From 1616ec39684f890992aa53fedd91b63464d019ef Mon Sep 17 00:00:00 2001
From: Martin Gencur <mgencur@redhat.com>
Date: Mon, 4 Nov 2024 08:22:54 +0100
Subject: [PATCH] Allow kafka-controller to list JobSinks (#4155)

This is required otherwise KafkaBroker and KafkaSource can't forward
events to JobSink. This type of error is thrown:

failed to reconcile contract: failed to reconcile egress: failed to
resolve subscriber: failed to get lister for sinks.knative.dev/v1alpha1,
Resource=jobsinks: jobsinks.sinks.knative.dev is forbidden: User
"system:serviceaccount:knative-eventing:kafka-controller" cannot list
resource "jobsinks" in API group "sinks.knative.dev" at the cluster
scope
---
 .../200-controller/200-controller-cluster-role.yaml    | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/control-plane/config/eventing-kafka-broker/200-controller/200-controller-cluster-role.yaml b/control-plane/config/eventing-kafka-broker/200-controller/200-controller-cluster-role.yaml
index b91de4c342..78ef73b5bc 100644
--- a/control-plane/config/eventing-kafka-broker/200-controller/200-controller-cluster-role.yaml
+++ b/control-plane/config/eventing-kafka-broker/200-controller/200-controller-cluster-role.yaml
@@ -224,6 +224,16 @@ rules:
     verbs:
       - update
 
+  - apiGroups:
+      - "sinks.knative.dev"
+    resources:
+      - "jobsinks"
+      - "jobsinks/status"
+    verbs:
+      - get
+      - list
+      - watch
+
   # resources needed to grant eventtype autocreate rbac to namespaced data plane component
   - apiGroups:
       - "eventing.knative.dev"