stackabletech · adwk67 · Apr 4, 2023 · Apr 4, 2023 · Apr 4, 2023 · Apr 4, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
-- Cluster status conditions ([#428])
+- Cluster status conditions ([#428]).
 - Extend cluster resources for status and cluster operation (paused, stopped) ([430]).
 
 ### Changed
@@ -16,15 +16,18 @@ All notable changes to this project will be documented in this file.
   This change is breaking, because - for security reasons - we default to the `cluster-internal` `ListenerClass`.
   If you need your cluster to be accessible from outside of Kubernetes you need to set `clusterConfig.listenerClass`
   to `external-unstable` or `external-stable` ([#432]).
-- `operator-rs` `0.27.1` -> `0.39.0` ([#411], [#420], [#430]).
+- `operator-rs` `0.27.1` -> `0.40.0` ([#411], [#420], [#430], [#431]).
 - Fragmented `OpaConfig` ([#411]).
 - Bumped stackable image versions to `23.4.0-rc2` ([#420]).
 - Enabled logging ([#420]).
+- Openshift compatibility: extended roles ([#431]).
+- Use operator-rs `build_rbac_resources` method ([#431]).
 
 [#411]: https://github.com/stackabletech/opa-operator/pull/411
 [#420]: https://github.com/stackabletech/opa-operator/pull/420
 [#428]: https://github.com/stackabletech/opa-operator/pull/428
 [#430]: https://github.com/stackabletech/opa-operator/pull/430
+[#431]: https://github.com/stackabletech/opa-operator/pull/431
 [#432]: https://github.com/stackabletech/opa-operator/pull/432
 
 ## [23.1.0] - 2023-01-23

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/deploy/helm/opa-operator/templates/roles-opa-builder.yaml b/deploy/helm/opa-operator/templates/roles-opa-builder.yaml
@@ -11,3 +11,13 @@ rules:
       - get
       - watch
       - list
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - opa-scc
+    verbs:
+      - use
+{{ end }}
diff --git a/deploy/helm/opa-operator/templates/roles.yaml b/deploy/helm/opa-operator/templates/roles.yaml
@@ -90,3 +90,88 @@ rules:
       - {{ include "operator.name" . }}clusters/status
     verbs:
       - patch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+    verbs:
+      - bind
+    resourceNames:
+      - {{ include "operator.name" . }}-clusterrole
+
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: opa-scc
+  annotations:
+    kubernetes.io/description: |-
+      This resource is derived from hostmount-anyuid. It provides all the features of the
+      restricted SCC but allows host mounts and any UID by a pod.  This is primarily
+      used by the persistent volume recycler. WARNING: this SCC allows host file
+      system access as any UID, including UID 0.  Grant with caution.
+    release.openshift.io/create-only: "true"
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - hostPath
+  - nfs
+  - persistentVolumeClaim
+  - projected
+  - secret
+  - ephemeral
+{{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "operator.name" . }}-clusterrole
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - secrets
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - events.k8s.io
+    resources:
+      - events
+    verbs:
+      - create
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - opa-scc
+    verbs:
+      - use
+{{ end }}
diff --git a/rust/crd/Cargo.toml b/rust/crd/Cargo.toml
@@ -9,7 +9,7 @@ version = "0.0.0-dev"
 publish = false
 
 [dependencies]
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.39.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.40.0" }
 
 semver = "1.0"
 serde = { version = "1.0", features = ["derive"] }

diff --git a/rust/operator-binary/Cargo.toml b/rust/operator-binary/Cargo.toml
@@ -10,7 +10,7 @@ version = "0.0.0-dev"
 publish = false
 
 [dependencies]
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.39.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.40.0" }
 stackable-opa-crd = { path = "../crd" }
 
 clap = "4.1"
@@ -27,5 +27,5 @@ pin-project = "1.0"
 
 [build-dependencies]
 built = { version =  "0.5", features = ["chrono", "git2"] }
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.39.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.40.0" }
 stackable-opa-crd = { path = "../crd" }