From fa174c00db0d4469d779b7266c5a4f0d2060ebbf Mon Sep 17 00:00:00 2001
From: "Parsons, Cliff (cp769u)"
Date: Tue, 17 Aug 2021 03:39:27 +0000
Subject: [PATCH] Fix ceph-provisioner rbd-healer error
This patchset fixes the following error which was recently introduced by changing the cephcsi image version to v3.4.0:
E0816 18:37:30.966684 62307 rbd_healer.go:131] list volumeAttachments failed, err: volumeattachments.storage.k8s.io is forbidden: User "system:serviceaccount:ceph:clcp-ucp-ceph-provisioners-ceph-rbd-csi-nodeplugin" cannot list resource "volumeattachments" in API group "storage.k8s.io" at the cluster scope
E0816 18:37:30.966758 62307 driver.go:208] healer had failures, err volumeattachments.storage.k8s.io is forbidden: User "system:serviceaccount:ceph:clcp-ucp-ceph-provisioners-ceph-rbd-csi-nodeplugin" cannot list resource "volumeattachments" in API group "storage.k8s.io" at the cluster scope
Change-Id: Ia7cc61cf1df6690f25408b7aa8797e51d1c516ff
---
 ceph-provisioners/Chart.yaml | 2 +-
 ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml | 5 ++++-
 releasenotes/notes/ceph-provisioners.yaml | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/ceph-provisioners/Chart.yaml b/ceph-provisioners/Chart.yaml
index 777a19c73..a6ec5103b 100644
--- a/ceph-provisioners/Chart.yaml
+++ b/ceph-provisioners/Chart.yaml
@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph Provisioner
 name: ceph-provisioners
-version: 0.1.12
+version: 0.1.13
 home: https://github.com/ceph/ceph
 ...
diff --git a/ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml b/ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml
index 8933f340b..71d595cd6 100644
--- a/ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml
+++ b/ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml
@@ -25,7 +25,10 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["nodes"]
- verbs: ["get"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "watch", "list"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/releasenotes/notes/ceph-provisioners.yaml b/releasenotes/notes/ceph-provisioners.yaml
index 1fed15e08..1b6988286 100644
--- a/releasenotes/notes/ceph-provisioners.yaml
+++ b/releasenotes/notes/ceph-provisioners.yaml
@@ -12,4 +12,5 @@ ceph-provisioners:
 - 0.1.10 Add check for empty ceph endpoint
 - 0.1.11 Limit Ceph Provisioner Container Security Contexts
 - 0.1.12 Add ceph mon v2 port for ceph csi provisioner
+ - 0.1.13 Fix ceph-provisioner rbd-healer error
 ...
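Review bot: The `rules:` change in ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml grants more than the failure quoted in the commit message requires. The only denied call in that log is `list` on `volumeattachments`, yet the new rule also grants `watch`, and the existing `nodes` rule is widened from `get` to `get`, `watch`, `list` with no stated reason. These are cluster-scoped permissions for the rbd nodeplugin service account, and the file name suggests that account runs as a DaemonSet on every node, so each extra verb widens what a compromised plugin pod can read. Unless the v3.4.0 healer is shown to need them, keep `nodes` at `verbs: ["get"]` and use `verbs: ["get", "list"]` for `volumeattachments`, with a comment such as `# rbd-healer (cephcsi v3.4.0) lists VolumeAttachments`. The ClusterRole header and the rest of the ClusterRoleBinding lie outside the hunk, so the full role was not visible for this review.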