From ba82e644d28f6273c8894496172d4bf470168153 Mon Sep 17 00:00:00 2001 From: maskarb Date: Tue, 21 May 2024 13:16:31 -0400 Subject: [PATCH 1/3] [COST-2590] update roles --- config/rbac/role.yaml | 25 ++++++++++++++----- .../kokumetricsconfig_controller.go | 3 ++- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 054221a18..0649a28c9 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -28,12 +28,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - apiGroups: - monitoring.coreos.com resources: @@ -78,6 +72,12 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get - apiGroups: - koku-metrics-cfg.openshift.io resources: @@ -108,3 +108,16 @@ rules: - patch - update - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: manager-role + namespace: openshift-config +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get diff --git a/internal/controller/kokumetricsconfig_controller.go b/internal/controller/kokumetricsconfig_controller.go index 3ba9f02a3..d1016e4f0 100644 --- a/internal/controller/kokumetricsconfig_controller.go +++ b/internal/controller/kokumetricsconfig_controller.go 
@@ -726,7 +726,8 @@ func (r *MetricsConfigReconciler) setAuthAndUpload(ctx context.Context, cr *metr // +kubebuilder:rbac:groups=operators.coreos.com,namespace=koku-metrics-operator,resources=clusterserviceversions,verbs=get;list;watch;update;patch // +kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions,verbs=get;list;watch // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch -// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get +// +kubebuilder:rbac:groups=core,resources=secrets,namespace=openshift-config,verbs=get +// +kubebuilder:rbac:groups=core,resources=secrets,namespace=koku-metrics-operator,verbs=get // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch // +kubebuilder:rbac:groups=core,namespace=koku-metrics-operator,resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets;serviceaccounts,verbs=create;delete;get;list;patch;update;watch // +kubebuilder:rbac:groups=apps,namespace=koku-metrics-operator,resources=deployments,verbs=get;list;patch;watch From 6696de9a8892a7574e327b6b8efc972a2f3f3464 Mon Sep 17 00:00:00 2001 From: maskarb Date: Tue, 21 May 2024 13:18:14 -0400 Subject: [PATCH 2/3] remove reduntant rbac rule --- config/rbac/role.yaml | 6 ------ internal/controller/kokumetricsconfig_controller.go | 1 - 2 files changed, 7 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 0649a28c9..43601f958 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -72,12 +72,6 @@ rules: - patch - update - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - apiGroups: - koku-metrics-cfg.openshift.io resources: diff --git a/internal/controller/kokumetricsconfig_controller.go b/internal/controller/kokumetricsconfig_controller.go index d1016e4f0..938a3b0e1 100644 --- a/internal/controller/kokumetricsconfig_controller.go +++ b/internal/controller/kokumetricsconfig_controller.go 
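Review bot: The added `namespace=openshift-config` marker on the secrets rule makes controller-gen emit a namespaced Role in openshift-config (the role.yaml hunk in this patch shows it), but nothing in the series adds a RoleBinding in that namespace for the operator's ServiceAccount, so the `get` on secrets there is not actually granted until one exists. If the operator is delivered through OLM this deserves a second look, since CSV `permissions` create Roles only in the operator's own namespace and `clusterPermissions` produce a ClusterRole, so a Role in a foreign namespace cannot be expressed through the CSV alone — confirm how the generated manifests reach the cluster. The hunk contains only marker comments; the function named in its header, setAuthAndUpload, begins outside the hunk.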
@@ -727,7 +727,6 @@ func (r *MetricsConfigReconciler) setAuthAndUpload(ctx context.Context, cr *metr // +kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions,verbs=get;list;watch // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch // +kubebuilder:rbac:groups=core,resources=secrets,namespace=openshift-config,verbs=get -// +kubebuilder:rbac:groups=core,resources=secrets,namespace=koku-metrics-operator,verbs=get // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch // +kubebuilder:rbac:groups=core,namespace=koku-metrics-operator,resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets;serviceaccounts,verbs=create;delete;get;list;patch;update;watch // +kubebuilder:rbac:groups=apps,namespace=koku-metrics-operator,resources=deployments,verbs=get;list;patch;watch From 21674a476724fa61cb83d0eba3a4d78d5e3bb090 Mon Sep 17 00:00:00 2001 From: maskarb Date: Tue, 21 May 2024 14:29:47 -0400 Subject: [PATCH 3/3] get more specific --- config/rbac/role.yaml | 27 +++++++++++++------ .../kokumetricsconfig_controller.go | 4 +-- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 43601f958..c10cac8f0 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -12,14 +12,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - apiGroups: - "" resources: @@ -111,7 +103,26 @@ metadata: rules: - apiGroups: - "" + resourceNames: + - pull-secret resources: - secrets verbs: - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: manager-role + namespace: openshift-monitoring +rules: +- apiGroups: + - "" + resourceNames: + - cluster-monitoring-config + resources: + - configmaps + verbs: + - get + - list + - watch 
diff --git a/internal/controller/kokumetricsconfig_controller.go b/internal/controller/kokumetricsconfig_controller.go
index 938a3b0e1..c10098c58 100644
--- a/internal/controller/kokumetricsconfig_controller.go
+++ b/internal/controller/kokumetricsconfig_controller.go
@@ -726,8 +726,8 @@ func (r *MetricsConfigReconciler) setAuthAndUpload(ctx context.Context, cr *metr
 // +kubebuilder:rbac:groups=operators.coreos.com,namespace=koku-metrics-operator,resources=clusterserviceversions,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch
-// +kubebuilder:rbac:groups=core,resources=secrets,namespace=openshift-config,verbs=get
-// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=secrets,resourceNames=pull-secret,namespace=openshift-config,verbs=get
+// +kubebuilder:rbac:groups=core,resources=configmaps,resourceNames=cluster-monitoring-config,namespace=openshift-monitoring,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,namespace=koku-metrics-operator,resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets;serviceaccounts,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups=apps,namespace=koku-metrics-operator,resources=deployments,verbs=get;list;patch;watch
 // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=prometheuses/api,verbs=get;create;update
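Review bot: `resourceNames=cluster-monitoring-config` combined with `verbs=get;list;watch` on the new configmaps marker only authorizes list and watch requests that carry a `metadata.name=cluster-monitoring-config` field selector; a namespace-wide list or watch, which is what a controller-runtime cached client issues on the first `Get` of a ConfigMap unless the manager cache is configured with a field selector for that type, is rejected as forbidden. If the reconciler only needs a one-off read, the rule can shrink to `verbs=get` and the fetch should go through an uncached reader (the manager's APIReader); otherwise configure the cache for ConfigMaps in openshift-monitoring with a `metadata.name` selector. The same constraint applies to the `pull-secret` rule, which with `verbs=get` alone works only if that read bypasses the cache as well. The fetch code is not visible from this hunk, which holds only marker comments, so confirm against the reconciler.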