From 84de74492c1472c2f863d4f3d212dbc6a6e0f93b Mon Sep 17 00:00:00 2001
From: Sebastian Widmer
Date: Wed, 17 May 2023 14:00:13 +0200
Subject: [PATCH] Allow bypassing user name validation
---
 config/rbac/role.yaml | 6 ++++++
 controllers/periodic_syncer.go | 3 +++
 2 files changed, 9 insertions(+)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 17f54ed..11f2efa 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -109,6 +109,12 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - rbac.appuio.io
+ resources:
+ - users
+ verbs:
+ - create
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
diff --git a/controllers/periodic_syncer.go b/controllers/periodic_syncer.go
index 13e1b04..7e89883 100644
--- a/controllers/periodic_syncer.go
+++ b/controllers/periodic_syncer.go
@@ -36,6 +36,9 @@ type PeriodicSyncer struct {
 //+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=create
 //+kubebuilder:rbac:groups=appuio.io,resources=teams,verbs=create
 //+kubebuilder:rbac:groups=appuio.io,resources=users,verbs=create
+// Allows managing other users than the one used by the controller itself
+// See https://github.com/appuio/control-api/pull/163
+//+kubebuilder:rbac:groups=rbac.appuio.io,resources=users,verbs=create
 //+kubebuilder:rbac:groups=organization.appuio.io;rbac.appuio.io,resources=organizations,verbs=create
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=subjects;rolebindings,verbs=*
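Review bot: The comment above the new `rbac.appuio.io` marker in `controllers/periodic_syncer.go` does not say that this grant is a validation bypass, which is the security-relevant fact a later reader of the role needs. Judging by the commit subject, holding `create` on `users` in `rbac.appuio.io` lets the controller's service account create User objects under names other than its own, so a leaked token for that account can presumably do the same. I would spell that out, e.g. `// SECURITY: this permission bypasses control-api's user name validation; grant it only to this controller's service account.`, and keep the PR link. The same rule appears in the `config/rbac/role.yaml` hunk with no further scoping, so audit logging of `users` creations by this account is the practical way to notice misuse. The marker block sits above code that starts outside this hunk.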