reorgnise controller permissions

Signed-off-by: Guilherme Cassolato <guicassolato@gmail.com>

api/v1/authpolicy_types.go

@@ -70,11 +70,6 @@ func (p *AuthPolicy) GetLocator() string {
 	return machinery.LocatorFromObject(p)
 }
 
-// TODO: remove
-func (p *AuthPolicy) IsAtomicOverride() bool {
-	return p.Spec.Overrides != nil && p.Spec.Overrides.Strategy == AtomicMergeStrategy
-}
-
 // DEPRECATED: Use GetTargetRefs instead
 func (p *AuthPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference {
 	return p.Spec.TargetRef.LocalPolicyTargetReference

api/v1/ratelimitpolicy_types.go

@@ -28,12 +28,6 @@ import (
 	"github.com/kuadrant/kuadrant-operator/pkg/utils"
 )
 
-const (
-	// TODO: remove after fixing the integration tests that still depend on these
-	RateLimitPolicyBackReferenceAnnotationName   = "kuadrant.io/ratelimitpolicies"
-	RateLimitPolicyDirectReferenceAnnotationName = "kuadrant.io/ratelimitpolicy"
-)
-
 var (
 	RateLimitPolicyGroupKind  = schema.GroupKind{Group: GroupVersion.Group, Kind: "RateLimitPolicy"}
 	RateLimitPoliciesResource = GroupVersion.WithResource("ratelimitpolicies")

bundle/manifests/kuadrant-operator.clusterserviceversion.yaml

@@ -286,14 +286,9 @@ spec:
           resources:
           - gatewayclasses
           verbs:
+          - get
           - list
           - watch
-        - apiGroups:
-          - gateway.networking.k8s.io
-          resources:
-          - gateways/finalizers
-          verbs:
-          - update
         - apiGroups:
           - gateway.networking.k8s.io
           resources:
@@ -415,17 +410,6 @@ spec:
           - patch
           - update
           - watch
-        - apiGroups:
-          - operator.istio.io
-          resources:
-          - istios
-          verbs:
-          - create
-          - get
-          - list
-          - patch
-          - update
-          - watch
         serviceAccountName: kuadrant-operator-controller-manager
       deployments:
       - label:

charts/kuadrant-operator/templates/manifests.yaml

@@ -8637,14 +8637,9 @@ rules:
   resources:
   - gatewayclasses
   verbs:
+  - get
   - list
   - watch
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
-  - gateways/finalizers
-  verbs:
-  - update
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
@@ -8766,17 +8761,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - operator.istio.io
-  resources:
-  - istios
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

config/rbac/role.yaml

@@ -134,14 +134,9 @@ rules:
   resources:
   - gatewayclasses
   verbs:
+  - get
   - list
   - watch
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
-  - gateways/finalizers
-  verbs:
-  - update
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
@@ -161,23 +156,11 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - install.istio.io
-  resources:
-  - istiooperators
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - kuadrant.io
   resources:
   - authpolicies
   - dnsrecords
-  - kuadrants
   - ratelimitpolicies
   verbs:
   - create
@@ -192,7 +175,6 @@ rules:
   resources:
   - authpolicies/finalizers
   - dnspolicies/finalizers
-  - kuadrants/finalizers
   - ratelimitpolicies/finalizers
   - tlspolicies/finalizers
   verbs:
@@ -228,21 +210,19 @@ rules:
   verbs:
   - get
 - apiGroups:
-  - limitador.kuadrant.io
+  - kuadrant.io
   resources:
-  - limitadors
+  - kuadrants
   verbs:
-  - create
-  - delete
   - get
   - list
   - patch
   - update
   - watch
 - apiGroups:
-  - networking.istio.io
+  - limitador.kuadrant.io
   resources:
-  - envoyfilters
+  - limitadors
   verbs:
   - create
   - delete
@@ -252,9 +232,9 @@ rules:
   - update
   - watch
 - apiGroups:
-  - operator.authorino.kuadrant.io
+  - networking.istio.io
   resources:
-  - authorinos
+  - envoyfilters
   verbs:
   - create
   - delete
@@ -264,11 +244,12 @@ rules:
   - update
   - watch
 - apiGroups:
-  - operator.istio.io
+  - operator.authorino.kuadrant.io
   resources:
-  - istios
+  - authorinos
   verbs:
   - create
+  - delete
   - get
   - list
   - patch

