From e27e8e134d6cb0ec4d149683b706beacc33524f3 Mon Sep 17 00:00:00 2001
From: Pablo Acevedo Montserrat
Date: Fri, 17 Jan 2025 13:28:13 +0100
Subject: [PATCH] OCPBUGS-48110: Update router cluster roles
---
 .../cluster-role-aggregate-admin-route.yaml | 15 +++++++++++++++
 ...aml => cluster-role-aggregate-edit-route.yaml} | 13 +++----------
 .../cluster-role-system-router.yaml | 2 ++
 pkg/components/controllers.go | 3 ++-
 scripts/auto-rebase/assets.yaml | 4 +++-
 5 files changed, 25 insertions(+), 12 deletions(-)
 create mode 100644 assets/components/openshift-router/cluster-role-aggregate-admin-route.yaml
 rename assets/components/openshift-router/{cluster-role-aggregate-route.yaml => cluster-role-aggregate-edit-route.yaml} (70%)
diff --git a/assets/components/openshift-router/cluster-role-aggregate-admin-route.yaml b/assets/components/openshift-router/cluster-role-aggregate-admin-route.yaml
new file mode 100644
index 00000000000..1190aea8e93
--- /dev/null
+++ b/assets/components/openshift-router/cluster-role-aggregate-admin-route.yaml
@@ -0,0 +1,15 @@
+# This ClusterRole will allow admin access to routes resources.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-route-admin
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups:
+ - ""
+ - route.openshift.io
+ resources:
+ - routes/status
+ verbs:
+ - update
diff --git a/assets/components/openshift-router/cluster-role-aggregate-route.yaml b/assets/components/openshift-router/cluster-role-aggregate-edit-route.yaml
similarity index 70%
rename from assets/components/openshift-router/cluster-role-aggregate-route.yaml
rename to assets/components/openshift-router/cluster-role-aggregate-edit-route.yaml
index 4a8c791d297..274a9a4ccf5 100644
--- a/assets/components/openshift-router/cluster-role-aggregate-route.yaml
+++ b/assets/components/openshift-router/cluster-role-aggregate-edit-route.yaml
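Review bot: The header comment in the new cluster-role-aggregate-admin-route.yaml overstates the grant: it says "admin access to routes resources", while the only rule in the file is `update` on `routes/status`. A more exact header would be `# Grants update on routes/status to subjects bound to admin; all other route permissions are defined in aggregate-route-edit.` Because this rule lets namespace admins write route status, that status is not exclusively router-authored, and the comment is a good place to say so for anyone who later relies on status fields as a trust signal.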
@@ -1,10 +1,10 @@
-# This ClusterRole will allow access to routes resources.
+# This ClusterRole will allow edit access to routes resources.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: aggregate-route
+ name: aggregate-route-edit
 labels:
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rules:
 - apiGroups:
 - ""
@@ -36,13 +36,6 @@ rules:
 - get
 - list
 - watch
-- apiGroups:
- - ""
- - route.openshift.io
- resources:
- - routes/status
- verbs:
- - update
 - apiGroups:
 - ""
 - route.openshift.io
diff --git a/assets/components/openshift-router/cluster-role-system-router.yaml b/assets/components/openshift-router/cluster-role-system-router.yaml
index d848fc47b61..cf692ab2495 100644
--- a/assets/components/openshift-router/cluster-role-system-router.yaml
+++ b/assets/components/openshift-router/cluster-role-system-router.yaml
@@ -1,6 +1,8 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
 name: system:router
 rules:
 - apiGroups:
diff --git a/pkg/components/controllers.go b/pkg/components/controllers.go
index 3802dcec1e4..f6b3971aff3 100644
--- a/pkg/components/controllers.go
+++ b/pkg/components/controllers.go
@@ -119,7 +119,8 @@ func startIngressController(ctx context.Context, cfg *config.Config, kubeconfigP
 }
 clusterRole = []string{
 "components/openshift-router/cluster-role.yaml",
- "components/openshift-router/cluster-role-aggregate-route.yaml",
+ "components/openshift-router/cluster-role-aggregate-edit-route.yaml",
+ "components/openshift-router/cluster-role-aggregate-admin-route.yaml",
 "components/openshift-router/cluster-role-system-router.yaml",
 }
 apps = []string{
diff --git a/scripts/auto-rebase/assets.yaml b/scripts/auto-rebase/assets.yaml
index 00c2c7a3cf9..d1cd01bb06e 100644
--- a/scripts/auto-rebase/assets.yaml
+++ b/scripts/auto-rebase/assets.yaml
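Review bot: Every rule that remains in cluster-role-aggregate-edit-route.yaml becomes available to subjects bound to `edit` once the label reads `aggregate-to-edit`, and the rules between the two hunks (old lines 11–35) are not visible here, so the widening cannot be checked from the patch alone. Before merging, confirm that each remaining rule is meant for edit-level users, in particular any rule on a route subresource. The header comment could record the intent, for example `# Aggregated into edit, and into admin through edit; update on routes/status stays admin-only in aggregate-route-admin.` Admin keeping these permissions depends on the default `edit` role itself being aggregated into `admin`, which is standard Kubernetes behaviour but is not shown in this patch.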
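Review bot: Nothing in this hunk of pkg/components/controllers.go removes the `aggregate-route` ClusterRole that the old asset `cluster-role-aggregate-route.yaml` created; the list in startIngressController simply stops applying it. On an upgraded cluster that object would presumably stay in place, still labelled `aggregate-to-admin`, unless cleanup happens somewhere outside this patch. Its rules are covered by the two new roles, so this looks like stale RBAC rather than extra privilege, but a delete step or a comment such as `// aggregate-route was split into -edit and -admin; the old ClusterRole is removed in <cleanup location>` would keep the applied role set auditable. The function body starts and ends outside the hunk.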
@@ -37,7 +37,9 @@ assets: - file: service-cloud.yaml - file: serving-certificate.yaml git_restore: True - - file: cluster-role-aggregate-route.yaml + - file: cluster-role-aggregate-edit-route.yaml + git_restore: True + - file: cluster-role-aggregate-admin-route.yaml git_restore: True - dir: components/ovn/