From 106a581384b5a9bfcb26adbd7388d0c9989f9019 Mon Sep 17 00:00:00 2001
From: Chris <github.account@chrigel.net>
Date: Tue, 23 Feb 2021 14:18:40 +0100
Subject: [PATCH] Add missing finalizer RBAC rules

Some Kubernetes distributions or versions require this additional permission
---
 config/rbac/role.yaml              | 8 ++++++++
 controllers/archive_controller.go  | 2 +-
 controllers/backup_controller.go   | 4 ++--
 controllers/check_controller.go    | 2 +-
 controllers/job_controller.go      | 2 +-
 controllers/prune_controller.go    | 2 +-
 controllers/restore_controller.go  | 2 +-
 controllers/schedule_controller.go | 2 +-
 8 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 280c32358..1722aa441 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -33,6 +33,7 @@ rules:
 - apiGroups:
   - backup.appuio.ch
   resources:
+  - archives/finalizers
   - archives/status
   verbs:
   - get
@@ -53,6 +54,7 @@ rules:
 - apiGroups:
   - backup.appuio.ch
   resources:
+  - backups/finalizers
   - backups/status
   verbs:
   - get
@@ -73,6 +75,7 @@ rules:
 - apiGroups:
   - backup.appuio.ch
   resources:
+  - checks/finalizers
   - checks/status
   verbs:
   - get
@@ -111,6 +114,7 @@ rules:
 - apiGroups:
   - backup.appuio.ch
   resources:
+  - prebackuppods/finalizers
   - prebackuppods/status
   verbs:
   - get
@@ -131,6 +135,7 @@ rules:
 - apiGroups:
   - backup.appuio.ch
   resources:
+  - prunes/finalizers
   - prunes/status
   verbs:
   - get
@@ -151,6 +156,7 @@ rules:
 - apiGroups:
   - backup.appuio.ch
   resources:
+  - restores/finalizers
   - restores/status
   verbs:
   - get
@@ -171,6 +177,7 @@ rules:
 - apiGroups:
   - backup.appuio.ch
   resources:
+  - schedules/finalizers
   - schedules/status
   verbs:
   - get
@@ -191,6 +198,7 @@ rules:
 - apiGroups:
   - batch
   resources:
+  - jobs/finalizers
   - jobs/status
   verbs:
   - get
diff --git a/controllers/archive_controller.go b/controllers/archive_controller.go
index 99278463e..ba01856f5 100644
--- a/controllers/archive_controller.go
+++ b/controllers/archive_controller.go
@@ -25,7 +25,7 @@ type ArchiveReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=backup.appuio.ch,resources=archives,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=backup.appuio.ch,resources=archives/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=backup.appuio.ch,resources=archives/status;archives/finalizers,verbs=get;update;patch
 
 // Reconcile is the entrypoint to manage the given resource.
 func (r *ArchiveReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/backup_controller.go b/controllers/backup_controller.go
index b0e1960eb..02316a2e4 100644
--- a/controllers/backup_controller.go
+++ b/controllers/backup_controller.go
@@ -25,9 +25,9 @@ type BackupReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=backup.appuio.ch,resources=backups,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=backup.appuio.ch,resources=backups/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=backup.appuio.ch,resources=backups/status;backups/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=backup.appuio.ch,resources=prebackuppods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=backup.appuio.ch,resources=prebackuppods/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=backup.appuio.ch,resources=prebackuppods/status;prebackuppods/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=pods,verbs="*"
diff --git a/controllers/check_controller.go b/controllers/check_controller.go
index 7914ffefb..22d82281c 100644
--- a/controllers/check_controller.go
+++ b/controllers/check_controller.go
@@ -25,7 +25,7 @@ type CheckReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=backup.appuio.ch,resources=checks,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=backup.appuio.ch,resources=checks/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=backup.appuio.ch,resources=checks/status;checks/finalizers,verbs=get;update;patch
 
 // Reconcile is the entrypoint to manage the given resource.
 func (r *CheckReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/job_controller.go b/controllers/job_controller.go
index aa370a155..519ca0888 100644
--- a/controllers/job_controller.go
+++ b/controllers/job_controller.go
@@ -22,7 +22,7 @@ type JobReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=batch,resources=jobs/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=batch,resources=jobs/status;jobs/finalizers,verbs=get;update;patch
 
 // Reconcile is the entrypoint to manage the given resource.
 func (r *JobReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/prune_controller.go b/controllers/prune_controller.go
index a0be7d5c3..fdc5fcead 100644
--- a/controllers/prune_controller.go
+++ b/controllers/prune_controller.go
@@ -25,7 +25,7 @@ type PruneReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=backup.appuio.ch,resources=prunes,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=backup.appuio.ch,resources=prunes/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=backup.appuio.ch,resources=prunes/status;prunes/finalizers,verbs=get;update;patch
 
 // Reconcile is the entrypoint to manage the given resource.
 func (r *PruneReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/restore_controller.go b/controllers/restore_controller.go
index f7632822d..07048cf52 100644
--- a/controllers/restore_controller.go
+++ b/controllers/restore_controller.go
@@ -25,7 +25,7 @@ type RestoreReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=backup.appuio.ch,resources=restores,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=backup.appuio.ch,resources=restores/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=backup.appuio.ch,resources=restores/status;restores/finalizers,verbs=get;update;patch
 
 // Reconcile is the entrypoint to manage the given resource.
 func (r *RestoreReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/schedule_controller.go b/controllers/schedule_controller.go
index f1ea931b3..05caa4aa4 100644
--- a/controllers/schedule_controller.go
+++ b/controllers/schedule_controller.go
@@ -26,7 +26,7 @@ type ScheduleReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=backup.appuio.ch,resources=schedules,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=backup.appuio.ch,resources=schedules/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=backup.appuio.ch,resources=schedules/status;schedules/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=backup.appuio.ch,resources=effectiveschedules,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=backup.appuio.ch,resources=effectiveschedules/finalizers,verbs=update