From e308b30f12d3be71d84d8608409caf67ef19fcfd Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Tue, 5 Nov 2024 10:16:17 +0100 Subject: [PATCH] [release-v1.15] Add jobsinks-addressable-resolver cluster role (#950) * Add jobsinks-addressable-resolver cluster role This will ensure that alld ServiceAccount that are bound to "addressable-resolver" ClusterRole can read JobSinks. Fixes issues like this for SinkBindings: ``` {"level":"error","ts":"2024-11-04T08:06:16.160Z","logger":"eventing-webhook","caller":"sinkbinding/sinkbinding.go:87", "msg":"Failed to get Addressable from Destination: %!w(*fmt.wrapError=&{failed to get lister for sinks.knative.dev/v1alpha1, Resource=jobsinks: jobsinks.sinks.knative.dev is forbidden: User \"system:serviceaccount:knative-eventing:eventing-webhook\" cannot list resource \"jobsinks\" in API group \"sinks.knative.dev\" ``` * Run make generate-release
---
 .../addressable-resolvers-clusterrole.yaml | 22 +++++++++++++++++++ .../release/artifacts/eventing-core.yaml | 22 +++++++++++++++++++ 2 files changed, 44 insertions(+)
diff --git a/config/core/roles/addressable-resolvers-clusterrole.yaml b/config/core/roles/addressable-resolvers-clusterrole.yaml
index 7bd948c7149..1f2ece335ef 100644
--- a/config/core/roles/addressable-resolvers-clusterrole.yaml
+++ b/config/core/roles/addressable-resolvers-clusterrole.yaml
@@ -144,3 +144,25 @@ rules:
 - get
 - list
 - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: jobsinks-addressable-resolver
+ labels:
+ duck.knative.dev/addressable: "true"
+ app.kubernetes.io/version: devel
+ app.kubernetes.io/name: knative-eventing
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - sinks.knative.dev
+ resources:
+ - jobsinks
+ - jobsinks/status
+ verbs:
+ - get
+ - list
+ - watch
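Review bot: The `jobsinks/status` entry under `resources` looks broader than address resolution needs: the failure quoted in the commit message is a denied `list` on `jobsinks`, and a read of the main resource already returns its status, so `get`/`list`/`watch` on `jobsinks` alone should presumably clear it. This matters because the role carries `duck.knative.dev/addressable: "true"` and, per the inline comment, its rules are folded into `addressable-resolver`, so every subject bound to that role gains cluster-wide read on whatever is listed here. If the status entry is kept only for parity with the other rules in this file (not visible in this hunk), say so in the comment. The comment above `rules:` could also name the mechanism and its reach, e.g. `# Aggregated into "addressable-resolver" via the duck.knative.dev/addressable label; grants cluster-wide read on JobSinks to every subject bound to that role.`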
diff --git a/openshift/release/artifacts/eventing-core.yaml b/openshift/release/artifacts/eventing-core.yaml
index 847968e2a4b..2c0660ac7a6 100644
--- a/openshift/release/artifacts/eventing-core.yaml
+++ b/openshift/release/artifacts/eventing-core.yaml
@@ -166,6 +166,28 @@ rules:
 - get
 - list
 - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: jobsinks-addressable-resolver
+ labels:
+ duck.knative.dev/addressable: "true"
+ app.kubernetes.io/version: v1.15
+ app.kubernetes.io/name: knative-eventing
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - sinks.knative.dev
+ resources:
+ - jobsinks
+ - jobsinks/status
+ verbs:
+ - get
+ - list
+ - watch
 ---
 # Copyright 2019 The Knative Authors
 #