPACE} - oc wait pod --for=condition=Ready -l app.kubernetes.io/component=zen-core --timeout=180s -n ${ZEN_NAMESPACE} + oc wait pod --for=condition=Ready -l app.kubernetes.io/component=zen-core-api --timeout=180s -n ${ZEN_NAMESPACE} oc wait pod --for=condition=Ready -l app.kubernetes.io/component=zen-watcher --timeout=180s -n ${ZEN_NAMESPACE} if [[ $zen_watchdog_present != "fail" ]]; then # Only for CloudPak for Data From a65cb374e6c686e977e0a8c6fadc73308615a165 Mon Sep 17 00:00:00 2001 From: Allen Li <46284272+qpdpQ@users.noreply.github.com> Date: Mon, 19 Jan 2026 12:34:29 -0500 Subject: [PATCH 3/4] add new permission for events operator (#2725) * add new permission for events for mininal-rbac Signed-off-by: Allen Li * remove get and patch permission for strimzipodsets/finalizers Signed-off-by: Allen Li * reduce permission for events operator Signed-off-by: Allen Li --------- Signed-off-by: Allen Li --- .../nss-managed-bedrock-core-role-sc2.yaml | 18 ++++++++++++++++++ .../common/nss-managed-bedrock-core-role.yaml | 18 ++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/cp3pt0-deployment/common/nss-managed-bedrock-core-role-sc2.yaml b/cp3pt0-deployment/common/nss-managed-bedrock-core-role-sc2.yaml index d085d9c45..3b29bb2eb 100644 --- a/cp3pt0-deployment/common/nss-managed-bedrock-core-role-sc2.yaml +++ b/cp3pt0-deployment/common/nss-managed-bedrock-core-role-sc2.yaml @@ -709,6 +709,18 @@ rules: - kafkabridges/status - kafkamirrormaker2s/status - kafkarebalances/status + - verbs: + - update + apiGroups: + - ibmevents.ibm.com + resources: + - kafkas/finalizers + - kafkanodepools/finalizers + - kafkaconnects/finalizers + - kafkaconnectors/finalizers + - kafkabridges/finalizers + - kafkamirrormaker2s/finalizers + - kafkarebalances/finalizers - verbs: - get - list @@ -729,6 +741,12 @@ rules: - core.ibmevents.ibm.com resources: - strimzipodsets/status + - verbs: + - update + apiGroups: + - core.ibmevents.ibm.com + resources: + - strimzipodsets/finalizers - verbs: - get - list diff --git a/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml b/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml index a2449eb76..31c86ee10 100644 --- a/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml +++ b/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml @@ -702,6 +702,18 @@ rules: - kafkabridges/status - kafkamirrormaker2s/status - kafkarebalances/status + - verbs: + - update + apiGroups: + - ibmevents.ibm.com + resources: + - kafkas/finalizers + - kafkanodepools/finalizers + - kafkaconnects/finalizers + - kafkaconnectors/finalizers + - kafkabridges/finalizers + - kafkamirrormaker2s/finalizers + - kafkarebalances/finalizers - verbs: - get - list @@ -722,6 +734,12 @@ rules: - core.ibmevents.ibm.com resources: - strimzipodsets/status + - verbs: + - update + apiGroups: + - core.ibmevents.ibm.com + resources: + - strimzipodsets/finalizers - verbs: - get - list From 454bfdd02af0a1a70b1e06a5c077efdb59fc98e1 Mon Sep 17 00:00:00 2001 From: Allen Li <46284272+qpdpQ@users.noreply.github.com> Date: Fri, 23 Jan 2026 14:25:04 -0500 Subject: [PATCH 4/4] add new permission for events (#2735) * add permission for events Signed-off-by: Allen Li * remove /status permission Signed-off-by: Allen Li * add new permission to cd Signed-off-by: Allen Li --------- Signed-off-by: Allen Li --- cp3pt0-deployment/common/nss-managed-bedrock-core-role-sc2.yaml | 2 ++ cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/cp3pt0-deployment/common/nss-managed-bedrock-core-role-sc2.yaml b/cp3pt0-deployment/common/nss-managed-bedrock-core-role-sc2.yaml index 3b29bb2eb..5def5f523 100644 --- a/cp3pt0-deployment/common/nss-managed-bedrock-core-role-sc2.yaml +++ b/cp3pt0-deployment/common/nss-managed-bedrock-core-role-sc2.yaml @@ -721,6 +721,8 @@ rules: - kafkabridges/finalizers - kafkamirrormaker2s/finalizers - kafkarebalances/finalizers + - kafkatopics/finalizers + - kafkausers/finalizers - verbs: - get - list diff --git a/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml b/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml index 31c86ee10..7464da110 100644 --- a/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml +++ b/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml @@ -714,6 +714,8 @@ rules: - kafkabridges/finalizers - kafkamirrormaker2s/finalizers - kafkarebalances/finalizers + - kafkatopics/finalizers + - kafkausers/finalizers - verbs: - get - list