Grant the hook Role configmap access for CA publish#1335
Merged
Conversation
The tls-certs pre-install/pre-upgrade hook Job was extended to publish the gateway-management CA as a ConfigMap (amp-api-gateway-mgmt-ca) for the control-plane gateway's BackendTLSPolicy, but the scoped hook Role only grants access to secrets. The Job runs as the amp-hooks ServiceAccount, so `kubectl apply` of the ConfigMap fails with "configmaps is forbidden", the Job exhausts its backoff limit, and the whole install aborts — every fresh install fails, including the nightly e2e. Add configmaps (get/create/patch) to rbac.rules so the hook can manage the CA ConfigMap. Related to wso2#1329
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughChangesHook RBAC permissions
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
jhivandb
approved these changes
Jul 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
Every fresh install currently fails during the
agent-managerchart's pre-install hooks, and the nightly e2e fails with it. Thetls-certshook Job was extended to publish the gateway-management CA as a ConfigMap (amp-api-gateway-mgmt-ca) for the control-plane gateway'sBackendTLSPolicy, but the scoped hookRoleonly grants access tosecrets. The Job runs as theamp-hooksServiceAccount, so itskubectl applyof the ConfigMap is rejected:The Job then exhausts its backoff limit and the installer aborts.
Goals
Let the hook Job manage the CA ConfigMap it is responsible for, so fresh installs (and the nightly e2e) complete again.
Approach
Add a
configmapsrule (get,create,patch— whatkubectl applyneeds) torbac.rulesin thewso2-agent-managerchart values, alongside the existingsecretsrule. The Role stays scoped to the two resources the hooks actually touch.User stories
As an operator, a fresh
agent-managerinstall completes without the pre-install hook failing on a ConfigMap permission error.Release note
Fixed a regression where fresh installs failed because the pre-install TLS-certs hook lacked permission to publish the gateway-management CA ConfigMap.
Documentation
N/A — no user-facing documentation change.
Training
N/A — no training-content impact.
Certification
N/A — no impact on certification exams.
Marketing
N/A — bug fix.
Automation tests
helm template … --show-only templates/rbac.yamlrenders the hookRolewith bothsecretsandconfigmaps(get/create/patch).amp-api-tls-certshook previously died withBackoffLimitExceededon the ConfigMapForbiddenerror; this grant is the missing permission it needs.Security checks
Samples
N/A.
Related PRs
N/A.
Migrations (if applicable)
N/A — the Role is re-applied on the next install/upgrade hook run.
Test environment
k3d (Kubernetes v1.32) on Ubuntu; Helm 3.
Learning
The hook
Rolegrants must track what the hook Jobs actually do; the CA-ConfigMap publish step was added to the Job without extending the Role.Summary by CodeRabbit