RBAC rules for activedirectoryidentityprovider

2021-07-07 11:15:52 -07:00 · 2021-07-07 11:15:52 -07:00 · be6f9f83ce
commit be6f9f83ce
parent 3b8edb84a5
3 changed files with 23 additions and 1 deletions
--- a/deploy/supervisor/rbac.yaml
+++ b/deploy/supervisor/rbac.yaml
@ -40,6 +40,14 @@ rules:
      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
    resources: [ldapidentityproviders/status]
    verbs: [get, patch, update]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+    resources: [activedirectoryidentityproviders]
+    verbs: [get, list, watch]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+    resources: [activedirectoryidentityproviders/status]
+    verbs: [get, patch, update]
    #! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set
    #! as an owner reference.
  - apiGroups: [""]
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@ -1,7 +1,7 @@
 // Copyright 2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

-// Package activedirectoryupstreamwatcher implements a controller which watches LDAPIdentityProviders.
+// Package activedirectoryupstreamwatcher implements a controller which watches ActiveDirectoryIdentityProviders.
 package activedirectoryupstreamwatcher

 import (
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@ -184,6 +184,20 @@ func TestGetAPIResourceList(t *testing.T) {
 						Kind:       "LDAPIdentityProvider",
 						Verbs:      []string{"get", "patch", "update"},
 					},
+					{
+						Name:         "activedirectoryidentityproviders",
+						SingularName: "activedirectoryidentityprovider",
+						Namespaced:   true,
+						Kind:         "ActiveDirectoryIdentityProvider",
+						Verbs:        []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
+						Categories:   []string{"pinniped", "pinniped-idp", "pinniped-idps"},
+					},
+					{
+						Name:       "activedirectoryidentityproviders/status",
+						Namespaced: true,
+						Kind:       "ActiveDirectoryIdentityProvider",
+						Verbs:      []string{"get", "patch", "update"},
+					},
 				},
 			},
 		},