fix(rbac): reconcile Role when ObjectStore spec changes

When an ObjectStore's credentials change (e.g., secret rename), the
RBAC Role granting the Cluster's ServiceAccount access to those secrets
was not updated because nothing triggered a Cluster reconciliation.

Implement the ObjectStore controller's Reconcile to detect referencing
Clusters and update their Roles directly. Extract ensureRole into a
shared rbac.EnsureRole function used by both the Pre hook and the
ObjectStore controller.

The shared EnsureRole accepts optional beforeCreate callbacks so the
Pre hook can set owner references on Role creation, while the
ObjectStore controller path skips ownership (it only updates existing
Roles).

Handle deleted ObjectStores gracefully by skipping NotFound errors
during Role reconciliation, and filter status-only changes with
GenerationChangedPredicate.

Add RBAC permission for the plugin to list/watch Clusters so the
ObjectStore controller can find affected Clusters. Regenerate
config/rbac/role.yaml.

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>

Author: armru

config/rbac/role.yaml

@@ -44,6 +44,7 @@ rules:
   - postgresql.cnpg.io
   resources:
   - backups
+  - clusters
   verbs:
   - get
   - list

internal/cnpgi/operator/rbac/ensure.go

@@ -0,0 +1,91 @@
+/*
+Copyright © contributors to CloudNativePG, established as
+CloudNativePG a Series of LF Projects, LLC.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+// Package rbac contains utilities to reconcile RBAC resources
+// for the barman-cloud plugin.
+package rbac
+
+import (
+	"context"
+
+	cnpgv1 "github.com/cloudnative-pg/cloudnative-pg/api/v1"
+	"github.com/cloudnative-pg/machinery/pkg/log"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	apierrs "k8s.io/apimachinery/pkg/api/errors"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	barmancloudv1 "github.com/cloudnative-pg/plugin-barman-cloud/api/v1"
+	"github.com/cloudnative-pg/plugin-barman-cloud/internal/cnpgi/operator/specs"
+)
+
+// EnsureRole ensures the RBAC Role for the given Cluster matches
+// the desired state derived from the given ObjectStores.
+// Optional beforeCreate callbacks are applied to the Role before creation
+// (e.g. to set owner references). They are not called on updates.
+func EnsureRole(
+	ctx context.Context,
+	c client.Client,
+	cluster *cnpgv1.Cluster,
+	barmanObjects []barmancloudv1.ObjectStore,
+	beforeCreate ...func(*rbacv1.Role) error,
+) error {
+	contextLogger := log.FromContext(ctx)
+	newRole := specs.BuildRole(cluster, barmanObjects)
+
+	var role rbacv1.Role
+	if err := c.Get(ctx, client.ObjectKey{
+		Namespace: newRole.Namespace,
+		Name:      newRole.Name,
+	}, &role); err != nil {
+		if !apierrs.IsNotFound(err) {
+			return err
+		}
+
+		contextLogger.Info(
+			"Creating role",
+			"name", newRole.Name,
+			"namespace", newRole.Namespace,
+		)
+
+		for _, fn := range beforeCreate {
+			if err := fn(newRole); err != nil {
+				return err
+			}
+		}
+
+		return c.Create(ctx, newRole)
+	}
+
+	if equality.Semantic.DeepEqual(newRole.Rules, role.Rules) {
+		return nil
+	}
+
+	contextLogger.Info(
+		"Patching role",
+		"name", newRole.Name,
+		"namespace", newRole.Namespace,
+		"rules", newRole.Rules,
+	)
+
+	oldRole := role.DeepCopy()
+	role.Rules = newRole.Rules
+
+	return c.Patch(ctx, &role, client.MergeFrom(oldRole))
+}

