From b091c986e532b05ead4cdb515905b9ffa7c39786 Mon Sep 17 00:00:00 2001
From: James Busche
Date: Mon, 11 Sep 2023 14:33:31 -0700
Subject: [PATCH 1/2] adjust rbac to match mcad
Signed-off-by: James Busche
---
 config/rbac/role.yaml | 36 +++++++++++++++++++-----------------
 controllers/mcad_controller.go | 2 +-
 2 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 691c9dfb4..a2cc83f90 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -270,6 +270,25 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - quota.codeflare.dev
+ - workload.codeflare.dev
+ resources:
+ - appwrappers
+ - appwrappers/finalizers
+ - appwrappers/status
+ - queuejobs
+ - quotasubtrees
+ - schedulingspecs
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
@@ -318,20 +337,3 @@ rules:
 - get
 - list
 - watch
-- apiGroups:
-- - workload.codeflare.dev
-- resources:
-- - appwrappers
-- - appwrappers/finalizers
-- - appwrappers/status
-- - queuejobs
-- - schedulingspecs
-- verbs:
-- - create
-- - delete
-- - deletecollection
-- - get
-- - list
-- - patch
-- - update
-- - watch
diff --git a/controllers/mcad_controller.go b/controllers/mcad_controller.go
index 9dfecc24a..ce32f08bd 100644
--- a/controllers/mcad_controller.go
+++ b/controllers/mcad_controller.go
@@ -102,7 +102,7 @@ func (r *MCADReconciler) DeleteResource(params *MCADParams, template string, fns
 // +kubebuilder:rbac:groups=codeflare.codeflare.dev,resources=mcads,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=codeflare.codeflare.dev,resources=mcads/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=codeflare.codeflare.dev,resources=mcads/finalizers,verbs=update
-// +kubebuilder:rbac:groups=workload.codeflare.dev,resources=queuejobs;schedulingspecs;appwrappers;appwrappers/finalizers;appwrappers/status,verbs=get;list;watch;create;update;patch;delete;deletecollection
+// +kubebuilder:rbac:groups=workload.codeflare.dev;quota.codeflare.dev,resources=queuejobs;schedulingspecs;appwrappers;appwrappers/finalizers;appwrappers/status;quotasubtrees,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=core,resources=pods;lists;namespaces,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=core,resources=bindings;pods/binding,verbs=create
 // +kubebuilder:rbac:groups=core,resources=kube-scheduler,verbs=get;update
From 3a251b230a1a14a95ff02d5d074c32b263c5b0fe Mon Sep 17 00:00:00 2001
From: James Busche
Date: Tue, 12 Sep 2023 10:34:12 -0700
Subject: [PATCH 2/2] add quota items to the clusterrole
Signed-off-by: James Busche
---
 config/internal/mcad/clusterrole_mcad-controller.yaml.tmpl | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/config/internal/mcad/clusterrole_mcad-controller.yaml.tmpl b/config/internal/mcad/clusterrole_mcad-controller.yaml.tmpl
index 49dfe097a..8812cfc34 100644
--- a/config/internal/mcad/clusterrole_mcad-controller.yaml.tmpl
+++ b/config/internal/mcad/clusterrole_mcad-controller.yaml.tmpl
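Review bot: The changed `+kubebuilder:rbac` marker in controllers/mcad_controller.go grants the cross product of both API groups and all six resources, so `quotasubtrees` picks up `create`, `delete` and `deletecollection`, and `quota.codeflare.dev` is granted on names such as `appwrappers` that presumably exist only under `workload.codeflare.dev`. A dedicated marker would keep the grant narrow, for example `// +kubebuilder:rbac:groups=quota.codeflare.dev,resources=quotasubtrees,verbs=get;list;watch`, with the `workload.codeflare.dev` line left as it was. The verb list in that example is an assumption: it has to cover whatever the MCAD ClusterRole template grants, since the operator presumably cannot create a role with rights it does not hold itself. The same widening shows up in the config/rbac/role.yaml hunk, which looks regenerated from this marker, and in the clusterrole_mcad-controller.yaml.tmpl hunk of patch 2/2, whose verb list lies outside the hunk. The function these markers annotate is also outside the hunk.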
@@ -11,10 +11,12 @@ metadata:
 codeflare.codeflare.dev/cr-namespace: {{.Namespace}}
 rules:
 - apiGroups:
+ - quota.codeflare.dev
 - workload.codeflare.dev
 resources:
 - queuejobs
 - schedulingspecs
+ - quotasubtrees
 - appwrappers
 - appwrappers/finalizers
 - appwrappers/status