From be6f9f83ce854d223ae126e61b769726a8bab484 Mon Sep 17 00:00:00 2001
From: Margo Crawford
Date: Wed, 7 Jul 2021 11:15:52 -0700
Subject: [PATCH] RBAC rules for activedirectoryidentityprovider
---
 deploy/supervisor/rbac.yaml | 8 ++++++++
 .../active_directory_upstream_watcher.go | 2 +-
 test/integration/kube_api_discovery_test.go | 14 ++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/deploy/supervisor/rbac.yaml b/deploy/supervisor/rbac.yaml
index 60447f7c..65530dc4 100644
--- a/deploy/supervisor/rbac.yaml
+++ b/deploy/supervisor/rbac.yaml
@@ -40,6 +40,14 @@ rules:
 - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
 resources: [ldapidentityproviders/status]
 verbs: [get, patch, update]
+ - apiGroups:
+ - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+ resources: [activedirectoryidentityproviders]
+ verbs: [get, list, watch]
+ - apiGroups:
+ - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+ resources: [activedirectoryidentityproviders/status]
+ verbs: [get, patch, update]
 #! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set
 #! as an owner reference.
 - apiGroups: [""]
diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
index 5936c6bd..39e5a0b3 100644
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
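Review bot: The two added rules carry no `#!` comment explaining why the grant is split, unlike the pods/replicasets rule directly below them. The split looks deliberate and mirrors the `ldapidentityproviders/status` rule above it: `get, list, watch` on `activedirectoryidentityproviders`, and `get, patch, update` only on the `/status` subresource, so the supervisor cannot create, change or delete a provider's spec. I would record that above the first new rule, e.g. `#! Read-only on the spec; status is the only part the supervisor should write.`, so a later edit does not widen the first rule with write verbs. The `rules:` list starts and continues outside the hunk, so whether this is a Role or a ClusterRole, and how access to the bind Secret is granted, cannot be checked from here.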
@@ -1,7 +1,7 @@
 // Copyright 2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-// Package activedirectoryupstreamwatcher implements a controller which watches LDAPIdentityProviders.
+// Package activedirectoryupstreamwatcher implements a controller which watches ActiveDirectoryIdentityProviders.
 package activedirectoryupstreamwatcher
 import (
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index 9632ee70..2e73cd78 100644
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -184,6 +184,20 @@ func TestGetAPIResourceList(t *testing.T) {
 Kind: "LDAPIdentityProvider",
 Verbs: []string{"get", "patch", "update"},
 },
+ {
+ Name: "activedirectoryidentityproviders",
+ SingularName: "activedirectoryidentityprovider",
+ Namespaced: true,
+ Kind: "ActiveDirectoryIdentityProvider",
+ Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
+ Categories: []string{"pinniped", "pinniped-idp", "pinniped-idps"},
+ },
+ {
+ Name: "activedirectoryidentityproviders/status",
+ Namespaced: true,
+ Kind: "ActiveDirectoryIdentityProvider",
+ Verbs: []string{"get", "patch", "update"},
+ },
 },
 },
 },
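Review bot: Nothing in the added expectations says that these verbs are what API discovery advertises for the resource rather than what the supervisor may use, and the full list on `activedirectoryidentityproviders` (`create`, `delete`, `deletecollection`, ...) is much wider than the `get, list, watch` granted in deploy/supervisor/rbac.yaml by this same commit. A short comment above the first new entry would prevent that misreading, e.g. `// Verbs are what discovery reports for the resource; the supervisor's own access is narrower, see deploy/supervisor/rbac.yaml.` The `/status` entry also repeats the `[]string{"get", "patch", "update"}` literal of the LDAPIdentityProvider status entry above it; if the entries outside the hunk do the same, a shared variable would keep them in step. TestGetAPIResourceList starts and ends outside the hunk.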