controllers/auth_policy_status_updater.go

@@ -23,7 +23,6 @@ import (
 
 	kuadrantv1 "github.com/kuadrant/kuadrant-operator/api/v1"
 	kuadrantv1beta1 "github.com/kuadrant/kuadrant-operator/api/v1beta1"
-	"github.com/kuadrant/kuadrant-operator/pkg/authorino"
 	kuadrantauthorino "github.com/kuadrant/kuadrant-operator/pkg/authorino"
 	kuadrantenvoygateway "github.com/kuadrant/kuadrant-operator/pkg/envoygateway"
 	kuadrantgatewayapi "github.com/kuadrant/kuadrant-operator/pkg/gatewayapi"
@@ -46,7 +45,7 @@ func (r *AuthPolicyStatusUpdater) Subscription() controller.Subscription {
 			{Kind: &machinery.GatewayGroupKind},
 			{Kind: &machinery.HTTPRouteGroupKind},
 			{Kind: &kuadrantv1.AuthPolicyGroupKind},
-			{Kind: &authorino.AuthConfigGroupKind},
+			{Kind: &kuadrantauthorino.AuthConfigGroupKind},
 			{Kind: &kuadrantistio.EnvoyFilterGroupKind},
 			{Kind: &kuadrantistio.WasmPluginGroupKind},
 			{Kind: &kuadrantenvoygateway.EnvoyPatchPolicyGroupKind},

controllers/auth_workflow_helpers.go

@@ -34,11 +34,6 @@ var (
 	ErrMissingStateEffectiveAuthPolicies = fmt.Errorf("missing auth effective policies stored in the reconciliation state")
 )
 
-//+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies/finalizers,verbs=update
-//+kubebuilder:rbac:groups=authorino.kuadrant.io,resources=authconfigs,verbs=get;list;watch;create;update;patch;delete
-
 func GetAuthorinoFromTopology(topology *machinery.Topology) (*authorinooperatorv1beta1.Authorino, error) {
 	kuadrant, err := GetKuadrantFromTopology(topology)
 	if err != nil {

controllers/authconfigs_reconciler.go

@@ -23,6 +23,8 @@ import (
 	"github.com/kuadrant/kuadrant-operator/pkg/utils"
 )
 
+//+kubebuilder:rbac:groups=authorino.kuadrant.io,resources=authconfigs,verbs=get;list;watch;create;update;patch;delete
+
 type AuthConfigsReconciler struct {
 	client *dynamic.DynamicClient
 }

controllers/authorino_reconciler.go

@@ -21,6 +21,8 @@ type AuthorinoReconciler struct {
 	Client *dynamic.DynamicClient
 }
 
+//+kubebuilder:rbac:groups=operator.authorino.kuadrant.io,resources=authorinos,verbs=get;list;watch;create;update;delete;patch
+
 func NewAuthorinoReconciler(client *dynamic.DynamicClient) *AuthorinoReconciler {
 	return &AuthorinoReconciler{Client: client}
 }

controllers/data_plane_policies_workflow.go

@@ -46,6 +46,14 @@ var (
 	}
 )
 
+//+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies/finalizers,verbs=update
+
+//+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/finalizers,verbs=update
+
 func NewDataPlanePoliciesWorkflow(client *dynamic.DynamicClient, isIstioInstalled, isEnvoyGatewayInstalled bool) *controller.Workflow {
 	dataPlanePoliciesValidation := &controller.Workflow{
 		Tasks: []controller.ReconcileFunc{

controllers/envoy_gateway_auth_cluster_reconciler.go

@@ -25,6 +25,8 @@ import (
 	kuadrantpolicymachinery "github.com/kuadrant/kuadrant-operator/pkg/policymachinery"
 )
 
+//+kubebuilder:rbac:groups=gateway.envoyproxy.io,resources=envoypatchpolicies,verbs=get;list;watch;create;update;patch;delete
+
 // EnvoyGatewayAuthClusterReconciler reconciles Envoy Gateway EnvoyPatchPolicy custom resources for auth
 type EnvoyGatewayAuthClusterReconciler struct {
 	client *dynamic.DynamicClient

controllers/envoy_gateway_extension_reconciler.go

@@ -26,6 +26,8 @@ import (
 	"github.com/kuadrant/kuadrant-operator/pkg/wasm"
 )
 
+//+kubebuilder:rbac:groups=gateway.envoyproxy.io,resources=envoyextensionpolicies,verbs=get;list;watch;create;update;patch;delete
+
 // EnvoyGatewayExtensionReconciler reconciles Envoy Gateway EnvoyExtensionPolicy custom resources
 type EnvoyGatewayExtensionReconciler struct {
 	client *dynamic.DynamicClient

controllers/envoy_gateway_ratelimit_cluster_reconciler.go

@@ -25,6 +25,8 @@ import (
 	kuadrantpolicymachinery "github.com/kuadrant/kuadrant-operator/pkg/policymachinery"
 )
 
+//+kubebuilder:rbac:groups=gateway.envoyproxy.io,resources=envoypatchpolicies,verbs=get;list;watch;create;update;patch;delete
+
 // EnvoyGatewayRateLimitClusterReconciler reconciles Envoy Gateway EnvoyPatchPolicy custom resources for rate limiting
 type EnvoyGatewayRateLimitClusterReconciler struct {
 	client *dynamic.DynamicClient

controllers/istio_auth_cluster_reconciler.go

@@ -25,6 +25,8 @@ import (
 	kuadrantpolicymachinery "github.com/kuadrant/kuadrant-operator/pkg/policymachinery"
 )
 
