Grant OLM operator permissions to manage cert-manager certificates

This is required when setting `method: certmanager` for some Cilium TLS configuration (e.g. Hubble TLS).
projectsyn · Jan 14, 2025 · f16fb40 · f16fb40
1 parent f8b6463
commit f16fb40
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/component/olm.jsonnet b/component/olm.jsonnet
@@ -228,6 +228,21 @@ local patchManifests = function(file, has_csv)
             resources: [ 'leases' ],
             verbs: [ 'create', 'get', 'update', 'list', 'delete' ],
           },
+          // Grant OLM operator permission to manage cert-manager certificate
+          // resources. This is required when setting `method: certmanager`
+          // for some Cilium TLS configuration (e.g. Hubble TLS).
+          {
+            apiGroups: [ 'cert-manager.io' ],
+            resources: [ 'certificates' ],
+            verbs: [
+              'create',
+              'get',
+              'update',
+              'list',
+              'delete',
+              'deletecollection',
+            ],
+          },
         ] + if util.version.minor <= 15 then [
           // cilium <= 1.15 uses a clusterrole and clusterrolebinding for the
           // hubble certgen cronjob. This is changed to a role and rolebinding

diff --git a/...urce/cilium/cilium/olm/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml b/...urce/cilium/cilium/olm/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml
@@ -43,6 +43,17 @@ rules:
       - update
       - list
       - delete
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - certificates
+    verbs:
+      - create
+      - get
+      - update
+      - list
+      - delete
+      - deletecollection
   - apiGroups:
       - ''
     resources: