From 98d94579594ebd272e5fd79910b58eec30fb3aee Mon Sep 17 00:00:00 2001
From: Milan Pavlik
Date: Tue, 31 Jan 2023 12:42:24 +0000
Subject: [PATCH] [spicedb] Add role & rolebinding to watch endpoints
---
 .../pkg/components/spicedb/objects.go | 2 +
 .../installer/pkg/components/spicedb/role.go | 38 +++++++++++++++++
 .../pkg/components/spicedb/rolebinding.go | 41 +++++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 install/installer/pkg/components/spicedb/role.go
 create mode 100644 install/installer/pkg/components/spicedb/rolebinding.go
diff --git a/install/installer/pkg/components/spicedb/objects.go b/install/installer/pkg/components/spicedb/objects.go
index f5fc8b83be5eb4..645b617fcfc68c 100644
--- a/install/installer/pkg/components/spicedb/objects.go
+++ b/install/installer/pkg/components/spicedb/objects.go
@@ -30,6 +30,8 @@ func Objects(ctx *common.RenderContext) ([]runtime.Object, error) {
 networkpolicy,
 secret,
 bootstrap,
+ role,
+ rolebinding,
 )(ctx)
 }
 
diff --git a/install/installer/pkg/components/spicedb/role.go b/install/installer/pkg/components/spicedb/role.go
new file mode 100644
index 00000000000000..6da11e8b93d09d
--- /dev/null
+++ b/install/installer/pkg/components/spicedb/role.go
@@ -0,0 +1,38 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package spicedb
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func role(ctx *common.RenderContext) ([]runtime.Object, error) {
+ labels := common.DefaultLabels(Component)
+
+ return []runtime.Object{
+ &rbacv1.Role{
+ TypeMeta: common.TypeMetaRole,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: labels,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"endpoints"},
+ Verbs: []string{
+ "get",
+ "watch",
+ },
+ },
+ },
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/spicedb/rolebinding.go b/install/installer/pkg/components/spicedb/rolebinding.go
new file mode 100644
index 00000000000000..003b4bd05d0313
--- /dev/null
+++ b/install/installer/pkg/components/spicedb/rolebinding.go
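Review bot: The single rule in `role` grants `get` and `watch` on every Endpoints object in the namespace, because `Rules[0]` sets no `ResourceNames`. If SpiceDB only has to follow its own service (the commit title suggests that, but the consumer is not in this diff), the grant could be narrowed with `ResourceNames: []string{Component},`, assuming the Service carries that name. A name-scoped `watch` is only authorized when the client requests the single named object, so check that against the resolver in use before tightening. A doc comment such as `// role lets the spicedb ServiceAccount get and watch Endpoints in the install namespace.` would record why the grant exists.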
@@ -0,0 +1,41 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package spicedb
+
+import (
+ "fmt"
+
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+ labels := common.DefaultLabels(Component)
+
+ return []runtime.Object{
+ &rbacv1.RoleBinding{
+ TypeMeta: common.TypeMetaRoleBinding,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: fmt.Sprintf("%s-watch-service", Component),
+ Namespace: ctx.Namespace,
+ Labels: labels,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "Role",
+ Name: Component,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: Component,
+ },
+ },
+ },
+ }, nil
+}
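Review bot: The `Subjects` entry in `rolebinding` names the ServiceAccount but leaves `Namespace` unset. For a namespaced RoleBinding an empty subject namespace is resolved to the binding's own namespace, so this should work, but adding `Namespace: ctx.Namespace,` next to `Name: Component,` makes the grant unambiguous to anyone auditing the rendered manifest. The binding is named with `fmt.Sprintf("%s-watch-service", Component)` while the Role it references is plain `Component`; using one name for both would make the pair easier to trace. Whether a ServiceAccount called `Component` exists and is the one the SpiceDB pod runs under is not visible in this diff; if it is not, the binding has no effect.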