fix RBAC markers

On-behalf-of: @SAP [email protected]

Author: xrstf

internal/client/clients.go

@@ -85,6 +85,8 @@ func newClient(
 	return ctrlruntimeclient.New(cfg, ctrlruntimeclient.Options{Scheme: scheme})
 }
 
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get
+
 func getTLSConfig(ctx context.Context, c ctrlruntimeclient.Client, rootShard *operatorv1alpha1.RootShard, shard *operatorv1alpha1.Shard, frontProxy *operatorv1alpha1.FrontProxy) (rest.TLSClientConfig, error) {
 	rootShard, err := getRootShard(ctx, c, rootShard, shard, frontProxy)
 	if err != nil {
@@ -109,6 +111,8 @@ func getTLSConfig(ctx context.Context, c ctrlruntimeclient.Client, rootShard *op
 	}, nil
 }
 
+// +kubebuilder:rbac:groups=operator.kcp.io,resources=rootshards,verbs=get
+
 func getRootShard(ctx context.Context, c ctrlruntimeclient.Client, rootShard *operatorv1alpha1.RootShard, shard *operatorv1alpha1.Shard, frontProxy *operatorv1alpha1.FrontProxy) (*operatorv1alpha1.RootShard, error) {
 	if rootShard != nil {
 		return rootShard, nil

internal/client/frontproxy.go

@@ -30,6 +30,8 @@ import (
 	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
 )
 
+// +kubebuilder:rbac:groups=operator.kcp.io,resources=rootshards;shards;frontproxies,verbs=get
+
 func NewInternalKubeconfigClient(ctx context.Context, c ctrlruntimeclient.Client, kubeconfig *operatorv1alpha1.Kubeconfig, cluster logicalcluster.Name, scheme *runtime.Scheme) (ctrlruntimeclient.Client, error) {
 	target := kubeconfig.Spec.Target
 

internal/controller/kubeconfig-rbac/controller.go

@@ -51,12 +51,8 @@ func (r *KubeconfigRBACReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Complete(r)
 }
 
-// +kubebuilder:rbac:groups=operator.kcp.io,resources=kubeconfigs,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=operator.kcp.io,resources=kubeconfigs/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=operator.kcp.io,resources=kubeconfigs,verbs=get;update;patch
 // +kubebuilder:rbac:groups=operator.kcp.io,resources=kubeconfigs/finalizers,verbs=update
-// +kubebuilder:rbac:groups=operator.kcp.io,resources=rootshards,verbs=get;list;watch
-// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

internal/resources/frontproxy/reconciler.go

@@ -55,6 +55,10 @@ func NewRootShardProxy(rootShard *operatorv1alpha1.RootShard) *reconciler {
 	}
 }
 
+// +kubebuilder:rbac:groups=core,resources=configmaps;secrets;services,verbs=get;update;patch
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;update;patch
+
 func (r *reconciler) Reconcile(ctx context.Context, client ctrlruntimeclient.Client, namespace string) error {
 	var errs []error