RBAC issues with Pipe and Knative

[matzew]

What happened?

Based on #5402 but different error, hence a separate issue.

When I install SERVING and EVENTING (1.14), and than install the Camel-K operator Helm chart(2.3.0), I am getting RBAC errors:

brokers.eventing.knative.dev \"kamelet\" is forbidden: User \"system:serviceaccount:default:camel-k-operator\" cannot get resource \"brokers\" in API group \"eventing.knative.dev\" in the namespace \"default\""}

Steps to reproduce

1. install the script from https://github.com/matzew/eventing-cloud-integraton with serving
2. apply the samples manifest
3. Notice that no pipe gets created (no pod)
4. log the camel-operator and see the RBAC errors on the log

Relevant log output

camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"info","ts":"2024-04-24T06:50:18Z","logger":"camel-k.controller.build","msg":"Build duration 1m2.567014979s","request-namespace":"default","request-name":"beer-source-pipe","build-attempt":0,"build-result":"Succeeded","build-duration":62.567014979,"api-version":"camel.apache.org/v1","kind":"Build","ns":"default","name":"kit-cokamr7r05jt021tkk40"}
camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"info","ts":"2024-04-24T06:50:18Z","logger":"camel-k.controller.build","msg":"State transition","request-namespace":"default","request-name":"kit-cokamr7r05jt021tkk40","api-version":"camel.apache.org/v1","kind":"Build","ns":"default","name":"kit-cokamr7r05jt021tkk40","phase-from":"Running","phase-to":"Succeeded"}
camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"info","ts":"2024-04-24T06:50:18Z","logger":"camel-k.controller.integrationkit","msg":"Invoking action build","request-namespace":"default","request-name":"kit-cokamr7r05jt021tkk40","api-version":"camel.apache.org/v1","kind":"IntegrationKit","ns":"default","name":"kit-cokamr7r05jt021tkk40"}
camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"info","ts":"2024-04-24T06:50:18Z","logger":"camel-k.controller.integrationkit","msg":"State transition","request-namespace":"default","request-name":"kit-cokamr7r05jt021tkk40","api-version":"camel.apache.org/v1","kind":"IntegrationKit","ns":"default","name":"kit-cokamr7r05jt021tkk40","phase-from":"Build Running","phase-to":"Ready"}
camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"info","ts":"2024-04-24T06:50:18Z","logger":"camel-k","msg":"Kit kit-cokamr7r05jt021tkk40 ready, notify integration: beer-source-pipe"}
camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"info","ts":"2024-04-24T06:50:18Z","logger":"camel-k.controller.integrationkit","msg":"Invoking action monitor","request-namespace":"default","request-name":"kit-cokamr7r05jt021tkk40","api-version":"camel.apache.org/v1","kind":"IntegrationKit","ns":"default","name":"kit-cokamr7r05jt021tkk40"}
camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"info","ts":"2024-04-24T06:50:18Z","logger":"camel-k.controller.integration","msg":"State transition","request-namespace":"default","request-name":"beer-source-pipe","api-version":"camel.apache.org/v1","kind":"Integration","ns":"default","name":"beer-source-pipe","phase-from":"Building Kit","phase-to":"Deploying"}
camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"info","ts":"2024-04-24T06:50:18Z","logger":"camel-k.controller.integration","msg":"State transition","request-namespace":"default","request-name":"beer-source-pipe","api-version":"camel.apache.org/v1","kind":"Integration","ns":"default","name":"beer-source-pipe","phase-from":"Deploying","phase-to":"Error"}
camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"info","ts":"2024-04-24T06:50:18Z","logger":"camel-k.controller.integration","msg":"Integration error","request-namespace":"default","request-name":"beer-source-pipe","api-version":"camel.apache.org/v1","kind":"Integration","ns":"default","name":"beer-source-pipe","reason":"InitializationFailed","error-message":"error during trait customization: knative trait execution failed: unexpected error while executing handler for broker for event kamelet: cannot determine address of broker for event kamelet: brokers.eventing.knative.dev \"kamelet\" is forbidden: User \"system:serviceaccount:default:camel-k-operator\" cannot get resource \"brokers\" in API group \"eventing.knative.dev\" in the namespace \"default\""}
camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"error","ts":"2024-04-24T06:50:18Z","msg":"Reconciler error","controller":"integration-controller","controllerGroup":"camel.apache.org","controllerKind":"Integration","Integration":{"name":"beer-source-pipe","namespace":"default"},"namespace":"default","name":"beer-source-pipe","reconcileID":"5a90526c-1580-4943-8ff8-77dd310851e1","error":"error during trait customization: knative trait execution failed: unexpected error while executing handler for broker for event kamelet: cannot determine address of broker for event kamelet: brokers.eventing.knative.dev \"kamelet\" is forbidden: User \"system:serviceaccount:default:camel-k-operator\" cannot get resource \"brokers\" in API group \"eventing.knative.dev\" in the namespace \"default\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:226"}
camel-k-operator-56d74d67bd-ml8nd camel-k-operator {"level":"info","ts":"2024-04-24T06:50:18Z","logger":"camel-k.controller.pipe","msg":"State transition","request-namespace":"default","request-name":"beer-source-pipe","api-version":"camel.apache.org/v1","kind":"Pipe","ns":"default","name":"beer-source-pipe","phase-from":"Creating","phase-to":"Error"}

Camel K version

2.3.0

[christophd]

Probably an issue with the Camel K Helm chart installation @gansheer?

[gansheer]

Yes, that's exactly the issue @christophd . The triggers resources are declared but not brokers:
Helm:

camel-k/helm/camel-k/templates/operator-cluster-roles.yaml

Lines 295 to 303 in 494b004

	resources:
	- triggers
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update

Default installation files:

camel-k/pkg/resources/config/rbac/descoped/operator-cluster-role-knative.yaml

Lines 38 to 49 in 494b004

	- apiGroups:
	- eventing.knative.dev
	resources:
	- triggers
	- brokers
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update

That goes for descoped and namespaces files of course.

[matzew]

I just came to the same conclusion. I did

k edit roles.rbac.authorization.k8s.io camel-k-operator

and added the brokers, and it works

[matzew]

I added a PR for this:#5412

for the messaging group there were also a few types missing.

[christophd]

Fixed with #5412