From 2a6817d24978dfdb1e8a86274291a8f6325aa39c Mon Sep 17 00:00:00 2001
From: f41gh7
Date: Tue, 15 Oct 2024 13:09:26 +0200
Subject: [PATCH] controller/vmagent: properly assign OwnerReference to Role and RB
Previously, operator assigned VMAgent as Owner for Role and Rolebindg at VMAgent. But the problem is, that at single-namespace mode operator cannot access CRD and assing proper Owner. It led to empty OwnerRefence and created role/rolebinding could be deleted by ARGOCD with enabled pruning. This commit properly assign OwnerReference to VMAgent CR object not cluster CRD.
Signed-off-by: f41gh7
---
 docs/CHANGELOG.md | 1 +
 .../controller/operator/factory/reconcile/rbac.go | 13 ++++++++-----
 .../controller/operator/factory/vmagent/rbac.go | 4 ++--
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 8f88b213..7a59d532 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -14,6 +14,7 @@ aliases:
 - [api](https://docs.victoriametrics.com/operator/api): adds new fields `maxDiskUsagePerUrl` and`forceVMProto` to the `VMagent` `remoteWriteSpec`
 - [vmuser](https://docs.victoriametrics.com/operator/resources/vmuser/): fixes the protocol of generated CRD target access url for vminsert and vmstorage when TLS is enabled.
 - [vmagent](https://docs.victoriametrics.com/operator/resources/vmagent/): properly make transition to `statefulMode`. See [this issue](https://github.com/VictoriaMetrics/operator/issues/1127) for details.
+- [vmagent](https://docs.victoriametrics.com/operator/resources/vmagent/): properly assign `OwnerRefrence` for `Role` and `RoleBinding` at `single-namespace` operator mode.
 - [operator](https://docs.victoriametrics.com/operator/): fixes pod scheduling with `useStrictSecurity` enabled by removing default values for `AppArmorProfile` and `SeccompProfile`. See [this issue](https://github.com/VictoriaMetrics/operator/issues/1120) for details.
 
 ## [v0.48.3](https://github.com/VictoriaMetrics/operator/releases/tag/v0.48.3) - 29 Sep 2024
diff --git a/internal/controller/operator/factory/reconcile/rbac.go b/internal/controller/operator/factory/reconcile/rbac.go
index 77667246..8aeaee3b 100644
--- a/internal/controller/operator/factory/reconcile/rbac.go
+++ b/internal/controller/operator/factory/reconcile/rbac.go
@@ -23,7 +23,7 @@ func RoleBinding(ctx context.Context, rclient client.Client, rb *rbacv1.RoleBind
 		if errors.IsNotFound(err) {
 			return rclient.Create(ctx, rb)
 		}
-		return fmt.Errorf("cannot get rolebinding for vmauth: %w", err)
+		return fmt.Errorf("cannot get exist rolebinding: %w", err)
 	}
 	if err := finalize.FreeIfNeeded(ctx, rclient, &existRoleBinding); err != nil {
 		return err
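Review bot: The new message `cannot get exist rolebinding: %w` drops the copy-pasted "for vmauth" but is still ungrammatical and, like the old one, leaves out which RoleBinding could not be read, which is what an operator needs when the controller handles several objects. I would use `return fmt.Errorf("cannot get existing rolebinding %s/%s: %w", rb.Namespace, rb.Name, err)`; the Role hunk in this patch has the same wording and deserves the same change. The enclosing RoleBinding function starts before this hunk.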
@@ -34,7 +34,8 @@ func RoleBinding(ctx context.Context, rclient client.Client, rb *rbacv1.RoleBind
 	if equality.Semantic.DeepEqual(rb.Subjects, existRoleBinding.Subjects) &&
 		equality.Semantic.DeepEqual(rb.RoleRef, existRoleBinding.RoleRef) &&
 		equality.Semantic.DeepEqual(rb.Labels, existRoleBinding.Labels) &&
-		equality.Semantic.DeepEqual(rb.Annotations, existRoleBinding.Annotations) {
+		equality.Semantic.DeepEqual(rb.Annotations, existRoleBinding.Annotations) &&
+		equality.Semantic.DeepEqual(rb.OwnerReferences, existRoleBinding.OwnerReferences) {
 		return nil
 	}
 	logger.WithContext(ctx).Info("updating rolebinding configuration", "rolebinding_name", rb.Name)
@@ -42,6 +43,7 @@ func RoleBinding(ctx context.Context, rclient client.Client, rb *rbacv1.RoleBind
 	existRoleBinding.Labels = rb.Labels
 	existRoleBinding.Subjects = rb.Subjects
 	existRoleBinding.RoleRef = rb.RoleRef
+	existRoleBinding.OwnerReferences = rb.OwnerReferences
 	vmv1beta1.AddFinalizer(&existRoleBinding, &existRoleBinding)
 	return rclient.Update(ctx, &existRoleBinding)
 
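Review bot: The update path replaces `existRoleBinding.OwnerReferences` wholesale with `rb.OwnerReferences`, and the new DeepEqual term turns any owner reference added by something else into a difference, so a second controller or GitOps tool that sets its own owner reference on the binding will be overwritten on every reconcile and the two can fight indefinitely. If stomping foreign owners is intended — the commit message suggests the goal is to adopt bindings that were left with an empty owner — say so in a comment on the assignment, e.g. `// replace, do not merge: the binding is owned by exactly one VMAgent`; otherwise keep existing references whose UID is absent from rb.OwnerReferences and only upsert the VMAgent one. Note also that equality.Semantic.DeepEqual compares the controller and blockOwnerDeletion pointers too, so whatever builds rb.OwnerReferences must return identical values across reconciles or this branch never settles. The RoleBinding function ends outside the hunk.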
@@ -54,23 +56,24 @@ func Role(ctx context.Context, rclient client.Client, rl *rbacv1.Role) error {
 		if errors.IsNotFound(err) {
 			return rclient.Create(ctx, rl)
 		}
-		return fmt.Errorf("cannot get role for vmauth: %w", err)
+		return fmt.Errorf("cannot get exist role: %w", err)
 	}
 	if err := finalize.FreeIfNeeded(ctx, rclient, &existRole); err != nil {
 		return err
 	}
 	existRole.Annotations = labels.Merge(existRole.Annotations, rl.Annotations)
-	existRole.OwnerReferences = rl.OwnerReferences
 	if equality.Semantic.DeepEqual(rl.Rules, existRole.Rules) &&
 		equality.Semantic.DeepEqual(rl.Labels, existRole.Labels) &&
-		equality.Semantic.DeepEqual(rl.Annotations, existRole.Annotations) {
+		equality.Semantic.DeepEqual(rl.Annotations, existRole.Annotations) &&
+		equality.Semantic.DeepEqual(rl.OwnerReferences, existRole.OwnerReferences) {
 		return nil
 	}
 	logger.WithContext(ctx).Info("updating role configuration", "role_name", rl.Name)
 	existRole.Labels = rl.Labels
 	existRole.Rules = rl.Rules
+	existRole.OwnerReferences = rl.OwnerReferences
 	vmv1beta1.AddFinalizer(&existRole, &existRole)
 	return rclient.Update(ctx, &existRole)
 
diff --git a/internal/controller/operator/factory/vmagent/rbac.go b/internal/controller/operator/factory/vmagent/rbac.go
index c169aacc..21cc8da0 100644
--- a/internal/controller/operator/factory/vmagent/rbac.go
+++ b/internal/controller/operator/factory/vmagent/rbac.go
@@ -258,7 +258,7 @@ func buildVMAgentNamespaceRole(cr *vmv1beta1.VMAgent) *rbacv1.Role {
 			Labels: cr.AllLabels(),
 			Annotations: cr.AnnotationsFiltered(),
 			Finalizers: []string{vmv1beta1.FinalizerName},
-			OwnerReferences: cr.AsCRDOwner(),
+			OwnerReferences: cr.AsOwner(),
 		},
 		Rules: singleNSPolicyRules,
 	}
@@ -272,7 +272,7 @@ func buildVMAgentNamespaceRoleBinding(cr *vmv1beta1.VMAgent) *rbacv1.RoleBinding
 			Labels: cr.AllLabels(),
 			Annotations: cr.AnnotationsFiltered(),
 			Finalizers: []string{vmv1beta1.FinalizerName},
-			OwnerReferences: cr.AsCRDOwner(),
+			OwnerReferences: cr.AsOwner(),
 		},
 		Subjects: []rbacv1.Subject{
 			{
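Review bot: Moving `existRole.OwnerReferences = rl.OwnerReferences` below the DeepEqual check is what makes the owner actually persist — before this patch the assignment happened on the local copy and the function returned nil without an Update whenever rules, labels and annotations already matched — but nothing in the code says why OwnerReferences is now part of the comparison, and a later maintainer may drop it again as redundant. I would add above the `if`: `// OwnerReferences is part of the comparison so that Roles created by older operator versions (or with an empty owner in single-namespace mode) are adopted on the next reconcile instead of being left for GitOps pruning.` As in RoleBinding, `cannot get exist role` should read `cannot get existing role`, ideally with `rl.Namespace`/`rl.Name` in the message. The Role function's signature is visible only in the hunk header.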
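Review bot: Switching the owner to `cr.AsOwner()` makes the Role a dependent of a namespaced object, and Kubernetes garbage collection treats a namespaced dependent whose owner lives in another namespace as having no valid owner and removes it, so this only works if the Role's Namespace (set outside this hunk) is always `cr.Namespace` — worth a comment on the field, e.g. `// owner must be in the same namespace as the Role, otherwise GC deletes it`. If AsOwner sets blockOwnerDeletion to true (not visible here) and the cluster runs the OwnerReferencesPermissionEnforcement admission plugin, creating or updating this Role also requires update on `vmagents/finalizers`, which the operator's own single-namespace Role must grant or every reconcile fails with Forbidden. Finally, if two VMAgent CRs in one namespace produce the same Role name, their reconcilers will now flip the owner back and forth; the name is not visible in the hunk, so this may already be per-CR.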