From 7ab172bdbe0719109b4d81546879ba3d1f5ef72d Mon Sep 17 00:00:00 2001
From: Christian Schwede
Date: Wed, 21 Feb 2024 09:48:55 +0100
Subject: [PATCH] Create Keystone roles for Swift RBAC

Create the SwiftProjectReader and SwiftSystemReader default roles that can be assigned to users to provide limited read access.
---
 controllers/swiftproxy_controller.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/controllers/swiftproxy_controller.go b/controllers/swiftproxy_controller.go
index d024c5eb..6a907b32 100644
--- a/controllers/swiftproxy_controller.go
+++ b/controllers/swiftproxy_controller.go
@@ -393,6 +393,20 @@ func (r *SwiftProxyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 return ctrlResult, err
 }

+ // Create OpenStack roles for Swift RBAC
+ os, _, err := keystonev1.GetAdminServiceClient(ctx, helper, keystoneAPI)
+ if err != nil {
+ return ctrl.Result{}, err
+ }
+ _, err = os.CreateRole(r.Log, "SwiftProjectReader")
+ if err != nil {
+ return ctrl.Result{}, err
+ }
+ _, err = os.CreateRole(r.Log, "SwiftSystemReader")
+ if err != nil {
+ return ctrl.Result{}, err
+ }
+
 // Get the service password
 sps, hash, err := secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace)
 if err != nil {
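Review bot: The two role names in the added block are bare string literals, and nothing visible in this hunk ties them to the reader-role settings in the proxy's Swift configuration, so a typo or later rename on either side would go unnoticed until access checks behave unexpectedly. I would hoist them into named constants that the configuration template also uses, with a comment recording their scope, for example `// SwiftSystemReader is presumably read-only across all projects; assign sparingly.` Separately, the local `os` shadows the standard `os` package for the rest of Reconcile and the three error returns carry no context; a name such as `keystoneClient` and `fmt.Errorf("creating role %q: %w", name, err)` would make failures easier to trace. The block runs on every reconcile with an admin-scoped client, so it relies on `CreateRole` doing nothing when the role already exists, which is worth confirming and stating in the comment. Reconcile's body starts and ends outside the hunk.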