Fix CRD roles generation and correct editor verbs

notandy · notandy · commit 3d79e2af3424 · 2025-09-08T20:43:08.000-04:00
diff --git a/charts/openstack-hypervisor-operator/templates/manager-rbac.yaml b/charts/openstack-hypervisor-operator/templates/manager-rbac.yaml
@@ -26,9 +26,9 @@ rules:
   resources:
   - deployments
   verbs:
-  - ;get
   - create
   - delete
+  - get
   - list
   - patch
   - update
@@ -48,6 +48,8 @@ rules:
   - kvm.cloud.sap
   resources:
   - evictions
+  - hypervisors
+  - hypervisors/status
   verbs:
   - create
   - delete
@@ -70,16 +72,6 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - kvm.cloud.sap
-  resources:
-  - hypervisors
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - watch
 - apiGroups:
   - policy
   resources:
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -3,6 +3,7 @@
 # It should be run by config/default
 resources:
 - bases/kvm.cloud.sap_evictions.yaml
+- bases/kvm.cloud.sap_hypervisors.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
diff --git a/config/rbac/hypervisor_editor_role.yaml b/config/rbac/hypervisor_editor_role.yaml
@@ -0,0 +1,27 @@
+# permissions for end users to edit hypervisors.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kvm-node-agent
+    app.kubernetes.io/managed-by: kustomize
+  name: hypervisor-editor-role
+rules:
+- apiGroups:
+  - kvm.cloud.sap
+  resources:
+  - hypervisors
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kvm.cloud.sap
+  resources:
+  - hypervisors/status
+  verbs:
+  - get
diff --git a/config/rbac/hypervisor_viewer_role.yaml b/config/rbac/hypervisor_viewer_role.yaml
@@ -0,0 +1,23 @@
+# permissions for end users to view hypervisors.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kvm-node-agent
+    app.kubernetes.io/managed-by: kustomize
+  name: hypervisor-viewer-role
+rules:
+- apiGroups:
+  - kvm.cloud.sap
+  resources:
+  - hypervisors
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - kvm.cloud.sap
+  resources:
+  - hypervisors/status
+  verbs:
+  - get
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -24,4 +24,5 @@ resources:
 # if you do not want those helpers be installed with your Project.
 - eviction_editor_role.yaml
 - eviction_viewer_role.yaml
-
+- hypervisor_editor_role.yaml
+- hypervisor_viewer_role.yaml
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -25,9 +25,9 @@ rules:
   resources:
   - deployments
   verbs:
-  - ;get
   - create
   - delete
+  - get
   - list
   - patch
   - update
@@ -47,6 +47,8 @@ rules:
   - kvm.cloud.sap
   resources:
   - evictions
+  - hypervisors
+  - hypervisors/status
   verbs:
   - create
   - delete
@@ -69,16 +71,6 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - kvm.cloud.sap
-  resources:
-  - hypervisors
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - watch
 - apiGroups:
   - policy
   resources:
diff --git a/internal/controller/hypervisor_controller.go b/internal/controller/hypervisor_controller.go
@@ -55,7 +55,8 @@ type HypervisorController struct {
 
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=nodes/status,verbs=get
-// +kubebuilder:rbac:groups=kvm.cloud.sap,resources=hypervisors,verbs=get;list;watch;create;delete
+// +kubebuilder:rbac:groups=kvm.cloud.sap,resources=hypervisors,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=kvm.cloud.sap,resources=hypervisors/status,verbs=get;list;watch;create;update;patch;delete
 
 func (hv *HypervisorController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	var lifecycleEnabled, skipTest bool
diff --git a/internal/controller/maintenance_controller.go b/internal/controller/maintenance_controller.go
@@ -61,7 +61,7 @@ const (
 // https://github.com/gardener/machine-controller-manager/blob/rel-v0.56/pkg/util/provider/machinecontroller/machine.go#L646
 
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch;patch;update;watch
-// +kubebuilder:rbac:groups="apps",resources=deployments,verbs=create;delete;;get;list;patch;update;watch
+// +kubebuilder:rbac:groups="apps",resources=deployments,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups="policy",resources=poddisruptionbudgets,verbs=create;delete;get;list;patch;update;watch
 
 func (r *MaintenanceController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/internal/controller/onboarding_controller.go b/internal/controller/onboarding_controller.go
@@ -132,11 +132,7 @@ func (r *OnboardingController) Reconcile(ctx context.Context, req ctrl.Request)
 			Reason:  ConditionReasonInitial,
 			Message: "Initial onboarding",
 		})
-		if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
-			return r.Status().Update(ctx, hv)
-		}); err != nil {
-			return ctrl.Result{}, err
-		}
+		return ctrl.Result{}, r.Status().Update(ctx, hv)
 	}
 
 	// TODO: cleanup node retrieval
