Skip to content

Grant the hook Role configmap access for CA publish#1335

Merged
RAVEENSR merged 1 commit into
wso2:mainfrom
RAVEENSR:fix-hooks-configmap-rbac
Jul 16, 2026
Merged

Grant the hook Role configmap access for CA publish#1335
RAVEENSR merged 1 commit into
wso2:mainfrom
RAVEENSR:fix-hooks-configmap-rbac

Conversation

@RAVEENSR

@RAVEENSR RAVEENSR commented Jul 16, 2026

Copy link
Copy Markdown
Member

Purpose

Every fresh install currently fails during the agent-manager chart's pre-install hooks, and the nightly e2e fails with it. The tls-certs hook Job was extended to publish the gateway-management CA as a ConfigMap (amp-api-gateway-mgmt-ca) for the control-plane gateway's BackendTLSPolicy, but the scoped hook Role only grants access to secrets. The Job runs as the amp-hooks ServiceAccount, so its kubectl apply of the ConfigMap is rejected:

configmaps "amp-api-gateway-mgmt-ca" is forbidden:
  User "system:serviceaccount:wso2-amp:amp-hooks" cannot get resource "configmaps" in the namespace "wso2-amp"

The Job then exhausts its backoff limit and the installer aborts.

Goals

Let the hook Job manage the CA ConfigMap it is responsible for, so fresh installs (and the nightly e2e) complete again.

Approach

Add a configmaps rule (get, create, patch — what kubectl apply needs) to rbac.rules in the wso2-agent-manager chart values, alongside the existing secrets rule. The Role stays scoped to the two resources the hooks actually touch.

User stories

As an operator, a fresh agent-manager install completes without the pre-install hook failing on a ConfigMap permission error.

Release note

Fixed a regression where fresh installs failed because the pre-install TLS-certs hook lacked permission to publish the gateway-management CA ConfigMap.

Documentation

N/A — no user-facing documentation change.

Training

N/A — no training-content impact.

Certification

N/A — no impact on certification exams.

Marketing

N/A — bug fix.

Automation tests

  • helm template … --show-only templates/rbac.yaml renders the hook Role with both secrets and configmaps (get/create/patch).
  • Verified on a real k3d + sslip install that the amp-api-tls-certs hook previously died with BackoffLimitExceeded on the ConfigMap Forbidden error; this grant is the missing permission it needs.

Security checks

  • Followed secure coding standards: yes
  • Ran FindSecurityBugs plugin and verified report? N/A — Helm chart values change, no Java.
  • Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets? yes

Samples

N/A.

Related PRs

N/A.

Migrations (if applicable)

N/A — the Role is re-applied on the next install/upgrade hook run.

Test environment

k3d (Kubernetes v1.32) on Ubuntu; Helm 3.

Learning

The hook Role grants must track what the hook Jobs actually do; the CA-ConfigMap publish step was added to the Job without extending the Role.

Summary by CodeRabbit

  • Bug Fixes
    • Updated deployment permissions to allow TLS certificate setup jobs to create and update the gateway management CA configuration.
    • Improved compatibility with secure gateway backend connections using TLS policies.

The tls-certs pre-install/pre-upgrade hook Job was extended to publish the
gateway-management CA as a ConfigMap (amp-api-gateway-mgmt-ca) for the
control-plane gateway's BackendTLSPolicy, but the scoped hook Role only
grants access to secrets. The Job runs as the amp-hooks ServiceAccount,
so `kubectl apply` of the ConfigMap fails with "configmaps is forbidden",
the Job exhausts its backoff limit, and the whole install aborts — every
fresh install fails, including the nightly e2e.

Add configmaps (get/create/patch) to rbac.rules so the hook can manage
the CA ConfigMap.

Related to wso2#1329
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2c098dfe-2e23-4b7a-95b4-8174252258d6

📥 Commits

Reviewing files that changed from the base of the PR and between 18851a8 and 52da2a6.

📒 Files selected for processing (1)
  • deployments/helm-charts/wso2-agent-manager/values.yaml

📝 Walkthrough

Walkthrough

Changes

Hook RBAC permissions

Layer / File(s) Summary
Add ConfigMap permissions
deployments/helm-charts/wso2-agent-manager/values.yaml
The scoped hook Role now grants get, create, and patch permissions on ConfigMaps for the TLS certs hook.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

Suggested reviewers: jhivandb, hanzjk

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: adding configmap access to the hook Role for CA publishing.
Description check ✅ Passed The description follows the required template and includes the key sections with concrete details and testing notes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@RAVEENSR
RAVEENSR merged commit a77a40b into wso2:main Jul 16, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants