From 265418956c9ee85046e20dae970739799b9d6f7a Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Wed, 25 Sep 2024 16:19:08 +0200
Subject: [PATCH] Give default organization controller permissions to create/update arbitrary users

---
 config/rbac/controller/role.yaml | 8 ++++++++
 controllers/default_organization_controller.go | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/config/rbac/controller/role.yaml b/config/rbac/controller/role.yaml
index d6b0131a..11e67220 100644
--- a/config/rbac/controller/role.yaml
+++ b/config/rbac/controller/role.yaml
@@ -179,6 +179,14 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - rbac.appuio.io
+ resources:
+ - users
+ verbs:
+ - create
+ - patch
+ - update
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
diff --git a/controllers/default_organization_controller.go b/controllers/default_organization_controller.go
index a879d182..1ef9f8b6 100644
--- a/controllers/default_organization_controller.go
+++ b/controllers/default_organization_controller.go
@@ -24,7 +24,8 @@ type DefaultOrganizationReconciler struct {
 }
 
 //+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=get;list;watch
-//+kubebuilder:rbac:groups=appuio.io,resources=users,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=appuio.io,resources=users,verbs=get;list;watch
+//+kubebuilder:rbac:groups=rbac.appuio.io,resources=users,verbs=create;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=users/status,verbs=get
 
 // Reconcile reacts on changes of memberships and sets members' default organization if appropriate
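Review bot: The new marker `//+kubebuilder:rbac:groups=rbac.appuio.io,resources=users,verbs=create;update;patch` grants `create`, which the removed `appuio.io` marker never carried, and it applies to every user object because no `resourceNames` restriction is set. The Reconcile comment says the controller sets members' default organization, which suggests it only modifies existing users; if that holds, `verbs=update;patch` is the least-privilege form and the `create` entry in config/rbac/controller/role.yaml should be dropped with it. The split between `appuio.io` for reads and `rbac.appuio.io` for writes is unexplained and is easy to mistake for a typo, so a comment above the marker such as `// Writes to users are authorized against the rbac.appuio.io group; reads use appuio.io.` would help, assuming that is how the API server authorizes them. The reconciler body lies outside this hunk, so the verbs it actually needs cannot be confirmed from here.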