From 69407f2eb5a2ab25064a8eca37a1d7c4e607d8ed Mon Sep 17 00:00:00 2001 From: Matous Jobanek Date: Fri, 13 Sep 2024 15:32:46 +0200 Subject: [PATCH] drop crtadmin-specific Roles (#78) --- README.adoc | 14 ++++---- resources/roles/member.yaml | 36 ------------------- .../kubesaw-admins.yaml | 5 ++- 3 files changed, 10 insertions(+), 45 deletions(-) diff --git a/README.adoc b/README.adoc index 72b265f..acfe1a2 100644 --- a/README.adoc +++ b/README.adoc @@ -246,24 +246,26 @@ To add a -crtadmin user for a particular component in member cluster, update the For an admin of the component that needs to manually approve operator updates: ```yaml users: -- name: -crtadmin +- name: -maintainer id: - member: roleBindings: - namespace: roles: - - approve-operator-update + - view-secrets clusterRoles: - - admin + - + - some-extra-permissions clusterRoleBindings: clusterRoles: - - list-operators-group + - some-extra-cluster-scope-permissions ``` +NOTE: The creation of the ClusterRoles is not managed via ksctl, you need to make sure that they are created in the cluster. For a maintainer of the component with limited permissions: ```yaml -- name: -crtadmin +- name: -maintainer id: - member: @@ -275,7 +277,7 @@ For a maintainer of the component with limited permissions: If you need any permissions also in a namespace in host cluster (to be used mainly by KubeSaw maintainers), then include the host section in the user's definition as well: ```yaml -- name: -crtadmin +- name: -maintainer id: - host: diff --git a/resources/roles/member.yaml b/resources/roles/member.yaml index 7c3558e..5532c84 100644 --- a/resources/roles/member.yaml +++ b/resources/roles/member.yaml 
@@ -4,25 +4,6 @@ metadata:
 name: member-roles
 objects:
-- kind: Role
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- name: approve-operator-update
- labels:
- provider: ksctl
- rules:
- - apiGroups:
- - operators.coreos.com
- resources:
- - "installplans"
- verbs:
- - "get"
- - "list"
- - "create"
- - "patch"
- - "update"
- - "delete"
-
 - kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -73,20 +54,3 @@ objects:
 - "create"
 - "update"
 - "patch"
-
-- kind: Role
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- name: edit-csv
- labels:
- provider: ksctl
- rules:
- - apiGroups:
- - operators.coreos.com
- resources:
- - "clusterserviceversions"
- verbs:
- - "get"
- - "list"
- - "patch"
- - "update"
diff --git a/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml b/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml
index d29a72a..3f30078 100644
--- a/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml
+++ b/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml
@@ -143,13 +143,12 @@ users:
 member:
 roleBindings:
 - namespace: some-component
- roles:
- - approve-operator-update
 clusterRoles:
 - edit
+ - approve-operator-update # needs to be created separately
 clusterRoleBindings:
 clusterRoles:
- - list-operators-group
+ - list-operators-group # needs to be created separately
 - name: other-component-viewer
 id: