From 33c98f7467e7353f940a0cfded7851692109e90a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Wed, 16 Oct 2024 12:20:52 +0200
Subject: [PATCH] Allow appowners to create pods in MirrorManager
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ref: https://discussion.fedoraproject.org/t/openshift-permissions-for-appowners/133816

Signed-off-by: Aurélien Bompard
---
 playbooks/openshift-apps/mirrormanager.yml | 1 +
 roles/openshift/project/defaults/main.yml | 1 +
 .../project/templates/role-appowners.yml | 20 ++++++++++++++++---
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/playbooks/openshift-apps/mirrormanager.yml b/playbooks/openshift-apps/mirrormanager.yml
index 3705911220..75464859ce 100644
--- a/playbooks/openshift-apps/mirrormanager.yml
+++ b/playbooks/openshift-apps/mirrormanager.yml
@@ -52,6 +52,7 @@
 - abompard
 - nphilipp
 - adrian
+ allow_pod_creation: true
 tags:
 - apply-appowners
diff --git a/roles/openshift/project/defaults/main.yml b/roles/openshift/project/defaults/main.yml
index 907b9a0c59..b5450f1675 100644
--- a/roles/openshift/project/defaults/main.yml
+++ b/roles/openshift/project/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 allow_fas_db: false
 allow_iad2: true
+allow_pod_creation: false
 egress_policy_template: "{{roles_path}}/openshift/project/templates/egresspolicy.yml"
diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml
index 476083c33e..5848c2ae2d 100644
--- a/roles/openshift/project/templates/role-appowners.yml
+++ b/roles/openshift/project/templates/role-appowners.yml
@@ -17,9 +17,6 @@ rules:
 resources:
 - endpoints
 - persistentvolumeclaims
- - pods
- - pods/attach
- - pods/exec
 - replicationcontrollers
 - serviceaccounts
 - services
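Review bot: The new default `allow_pod_creation: false` in roles/openshift/project/defaults/main.yml is added without a comment, and the defaults file is where an operator looks to learn what a flag actually grants before flipping it in a playbook. A line above it such as `# When true, appowners also get create/delete/update on pods, pods/attach and pods/exec in production (staging always grants them)` would make the scope of the grant visible at the point of configuration. The hunk header counts seven new-side lines but only five are visible in the collapsed listing, so its trailing context (presumably blank lines) appears to have been lost.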
@@ -32,6 +29,23 @@ rules:
 - delete
 - update
 {% endif %}
+# Permissions for pods
+- apiGroups:
+ - "*"
+ attributeRestrictions: null
+ resources:
+ - pods
+ - pods/attach
+ - pods/exec
+ verbs:
+ - get
+ - list
+ - watch
+{% if env == "staging" or allow_pod_creation %}
+ - create
+ - delete
+ - update
+{% endif %}
 - apiGroups:
 - "*"
 attributeRestrictions: null
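Review bot: The `{% if env == "staging" or allow_pod_creation %}` block grants `create` on `pods/exec` and `pods/attach` together with `pods`, so a single flag gives appowners both the ability to run arbitrary pods in the namespace (a pod spec may reference any service account or secret present there, which makes this effectively namespace-wide secret access) and interactive access to running containers; if the linked discussion only asked for pod creation, putting the two subresources in their own rule or behind a second flag keeps the production grant minimal and auditable. The condition tests the raw variable, so an override passed as a string (for example `-e allow_pod_creation=false` on the command line) would be truthy in Jinja; `{% if env == "staging" or allow_pod_creation | bool %}` is the usual Ansible guard. `delete` and `update` are not evaluated for the `pods/exec` and `pods/attach` subresources (only `create` is), so listing them is harmless, but a comment such as `# only "create" is meaningful for the exec/attach subresources` would save the next reader a check. `apiGroups: "*"` is wider than the core group where pods live, though it matches the adjacent rules in this template.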