added missing permissions to list configmaps

Author: muraee

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -335,13 +335,12 @@ spec:
                             If unset, system trust is used instead.
                           properties:
                             name:
-                              description: |-
-                                Name of the referent.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?
+                              description: Name is the metadata.name of the referenced
+                                object.
                               type: string
+                          required:
+                          - name
                           type: object
-                          x-kubernetes-map-type: atomic
                         issuerURL:
                           description: |-
                             URL is the serving URL of the token issuer.
@@ -376,15 +375,12 @@ spec:
                               contains the client secret in the `clientSecret` key of the `.data` field
                             properties:
                               name:
-                                description: name is unique within a namespace to
-                                  reference a secret resource.
-                                type: string
-                              namespace:
-                                description: namespace defines the space within which
-                                  the secret name must be unique.
+                                description: Name is the metadata.name of the referenced
+                                  object.
                                 type: string
+                            required:
+                            - name
                             type: object
-                            x-kubernetes-map-type: atomic
                           componentName:
                             description: |-
                               ComponentName is the name of the component that is supposed to consume this

config/rbac/role.yaml

@@ -4,6 +4,18 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:

controlplane/rosa/api/v1beta2/external_auth_types.go

@@ -1,7 +1,5 @@
 package v1beta2
 
-import corev1 "k8s.io/api/core/v1"
-
 // ExternalAuthProvider is an external OIDC identity provider that can issue tokens for this cluster
 type ExternalAuthProvider struct {
 	// Name of the OIDC provider
@@ -68,7 +66,7 @@ type TokenIssuer struct {
 	// configuration namespace. The .data of the configMap must contain
 	// the "ca-bundle.crt" key.
 	// If unset, system trust is used instead.
-	CertificateAuthority *corev1.LocalObjectReference `json:"issuerCertificateAuthority,omitempty"`
+	CertificateAuthority *LocalObjectReference `json:"issuerCertificateAuthority,omitempty"`
 }
 
 // OIDCClientConfig contains configuration for the platform's client that
@@ -101,7 +99,7 @@ type OIDCClientConfig struct {
 
 	// ClientSecret refers to a secret that
 	// contains the client secret in the `clientSecret` key of the `.data` field
-	ClientSecret corev1.SecretReference `json:"clientSecret"` //TODO: required or optional?
+	ClientSecret LocalObjectReference `json:"clientSecret"`
 
 	// ExtraScopes is an optional set of scopes to request tokens with.
 	//
@@ -240,3 +238,12 @@ type TokenRequiredClaim struct {
 	// +required
 	RequiredValue string `json:"requiredValue"`
 }
+
+// LocalObjectReference references an object in the same namespace.
+type LocalObjectReference struct {
+	// Name is the metadata.name of the referenced object.
+	//
+	// +kubebuilder:validation:Required
+	// +required
+	Name string `json:"name"`
+}

controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go

@@ -121,6 +121,7 @@ func (r *ROSAControlPlaneReconciler) SetupWithManager(ctx context.Context, mgr c
 
 // +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete;patch
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;delete;patch
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments,verbs=get;list;watch

controlplane/rosa/controllers/rosacontrolplane_controller.go

@@ -8635,6 +8635,35 @@ ID token into a cluster identity</p>
 </tr>
 </tbody>
 </table>
+<h3 id="controlplane.cluster.x-k8s.io/v1beta2.LocalObjectReference">LocalObjectReference
+</h3>
+<p>
+(<em>Appears on:</em><a href="#controlplane.cluster.x-k8s.io/v1beta2.OIDCClientConfig">OIDCClientConfig</a>, <a href="#controlplane.cluster.x-k8s.io/v1beta2.TokenIssuer">TokenIssuer</a>)
+</p>
+<p>
+<p>LocalObjectReference references an object in the same namespace.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>name</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name is the metadata.name of the referenced object.</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="controlplane.cluster.x-k8s.io/v1beta2.NetworkSpec">NetworkSpec
 </h3>
 <p>
@@ -8769,8 +8798,8 @@ string
 <td>
 <code>clientSecret</code><br/>
 <em>
-<a href="https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#secretreference-v1-core">
-Kubernetes core/v1.SecretReference
+<a href="#controlplane.cluster.x-k8s.io/v1beta2.LocalObjectReference">
+LocalObjectReference
 </a>
 </em>
 </td>
@@ -9702,8 +9731,7 @@ private node communication with the control plane.</p>
 (<em>Appears on:</em><a href="#controlplane.cluster.x-k8s.io/v1beta2.TokenIssuer">TokenIssuer</a>)
 </p>
 <p>
-<pre><code>TokenAudience is the audience that the token was issued for.
-</code></pre>
+<p>TokenAudience is the audience that the token was issued for.</p>
 </p>
 <h3 id="controlplane.cluster.x-k8s.io/v1beta2.TokenClaimMappings">TokenClaimMappings
 </h3>
@@ -9848,8 +9876,8 @@ Must be set to exactly one value.</p>
 <td>
 <code>issuerCertificateAuthority</code><br/>
 <em>
-<a href="https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#localobjectreference-v1-core">
-Kubernetes core/v1.LocalObjectReference
+<a href="#controlplane.cluster.x-k8s.io/v1beta2.LocalObjectReference">
+LocalObjectReference
 </a>
 </em>
 </td>
@@ -10001,6 +10029,25 @@ string
 <p>
 <p>UsernamePrefixPolicy specifies how a prefix should apply.</p>
 </p>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;&#34;</p></td>
+<td><p>NoOpinion let&rsquo;s the cluster assign prefixes.  If the username claim is email, there is no prefix
+If the username claim is anything else, it is prefixed by the issuerURL</p>
+</td>
+</tr><tr><td><p>&#34;NoPrefix&#34;</p></td>
+<td><p>NoPrefix means the username claim value will not have any  prefix</p>
+</td>
+</tr><tr><td><p>&#34;Prefix&#34;</p></td>
+<td><p>Prefix means the prefix value must be specified.  It cannot be empty</p>
+</td>
+</tr></tbody>
+</table>
 <hr/>
 <h2 id="infrastructure.cluster.x-k8s.io/v1beta1">infrastructure.cluster.x-k8s.io/v1beta1</h2>
 <p>