From 7055eaad58ae9f5379b1cc8d5e898369f8e65b92 Mon Sep 17 00:00:00 2001
From: Gabriele Fedi
Date: Fri, 8 Aug 2025 14:37:10 +0200
Subject: [PATCH] fix: add clusters/finalizers rbac

Add the required missing permission to operate in k8s environments where the Admission Controller Plugin "OwnerReferencesPermissionEnforcement" is enabled.

Signed-off-by: Gabriele Fedi
---
 config/rbac/role.yaml | 6 ++++++
 internal/controller/objectstore_controller.go | 1 +
 2 files changed, 7 insertions(+)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index c4a62a3..6d58dec 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -48,6 +48,12 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - postgresql.cnpg.io
+ resources:
+ - clusters/finalizers
+ verbs:
+ - update
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
diff --git a/internal/controller/objectstore_controller.go b/internal/controller/objectstore_controller.go
index d68b2d3..7e0dad6 100644
--- a/internal/controller/objectstore_controller.go
+++ b/internal/controller/objectstore_controller.go
@@ -37,6 +37,7 @@ type ObjectStoreReconciler struct {
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=create;patch;update;get;list;watch
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=create;patch;update;get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=create;list;get;watch;delete
+// +kubebuilder:rbac:groups=postgresql.cnpg.io,resources=clusters/finalizers,verbs=update
 // +kubebuilder:rbac:groups=postgresql.cnpg.io,resources=backups,verbs=get;list;watch
 // +kubebuilder:rbac:groups=barmancloud.cnpg.io,resources=objectstores,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=barmancloud.cnpg.io,resources=objectstores/status,verbs=get;update;patch
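Review bot: The new `clusters/finalizers` marker in objectstore_controller.go has no comment saying why the reconciler needs it, so a later least-privilege pass over these markers could drop it again and break clusters that enforce OwnerReferencesPermissionEnforcement. A why-comment directly above the marker would pin the reason, for example `// clusters/finalizers update is only checked by the OwnerReferencesPermissionEnforcement admission plugin, which requires it before owner references with blockOwnerDeletion can point at a Cluster.` The grant is narrow (only `update`, only the finalizers subresource), and I would keep it that way rather than widening to `clusters` itself. The marker block starts and ends outside the hunk, so check whether it forms part of a godoc comment before adding a plain comment line. The matching rule in config/rbac/role.yaml is presumably generated from this marker and should be regenerated rather than edited by hand.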