From 324e4e5ed3a9eb2d6f902c06d37f2c3c406bf425 Mon Sep 17 00:00:00 2001
From: Drew Walters <andrew.walters@att.com>
Date: Wed, 24 Feb 2021 20:10:45 +0000
Subject: [PATCH] Fix sipcluster-infra-service ClusterRole

SIP needs permission to create, modify, and watch deployments. While
deployments is listed in one of the SIP ClusterRoles, the apiGroup apps
is not present, so SIP cannot watch deplyoments that manage
infrastructure services. This change adds the missing apiGroup.

Signed-off-by: Drew Walters <andrew.walters@att.com>
Change-Id: Ie376649cd67a82501c72d3ffdbb67cfe6e802934
---
 config/rbac/auth_proxy_role_binding.yaml      | 2 +-
 config/rbac/leader_election_role_binding.yaml | 2 +-
 config/rbac/role_binding.yaml                 | 2 +-
 config/rbac/sipcluster_scheduler_binding.yaml | 6 +++---
 config/rbac/sipcluster_scheduler_role.yaml    | 3 ++-
 5 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
index b0bb406..ddb21b7 100644
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ b/config/rbac/auth_proxy_role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: default
-  namespace: sip-cluster-system
+  namespace: sipcluster-system
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
index ec3f6f7..7d2bcbe 100644
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: default
-  namespace: sip-cluster-system
+  namespace: sipcluster-system
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 831bae5..e9c1ed3 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: default
-  namespace: sip-cluster-system
+  namespace: sipcluster-system
diff --git a/config/rbac/sipcluster_scheduler_binding.yaml b/config/rbac/sipcluster_scheduler_binding.yaml
index 16646f4..c72eb9c 100644
--- a/config/rbac/sipcluster_scheduler_binding.yaml
+++ b/config/rbac/sipcluster_scheduler_binding.yaml
@@ -10,7 +10,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: default
-  namespace: sip-cluster-system
+  namespace: sipcluster-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -23,7 +23,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: default
-  namespace: sip-cluster-system
+  namespace: sipcluster-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -36,4 +36,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: default
-  namespace: sip-cluster-system
+  namespace: sipcluster-system
diff --git a/config/rbac/sipcluster_scheduler_role.yaml b/config/rbac/sipcluster_scheduler_role.yaml
index 381ace7..98fc2de 100644
--- a/config/rbac/sipcluster_scheduler_role.yaml
+++ b/config/rbac/sipcluster_scheduler_role.yaml
@@ -50,7 +50,6 @@ rules:
   - ""
   resources:
   - namespaces
-  - deployments
   - secrets
   verbs:
   - create
@@ -67,8 +66,10 @@ metadata:
 rules:
 - apiGroups:
   - ""
+  - apps
   resources:
   - configmaps
+  - deployments
   - services
   verbs:
   - create