From 0d1a14220bed8599ebf744f5f275b6868500362c Mon Sep 17 00:00:00 2001
From: Dylan Murray
Date: Mon, 9 May 2022 15:45:07 -0400
Subject: [PATCH] OADP 486 - Update velero service account permissions (#673)
* OADP 486 - Update velero service account permissions
* Add back velero-privileged
(cherry picked from commit 3612b14bf724c2743388fb4d62529ce0c81eed1d)
---
 .../oadp-operator.clusterserviceversion.yaml | 33 ++++++++++++++++++
 config/velero/velero-role.yaml | 34 ++++++++++++++++++-
 2 files changed, 66 insertions(+), 1 deletion(-)
diff --git a/bundle/manifests/oadp-operator.clusterserviceversion.yaml b/bundle/manifests/oadp-operator.clusterserviceversion.yaml
index 64cfe7377a..8814259130 100644
--- a/bundle/manifests/oadp-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/oadp-operator.clusterserviceversion.yaml
@@ -421,8 +421,41 @@ spec:
 serviceAccountName: openshift-adp-controller-manager
 - rules:
 - apiGroups:
+ - build.openshift.io
+ - migration.openshift.io
+ - rbac.authorization.k8s.io
+ - velero.io
+ resources:
+ - '*'
+ verbs:
 - '*'
+ - apiGroups:
+ - ""
 resources:
+ - serviceaccounts
+ verbs:
+ - '*'
+ - apiGroups:
+ - packages.operators.coreos.com
+ resources:
+ - packagemanifests
+ verbs:
+ - '*'
+ - apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - assign
+ - deletecollection
+ - nonResourceURLs:
 - '*'
 verbs:
 - '*'
diff --git a/config/velero/velero-role.yaml b/config/velero/velero-role.yaml
index cf51fe6738..1d2aa950a4 100644
--- a/config/velero/velero-role.yaml
+++ b/config/velero/velero-role.yaml
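Review bot: In the added rules of the CSV hunk, `verbs: '*'` on `rbac.authorization.k8s.io` and on core `serviceaccounts` gives back exactly what the enumerated verb list on the `'*'`/`'*'` rule leaves out: `escalate` and `bind` on roles and bindings, and `impersonate` on service accounts. With those two rules, plus `create`/`update`/`patch` on every resource, the account bound to this role can still raise its own privileges, so the change is not a meaningful reduction from the previous full wildcard. If restore really needs to recreate RBAC objects, enumerate the verbs on those two rules as well, e.g. `verbs: [get, list, watch, create, update, patch, delete]`, and add `bind` or `escalate` only with a comment explaining which restore path needs it. `assign` does not look like a standard Kubernetes request verb, so it is worth confirming which API expects it. The hunk at `@@ -7,8 +7,41 @@` in `config/velero/velero-role.yaml` repeats the same rules and needs the same treatment.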
@@ -7,8 +7,41 @@ metadata:
 name: velero-role
 rules:
 - apiGroups:
+ - build.openshift.io
+ - migration.openshift.io
+ - rbac.authorization.k8s.io
+ - velero.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
 - '*'
+- apiGroups:
+ - packages.operators.coreos.com
 resources:
+ - packagemanifests
+ verbs:
+ - '*'
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+ - assign
+ - deletecollection
+- nonResourceURLs:
 - '*'
 verbs:
 - '*'
@@ -16,7 +49,6 @@ rules:
 - security.openshift.io
 resourceNames:
 - privileged
- - velero-privileged
 resources:
 - securitycontextconstraints
 verbs: