This is an automated email from the ASF dual-hosted git repository.

astefanutti pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit ab8f86925a337176833916a6577ecc197f6357ae
Author: Antonin Stefanutti <anto...@stefanutti.fr>
AuthorDate: Tue Feb 25 13:56:55 2020 +0100

    fix(registry): Do not grant bind permission by default and log when 
creating role binding is forbidden
---
 deploy/operator-role-openshift.yaml | 8 --------
 deploy/resources.go                 | 4 ++--
 pkg/platform/defaults.go            | 9 +++++++--
 3 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/deploy/operator-role-openshift.yaml 
b/deploy/operator-role-openshift.yaml
index cf903c4..d939b96 100644
--- a/deploy/operator-role-openshift.yaml
+++ b/deploy/operator-role-openshift.yaml
@@ -171,11 +171,3 @@ rules:
   - routes/custom-host
   verbs:
   - create
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterroles
-  verbs:
-  - bind
-  resourceNames:
-  - system:image-builder
diff --git a/deploy/resources.go b/deploy/resources.go
index 72fd268..191ee4e 100644
--- a/deploy/resources.go
+++ b/deploy/resources.go
@@ -203,9 +203,9 @@ var assets = func() http.FileSystem {
                "/operator-role-openshift.yaml": &vfsgen۰CompressedFileInfo{
                        name:             "operator-role-openshift.yaml",
                        modTime:          time.Time{},
-                       uncompressedSize: 3160,
+                       uncompressedSize: 3027,
 
-                       compressedContent: 
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xc4\x55\xc1\x8e\xdb\x36\x10\xbd\xeb\x2b\x06\xd2\x25\x29\xd6\x76\xd3\x53\xe1\x9e\xdc\xcd\x6e\x6b\x34\xb0\x81\xb5\xd3\x20\xc7\x11\x35\x96\xa6\x4b\x71\x58\x92\xb2\xe3\x7e\x7d\x41\x4a\x4e\xe4\xf5\x2e\x92\x00\x01\xec\x8b\xa9\xe1\xe8\xcd\x9b\xf7\x86\x54\x01\x93\x1f\xf7\xcb\x0a\x78\xc7\x8a\x8c\xa7\x0a\x82\x40\x68\x08\x16\x16\x55\x43\xb0\x91\x5d\x38\xa0\x23\xb8\x97\xce\x54\x18\x58\x0c\xbc\x5a\x6c\xee\x5f\x43\x67\x2a\x72\x20\x
 [...]
+                       compressedContent: 
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xc4\x54\xc1\x8e\xdb\x46\x0c\xbd\xeb\x2b\x08\xe9\x92\x14\x6b\xb9\xe9\xa9\x70\x4f\x6e\xb2\xdb\x1a\x0d\xbc\xc0\xca\x69\x90\x23\x35\xa2\x25\x76\x47\xc3\xe9\xcc\xc8\x8a\xfb\xf5\x85\x46\x72\x62\xaf\x76\x91\x16\x08\x60\x5f\x4c\x71\xa8\xc7\xc7\xf7\xa8\xc9\x60\xf1\xfd\x7e\x49\x06\xef\x59\x91\xf1\x54\x41\x10\x08\x0d\xc1\xda\xa2\x6a\x08\x0a\xd9\x87\x1e\x1d\xc1\x9d\x74\xa6\xc2\xc0\x62\xe0\xd5\xba\xb8\x7b\x0d\x9d\xa9\xc8\x81\x18\x
 [...]
                },
                "/operator-service-account.yaml": &vfsgen۰CompressedFileInfo{
                        name:             "operator-service-account.yaml",
diff --git a/pkg/platform/defaults.go b/pkg/platform/defaults.go
index c75de42..3ad4db1 100644
--- a/pkg/platform/defaults.go
+++ b/pkg/platform/defaults.go
@@ -320,8 +320,13 @@ func createBuilderRegistryRoleBinding(ctx context.Context, 
client client.Client,
        }
 
        err := client.Create(ctx, rb)
-       if err != nil && !k8serrors.IsAlreadyExists(err) {
-               return err
+       if err != nil {
+               if k8serrors.IsForbidden(err) {
+                       log.Log.Infof("Cannot grant permission to push images 
to the registry. "+
+                               "Run 'oc policy add-role-to-user 
system:image-builder system:serviceaccount:%s:%s' as a system admin.", 
p.Namespace, BuilderServiceAccount)
+               } else if !k8serrors.IsAlreadyExists(err) {
+                       return err
+               }
        }
 
        return nil
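Review bot: The remediation hint logged in the new `IsForbidden` branch omits the target namespace, so `oc policy add-role-to-user` would create the binding in whatever project the administrator currently has selected rather than in the platform's namespace. Assuming the role binding built above the hunk is meant for `p.Namespace` (its construction is outside the hunk), the message should pin it: `"Run 'oc policy add-role-to-user system:image-builder system:serviceaccount:%s:%s -n %s' as a system admin.", p.Namespace, BuilderServiceAccount, p.Namespace`. Separately, the forbidden case is reported only at info level and the function still returns nil, so callers cannot tell that the builder account lacks push rights, and the first visible symptom will be a registry authorization failure during a build. A short comment on the branch, such as `// Forbidden is tolerated: the operator no longer holds bind on system:image-builder by default, an admin must grant it`, would record why this error is deliberately not returned.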
