From 7106390cbe36d06e879af4ff718d916459e8cdf0 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Mon, 5 Feb 2024 16:16:52 +0100
Subject: [PATCH] feat: Add pods/portforward permissions
Signed-off-by: Anatolii Bazko
---
 .../che-operator.clusterserviceversion.yaml | 12 ++++++++++--
 config/rbac/cluster_role.yaml | 8 ++++++++
 deploy/deployment/kubernetes/combined.yaml | 8 ++++++++
 .../kubernetes/objects/che-operator.ClusterRole.yaml | 8 ++++++++
 deploy/deployment/openshift/combined.yaml | 8 ++++++++
 .../openshift/objects/che-operator.ClusterRole.yaml | 8 ++++++++
 .../next/templates/che-operator.ClusterRole.yaml | 8 ++++++++
 pkg/deploy/server/rbac.go | 5 +++++
 8 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml
index 7d8443643a..b98087af9f 100644
--- a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml
+++ b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml
@@ -77,7 +77,7 @@ metadata:
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
 repository: https://github.com/eclipse-che/che-operator
 support: Eclipse Foundation
- name: eclipse-che.v7.81.0-832.next
+ name: eclipse-che.v7.82.0-835.next
 namespace: placeholder
 spec:
 apiservicedefinitions: {}
@@ -806,6 +806,14 @@ spec:
 - get
 - list
 - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods/portforward
+ verbs:
+ - get
+ - list
+ - create
 - apiGroups:
 - workspace.devfile.io
 resources:
@@ -1240,7 +1248,7 @@ spec:
 minKubeVersion: 1.19.0
 provider:
 name: Eclipse Foundation
- version: 7.81.0-832.next
+ version: 7.82.0-835.next
 webhookdefinitions:
 - admissionReviewVersions:
 - v1
diff --git a/config/rbac/cluster_role.yaml b/config/rbac/cluster_role.yaml
index 49b1305d50..52f8cc32e9 100644
--- a/config/rbac/cluster_role.yaml
+++ b/config/rbac/cluster_role.yaml
@@ -343,6 +343,14 @@ rules:
 - get
 - list
 - watch
+ - apiGroups:
+ - ''
+ resources:
+ - pods/portforward
+ verbs:
+ - get
+ - list
+ - create
 - apiGroups:
 - workspace.devfile.io
 resources:
diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml
index c4b089b4f3..524be8bca3 100644
--- a/deploy/deployment/kubernetes/combined.yaml
+++ b/deploy/deployment/kubernetes/combined.yaml
@@ -8745,6 +8745,14 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/portforward
+ verbs:
+ - get
+ - list
+ - create
 - apiGroups:
 - workspace.devfile.io
 resources:
diff --git a/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml b/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml
index 5ddd32c303..a504afcd16 100644
--- a/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml
+++ b/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml
@@ -343,6 +343,14 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/portforward
+ verbs:
+ - get
+ - list
+ - create
 - apiGroups:
 - workspace.devfile.io
 resources:
diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml
index 94a4284cc5..bc5c3d461e 100644
--- a/deploy/deployment/openshift/combined.yaml
+++ b/deploy/deployment/openshift/combined.yaml
@@ -8745,6 +8745,14 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/portforward
+ verbs:
+ - get
+ - list
+ - create
 - apiGroups:
 - workspace.devfile.io
 resources:
diff --git a/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml b/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml
index 5ddd32c303..a504afcd16 100644
--- a/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml
+++ b/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml
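Review bot: The rule added to config/rbac/cluster_role.yaml grants `list` on `pods/portforward`, which appears to have no effect on this connect-only subresource. A port-forward request is authorized as `create` (POST) or `get` (GET with a WebSocket upgrade), so the verbs can likely be narrowed to `- get` and `- create`. The same three-verb list is repeated in the CSV hunk at -806, in the manifests under deploy/ and helmcharts/, and in the Go rule in pkg/deploy/server/rbac.go, so any narrowing should be applied to all of them. Because this is a ClusterRole, the operator's service account gains port-forward wherever the role is bound. If the grant exists only so the operator may hand the permission on to users, a comment such as `# needed so the operator can grant pods/portforward to user roles` would record that.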
@@ -343,6 +343,14 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/portforward
+ verbs:
+ - get
+ - list
+ - create
 - apiGroups:
 - workspace.devfile.io
 resources:
diff --git a/helmcharts/next/templates/che-operator.ClusterRole.yaml b/helmcharts/next/templates/che-operator.ClusterRole.yaml
index 5ddd32c303..a504afcd16 100644
--- a/helmcharts/next/templates/che-operator.ClusterRole.yaml
+++ b/helmcharts/next/templates/che-operator.ClusterRole.yaml
@@ -343,6 +343,14 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/portforward
+ verbs:
+ - get
+ - list
+ - create
 - apiGroups:
 - workspace.devfile.io
 resources:
diff --git a/pkg/deploy/server/rbac.go b/pkg/deploy/server/rbac.go
index 5445557dc6..80cafa7a82 100644
--- a/pkg/deploy/server/rbac.go
+++ b/pkg/deploy/server/rbac.go
@@ -208,6 +208,11 @@ func (s *CheServerReconciler) getUserCommonPolicies() []rbacv1.PolicyRule {
 Resources: []string{"pods/log"},
 Verbs: []string{"get", "list", "watch"},
 },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"pods/portforward"},
+ Verbs: []string{"get", "list", "create"},
+ },
 {
 APIGroups: []string{""},
 Resources: []string{"secrets"},
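Review bot: The `pods/portforward` rule added to getUserCommonPolicies in pkg/deploy/server/rbac.go has no comment saying why every user needs it, and it sets no `ResourceNames`, so it covers every pod in whatever namespace these policies are bound in. Port-forward typically reaches any port listening inside the pod's network namespace, including loopback-only listeners, and is not filtered by NetworkPolicy. A line such as `// pods/portforward: lets users reach workspace ports locally; applies to all pods in the bound namespace` above the entry would make that scope visible to reviewers and auditors. It is also worth confirming that API-server audit policy records `pods/portforward` requests. The function starts and ends outside the hunk, so how the returned rules are bound cannot be checked from here.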