create or update rbac rules

pkg/k8shandler/rbac.go

@@ -6,7 +6,10 @@ import (
 	v1alpha1 "github.com/openshift/elasticsearch-operator/pkg/apis/elasticsearch/v1alpha1"
 	"github.com/openshift/elasticsearch-operator/pkg/utils"
 	"github.com/operator-framework/operator-sdk/pkg/sdk"
+	"github.com/sirupsen/logrus"
+	rbac "k8s.io/api/rbac/v1"
 	errors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/client-go/util/retry"
 )
 
 func CreateOrUpdateRBAC(dpl *v1alpha1.Elasticsearch) error {
@@ -29,8 +32,8 @@ func CreateOrUpdateRBAC(dpl *v1alpha1.Elasticsearch) error {
 
 	addOwnerRefToObject(elasticsearchRole, owner)
 
-	if err := sdk.Create(elasticsearchRole); err != nil && !errors.IsAlreadyExists(err) {
-		return fmt.Errorf("failed to create ClusterRole %s: %v", "elasticsearch-metrics", err)
+	if err := createOrUpdateClusterRole(elasticsearchRole); err != nil {
+		return err
 	}
 
 	subject := utils.NewSubject(
@@ -50,8 +53,8 @@ func CreateOrUpdateRBAC(dpl *v1alpha1.Elasticsearch) error {
 
 	addOwnerRefToObject(elasticsearchRoleBinding, owner)
 
-	if err := sdk.Create(elasticsearchRoleBinding); err != nil && !errors.IsAlreadyExists(err) {
-		return fmt.Errorf("failed to create ClusterRoleBinding %s: %v", "elasticsearch-metrics", err)
+	if err := createOrUpdateClusterRoleBinding(elasticsearchRoleBinding); err != nil {
+		return err
 	}
 
 	// proxy RBAC
@@ -77,8 +80,8 @@ func CreateOrUpdateRBAC(dpl *v1alpha1.Elasticsearch) error {
 
 	addOwnerRefToObject(proxyRole, owner)
 
-	if err := sdk.Create(proxyRole); err != nil && !errors.IsAlreadyExists(err) {
-		return fmt.Errorf("failed to create ClusterRole %s: %v", "oauth-proxy", err)
+	if err := createOrUpdateClusterRole(proxyRole); err != nil {
+		return err
 	}
 
 	subject = utils.NewSubject(
@@ -98,9 +101,60 @@ func CreateOrUpdateRBAC(dpl *v1alpha1.Elasticsearch) error {
 
 	addOwnerRefToObject(proxyRoleBinding, owner)
 
-	if err := sdk.Create(proxyRoleBinding); err != nil && !errors.IsAlreadyExists(err) {
-		return fmt.Errorf("failed to create ClusterRoleBinding %s: %v", "oauth-proxy", err)
+	if err := createOrUpdateClusterRoleBinding(proxyRoleBinding); err != nil {
+		return err
 	}
 
 	return nil
 }
+
+func createOrUpdateClusterRole(role *rbac.ClusterRole) error {
+	if err := sdk.Create(role); err != nil {
+		if !errors.IsAlreadyExists(err) {
+			return fmt.Errorf("failed to create ClusterRole %s: %v", role.Name, err)
+		}
+		existingRole := utils.NewClusterRole(
+			role.Name,
+			utils.NewPolicyRules(),
+		)
+		return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			if getErr := sdk.Get(existingRole); getErr != nil {
+				logrus.Debugf("could not get ClusterRole %v: %v", existingRole.Name, getErr)
+				return getErr
+			}
+			existingRole.Rules = role.Rules
+			if updateErr := sdk.Update(existingRole); updateErr != nil {
+				logrus.Debugf("failed to update ClusterRole %v status: %v", existingRole.Name, updateErr)
+				return updateErr
+			}
+			return nil
+		})
+	}
+	return nil
+}
+
+func createOrUpdateClusterRoleBinding(roleBinding *rbac.ClusterRoleBinding) error {
+	if err := sdk.Create(roleBinding); err != nil {
+		if !errors.IsAlreadyExists(err) {
+			return fmt.Errorf("failed to create ClusterRoleBindig %s: %v", roleBinding.Name, err)
+		}
+		existingRoleBinding := utils.NewClusterRoleBinding(
+			roleBinding.Name,
+			roleBinding.RoleRef.Name,
+			utils.NewSubjects(),
+		)
+		return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			if getErr := sdk.Get(existingRoleBinding); getErr != nil {
+				logrus.Debugf("could not get ClusterRole %v: %v", existingRoleBinding.Name, getErr)
+				return getErr
+			}
+			existingRoleBinding.Subjects = roleBinding.Subjects
+			if updateErr := sdk.Update(existingRoleBinding); updateErr != nil {
+				logrus.Debugf("failed to update ClusterRoleBinding %v status: %v", existingRoleBinding.Name, updateErr)
+				return updateErr
+			}
+			return nil
+		})
+	}
+	return nil
+}