fix: add cluster/finalizers update permission (#465)

Add the required missing permission to operate in k8s environments where the Admission Controller Plugin "OwnerReferencesPermissionEnforcement" is enabled. Signed-off-by: Gabriele Fedi <gabriele.fedi@enterprisedb.com>
2026-01-10 21:03:12 +01:00 · 2025-08-14 22:55:25 +02:00 · 2025-08-14 22:55:25 +02:00 · e0c8b64470
commit e0c8b64470
parent 3a770798c7
4 changed files with 14 additions and 1 deletions
--- a/2
+++ b/2
@ -45,7 +45,7 @@ help: ## Display this help.

 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=plugin-barman-cloud crd webhook paths="./api/..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=plugin-barman-cloud crd webhook paths="./api/..." paths="./internal/controller/..." output:crd:artifacts:config=config/crd/bases

 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@ -48,6 +48,12 @@ rules:
  - get
  - list
  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - clusters/finalizers
+  verbs:
+  - update
 - apiGroups:
  - rbac.authorization.k8s.io
  resources:
--- a/internal/controller/objectstore_controller.go
+++ b/internal/controller/objectstore_controller.go
@ -37,6 +37,7 @@ type ObjectStoreReconciler struct {
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=create;patch;update;get;list;watch
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=create;patch;update;get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=create;list;get;watch;delete
+// +kubebuilder:rbac:groups=postgresql.cnpg.io,resources=clusters/finalizers,verbs=update
 // +kubebuilder:rbac:groups=postgresql.cnpg.io,resources=backups,verbs=get;list;watch
 // +kubebuilder:rbac:groups=barmancloud.cnpg.io,resources=objectstores,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=barmancloud.cnpg.io,resources=objectstores/status,verbs=get;update;patch
--- a/manifest.yaml
+++ b/manifest.yaml
@ -807,6 +807,12 @@ rules:
  - get
  - list
  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - clusters/finalizers
+  verbs:
+  - update
 - apiGroups:
  - rbac.authorization.k8s.io
  resources: