Fix VM file restore controller deployment and permissions

shubham-pampattiwar · claude · shubham-pampattiwar · commit a7441f632344 · 2025-11-07T16:18:59.000-08:00
This commit fixes issues found during live cluster testing: 1. Add missing RBAC permissions: - events permission for controller to create events - coordination.k8s.io/leases for leader election 2. Fix reconciliation loop in OADP operator: - Only update dynamic container fields (Image, ImagePullPolicy, Env, Resources) - Make PodSecurityContext conditional (set only if nil) - Prevents continuous reconciliation by leaving static fields unchanged 3. Bundle generation fixes: - Add vm-file-restore RBAC kustomization.yaml - Add oadp-vm-file-restore-controller-manager to Makefile BUNDLE_GEN_FLAGS - Reference vm-file-restore RBAC in config/manifests/kustomization.yaml - Clean unwanted RBAC from CSV (buckets, velero-privileged SCC, wildcards) Tested on live cluster - controller now deploys successfully, performs leader election, and no longer causes reconciliation loops. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/Makefile b/Makefile
@@ -47,7 +47,7 @@ IMAGE_TAG_BASE ?= openshift.io/oadp-operator
 BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 
 # BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
-BUNDLE_GEN_FLAGS ?= -q --extra-service-accounts "velero,non-admin-controller" --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+BUNDLE_GEN_FLAGS ?= -q --extra-service-accounts "velero,non-admin-controller,oadp-vm-file-restore-controller-manager" --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
 
 # USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
 # You can enable this value if you would like to use SHA Based Digests
diff --git a/bundle/manifests/oadp-operator.clusterserviceversion.yaml b/bundle/manifests/oadp-operator.clusterserviceversion.yaml
@@ -841,6 +841,149 @@ spec:
           verbs:
           - get
         serviceAccountName: non-admin-controller
+      - rules:
+        - apiGroups:
+          - ""
+          resources:
+          - events
+          - namespaces
+          - pods
+          - secrets
+          - serviceaccounts
+          - services
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - ""
+          resources:
+          - persistentvolumeclaims
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - apps
+          resources:
+          - deployments
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - coordination.k8s.io
+          resources:
+          - leases
+          verbs:
+          - get
+          - list
+          - watch
+          - create
+          - update
+          - patch
+          - delete
+        - apiGroups:
+          - oadp.openshift.io
+          resources:
+          - virtualmachinebackupsdiscoveries
+          - virtualmachinefilerestores
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - oadp.openshift.io
+          resources:
+          - virtualmachinebackupsdiscoveries/finalizers
+          - virtualmachinefilerestores/finalizers
+          verbs:
+          - update
+        - apiGroups:
+          - oadp.openshift.io
+          resources:
+          - virtualmachinebackupsdiscoveries/status
+          - virtualmachinefilerestores/status
+          verbs:
+          - get
+          - patch
+          - update
+        - apiGroups:
+          - rbac.authorization.k8s.io
+          resources:
+          - rolebindings
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - route.openshift.io
+          resources:
+          - routes
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - velero.io
+          resources:
+          - backups
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - velero.io
+          resources:
+          - datadownloads
+          verbs:
+          - get
+          - list
+          - patch
+          - watch
+        - apiGroups:
+          - velero.io
+          resources:
+          - downloadrequests
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - velero.io
+          resources:
+          - restores
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        serviceAccountName: oadp-vm-file-restore-controller-manager
       - rules:
         - apiGroups:
           - ""
@@ -930,7 +1073,6 @@ spec:
         - apiGroups:
           - oadp.openshift.io
           resources:
-          - '*'
           - cloudstorages
           - dataprotectionapplications
           - dataprotectiontests
@@ -992,6 +1134,14 @@ spec:
           - securitycontextconstraints
           verbs:
           - use
+        - apiGroups:
+          - security.openshift.io
+          resourceNames:
+          - privileged
+          resources:
+          - securitycontextconstraints
+          verbs:
+          - use
         - apiGroups:
           - snapshot.storage.k8s.io
           resources:
@@ -1017,7 +1167,10 @@ spec:
         - apiGroups:
           - velero.io
           resources:
-          - '*'
+          - backups
+          - backupstoragelocations
+          - restores
+          - volumesnapshotlocations
           verbs:
           - create
           - delete
diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - ../scorecard
 - ../velero
 - ../non-admin-controller_rbac
+- ../vm-file-restore-controller_rbac
 
 # [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager.
diff --git a/config/vm-file-restore-controller_rbac/kustomization.yaml b/config/vm-file-restore-controller_rbac/kustomization.yaml
@@ -0,0 +1,9 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
diff --git a/config/vm-file-restore-controller_rbac/role.yaml b/config/vm-file-restore-controller_rbac/role.yaml
@@ -7,6 +7,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - events
   - namespaces
   - pods
   - secrets
@@ -40,6 +41,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
 - apiGroups:
   - oadp.openshift.io
   resources:
diff --git a/internal/controller/vmfilerestore_controller.go b/internal/controller/vmfilerestore_controller.go
@@ -238,12 +238,14 @@ func ensureVMFileRestoreRequiredSpecs(
 		deploymentObject.Spec.Template.SetAnnotations(templateObjectAnnotations)
 	}
 
-	// Set pod security context
-	deploymentObject.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
-		RunAsNonRoot: ptr.To(true),
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
+	// Set pod security context only if not already set (to avoid reconciliation loops)
+	if deploymentObject.Spec.Template.Spec.SecurityContext == nil {
+		deploymentObject.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
+			RunAsNonRoot: ptr.To(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: corev1.SeccompProfileTypeRuntimeDefault,
+			},
+		}
 	}
 
 	// Build container spec
@@ -306,7 +308,14 @@ func ensureVMFileRestoreRequiredSpecs(
 	} else {
 		for index, container := range deploymentObject.Spec.Template.Spec.Containers {
 			if container.Name == "manager" {
-				deploymentObject.Spec.Template.Spec.Containers[index] = containerSpec
+				// Update only dynamic fields that can change based on DPA configuration
+				// Static fields (Command, Args, Ports, SecurityContext, Probes) are left as-is
+				vmFileRestoreContainer := &deploymentObject.Spec.Template.Spec.Containers[index]
+				vmFileRestoreContainer.Image = image
+				vmFileRestoreContainer.ImagePullPolicy = imagePullPolicy
+				vmFileRestoreContainer.Env = envVars
+				vmFileRestoreContainer.Resources = resources
+				vmFileRestoreContainer.TerminationMessagePolicy = corev1.TerminationMessageFallbackToLogsOnError
 				vmFileRestoreContainerFound = true
 				break
 			}
