From eb336236f30a1ca18c80ebdf86a9f18dd79bf0a2 Mon Sep 17 00:00:00 2001 From: Thomas Pantelis Date: Tue, 21 May 2024 05:28:13 -0400 Subject: [PATCH] Add RBAC access to finalizers for the operator role (#515) On Openshift, the operator failed with error "\"submariner-gateway\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on" Openshift enables OwnerReferencesPermissionEnforcement, so in order to set blockOwnerDeletion for an object, the user needs update permission for the finalizers subresource of the referenced owner. In this case the owner is the Submariner object. Signed-off-by: Tom Pantelis --- submariner-operator/templates/rbac.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/submariner-operator/templates/rbac.yaml b/submariner-operator/templates/rbac.yaml index 595f3db..581543c 100644 --- a/submariner-operator/templates/rbac.yaml +++ b/submariner-operator/templates/rbac.yaml @@ -80,6 +80,13 @@ rules: - get - list - watch + - apiGroups: + - submariner.io + resources: + - submariners/finalizers + - servicediscoveries/finalizers + verbs: + - update --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1
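Review bot: The added rule in rbac.yaml grants `update` on `servicediscoveries/finalizers` as well as `submariners/finalizers`, but the commit message justifies only the Submariner object as the owner that `blockOwnerDeletion` refers to. If the operator also sets owner references pointing at a ServiceDiscovery object, say so in the commit message. Otherwise drop that resource so the role carries only what the reported error requires. A short YAML comment above the new `- apiGroups:` entry, noting that the rule exists for OwnerReferencesPermissionEnforcement, would also keep it from being removed later as an unused permission. The verb list is correctly limited to `update`.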