From 7c6df691b7673bef047925dc5cb5df848648040b Mon Sep 17 00:00:00 2001
From: Elliott Baron
Date: Wed, 25 Aug 2021 16:39:06 -0400
Subject: [PATCH] fix(rbac): add permissions to support tree API
---
 .../cryostat-operator.clusterserviceversion.yaml | 12 ++++++++++++
 config/rbac/role.yaml | 12 ++++++++++++
 .../resource_definitions/resource_definitions.go | 15 +++++++++++++++
 internal/controllers/cryostat_controller.go | 2 ++
 internal/test/resources.go | 15 +++++++++++++++
 5 files changed, 56 insertions(+)
diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
index a770e09a..20338b95 100644
--- a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -383,6 +383,12 @@ spec:
 - patch
 - update
 - watch
+ - apiGroups:
+ - ""
+ resources:
+ - replicationcontrollers
+ verbs:
+ - get
 - apiGroups:
 - apps
 resources:
@@ -392,6 +398,12 @@ spec:
 - statefulsets
 verbs:
 - '*'
+ - apiGroups:
+ - apps.openshift.io
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
 - apiGroups:
 - cert-manager.io
 resources:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index d347f086..faf3d17d 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -87,6 +87,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - replicationcontrollers
+ verbs:
+ - get
 - apiGroups:
 - apps
 resources:
@@ -96,6 +102,12 @@ rules:
 - statefulsets
 verbs:
 - '*'
+- apiGroups:
+ - apps.openshift.io
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
 - apiGroups:
 - cert-manager.io
 resources:
diff --git a/internal/controllers/common/resource_definitions/resource_definitions.go b/internal/controllers/common/resource_definitions/resource_definitions.go
index 9b1c3526..5d8632ed 100644
--- a/internal/controllers/common/resource_definitions/resource_definitions.go
+++ b/internal/controllers/common/resource_definitions/resource_definitions.go
@@ -707,6 +707,21 @@ func NewRoleForCR(cr *operatorv1beta1.Cryostat) *rbacv1.Role {
 APIGroups: []string{""},
 Resources: []string{"endpoints"},
 },
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{""},
+ Resources: []string{"pods", "replicationcontrollers"},
+ },
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{"apps"},
+ Resources: []string{"replicasets", "deployments", "daemonsets", "statefulsets"},
+ },
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{"apps.openshift.io"},
+ Resources: []string{"deploymentconfigs"},
+ },
 {
 Verbs: []string{"get", "list"},
 APIGroups: []string{"route.openshift.io"},
diff --git a/internal/controllers/cryostat_controller.go b/internal/controllers/cryostat_controller.go
index e7a6cadd..e0e5b8e6 100644
--- a/internal/controllers/cryostat_controller.go
+++ b/internal/controllers/cryostat_controller.go
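Review bot: The three added `get` rules in the Role literal carry no comment saying why the Role built for the Cryostat CR needs to read pods, their owning workload objects and DeploymentConfigs, so a later least-privilege audit has nothing to check the grant against. The commit subject suggests they back the tree API; a comment ahead of the first new rule, e.g. `// Read-only (get by name) access to Pods and their owning workload objects, needed by the tree API.`, would record that and make it explicit that `list` and `watch` were left out on purpose. The same three rules are repeated by hand in `NewRole` in internal/test/resources.go, so any later narrowing has to be made in both places. NewRoleForCR's body starts and ends outside the hunk.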
@@ -91,11 +91,13 @@ const datasourceImageTagEnv = "RELATED_IMAGE_DATASOURCE" const grafanaImageTagEnv = "RELATED_IMAGE_GRAFANA" // +kubebuilder:rbac:namespace=system,groups="",resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets;serviceaccounts,verbs=* +// +kubebuilder:rbac:namespace=system,groups="",resources=replicationcontrollers,verbs=get // +kubebuilder:rbac:namespace=system,groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=create;get;list;update;watch;delete // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create;get;list;update;watch;delete // +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create // +kubebuilder:rbac:groups=authorization.k8s.io,resources=selfsubjectaccessreviews,verbs=create // +kubebuilder:rbac:namespace=system,groups=route.openshift.io,resources=routes;routes/custom-host,verbs=* +// +kubebuilder:rbac:namespace=system,groups=apps.openshift.io,resources=deploymentconfigs,verbs=get // +kubebuilder:rbac:namespace=system,groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=* // +kubebuilder:rbac:namespace=system,groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create // +kubebuilder:rbac:namespace=system,groups=cert-manager.io,resources=issuers;certificates,verbs=create;get;list;update;watch diff --git a/internal/test/resources.go b/internal/test/resources.go index b69a6afa..8f2261f6 100644 --- a/internal/test/resources.go +++ b/internal/test/resources.go 
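Review bot: The two new markers give the operator `get` on replicationcontrollers and deploymentconfigs, yet nothing in this hunk shows the controller reading those objects itself; they appear to exist only because Kubernetes refuses to let a subject create a Role containing permissions it does not already hold, and NewRoleForCR now grants both. That coupling deserves a plain comment above the marker block, e.g. `// replicationcontrollers and deploymentconfigs are held only so the operator can grant them in the Role from NewRoleForCR; keep in sync.`, so the markers are dropped if that Role is ever narrowed. The existing `verbs=*` markers on pods and on the apps group already cover the other new Role rules, which is presumably why no marker was added for them.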
@@ -1126,6 +1126,21 @@ func NewRole() *rbacv1.Role {
 APIGroups: []string{""},
 Resources: []string{"endpoints"},
 },
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{""},
+ Resources: []string{"pods", "replicationcontrollers"},
+ },
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{"apps"},
+ Resources: []string{"replicasets", "deployments", "daemonsets", "statefulsets"},
+ },
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{"apps.openshift.io"},
+ Resources: []string{"deploymentconfigs"},
+ },
 {
 Verbs: []string{"get", "list"},
 APIGroups: []string{"route.openshift.io"},