Merge pull request #485 from mandre/ssc43

[release-4.3] Bug 1796822: Support deployment on OpenStack with self-signed certificate
openshift · Feb 5, 2020 · 873ab40 · 873ab40
2 parents f552d33 + 693775a
commit 873ab40
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 0 deletions.
diff --git a/install/0000_30_machine-api-operator_09_rbac.yaml b/install/0000_30_machine-api-operator_09_rbac.yaml
@@ -324,6 +324,21 @@ subjects:
     name: prometheus-k8s
     namespace: openshift-monitoring
 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: machine-api-cloud-provider-config-reader
+  namespace: openshift-config
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cloud-provider-config-reader
+subjects:
+  - kind: ServiceAccount
+    name: machine-api-controllers
+    namespace: openshift-machine-api
+
 ---
 # Roles needed by prometheus to scrape machine api Operator metrics endpoint
 apiVersion: rbac.authorization.k8s.io/v1
@@ -348,3 +363,21 @@ rules:
       - get
       - list
       - watch
+
+---
+# Roles needed by machine-api in order to read openshift-config:cloud-provider-config configmap
+# https://github.com/openshift/installer/blob/a76a6b34092d99835d0e947ae9343d231f38f7e1/pkg/asset/manifests/cloudproviderconfig.go#L80
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cloud-provider-config-reader
+  namespace: openshift-config
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      - cloud-provider-config
+    verbs:
+      - get
diff --git a/pkg/operator/status.go b/pkg/operator/status.go
@@ -213,6 +213,12 @@ func (optr *Operator) getOrCreateClusterOperator() (*osconfigv1.ClusterOperator,
 			Resource: "clusterroles",
 			Name:     "machine-api-controllers",
 		},
+		{
+			Group:     "rbac.authorization.k8s.io",
+			Resource:  "roles",
+			Name:      "cloud-provider-config-reader",
+			Namespace: "openshift-config",
+		},
 	}
 	if !equality.Semantic.DeepEqual(co.Status.RelatedObjects, relatedObjects) {
 		co.Status.RelatedObjects = relatedObjects

diff --git a/pkg/operator/status_test.go b/pkg/operator/status_test.go
@@ -193,6 +193,12 @@ func TestGetOrCreateClusterOperator(t *testing.T) {
 							Resource: "clusterroles",
 							Name:     "machine-api-controllers",
 						},
+						{
+							Group:     "rbac.authorization.k8s.io",
+							Resource:  "roles",
+							Name:      "cloud-provider-config-reader",
+							Namespace: "openshift-config",
+						},
 					},
 				},
 			},
@@ -245,6 +251,12 @@ func TestGetOrCreateClusterOperator(t *testing.T) {
 							Resource: "clusterroles",
 							Name:     "machine-api-controllers",
 						},
+						{
+							Group:     "rbac.authorization.k8s.io",
+							Resource:  "roles",
+							Name:      "cloud-provider-config-reader",
+							Namespace: "openshift-config",
+						},
 					},
 					Conditions: conditions,
 				},