+//+kubebuilder:rbac:groups=networking.istio.io,resources=envoyfilters,verbs=get;list;watch;create;update;patch;delete
+
 // IstioAuthClusterReconciler reconciles Istio EnvoyFilter custom resources for auth
 type IstioAuthClusterReconciler struct {
 	client *dynamic.DynamicClient

controllers/istio_extension_reconciler.go

@@ -27,6 +27,8 @@ import (
 	"github.com/kuadrant/kuadrant-operator/pkg/wasm"
 )
 
+//+kubebuilder:rbac:groups=extensions.istio.io,resources=wasmplugins,verbs=get;list;watch;create;update;patch;delete
+
 // IstioExtensionReconciler reconciles Istio WasmPlugin custom resources
 type IstioExtensionReconciler struct {
 	client *dynamic.DynamicClient

controllers/istio_ratelimit_cluster_reconciler.go

@@ -25,6 +25,8 @@ import (
 	kuadrantpolicymachinery "github.com/kuadrant/kuadrant-operator/pkg/policymachinery"
 )
 
+//+kubebuilder:rbac:groups=networking.istio.io,resources=envoyfilters,verbs=get;list;watch;create;update;patch;delete
+
 // IstioRateLimitClusterReconciler reconciles Istio EnvoyFilter custom resources for rate limiting
 type IstioRateLimitClusterReconciler struct {
 	client *dynamic.DynamicClient

controllers/limitador_reconciler.go

@@ -22,6 +22,8 @@ type LimitadorReconciler struct {
 	Client *dynamic.DynamicClient
 }
 
+//+kubebuilder:rbac:groups=limitador.kuadrant.io,resources=limitadors,verbs=get;list;watch;create;update;patch;delete
+
 func NewLimitadorReconciler(client *dynamic.DynamicClient) *LimitadorReconciler {
 	return &LimitadorReconciler{Client: client}
 }

controllers/ratelimit_workflow_helpers.go

@@ -39,11 +39,6 @@ var (
 	ErrMissingStateEffectiveRateLimitPolicies = fmt.Errorf("missing rate limit effective policies stored in the reconciliation state")
 )
 
-//+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies/finalizers,verbs=update
-//+kubebuilder:rbac:groups=limitador.kuadrant.io,resources=limitadors,verbs=get;list;watch;create;update;patch;delete
-
 func GetLimitadorFromTopology(topology *machinery.Topology) (*limitadorv1alpha1.Limitador, error) {
 	kuadrant, err := GetKuadrantFromTopology(topology)
 	if err != nil {

controllers/state_of_the_world.go

@@ -49,26 +49,14 @@ var (
 )
 
 // gateway-api permissions
-//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses,verbs=list;watch
+//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses,verbs=get;list;watch
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/finalizers,verbs=update
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes/status,verbs=get;update;patch
 
-// istio permissions
-//+kubebuilder:rbac:groups=networking.istio.io,resources=envoyfilters,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=extensions.istio.io,resources=wasmplugins,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=install.istio.io,resources=istiooperators,verbs=get;list;watch;create;update;patch
-//+kubebuilder:rbac:groups=operator.istio.io,resources=istios,verbs=get;list;watch;create;update;patch
-
-// envoy gateway permissions
-//+kubebuilder:rbac:groups=gateway.envoyproxy.io,resources=envoypatchpolicies,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=gateway.envoyproxy.io,resources=envoyextensionpolicies,verbs=get;list;watch;create;update;patch;delete
-
 // kuadrant permissions
-//+kubebuilder:rbac:groups=kuadrant.io,resources=kuadrants,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=kuadrant.io,resources=kuadrants,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=kuadrant.io,resources=kuadrants/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=kuadrant.io,resources=kuadrants/finalizers,verbs=update
 
 // core, apps, coordination.k8s,io permissions
 //+kubebuilder:rbac:groups=core,resources=serviceaccounts;configmaps;services,verbs=get;list;watch;create;update;patch;delete
@@ -77,9 +65,6 @@ var (
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 //+kubebuilder:rbac:groups="",resources=leases,verbs=get;list;watch;create;update;patch;delete
 
-// authorino permissions
-//+kubebuilder:rbac:groups=operator.authorino.kuadrant.io,resources=authorinos,verbs=get;list;watch;create;update;delete;patch
-
 func NewPolicyMachineryController(manager ctrlruntime.Manager, client *dynamic.DynamicClient, logger logr.Logger) *controller.Controller {
 	// Base options
 	controllerOpts := []controller.ControllerOption{