From 9a073fdb16ec1e21ae678e43e225036e23184d45 Mon Sep 17 00:00:00 2001 From: Tom Pantelis Date: Mon, 20 May 2024 10:34:06 -0400 Subject: [PATCH] Add RBAC access to finalizers for the operator role On Openshift, the operator failed with error "\"submariner-gateway\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on" Openshift enables OwnerReferencesPermissionEnforcement, so in order to set blockOwnerDeletion for an object, the user needs update permission for the finalizers subresource of the referenced owner. In this case the owner is the Submariner object. Signed-off-by: Tom Pantelis --- submariner-operator/templates/rbac.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/submariner-operator/templates/rbac.yaml b/submariner-operator/templates/rbac.yaml index ae1a370..5b4a081 100644 --- a/submariner-operator/templates/rbac.yaml +++ b/submariner-operator/templates/rbac.yaml @@ -81,6 +81,13 @@ rules: - get - list - watch + - apiGroups: + - submariner.io + resources: + - submariners/finalizers + - servicediscoveries/finalizers + verbs: + - update --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1
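Review bot: the added rule in rbac.yaml grants update on `servicediscoveries/finalizers` as well as `submariners/finalizers`, but the commit message only justifies the Submariner owner case (the "submariner-gateway" error). If the operator also sets blockOwnerDeletion on objects owned by a ServiceDiscovery, say so in the commit message or in a short YAML comment above the rule. Otherwise drop that entry so the role carries only the permission the reported error requires. Keeping the verbs to `update` alone matches what the message says OwnerReferencesPermissionEnforcement checks, so no wider verb set is needed here.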