Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / 7943cf88a8e967d7c6cafdfd42a58b9fcb7b2bf7^! / .
commit7943cf88a8e967d7c6cafdfd42a58b9fcb7b2bf7[log] [tgz]
authorMohammed Naser <mnaser@vexxhost.com>Thu Feb 23 04:31:30 2023 +0000
committerMohammed Naser <mnaser@vexxhost.com>Thu Feb 23 04:37:17 2023 +0000
treea694730f600e8734cd6d1d4a1c54122eb8ecc39f
parentaffae522aba2c84f4837b5ed00113a5073f8f2b2 [diff]
fix: add rbac for magnum

diff --git a/roles/magnum/tasks/main.yml b/roles/magnum/tasks/main.yml
index 4f23a50..93fbf7b 100644
--- a/roles/magnum/tasks/main.yml
+++ b/roles/magnum/tasks/main.yml

@@ -67,6 +67,72 @@
     CLUSTER_TOPOLOGY: "true"
     EXP_CLUSTER_RESOURCE_SET: "true"
 
+- name: Deploy Cluster API for Magnum RBAC
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      - apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: magnum-system
+
+      - apiVersion: rbac.authorization.k8s.io/v1
+        kind: Role
+        metadata:
+          name: magnum-cluster-api
+          namespace: magnum-system
+        rules:
+          - apiGroups: [""]
+            resources: [namespaces]
+            verbs: [patch]
+          - apiGroups: [""]
+            resources: [configmaps, secrets]
+            verbs: [create, update, patch, get, delete]
+          - apiGroups: [cluster.x-k8s.io]
+            resources: [clusters]
+            verbs: [create, update, patch, get, delete]
+          - apiGroups: [cluster.x-k8s.io]
+            resources: [clusterclasses]
+            verbs: [create, update, patch]
+          - apiGroups: [cluster.x-k8s.io]
+            resources: [machinedeployments]
+            verbs: [list, patch]
+          - apiGroups: [bootstrap.cluster.x-k8s.io]
+            resources: [kubeadmconfigtemplates]
+            verbs: [create, update, patch]
+          - apiGroups: [controlplane.cluster.x-k8s.io]
+            resources: [kubeadmcontrolplanes]
+            verbs: [list]
+          - apiGroups: [controlplane.cluster.x-k8s.io]
+            resources: [kubeadmcontrolplanetemplates]
+            verbs: [create, update, patch]
+          - apiGroups: [infrastructure.cluster.x-k8s.io]
+            resources: [openstackclustertemplates, openstackmachinetemplates]
+            verbs: [create, update, patch]
+          - apiGroups: [addons.cluster.x-k8s.io]
+            resources: [clusterresourcesets]
+            verbs: [create, update, patch, delete]
+          - apiGroups: [source.toolkit.fluxcd.io]
+            resources: [helmrepositories]
+            verbs: [create, update, patch, delete]
+          - apiGroups: [helm.toolkit.fluxcd.io]
+            resources: [helmreleases]
+            verbs: [create, update, patch, delete]
+
+      - apiVersion: rbac.authorization.k8s.io/v1
+        kind: RoleBinding
+        metadata:
+          name: magnum-cluster-api
+          namespace: magnum-system
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: Role
+          name: magnum-cluster-api
+        subjects:
+          - kind: ServiceAccount
+            name: magnum-conductor
+            namespace: "{{ magnum_helm_release_namespace }}"
+
 - name: Deploy Helm chart
   run_once: true
   kubernetes.core.helm: