Controller Missing Privileges for OpenShift Route with Custom Host #2247

@c-kruse

Describe the bug
The RouterAccess (and SecuredAccess) domain setting in combination with accessType=route (default in OpenShift) results in perpetually Pending RouterAccess and a SecuredAccess that is in Error state. This feature is important for Sites in private networks where remote sites may be able to address them using some alternate name that is not the default domain. See #2243.

How To Reproduce
Apply the following Site and RouterAccess combo to an OpenShift cluster

apiVersion: skupper.io/v2alpha1
kind: Site
metadata:
  name: customdomain
spec: {}
---
apiVersion: skupper.io/v2alpha1
kind: RouterAccess
metadata:
  name: skupper-router
spec:
  generateTlsCredentials: true
  issuer: skupper-site-ca
  roles:
  - name: inter-router
    port: 55671
  tlsCredentials: skupper-site-server
  settings:
    domain: my-ingress-domain.testing

See that the routeraccess never becomes ready

$ k get routeraccesses.skupper.io
NAME             STATUS    MESSAGE
skupper-router   Pending   Pending
$ k get securedaccesses.skupper.io
NAME             STATUS   MESSAGE
skupper-router   Error    Route.route.openshift.io "skupper-router-inter-router" is invalid: spec.host: Forbidden: you do not have permission to set the host field of the route

Expected behavior
I would expect to see Routes created with host set similar to skupper 1.x with skupper init --ingress-host=my-ingress-domain.testing

Environment details

  • Skupper Operator (if applicable): 2.x
  • Platform: OpenShift

Additional context
The missing rule is this:

- apiGroups:
  - route.openshift.io
  resources:
  - routes/custom-host
  verbs:
  - create
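
An added example, not code from the issue or from the Skupper project: a stand-alone Go check that evaluates a set of RBAC rules the way Kubernetes matches resources and subresources, and reports whether they allow `create` on `routes/custom-host`. The `PolicyRule` type and function names are hypothetical, the rule sets in `main` are constructed, and `resourceNames` restrictions are not evaluated.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a local stand-in for an RBAC rule, not the k8s.io/api/rbac/v1 struct.
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// resourceMatches follows Kubernetes RBAC matching: "*", an exact
// "resource/subresource" entry, or the "*/subresource" form. "routes/*" is not a wildcard.
func resourceMatches(rule PolicyRule, resource, sub string) bool {
	for _, r := range rule.Resources {
		if r == "*" || r == resource+"/"+sub || (strings.HasPrefix(r, "*/") && r[2:] == sub) {
			return true
		}
	}
	return false
}

// CanSetRouteHost reports whether any rule grants create on routes/custom-host.
func CanSetRouteHost(rules []PolicyRule) bool {
	for _, r := range rules {
		if has(r.APIGroups, "route.openshift.io") && has(r.Verbs, "create") && resourceMatches(r, "routes", "custom-host") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed rule sets: access to routes alone, then with the rule from the issue added.
	before := []PolicyRule{{[]string{"route.openshift.io"}, []string{"routes"}, []string{"get", "list", "create", "update", "delete"}}}
	after := append(before, PolicyRule{[]string{"route.openshift.io"}, []string{"routes/custom-host"}, []string{"create"}})
	fmt.Println("before:", CanSetRouteHost(before), "after:", CanSetRouteHost(after))
}
```

Against a live cluster, `kubectl auth can-i create routes/custom-host --as=system:serviceaccount:<namespace>:<controller-service-account>` asks the API server the same question.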

Labels: bug, controller, help wanted