From 0405af11077bc271529f9eca790a7dac4edf3891 Mon Sep 17 00:00:00 2001
From: jeremy-thuon <18218996+jeremythuon@users.noreply.github.com>
Date: Mon, 3 Jul 2023 11:20:51 +0200
Subject: [PATCH] [cilium] add custom vars for clusterrole cilium operator (#10267)
---
 .../group_vars/k8s_cluster/k8s-net-cilium.yml | 19 ++++++++++++++++++
 roles/network_plugin/cilium/defaults/main.yml | 19 ++++++++++++++++++
 .../templates/cilium-operator/cr.yml.j2 | 20 +++++++++++++++++++
 3 files changed, 58 insertions(+)
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
index 9023e09c7..a1704844d 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@@ -243,3 +243,22 @@
 # -- Whether to enable CNP status updates.
 # cilium_disable_cnp_status_updates: true
+
+# A list of extra rules variables to add to clusterrole for cilium operator, formatted like:
+# cilium_clusterrole_rules_operator_extra_vars:
+# - apiGroups:
+# - '""'
+# resources:
+# - pods
+# verbs:
+# - delete
+# - apiGroups:
+# - '""'
+# resources:
+# - nodes
+# verbs:
+# - list
+# - watch
+# resourceNames:
+# - toto
+# cilium_clusterrole_rules_operator_extra_vars: []
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index 29dd08350..b6f68c9c0 100644
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -290,3 +290,22 @@ cilium_certgen_args:
 hubble-relay-client-cert-validity-duration: 94608000s
 hubble-relay-client-cert-secret-name: hubble-relay-client-certs
 hubble-relay-server-cert-generate: false
+
+# A list of extra rules variables to add to clusterrole for cilium operator, formatted like:
+# cilium_clusterrole_rules_operator_extra_vars:
+# - apiGroups:
+# - '""'
+# resources:
+# - pods
+# verbs:
+# - delete
+# - apiGroups:
+# - '""'
+# resources:
+# - nodes
+# verbs:
+# - list
+# - watch
+# resourceNames:
+# - toto
+cilium_clusterrole_rules_operator_extra_vars: []
diff --git a/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2 b/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
index 044695022..642a66702 100644
--- a/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
@@ -147,3 +147,23 @@ rules:
 - ciliumnetworkpolicies.cilium.io
 - ciliumnodes.cilium.io
 {% endif %}
+{% for rules in cilium_clusterrole_rules_operator_extra_vars %}
+- apiGroups:
+{% for api in rules['apiGroups'] %}
+ - {{ api }}
+{% endfor %}
+ resources:
+{% for resource in rules['resources'] %}
+ - {{ resource }}
+{% endfor %}
+ verbs:
+{% for verb in rules['verbs'] %}
+ - {{ verb }}
+{% endfor %}
+{% if 'resourceNames' in rules %}
+ resourceNames:
+{% for resourceName in rules['resourceNames'] %}
+ - {{ resourceName }}
+{% endfor %}
+{% endif %}
+{% endfor %}
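Review bot: The comment added above `cilium_clusterrole_rules_operator_extra_vars` in roles/network_plugin/cilium/defaults/main.yml documents the format but not the effect: every entry is appended to the cilium-operator ClusterRole, so its verbs apply cluster-wide to whatever identity that role is bound to (presumably the operator's service account; the binding is not part of this patch). I would add a line such as `# Rules are appended to the cilium-operator ClusterRole and apply cluster-wide; grant only the verbs and resources actually needed.` The first example grants `delete` on all pods and the second uses the placeholder name `toto`, so an example scoped to one realistic resource would model least privilege better. The same comment block is repeated in the sample inventory hunk and should be kept in step.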
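Review bot: In cr.yml.j2 the list items are rendered as plain YAML scalars (`- {{ api }}`, `- {{ resource }}`, `- {{ verb }}`, `- {{ resourceName }}`), so an empty core API group renders as a null item and a `*` wildcard would be read as an alias indicator rather than a string, which is why the documented example has to write `'""'`. Passing each value through a quoting filter, for example `- {{ api | to_json }}`, makes the output independent of what the string looks like; the example comments in the two group_vars/defaults hunks would then use `""` instead of `'""'`. Separately, `rules['resources']` and `rules['verbs']` are indexed unconditionally while only `resourceNames` is guarded, so a rule that omits either key will presumably fail at render time with an undefined-key error; a one-line comment on the variable stating that `apiGroups`, `resources` and `verbs` are required would make that contract explicit.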