[BUG]: operator clusterRole's permission is insufficient to enable Rabbitmq as event source #1158

Closed
hoyhbx opened this issue Aug 10, 2022 · 1 comment · Fixed by #1161
Labels
kind/bug Categorizes issue or PR as related to a bug.

hoyhbx commented Aug 10, 2022

Describe the bug

We are using Knative-Operator to configure our Knative-Eventing instance.

We observed that when we try to enable Rabbitmq to be the event source, the operator fails to apply the manifest rabbitmq-source.yaml due to insufficient RBAC permission.

The events below describe the error:

18:26:35 KnativeEventing test-cluster 941:	Updated "test-cluster" finalizers
18:31:21 KnativeEventing test-cluster 2836:	failed to apply (cluster)rolebindings: clusterrolebindings.rbac.authorization.k8s.io "eventing-sources-rabbitmq-controller" is forbidden: user "system:serviceaccount:knative-eventing:knative-operator" (groups=["system:serviceaccounts" "system:serviceaccounts:knative-eventing" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["rabbitmq.com"], Resources:["bindings"], Verbs:["create" "delete" "get" "list" "patch" "update" "watch"]}
{APIGroups:["rabbitmq.com"], Resources:["bindings/status"], Verbs:["get"]}
{APIGroups:["rabbitmq.com"], Resources:["exchanges"], Verbs:["create" "delete" "get" "list" "patch" "update" "watch"]}
{APIGroups:["rabbitmq.com"], Resources:["exchanges/status"], Verbs:["get"]}
{APIGroups:["rabbitmq.com"], Resources:["queues"], Verbs:["create" "delete" "get" "list" "patch" "update" "watch"]}
{APIGroups:["rabbitmq.com"], Resources:["queues/status"], Verbs:["get"]}
{APIGroups:["rabbitmq.com"], Resources:["rabbitmqclusters"], Verbs:["get" "list" "watch"]}

Expected behavior

We expect that Rabbitmq can be used as event sources when enabled by setting cr.spec.source.rabbitmq.enabled to true.

To Reproduce

  1. Deploy Knative-Operator v1.6.0 and create the knative-eventing namespace.

  2. Apply the following CustomResource to deploy Knative-Eventing with rabbitmq enabled as source

    apiVersion: operator.knative.dev/v1beta1
    kind: KnativeEventing
    metadata:
      name: test-cluster
      namespace: knative-eventing
    spec:
      version: 1.6.0
      source:
        rabbitmq:
          enabled: true

  3. Execute kubectl get events -A and observe the error message mentioned above.

Knative release version

Additional Context

  • Kubernetes Version
    Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:22:29Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
    Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.9", GitCommit:"6df4433e288edc9c40c2e344eb336f63fad45cd2", GitTreeState:"clean", BuildDate:"2022-05-19T19:53:08Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}

Suspected Root Cause

As the error messages suggest, the error is caused by insufficient access.

To enable 'rabbitmq' as event source, the clusterRole eventing-sources-rabbitmq-controller will be deployed by the operator. However, the apiGroup rabbitmq.com, included in this clusterRole, is not included in the operator serviceAccount, leading to insufficient permission.
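
The check behind the "attempting to grant RBAC permissions not currently held" error can be reproduced offline. The Go below is an added example, not code from Knative or Kubernetes: it expands requested rules into (group, resource, verb) triples and lists those the caller lacks. `Held` is a constructed stand-in for the operator's ClusterRole; only exact and `*` matching is assumed, and the `bind`/`escalate` exemptions are not modelled.

```go
package main

import "fmt"

// Rule mirrors the PolicyRule fields printed in the error message.
type Rule struct{ APIGroups, Resources, Verbs []string }

// has reports whether list contains want or the "*" wildcard.
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// covered reports whether any held rule grants one (group, resource, verb).
func covered(held []Rule, group, resource, verb string) bool {
	for _, h := range held {
		if has(h.APIGroups, group) && has(h.Resources, resource) && has(h.Verbs, verb) {
			return true
		}
	}
	return false
}

// Uncovered returns every requested triple that the caller does not hold.
func Uncovered(held, requested []Rule) []string {
	var missing []string
	for _, r := range requested {
		for _, g := range r.APIGroups {
			for _, res := range r.Resources {
				for _, verb := range r.Verbs {
					if !covered(held, g, res, verb) {
						missing = append(missing, g+"/"+res+":"+verb)
					}
				}
			}
		}
	}
	return missing
}

// Constructed sample: Held stands in for the operator's rules; Wanted is from the issue.
var Held = []Rule{{[]string{"eventing.knative.dev"}, []string{"*"}, []string{"*"}}}
var Wanted = []Rule{{[]string{"rabbitmq.com"}, []string{"rabbitmqclusters"}, []string{"get", "list", "watch"}}}

func main() { fmt.Println(Uncovered(Held, Wanted)) }
```

An empty result means the binding would pass this check; any entry is a permission the operator's own role would need before it can grant it to another subject.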

@houshengbo
Contributor

Looking at this one...
