[CASCL-610] Add require RBAC for ArgoRollout support (#2221)

* [CASCL-610] Add require RBAC ArgoRollout support

* Add container-autoscaling in CODEOWNERS config

---------

Co-authored-by: Fanny Jiang <fanny.jiang@datadoghq.com>

Author: clamoriniere

.github/CODEOWNERS

@@ -19,6 +19,7 @@ README.md               @DataDog/documentation @DataDog/container-ecosystems
 /internal/controller/datadogagent/feature/clusterchecks/*          @DataDog/container-platform
 /internal/controller/datadogagent/feature/kubernetesstatecore/*    @DataDog/container-integrations
 /internal/controller/datadogagent/feature/helmcheck/*              @DataDog/container-integrations
+/internal/controller/datadogagent/feature/autoscaling/*            @DataDog/container-autoscaling
 
 
 /api/**/datadogpodautoscaler*.go              @DataDog/container-autoscaling

config/rbac/role.yaml

@@ -129,6 +129,7 @@ rules:
   - rollouts
   verbs:
   - list
+  - patch
   - watch
 - apiGroups:
   - authentication.k8s.io

internal/controller/datadogagent/feature/autoscaling/feature_test.go

@@ -121,6 +121,11 @@ func testRBACResources(t testing.TB, store store.StoreClient) {
 					APIGroups: []string{"apps"},
 					Resources: []string{"deployments"},
 				},
+				{
+					Verbs:     []string{"patch"},
+					APIGroups: []string{"argoproj.io"},
+					Resources: []string{"rollouts"},
+				},
 			}),
 			"ClusterRole Policy Rules \ndiff = %s", cmp.Diff(cr.Rules, ""),
 		)

internal/controller/datadogagent/feature/autoscaling/rbac.go

@@ -50,7 +50,7 @@ func getDCAClusterPolicyRules() []rbacv1.PolicyRule {
 			// Patching POD to add annotations. TODO: Remove when we have a better way to generate single event
 			APIGroups: []string{rbac.CoreAPIGroup},
 			Resources: []string{
-				"pods",
+				rbac.PodsResource,
 			},
 			Verbs: []string{
 				rbac.PatchVerb,
@@ -60,11 +60,18 @@ func getDCAClusterPolicyRules() []rbacv1.PolicyRule {
 			// Patching Deployment to trigger rollout.
 			APIGroups: []string{rbac.AppsAPIGroup},
 			Resources: []string{
-				"deployments",
+				rbac.DeploymentsResource,
 			},
 			Verbs: []string{
 				rbac.PatchVerb,
 			},
 		},
+		{
+			APIGroups: []string{rbac.ArgoProjAPIGroup},
+			Resources: []string{rbac.Rollout},
+			Verbs: []string{
+				rbac.PatchVerb,
+			},
+		},
 	}
 }

internal/controller/datadogagent_controller.go

@@ -88,6 +88,8 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups=datadoghq.com,resources=datadogpodautoscalers,verbs=*
 // +kubebuilder:rbac:groups=datadoghq.com,resources=datadogpodautoscalers/status,verbs=*
 // +kubebuilder:rbac:groups=*,resources=*/scale,verbs=get;update
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=patch
+// +kubebuilder:rbac:groups=argoproj.io,resources=rollouts,verbs=patch
 
 // Use ExtendedDaemonSet
 // +kubebuilder:rbac:groups=datadoghq.com,resources=extendeddaemonsets,verbs=get;list;watch;create;update;patch;delete