@@ -1360,31 +1360,36 @@ func (i *Installer) createOrPatchTridentServiceAccounts(
13601360func (i * Installer ) createOrPatchTridentClusterRole (
13611361 controllingCRDetails , labels map [string ]string , shouldUpdate bool ,
13621362) error {
1363- clusterRoleName := getControllerRBACResourceName ( )
1364-
1365- currentClusterRole , unwantedClusterRoles , createClusterRole , err := i . client . GetClusterRoleInformation (
1366- clusterRoleName , appLabel , shouldUpdate )
1367- if err != nil {
1368- return fmt . Errorf ( "failed to get Trident cluster roles; %v" , err )
1369- }
1370-
1371- // Retrieve cluster roles with node label
1372- // This needs to happen to identify the cluster roles defined for node pods, prior to 23.xx so that
1373- // they can be removed
1374- nodeClusterRoles , err := i . client . GetClusterRolesByLabel ( TridentNodeLabel )
1375- if err == nil && len ( nodeClusterRoles ) > 0 {
1376- unwantedClusterRoles = append ( unwantedClusterRoles , nodeClusterRoles ... )
1377- }
1363+ // Create cluster roles for all RBAC resources (controller and node pods )
1364+ rbacResourceNames := getRBACResourceNames ()
1365+
1366+ // Create or update cluster role for each RBAC resource
1367+ for _ , resourceName := range rbacResourceNames {
1368+ // Get appropriate labels for this resource type (controller vs node )
1369+ resourceLabels , resourceLabelString := getAppLabelForResource ( resourceName )
1370+
1371+ // Get cluster role information for this resource
1372+ // Pass all RBAC resource names to prevent accidental deletion of related resources
1373+ currentClusterRole , unwantedClusterRoles , createClusterRole , err := i . client . GetClusterRoleInformation (
1374+ resourceName , rbacResourceNames , resourceLabelString , shouldUpdate )
1375+ if err != nil {
1376+ return fmt . Errorf ( "failed to get Trident cluster role %s; %v" , resourceName , err )
1377+ }
13781378
1379- if err = i .client .RemoveMultipleClusterRoles (unwantedClusterRoles ); err != nil {
1380- return fmt .Errorf ("failed to remove unwanted Trident cluster roles; %v" , err )
1381- }
1379+ // Remove unwanted cluster roles
1380+ if len (unwantedClusterRoles ) > 0 {
1381+ if err = i .client .RemoveMultipleClusterRoles (unwantedClusterRoles ); err != nil {
1382+ return fmt .Errorf ("failed to remove unwanted cluster roles; %v" , err )
1383+ }
1384+ }
13821385
1383- newClusterRoleYAML := k8sclient .GetClusterRoleYAML (clusterRoleName , labels , controllingCRDetails )
1386+ // Create or patch the cluster role
1387+ newClusterRoleYAML := k8sclient .GetClusterRoleYAML (resourceName , resourceLabels , controllingCRDetails )
13841388
1385- err = i .client .PutClusterRole (currentClusterRole , createClusterRole , newClusterRoleYAML , appLabel )
1386- if err != nil {
1387- return fmt .Errorf ("failed to create or patch Trident cluster role; %v" , err )
1389+ err = i .client .PutClusterRole (currentClusterRole , createClusterRole , newClusterRoleYAML , resourceLabelString )
1390+ if err != nil {
1391+ return fmt .Errorf ("failed to create or patch Trident cluster role %s; %v" , resourceName , err )
1392+ }
13881393 }
13891394
13901395 return nil
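Review bot: The `labels` parameter of createOrPatchTridentClusterRole is no longer read on the new side. Both GetClusterRoleYAML and PutClusterRole now take `resourceLabels` / `resourceLabelString` from getAppLabelForResource, so whatever the caller passes in `labels` is dropped; the same holds for createOrPatchTridentClusterRoleBinding in the next hunk. If callers put anything beyond the app label into that map, it would silently disappear from both cluster-scoped objects. If ignoring it is intended, say so at the top of the body, e.g. `// labels is unused: per-resource labels come from getAppLabelForResource so controller and node objects are selected separately.` The function's closing brace lies outside the hunk.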
@@ -1459,33 +1464,38 @@ func (i *Installer) createOrPatchTridentRoleBindings(
14591464func (i * Installer ) createOrPatchTridentClusterRoleBinding (
14601465 controllingCRDetails , labels map [string ]string , shouldUpdate bool ,
14611466) error {
1462- clusterRoleBindingName := getControllerRBACResourceName ( )
1463-
1464- currentClusterRoleBinding , unwantedClusterRoleBindings , createClusterRoleBinding ,
1465- err := i . client . GetClusterRoleBindingInformation ( clusterRoleBindingName , appLabel , shouldUpdate )
1466- if err != nil {
1467- return fmt . Errorf ( "failed to get Trident cluster role bindings; %v" , err )
1468- }
1469-
1470- // Retrieve cluster role bindings with node label
1471- // This needs to happen to identify the cluster role bindings defined for node pods, prior to 23.xx so that
1472- // they can be removed
1473- nodeClusterRoleBindings , err := i . client . GetClusterRoleBindingsByLabel ( TridentNodeLabel )
1474- if err == nil && len ( nodeClusterRoleBindings ) > 0 {
1475- unwantedClusterRoleBindings = append ( unwantedClusterRoleBindings , nodeClusterRoleBindings ... )
1476- }
1467+ // Create cluster role bindings for all RBAC resources (controller and node pods )
1468+ rbacResourceNames := getRBACResourceNames ()
1469+
1470+ // Create or update cluster role binding for each RBAC resource
1471+ for _ , resourceName := range rbacResourceNames {
1472+ // Get appropriate labels for this resource type (controller vs node )
1473+ resourceLabels , resourceLabelString := getAppLabelForResource ( resourceName )
1474+
1475+ // Get cluster role binding information for this resource
1476+ // Pass all RBAC resource names to prevent accidental deletion of related resources
1477+ currentClusterRoleBinding , unwantedClusterRoleBindings , createClusterRoleBinding , err := i . client . GetClusterRoleBindingInformation (
1478+ resourceName , rbacResourceNames , resourceLabelString , shouldUpdate )
1479+ if err != nil {
1480+ return fmt . Errorf ( "failed to get Trident cluster role binding %s; %v" , resourceName , err )
1481+ }
14771482
1478- if err = i .client .RemoveMultipleClusterRoleBindings (unwantedClusterRoleBindings ); err != nil {
1479- return fmt .Errorf ("failed to remove unwanted Trident cluster role bindings; %v" , err )
1480- }
1483+ // Remove unwanted cluster role bindings
1484+ if len (unwantedClusterRoleBindings ) > 0 {
1485+ if err = i .client .RemoveMultipleClusterRoleBindings (unwantedClusterRoleBindings ); err != nil {
1486+ return fmt .Errorf ("failed to remove unwanted cluster role bindings; %v" , err )
1487+ }
1488+ }
14811489
1482- newClusterRoleBindingYAML := k8sclient .GetClusterRoleBindingYAML (i .namespace , clusterRoleBindingName ,
1483- i .client .Flavor (), labels , controllingCRDetails )
1490+ // Create or patch the cluster role binding
1491+ newClusterRoleBindingYAML := k8sclient .GetClusterRoleBindingYAML (i .namespace , resourceName ,
1492+ i .client .Flavor (), resourceLabels , controllingCRDetails )
14841493
1485- err = i .client .PutClusterRoleBinding (currentClusterRoleBinding , createClusterRoleBinding ,
1486- newClusterRoleBindingYAML , appLabel )
1487- if err != nil {
1488- return fmt .Errorf ("failed to create or patch Trident cluster role binding; %v" , err )
1494+ err = i .client .PutClusterRoleBinding (currentClusterRoleBinding , createClusterRoleBinding ,
1495+ newClusterRoleBindingYAML , resourceLabelString )
1496+ if err != nil {
1497+ return fmt .Errorf ("failed to create or patch Trident cluster role binding %s; %v" , resourceName , err )
1498+ }
14891499 }
14901500
14911501 return nil
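Review bot: The loop now creates a ClusterRoleBinding for the node resource name too, giving a service account that presumably runs on every node cluster-scoped permissions, and nothing in the hunk shows which rules or subject that binding ends up with. GetClusterRoleBindingYAML receives only `resourceName`, as GetClusterRoleYAML does in createOrPatchTridentClusterRole. As far as the removed lines show, node-labelled cluster role bindings were previously collected by label and deleted as unwanted, so this looks like a grant the node pods did not hold before. It is worth confirming that the generators emit a reduced rule set for the node name rather than the controller's, and recording that above the call, e.g. `// Node binding must reference the node ClusterRole only; node pods must not inherit controller rules.`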