From 860c15cec17931adb73b80f9a7f4e22d1237144d Mon Sep 17 00:00:00 2001
From: Baargav
Date: Sat, 28 Sep 2024 21:30:02 -0400
Subject: [PATCH] Update cluster-role for cilium to prevent errors in agent startup (#11466)

* Update cluster-role for cilium to prevent errors in agent startup

ciliumloadbalancerippools permissions exists in the cilium helm chart for version 1.13.0 https://github.com/cilium/cilium/blob/v1.13.0/install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml#L71 The agent also needs permissions to read/watch secrets for bgp auth secrets when using CiliumBGPPeeringPolicy with a secret.

* Remove list/watch permissions for secrets

* Remove secrets from list/watch permissions
---
 roles/network_plugin/cilium/templates/cilium/cr.yml.j2 | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/network_plugin/cilium/templates/cilium/cr.yml.j2 b/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
index 833076de1..e32673ae9 100644
--- a/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
@@ -32,6 +32,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
 {% if cilium_version | regex_replace('v') is version('1.12', '<') %}
 - apiGroups:
   - ""
@@ -98,6 +104,9 @@ rules:
 {% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
   - ciliumbgploadbalancerippools
   - ciliumbgppeeringpolicies
+{% if cilium_version | regex_replace('v') is version('1.13', '>=') %}
+  - ciliumloadbalancerippools
+{% endif %}
 {% endif %}
 {% if cilium_version | regex_replace('v') is version('1.11.5', '<') %}
   - ciliumnetworkpolicies/finalizers
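Review bot: The new `secrets` rule in the first hunk grants `get` on core Secrets cluster-wide and unconditionally, while the commit message limits the need to BGP auth secrets referenced from a CiliumBGPPeeringPolicy. Because this is a ClusterRole, every node's agent ServiceAccount can then read any Secret in any namespace by name, which widens what a compromised agent can reach, so the rule should at least be gated on the role's BGP control-plane toggle, e.g. `{% if cilium_enable_bgp_control_plane %}` around the rule (assuming that is this role's variable for the feature), and if the upstream chart scopes the same access through a namespaced Role it would be preferable to mirror that. A short comment above the rule, `{# BGP auth secrets referenced by CiliumBGPPeeringPolicy; get only, no list/watch #}`, would record why an agent needs Secret access at all. The enclosing `rules:` list begins before the hunk and continues after it.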
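Review bot: The verbs that apply to the newly listed `ciliumloadbalancerippools` resource in the second hunk come from the enclosing rule, whose `verbs:` block is outside the hunk, so it is worth confirming that set matches the upstream cilium-agent ClusterRole the commit message cites rather than inheriting a broader one. The `>= 1.13` gate is nested inside the `>= 1.12` gate; the outer condition is implied by the inner one, so the nesting is redundant but harmless and keeps the CRD names grouped. A comment naming the source would help the next version bump: `{# ciliumloadbalancerippools: present in upstream cilium-agent clusterrole from 1.13.0 #}`. The enclosing rule starts before the hunk.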