From a23682296947cb320cb0094110c6c1cf307e6240 Mon Sep 17 00:00:00 2001
From: Miciah Masters
Date: Sun, 16 Oct 2022 16:29:32 -0400
Subject: [PATCH] Replace GCP role with explicit permissions

Instead of using a predefined role in the cloud credentials request for GCP, enumerate permissions explicitly.

The Google Cloud DNS API permissions are documented here:

Each method in the Cloud DNS API has a corresponding permission.

The operator's DNS provider implementation for GCP only calls two methods:

- dns.changes.create
- dns.resourcerecordsets.list

These methods require the following permissions:

- dns.changes.create
- dns.resourceRecordSets.create
- dns.resourceRecordSets.update
- dns.resourceRecordSets.delete
- dns.resourceRecordSets.list

This commit replaces the dns.admin role with these permissions in the credentials request.

This commit resolves CCO-249.

https://issues.redhat.com/browse/CCO-249

* manifests/00-ingress-credentials-request.yaml: Replace the roles/dns.admin predefined role with an explicit list of permissions.
---
 manifests/00-ingress-credentials-request.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/manifests/00-ingress-credentials-request.yaml b/manifests/00-ingress-credentials-request.yaml
index fcea8d284b..ce9b0df9ad 100644
--- a/manifests/00-ingress-credentials-request.yaml
+++ b/manifests/00-ingress-credentials-request.yaml
@@ -75,8 +75,12 @@ spec:
 providerSpec:
 apiVersion: cloudcredential.openshift.io/v1
 kind: GCPProviderSpec
- predefinedRoles:
- - roles/dns.admin
+ permissions:
+ - dns.changes.create
+ - dns.resourceRecordSets.create
+ - dns.resourceRecordSets.update
+ - dns.resourceRecordSets.delete
+ - dns.resourceRecordSets.list
 ---
 apiVersion: cloudcredential.openshift.io/v1
 kind: CredentialsRequest
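Review bot: The new `permissions:` list in the GCPProviderSpec hunk carries no explanation of why each entry is needed, so the least-privilege rationale lives only in the commit message and a later edit could drop `dns.resourceRecordSets.update`/`.delete` as apparently unused (the provider never calls those methods directly) or reinstate `roles/dns.admin`; a one-line YAML comment above `permissions:` such as `# dns.changes.create requires create/update/delete on resourceRecordSets; list is used to find existing records` would keep that reasoning next to the manifest. If the GCP provider also polls the status of a submitted change, `dns.changes.get` would be missing from this list; that cannot be confirmed from the patch, so it is worth checking against the provider code. It is also worth confirming that every Cloud Credential Operator version this manifest is shipped with honors `permissions` on GCPProviderSpec (custom-role minting and passthrough permission validation), since a CCO that ignored the field would leave the operator without DNS access rather than failing at install time.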