diff --git a/bindata/rbac/barbican-operator-rbac.yaml b/bindata/rbac/barbican-operator-rbac.yaml
index 4143bb878b..0cd0680572 100644
--- a/bindata/rbac/barbican-operator-rbac.yaml
+++ b/bindata/rbac/barbican-operator-rbac.yaml
@@ -402,19 +402,6 @@ subjects:
 name: barbican-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: barbican-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: barbican-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: barbican-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/cinder-operator-rbac.yaml b/bindata/rbac/cinder-operator-rbac.yaml
index 9540937efd..e2db8f0750 100644
--- a/bindata/rbac/cinder-operator-rbac.yaml
+++ b/bindata/rbac/cinder-operator-rbac.yaml
@@ -446,19 +446,6 @@ subjects:
 name: cinder-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cinder-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cinder-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: cinder-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/designate-operator-rbac.yaml b/bindata/rbac/designate-operator-rbac.yaml
index 0151cc3ac2..0f671638f3 100644
--- a/bindata/rbac/designate-operator-rbac.yaml
+++ b/bindata/rbac/designate-operator-rbac.yaml
@@ -555,19 +555,6 @@ subjects:
 name: designate-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: designate-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: designate-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: designate-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/glance-operator-rbac.yaml b/bindata/rbac/glance-operator-rbac.yaml
index 67f6a1e57a..80199ca2b8 100644
--- a/bindata/rbac/glance-operator-rbac.yaml
+++ b/bindata/rbac/glance-operator-rbac.yaml
@@ -393,19 +393,6 @@ subjects:
 name: glance-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: glance-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: glance-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: glance-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/heat-operator-rbac.yaml b/bindata/rbac/heat-operator-rbac.yaml
index dabb74f067..dca715c230 100644
--- a/bindata/rbac/heat-operator-rbac.yaml
+++ b/bindata/rbac/heat-operator-rbac.yaml
@@ -403,19 +403,6 @@ subjects:
 name: heat-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: heat-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: heat-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: heat-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/horizon-operator-rbac.yaml b/bindata/rbac/horizon-operator-rbac.yaml
index fbb603dacf..799371206e 100644
--- a/bindata/rbac/horizon-operator-rbac.yaml
+++ b/bindata/rbac/horizon-operator-rbac.yaml
@@ -275,19 +275,6 @@ subjects:
 name: horizon-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: horizon-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: horizon-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: horizon-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/infra-operator-rbac.yaml b/bindata/rbac/infra-operator-rbac.yaml
index db00144ddb..60e59539d4 100644
--- a/bindata/rbac/infra-operator-rbac.yaml
+++ b/bindata/rbac/infra-operator-rbac.yaml
@@ -576,19 +576,6 @@ subjects:
 name: infra-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: infra-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: infra-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: infra-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/ironic-operator-rbac.yaml b/bindata/rbac/ironic-operator-rbac.yaml
index d58529bf83..131b1a0153 100644
--- a/bindata/rbac/ironic-operator-rbac.yaml
+++ b/bindata/rbac/ironic-operator-rbac.yaml
@@ -481,19 +481,6 @@ subjects:
 name: ironic-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ironic-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ironic-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: ironic-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/keystone-operator-rbac.yaml b/bindata/rbac/keystone-operator-rbac.yaml
index b8ac001509..c4c5be8b0f 100644
--- a/bindata/rbac/keystone-operator-rbac.yaml
+++ b/bindata/rbac/keystone-operator-rbac.yaml
@@ -385,19 +385,6 @@ subjects:
 name: keystone-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: keystone-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: keystone-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: keystone-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/manila-operator-rbac.yaml b/bindata/rbac/manila-operator-rbac.yaml
index 14a7aa8a80..d1c5b8f070 100644
--- a/bindata/rbac/manila-operator-rbac.yaml
+++ b/bindata/rbac/manila-operator-rbac.yaml
@@ -438,19 +438,6 @@ subjects:
 name: manila-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: manila-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: manila-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: manila-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/mariadb-operator-rbac.yaml b/bindata/rbac/mariadb-operator-rbac.yaml
index 61c3d14f04..75cdb48645 100644
--- a/bindata/rbac/mariadb-operator-rbac.yaml
+++ b/bindata/rbac/mariadb-operator-rbac.yaml
@@ -344,19 +344,6 @@ subjects:
 name: mariadb-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: mariadb-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: mariadb-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: mariadb-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/neutron-operator-rbac.yaml b/bindata/rbac/neutron-operator-rbac.yaml
index 78c4668fd5..c81e363b79 100644
--- a/bindata/rbac/neutron-operator-rbac.yaml
+++ b/bindata/rbac/neutron-operator-rbac.yaml
@@ -333,19 +333,6 @@ subjects:
 name: neutron-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: neutron-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: neutron-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: neutron-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/nova-operator-rbac.yaml b/bindata/rbac/nova-operator-rbac.yaml
index a4e625a9bb..0fe3a2f32b 100644
--- a/bindata/rbac/nova-operator-rbac.yaml
+++ b/bindata/rbac/nova-operator-rbac.yaml
@@ -554,19 +554,6 @@ subjects:
 name: nova-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: nova-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nova-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: nova-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/octavia-operator-rbac.yaml b/bindata/rbac/octavia-operator-rbac.yaml
index 6c2ca42139..96b30c443c 100644
--- a/bindata/rbac/octavia-operator-rbac.yaml
+++ b/bindata/rbac/octavia-operator-rbac.yaml
@@ -470,19 +470,6 @@ subjects:
 name: octavia-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: octavia-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: octavia-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: octavia-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/openstack-baremetal-operator-rbac.yaml b/bindata/rbac/openstack-baremetal-operator-rbac.yaml
index 4bb850a059..6734fb14bc 100644
--- a/bindata/rbac/openstack-baremetal-operator-rbac.yaml
+++ b/bindata/rbac/openstack-baremetal-operator-rbac.yaml
@@ -331,19 +331,6 @@ subjects:
 name: openstack-baremetal-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: openstack-baremetal-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: openstack-baremetal-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: openstack-baremetal-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/ovn-operator-rbac.yaml b/bindata/rbac/ovn-operator-rbac.yaml
index e823b58501..556725a605 100644
--- a/bindata/rbac/ovn-operator-rbac.yaml
+++ b/bindata/rbac/ovn-operator-rbac.yaml
@@ -365,19 +365,6 @@ subjects:
 name: ovn-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ovn-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ovn-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: ovn-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/placement-operator-rbac.yaml b/bindata/rbac/placement-operator-rbac.yaml
index ffa2eadfa9..d123bfd634 100644
--- a/bindata/rbac/placement-operator-rbac.yaml
+++ b/bindata/rbac/placement-operator-rbac.yaml
@@ -324,19 +324,6 @@ subjects:
 name: placement-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: placement-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: placement-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: placement-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml b/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml
index d52d2a60f7..0741b5a16f 100644
--- a/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml
+++ b/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml
@@ -200,19 +200,6 @@ subjects:
 name: rabbitmq-cluster-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rabbitmq-cluster-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: rabbitmq-cluster-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: rabbitmq-cluster-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/swift-operator-rbac.yaml b/bindata/rbac/swift-operator-rbac.yaml
index ee1fb209ee..1b1d8b76fb 100644
--- a/bindata/rbac/swift-operator-rbac.yaml
+++ b/bindata/rbac/swift-operator-rbac.yaml
@@ -447,19 +447,6 @@ subjects:
 name: swift-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: swift-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: swift-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: swift-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/telemetry-operator-rbac.yaml b/bindata/rbac/telemetry-operator-rbac.yaml
index f9a85ef325..747fe0978a 100644
--- a/bindata/rbac/telemetry-operator-rbac.yaml
+++ b/bindata/rbac/telemetry-operator-rbac.yaml
@@ -564,19 +564,6 @@ subjects:
 name: telemetry-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: telemetry-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: telemetry-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: telemetry-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/test-operator-rbac.yaml b/bindata/rbac/test-operator-rbac.yaml
index d0c543b5b5..92aa90155f 100644
--- a/bindata/rbac/test-operator-rbac.yaml
+++ b/bindata/rbac/test-operator-rbac.yaml
@@ -261,19 +261,6 @@ subjects:
 name: test-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: test-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: test-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: test-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/watcher-operator-rbac.yaml b/bindata/rbac/watcher-operator-rbac.yaml
index f3191f6bea..df3742f905 100644
--- a/bindata/rbac/watcher-operator-rbac.yaml
+++ b/bindata/rbac/watcher-operator-rbac.yaml
@@ -427,19 +427,6 @@ subjects:
 name: watcher-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: watcher-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: watcher-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: watcher-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/controllers/operator/openstack_controller.go b/controllers/operator/openstack_controller.go index 998b2c1d8e..ae62ca0e10 100644 --- a/controllers/operator/openstack_controller.go +++ b/controllers/operator/openstack_controller.go @@ -45,6 +45,7 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" + rbacv1 "k8s.io/api/rbac/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" uns "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -916,6 +917,33 @@ func (r *OpenStackReconciler) postCleanupObsoleteResources(ctx context.Context, } } + // Cleanup obsolete proxy ClusterRoleBindings for service operators + clusterRoleBindingList := &rbacv1.ClusterRoleBindingList{} + err = r.Client.List(ctx, clusterRoleBindingList) + if err != nil { + return err + } + for _, clusterRoleBinding := range clusterRoleBindingList.Items { + // Check if this is a proxy rolebinding for a service operator + if strings.HasSuffix(clusterRoleBinding.Name, "-operator-proxy-rolebinding") { + // Extract operator name by removing the suffix + operatorName := strings.TrimSuffix(clusterRoleBinding.Name, "-operator-proxy-rolebinding") + if isServiceOperatorResource(operatorName) { + Log.Info("Deleting obsolete proxy ClusterRoleBinding", "name", clusterRoleBinding.Name) + err = r.Client.Delete(ctx, &clusterRoleBinding) + if err != nil { + if apierrors.IsNotFound(err) { + Log.Info("ClusterRoleBinding not found on delete. Continuing...", "name", clusterRoleBinding.Name) + continue + } + return err + } + Log.Info("ClusterRoleBinding deleted successfully", "name", clusterRoleBinding.Name) + break + } + } + } + return nil } diff --git a/hack/sync-bindata.sh b/hack/sync-bindata.sh index b2de0372a2..422a6e1420 100755 --- a/hack/sync-bindata.sh +++ b/hack/sync-bindata.sh 
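Review bot: The `break` after the successful delete in the new ClusterRoleBinding loop ends the loop as soon as one binding is removed, so a cluster carrying many obsolete `*-operator-proxy-rolebinding` objects gets only one cleaned up per call, while the NotFound path just above it uses `continue`; dropping the `break` lets a single pass remove them all. The delete is also decided on the object name alone, taken from a cluster-wide list of ClusterRoleBindings. Since this controller is removing cluster-scoped RBAC objects, I would additionally require the binding to look like the one this operator shipped before deleting it, e.g. `if clusterRoleBinding.RoleRef.Name != operatorName+"-operator-proxy-role" { continue }`. What `isServiceOperatorResource` accepts is not visible in this hunk, so how tight the name check already is cannot be judged from here, and postCleanupObsoleteResources starts above the hunk.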
@@ -228,19 +228,6 @@ subjects:
 name: ${OPERATOR_NAME}-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ${OPERATOR_NAME}-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ${OPERATOR_NAME}-proxy-role
-subjects:
-- kind: ServiceAccount
- name: ${OPERATOR_NAME}-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata: