Split rbac phase into two

Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>

Author: Per Goncalves da Silva

internal/operator-controller/applier/phase.go

@@ -28,20 +28,22 @@ func determinePhase(gk schema.GroupKind) Phase {
 type Phase string
 
 const (
-	PhaseNamespaces Phase = "namespaces"
-	PhasePolicies   Phase = "policies"
-	PhaseRBAC       Phase = "rbac"
-	PhaseCRDs       Phase = "crds"
-	PhaseStorage    Phase = "storage"
-	PhaseDeploy     Phase = "deploy"
-	PhasePublish    Phase = "publish"
+	PhaseNamespaces   Phase = "namespaces"
+	PhasePolicies     Phase = "policies"
+	PhaseRBAC         Phase = "rbac"
+	PhaseRBACBindings Phase = "rbac-bindings"
+	PhaseCRDs         Phase = "crds"
+	PhaseStorage      Phase = "storage"
+	PhaseDeploy       Phase = "deploy"
+	PhasePublish      Phase = "publish"
 )
 
 // Well known phases ordered.
 var defaultPhaseOrder = []Phase{
 	PhaseNamespaces,
 	PhasePolicies,
 	PhaseRBAC,
+	PhaseRBACBindings,
 	PhaseCRDs,
 	PhaseStorage,
 	PhaseDeploy,
@@ -68,8 +70,11 @@ var (
 		PhaseRBAC: {
 			{Kind: "ServiceAccount"},
 			{Kind: "Role", Group: "rbac.authorization.k8s.io"},
-			{Kind: "RoleBinding", Group: "rbac.authorization.k8s.io"},
 			{Kind: "ClusterRole", Group: "rbac.authorization.k8s.io"},
+		},
+
+		PhaseRBACBindings: {
+			{Kind: "RoleBinding", Group: "rbac.authorization.k8s.io"},
 			{Kind: "ClusterRoleBinding", Group: "rbac.authorization.k8s.io"},
 		},
 

internal/operator-controller/applier/phase_test.go

@@ -87,6 +87,30 @@ func Test_PhaseSort(t *testing.T) {
 						},
 					},
 				},
+				{
+					Object: unstructured.Unstructured{
+						Object: map[string]interface{}{
+							"apiVersion": "rbac.authorization.k8s.io/v1",
+							"kind":       "ClusterRoleBinding",
+						},
+					},
+				},
+				{
+					Object: unstructured.Unstructured{
+						Object: map[string]interface{}{
+							"apiVersion": "rbac.authorization.k8s.io/v1",
+							"kind":       "RoleBinding",
+						},
+					},
+				},
+				{
+					Object: unstructured.Unstructured{
+						Object: map[string]interface{}{
+							"apiVersion": "rbac.authorization.k8s.io/v1",
+							"kind":       "Role",
+						},
+					},
+				},
 				{
 					Object: unstructured.Unstructured{
 						Object: map[string]interface{}{
@@ -150,6 +174,35 @@ func Test_PhaseSort(t *testing.T) {
 								},
 							},
 						},
+						{
+							Object: unstructured.Unstructured{
+								Object: map[string]interface{}{
+									"apiVersion": "rbac.authorization.k8s.io/v1",
+									"kind":       "Role",
+								},
+							},
+						},
+					},
+				},
+				{
+					Name: string(applier.PhaseRBACBindings),
+					Objects: []v1.ClusterExtensionRevisionObject{
+						{
+							Object: unstructured.Unstructured{
+								Object: map[string]interface{}{
+									"apiVersion": "rbac.authorization.k8s.io/v1",
+									"kind":       "ClusterRoleBinding",
+								},
+							},
+						},
+						{
+							Object: unstructured.Unstructured{
+								Object: map[string]interface{}{
+									"apiVersion": "rbac.authorization.k8s.io/v1",
+									"kind":       "RoleBinding",
+								},
+							},
+						},
 					},
 				},
 				{

test/e2e/steps/testdata/rbac-template.yaml

@@ -50,11 +50,7 @@ rules:
       - roles
       - clusterrolebindings
       - rolebindings
-    # The bind and escalate verbs allow the ServiceAccount to create role bindings
-    # for roles it doesn't have and grant permissions beyond its own. This is required
-    # because extension bundles contain their own RBAC that must be created.
-    # See docs/concepts/permission-model.md for details on these requirements.
-    verbs: [ update, create, list, watch, get, delete, patch, bind, escalate ]
+    verbs: [ update, create, list, watch, get, delete, patch ]
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: [ update, create, list, watch, get, delete, patch ]