internal/cnpgi/operator/rbac/ensure_test.go

@@ -0,0 +1,206 @@
+/*
+Copyright © contributors to CloudNativePG, established as
+CloudNativePG a Series of LF Projects, LLC.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package rbac_test
+
+import (
+	"context"
+	"fmt"
+
+	cnpgv1 "github.com/cloudnative-pg/cloudnative-pg/api/v1"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	barmanapi "github.com/cloudnative-pg/barman-cloud/pkg/api"
+	machineryapi "github.com/cloudnative-pg/machinery/pkg/api"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	barmancloudv1 "github.com/cloudnative-pg/plugin-barman-cloud/api/v1"
+	"github.com/cloudnative-pg/plugin-barman-cloud/internal/cnpgi/operator/rbac"
+)
+
+func newScheme() *runtime.Scheme {
+	s := runtime.NewScheme()
+	_ = rbacv1.AddToScheme(s)
+	_ = cnpgv1.AddToScheme(s)
+	_ = barmancloudv1.AddToScheme(s)
+	return s
+}
+
+func newCluster(name, namespace string) *cnpgv1.Cluster {
+	return &cnpgv1.Cluster{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+	}
+}
+
+func newObjectStore(name, namespace, secretName string) barmancloudv1.ObjectStore {
+	return barmancloudv1.ObjectStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Spec: barmancloudv1.ObjectStoreSpec{
+			Configuration: barmanapi.BarmanObjectStoreConfiguration{
+				DestinationPath: "s3://bucket/path",
+				BarmanCredentials: barmanapi.BarmanCredentials{
+					AWS: &barmanapi.S3Credentials{
+						AccessKeyIDReference: &machineryapi.SecretKeySelector{
+							LocalObjectReference: machineryapi.LocalObjectReference{
+								Name: secretName,
+							},
+							Key: "ACCESS_KEY_ID",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+var _ = Describe("EnsureRole", func() {
+	var (
+		ctx       context.Context
+		cluster   *cnpgv1.Cluster
+		objects   []barmancloudv1.ObjectStore
+		fakeClient client.Client
+	)
+
+	BeforeEach(func() {
+		ctx = context.Background()
+		cluster = newCluster("test-cluster", "default")
+		objects = []barmancloudv1.ObjectStore{
+			newObjectStore("my-store", "default", "aws-creds"),
+		}
+	})
+
+	Context("when the Role does not exist", func() {
+		BeforeEach(func() {
+			fakeClient = fake.NewClientBuilder().WithScheme(newScheme()).Build()
+		})
+
+		It("should create the Role", func() {
+			err := rbac.EnsureRole(ctx, fakeClient, cluster, objects)
+			Expect(err).NotTo(HaveOccurred())
+
+			var role rbacv1.Role
+			err = fakeClient.Get(ctx, client.ObjectKey{
+				Namespace: "default",
+				Name:      "test-cluster-barman-cloud",
+			}, &role)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(role.Rules).To(HaveLen(3))
+		})
+
+		It("should apply beforeCreate callbacks", func() {
+			called := false
+			err := rbac.EnsureRole(ctx, fakeClient, cluster, objects, func(role *rbacv1.Role) error {
+				called = true
+				role.Labels = map[string]string{"owner": "test-cluster"}
+				return nil
+			})
+			Expect(err).NotTo(HaveOccurred())
+			Expect(called).To(BeTrue())
+
+			var role rbacv1.Role
+			err = fakeClient.Get(ctx, client.ObjectKey{
+				Namespace: "default",
+				Name:      "test-cluster-barman-cloud",
+			}, &role)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(role.Labels).To(HaveKeyWithValue("owner", "test-cluster"))
+		})
+
+		It("should return error if beforeCreate callback fails", func() {
+			err := rbac.EnsureRole(ctx, fakeClient, cluster, objects, func(_ *rbacv1.Role) error {
+				return fmt.Errorf("callback error")
+			})
+			Expect(err).To(MatchError("callback error"))
+		})
+	})
+
+	Context("when the Role exists with matching rules", func() {
+		BeforeEach(func() {
+			fakeClient = fake.NewClientBuilder().WithScheme(newScheme()).Build()
+			Expect(rbac.EnsureRole(ctx, fakeClient, cluster, objects)).To(Succeed())
+		})
+
+		It("should not patch the Role", func() {
+			var before rbacv1.Role
+			Expect(fakeClient.Get(ctx, client.ObjectKey{
+				Namespace: "default",
+				Name:      "test-cluster-barman-cloud",
+			}, &before)).To(Succeed())
+
+			err := rbac.EnsureRole(ctx, fakeClient, cluster, objects)
+			Expect(err).NotTo(HaveOccurred())
+
+			var after rbacv1.Role
+			Expect(fakeClient.Get(ctx, client.ObjectKey{
+				Namespace: "default",
+				Name:      "test-cluster-barman-cloud",
+			}, &after)).To(Succeed())
+
+			Expect(after.ResourceVersion).To(Equal(before.ResourceVersion))
+		})
+	})
+
+	Context("when the Role exists with different rules", func() {
+		BeforeEach(func() {
+			fakeClient = fake.NewClientBuilder().WithScheme(newScheme()).Build()
+			// Create with old secret
+			oldObjects := []barmancloudv1.ObjectStore{
+				newObjectStore("my-store", "default", "old-secret"),
+			}
+			Expect(rbac.EnsureRole(ctx, fakeClient, cluster, oldObjects)).To(Succeed())
+		})
+
+		It("should patch the Role with new rules", func() {
+			// Now call with new secret name
+			err := rbac.EnsureRole(ctx, fakeClient, cluster, objects)
+			Expect(err).NotTo(HaveOccurred())
+
+			var role rbacv1.Role
+			Expect(fakeClient.Get(ctx, client.ObjectKey{
+				Namespace: "default",
+				Name:      "test-cluster-barman-cloud",
+			}, &role)).To(Succeed())
+
+			// The secrets rule should reference the new secret
+			secretsRule := role.Rules[2]
+			Expect(secretsRule.ResourceNames).To(ContainElement("aws-creds"))
+			Expect(secretsRule.ResourceNames).NotTo(ContainElement("old-secret"))
+		})
+
+		It("should not call beforeCreate callbacks on update", func() {
+			called := false
+			err := rbac.EnsureRole(ctx, fakeClient, cluster, objects, func(_ *rbacv1.Role) error {
+				called = true
+				return nil
+			})
+			Expect(err).NotTo(HaveOccurred())
+			Expect(called).To(BeFalse())
+		})
+	})
+})

internal/cnpgi/operator/rbac/suite_test.go

@@ -0,0 +1,32 @@
+/*
+Copyright © contributors to CloudNativePG, established as
+CloudNativePG a Series of LF Projects, LLC.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package rbac_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestRBAC(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "RBAC Suite")
+}