From f16fb400e2f81d3899151864ad7113b3e2ea748f Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Tue, 14 Jan 2025 15:44:52 +0100
Subject: [PATCH] Grant OLM operator permissions to manage cert-manager certificates

This is required when setting `method: certmanager` for some Cilium TLS configuration (e.g. Hubble TLS).
---
 component/olm.jsonnet | 15 +++++++++++++++
 ...ilium-00008-cilium-cilium-olm-clusterrole.yaml | 11 +++++++++++
 2 files changed, 26 insertions(+)

diff --git a/component/olm.jsonnet b/component/olm.jsonnet
index a0b80603..7cd68179 100644
--- a/component/olm.jsonnet
+++ b/component/olm.jsonnet
@@ -228,6 +228,21 @@ local patchManifests = function(file, has_csv)
 resources: [ 'leases' ],
 verbs: [ 'create', 'get', 'update', 'list', 'delete' ],
 },
+ // Grant OLM operator permission to manage cert-manager certificate
+ // resources. This is required when setting `method: certmanager`
+ // for some Cilium TLS configuration (e.g. Hubble TLS).
+ {
+ apiGroups: [ 'cert-manager.io' ],
+ resources: [ 'certificates' ],
+ verbs: [
+ 'create',
+ 'get',
+ 'update',
+ 'list',
+ 'delete',
+ 'deletecollection',
+ ],
+ },
 ] + if util.version.minor <= 15 then [
 // cilium <= 1.15 uses a clusterrole and clusterrolebinding for the
 // hubble certgen cronjob. This is changed to a role and rolebinding
diff --git a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml
index bffa5f36..bb12c261 100644
--- a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml
+++ b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml
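Review bot: The new `cert-manager.io` / `certificates` rule in `component/olm.jsonnet` is appended unconditionally, and the golden file shows it landing in the `cilium-olm` ClusterRole, so the operator gets create/update/delete/deletecollection on Certificates in every namespace even where `method: certmanager` is never set. Cluster-wide write access to Certificate objects presumably lets the holder ask cert-manager to issue certificates and write the resulting Secrets outside the Cilium namespace, which is broader than the Hubble TLS case described in the comment appears to need. Consider gating the rule the way the `util.version.minor <= 15` block right below it is gated, e.g. `] + if <certmanager_enabled> then [ { /* cert-manager rule */ } ] else [] + ...`, where `<certmanager_enabled>` is a placeholder for whichever parameter reflects the TLS method, or moving the rule into a namespaced Role for the Cilium namespace. If it has to stay cluster-wide, extend the comment with something like `// NOTE: granted cluster-wide; the operator only needs this in the Cilium namespace` so the scope is a recorded decision. The enclosing `patchManifests` function starts and ends outside the hunk.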
@@ -43,6 +43,17 @@ rules:
 - update
 - list
 - delete
+ - apiGroups:
+ - cert-manager.io
+ resources:
+ - certificates
+ verbs:
+ - create
+ - get
+ - update
+ - list
+ - delete
+ - deletecollection
 - apiGroups:
 - ''
 resources: