Merge pull request #272 from mrogers950/drb_fix

Bug 2109153: Restore CSV ownership of ServiceAccounts

Author: openshift-merge-robot

Makefile

@@ -107,6 +107,9 @@ IMAGE_TAG_BASE=$(IMAGE_REPO)/$(APP_NAME)
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
 BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:$(TAG)
 
+# Includes additional service accounts into the bundle CSV.
+BUNDLE_SA_OPTS ?= --extra-service-accounts file-integrity-daemon
+
 # Image URL to use all building/pushing image targets
 IMG ?= $(IMAGE_TAG_BASE):$(TAG)
 
@@ -302,7 +305,7 @@ bundle: check-operator-version operator-sdk manifests update-skip-range kustomiz
 	$(SDK_BIN) generate kustomize manifests --apis-dir=./pkg/apis -q
 	@echo "kustomize using deployment image $(IMG)"
 	cd config/manager && $(KUSTOMIZE) edit set image $(APP_NAME)=$(IMG)
-	$(KUSTOMIZE) build config/manifests | $(SDK_BIN) generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+	$(KUSTOMIZE) build config/manifests | $(SDK_BIN) generate bundle -q $(BUNDLE_SA_OPTS) --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
 	$(SDK_BIN) bundle validate ./bundle
 
 .PHONY: bundle-image
@@ -427,7 +430,6 @@ prep-e2e: kustomize
 	mkdir -p $(TEST_SETUP_DIR)
 	$(KUSTOMIZE) build config/e2e > $(TEST_DEPLOY)
 	$(KUSTOMIZE) build config/crd > $(TEST_CRD)
-	cat config/rbac-daemon/daemon_rolebinding.yaml >> $(TEST_DEPLOY)
 
 ifdef IMAGE_FROM_CI
 e2e-set-image: kustomize

bundle/manifests/file-integrity-daemon_rbac.authorization.k8s.io_v1_role.yaml

@@ -1,5 +1,5 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   creationTimestamp: null
   name: file-integrity-operator-metrics

bundle/manifests/file-integrity-daemon_v1_serviceaccount.yaml

@@ -131,6 +131,37 @@ spec:
                   optional: true
                   secretName: file-integrity-operator-serving-cert
       permissions:
+      - rules:
+        - apiGroups:
+          - ""
+          resources:
+          - events
+          - configmaps
+          verbs:
+          - create
+        - apiGroups:
+          - fileintegrity.openshift.io
+          resources:
+          - fileintegrities
+          verbs:
+          - get
+          - watch
+        - apiGroups:
+          - security.openshift.io
+          resourceNames:
+          - privileged
+          resources:
+          - securitycontextconstraints
+          verbs:
+          - use
+        - apiGroups:
+          - events.k8s.io
+          resources:
+          - events
+          verbs:
+          - create
+          - update
+        serviceAccountName: file-integrity-daemon
       - rules:
         - apiGroups:
           - ""

…zation.k8s.io_v1_clusterrolebinding.yaml …authorization.k8s.io_v1_rolebinding.yamlbundle/manifests/file-integrity-operator-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml renamed to bundle/manifests/file-integrity-operator-metrics_rbac.authorization.k8s.io_v1_rolebinding.yaml bundle/manifests/file-integrity-operator-metrics_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml renamed to bundle/manifests/file-integrity-operator-metrics_rbac.authorization.k8s.io_v1_rolebinding.yaml

@@ -1,4 +1,4 @@
-# Bundle variant - no rbac-daemon inclusion
+# Bundle variant
 
 namespace: openshift-file-integrity
 

bundle/manifests/file-integrity-operator.clusterserviceversion.yaml

@@ -1,9 +1,8 @@
-# Deploy variant - includes rbac-daemon
+# Deploy variant
 
 namespace: openshift-file-integrity
 
 bases:
 - ../rbac
-- ../rbac-daemon
 - ../manager
 - ../ns