Skip to content

Update ClusterRole permissions of messaging topology operator to update secrets #1033

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 1, 2025
Merged

Update ClusterRole permissions of messaging topology operator to update secrets #1033

merged 2 commits into from
Sep 1, 2025

Conversation

@barosch47
Copy link
Contributor

@barosch47 barosch47 commented Aug 28, 2025
edited
Loading

This closes #
I had communicated this problem in Discord on 27th Aug

Note to reviewers: remember to look at the commits in this PR and consider if they can be squashed
Note to contributors: remember to re-generate client set if there are any API changes

Summary Of Changes

The manager role currently is missing updating permissions of secrets which leads to some issues in case importCredentials is being used. Therefore the patch and update verbs have been added to the ClusterRole.

Additional Context

When creating a user and loading already existing secrets the manager-operator role will try to update it, it looks like it is adding metadata. Due to missing permissions this will fail with something like:

secrets "<user>-user-credentials" is forbidden: User "system:serviceaccount:<namespace>:messaging-topology-operator" cannot update resource "secrets" in API group "" in the namespace "<namespace>"

The ClusterRole rules is missing for secrets the verbs patch / update

I found a PR in bitnami helm charts which has dealt with the same problem.
@barosch47
fix: add patching and updating permissions to the manager-role
55de594 
The manager role currently is missing updating permissions of secrets which leads to some issues in case credentials can be imported.
@barosch47
Copy link
Contributor Author

barosch47 commented Aug 28, 2025

I am still in the process of signing CLA. Until then I will keep the PR in Draft mode.
@barosch47 barosch47 marked this pull request as ready for review August 30, 2025 19:17
@barosch47
Copy link
Contributor Author

barosch47 commented Aug 31, 2025

CLA was signed, feel free to review the PR.
@MirahImage MirahImage merged commit bca1508 into rabbitmq:main Sep 1, 2025
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants

@barosch47 @MirahImage