From bf3a4d65de5e4893f03492d0fa6bd662cefde6cc Mon Sep 17 00:00:00 2001
From: Wolfgang Kulhanek
Date: Tue, 12 Nov 2024 15:29:45 +0100
Subject: [PATCH] Add missing permission on backuptarget namespaces (#8793)
* Add missing permission on backuptarget namespaces
* Change permissions to edit
---------
Co-authored-by: Wolfgang Kulhanek
---
 .../tasks/workload.yml | 1 +
 .../templates/rolebinding-namespace.yaml.j2 | 18 ++++++++++++++++++
 .../templates/rolebinding.yaml.j2 | 4 ++--
 3 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/templates/rolebinding-namespace.yaml.j2
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/tasks/workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/tasks/workload.yml
index 9ce50d7de04..d39463810eb 100644
--- a/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/tasks/workload.yml
+++ b/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/tasks/workload.yml
@@ -65,6 +65,7 @@
 - objectbucketclaim.yaml.j2
 - clusterrolebinding.yaml.j2
 - rolebinding.yaml.j2
+ - rolebinding-namespace.yaml.j2
 loop_control:
 loop_var: resource
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/templates/rolebinding-namespace.yaml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/templates/rolebinding-namespace.yaml.j2
new file mode 100644
index 00000000000..c9046f37e78
--- /dev/null
+++ b/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/templates/rolebinding-namespace.yaml.j2
@@ -0,0 +1,18 @@
+{% if ocp4_workload_kasten_k10_multi_user | bool %}
+{% for user_number in range(1, ocp4_workload_kasten_k10_num_users | int + 1) %}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: admin-{{ ocp4_workload_kasten_k10_objectbucket_namespace_base }}{{ user_number }}
+ namespace: {{ ocp4_workload_kasten_k10_objectbucket_namespace_base }}{{ user_number }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: {{ ocp4_workload_kasten_k10_objectbucket_user_base }}{{ user_number }}
+{% endfor %}
+{% endif %}
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/templates/rolebinding.yaml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/templates/rolebinding.yaml.j2
index 0a2d5d3aa56..2adacb61bdb 100644
--- a/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/templates/rolebinding.yaml.j2
+++ b/ansible/roles_ocp_workloads/ocp4_workload_kasten_k10/templates/rolebinding.yaml.j2
@@ -4,12 +4,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: view-{{ ocp4_workload_kasten_k10_objectbucket_user_base }}{{ user_number }}
+ name: edit-{{ ocp4_workload_kasten_k10_objectbucket_user_base }}{{ user_number }}
 namespace: kasten-io
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: view
+ name: edit
 subjects:
 - apiGroup: rbac.authorization.k8s.io
 kind: User
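Review bot: The `roleRef` in the new rolebinding-namespace.yaml.j2 grants the `admin` ClusterRole, while the commit message says the permissions were changed to `edit` and the sibling binding in rolebinding.yaml.j2 uses `edit`. `admin` also lets each user create Roles and RoleBindings inside the namespace, so if the lab only needs to manage workloads and bucket claims there, `name: edit` would be the narrower grant. If `admin` is intended, a template comment such as `{# admin is needed because <reason> #}` above the binding would record why. The `metadata` values are unquoted template output; writing `namespace: "{{ ocp4_workload_kasten_k10_objectbucket_namespace_base }}{{ user_number }}"` (and the same for `name:`) keeps a base value from being retyped by the YAML parser.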
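Review bot: Raising `roleRef.name` from `view` to `edit` in rolebinding.yaml.j2 gives every generated user write access in the shared `kasten-io` namespace, and the built-in `edit` role also allows reading Secrets, which `view` does not. In a multi-user deployment that presumably lets one lab user read credentials stored in that namespace or modify the K10 installation that the other users depend on. If users only need a few K10 resources, a dedicated Role listing just those resources and verbs would be narrower than `edit`. Because the binding is renamed from `view-…` to `edit-…`, the old `view-…` RoleBinding probably stays behind on clusters that were already provisioned unless a cleanup task removes it. The surrounding `{% for %}` loop starts and ends outside this hunk.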