
Commit b0a9f40

committed
fix mcp-operator permissions
1 parent f584ed5 commit b0a9f40


2 files changed

+45
-3
lines changed


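--- a/charts/mcp-operator/templates/_helpers.tpl
+++ b/charts/mcp-operator/templates/_helpers.tpl
@@ -44,6 +44,13 @@ Name of the clusterrole(binding) if in-cluster config is used for the cloudorche
 {{- print "openmcp.cloud:co:" ( include "mcp-operator.fullname" . ) | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Name of the clusterrole(binding) if in-cluster config is used for the core cluster.
+*/}}
+{{- define "mcp-operator.v2bridge.clusterrole" -}}
+{{- print "openmcp.cloud:v2:" ( include "mcp-operator.fullname" . ) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
 {{/*
 Use <image>:<tag> or <image>@<sha256>, depending on which is given.
 */}}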
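Review bot: The comment on `mcp-operator.v2bridge.clusterrole` says the name applies "if in-cluster config is used for the core cluster", but it never mentions the v2 bridge, and the ClusterRole that uses this name in rbac.yaml in the same commit appears to be rendered without any such condition. A comment that matches the use would read better, for example `Name of the clusterrole(binding) that grants the operator access to the clusters.openmcp.cloud API group (v2 bridge).` The name is also cluster-scoped and derived from the fullname alone, so two releases with the same fullname in different namespaces would presumably resolve to the same ClusterRole and binding. If that is a supported setup, the comment should say how the clash is avoided.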

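--- a/charts/mcp-operator/templates/rbac.yaml
+++ b/charts/mcp-operator/templates/rbac.yaml
@@ -94,6 +94,12 @@ rules:
 - landscaperdeployments
 verbs:
 - "*"
+- apiGroups:
+- landscaper.services.openmcp.cloud
+resources:
+- landscapers
+verbs:
+- "*"
 ---
 kind: ClusterRoleBinding
 apiVersion: {{ include "rbacversion" . }}
@@ -146,7 +152,7 @@ roleRef:
 {{- end }}
 {{- end }}
 {{- if not .Values.webhooks.disabled }}
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: {{ include "rbacversion" . }}
 kind: Role
 metadata:
 name: {{ include "mcp-operator.fullname" . }}
@@ -159,7 +165,7 @@ rules:
 resourceNames:
 - {{ include "mcp-operator.fullname" . }}-webhooks-tls
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: {{ include "rbacversion" . }}
 kind: RoleBinding
 metadata:
 name: {{ include "mcp-operator.fullname" . }}
@@ -174,4 +180,33 @@ subjects:
 name: mcp-operator
 namespace: {{ .Release.Namespace }}
 ---
-{{- end }}
+{{- end }}
+apiVersion: {{ include "rbacversion" . }}
+kind: ClusterRole
+metadata:
+name: {{ include "mcp-operator.v2bridge.clusterrole" . }}
+labels:
+{{- include "mcp-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+- clusters.openmcp.cloud
+resources:
+- "*"
+verbs:
+- "*"
+---
+kind: ClusterRoleBinding
+apiVersion: {{ include "rbacversion" . }}
+metadata:
+name: {{ include "mcp-operator.v2bridge.clusterrole" . }}
+labels:
+{{- include "mcp-operator.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+name: mcp-operator
+namespace: {{ .Release.Namespace }}
+roleRef:
+kind: ClusterRole
+name: {{ include "mcp-operator.v2bridge.clusterrole" . }}
+apiGroup: rbac.authorization.k8s.io
+---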
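Review bot: The new ClusterRole named by `mcp-operator.v2bridge.clusterrole` (last hunk) grants `"*"` verbs on `"*"` resources in `clusters.openmcp.cloud` cluster-wide to the `mcp-operator` ServiceAccount. That covers subresources and any resource added to the group later, and the `landscapers` rule added in the first hunk uses `"*"` verbs as well. Listing the resources and verbs the operator actually calls would keep a compromised operator pod from deleting or rewriting objects it never needed; until that list is known, a marker such as `# TODO: replace wildcards with the resources/verbs the v2 bridge uses` above the rule would record the intent. The role and binding also sit after `{{- end }}`, so they render even when `webhooks.disabled` is set, while the only visible `---` before them is inside that conditional. The template lines above the `if` are outside the hunk, so it is worth rendering the chart with webhooks disabled to confirm the ClusterRole does not merge into the preceding document.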
