From eb0914d9997b0d4d25d1e0f750569113e1b575fd Mon Sep 17 00:00:00 2001
From: Jon Donovan
Date: Tue, 24 Mar 2020 18:00:40 -0700
Subject: [PATCH 1/3] Install from the manifest in a strict order. This order, Roles -> RoleBindings -> The Rest, prevents the operand from needing to structure their manifest such that this ordering exists, while allowing the Operator to use the bootstrapping mechanism described in https://github.com/knative/eventing-operator/pull/109 to 'escalate' itself into management of the Knative Eventing installation without a *** clusterrole.
---
 .../knativeeventing/knativeeventing.go | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/pkg/reconciler/knativeeventing/knativeeventing.go b/pkg/reconciler/knativeeventing/knativeeventing.go
index e856014e..24850fa1 100644
--- a/pkg/reconciler/knativeeventing/knativeeventing.go
+++ b/pkg/reconciler/knativeeventing/knativeeventing.go
@@ -42,6 +42,8 @@ import (
 var (
 platform common.Platforms
+ role mf.Predicate = mf.Any(mf.ByKind("ClusterRole"), mf.ByKind("Role"))
+ rolebinding mf.Predicate = mf.Any(mf.ByKind("ClusterRoleBinding"), mf.ByKind("RoleBinding"))
 )
 // Reconciler implements controller.Reconciler for Knativeeventing resources.
@@ -71,7 +73,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, key string) error {
 if apierrs.IsNotFound(err) {
 // The resource was deleted
 r.eventings.Delete(key)
- var RBAC = mf.Any(mf.ByKind("Role"), mf.ByKind("ClusterRole"), mf.ByKind("RoleBinding"), mf.ByKind("ClusterRoleBinding"))
+ var RBAC = mf.Any(role, rolebinding)
 if r.eventings.Len() == 0 {
 if err := r.config.Filter(mf.NoCRDs, mf.None(RBAC)).Delete(); err != nil {
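Review bot: The package-level predicates `role` and `rolebinding` added to the `var (` block (hunk `@@ -42,6 +42,8 @@`) carry no comment, although they now decide which objects `Reconcile` keeps out of its `Delete()` call and, later in this patch, the order in which `install` applies the manifest. I would add something like `// role and rolebinding select RBAC objects by Kind; they are skipped on delete and applied first on install.` above them. As written they match on Kind alone, so an object from another API group whose Kind happens to be `Role` would presumably be treated as RBAC as well; if that is not intended, the comment is the place to say so.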
@@ -163,7 +165,18 @@ func (r *Reconciler) transform(instance *eventingv1alpha1.KnativeEventing) (mf.M
 func (r *Reconciler) install(manifest *mf.Manifest, ke *eventingv1alpha1.KnativeEventing) error {
 r.Logger.Debug("Installing manifest")
 defer r.updateStatus(ke)
- if err := manifest.Apply(); err != nil {
+ // The Operator needs a higher level of permissions if it 'bind's non-existent roles.
+ // To avoid this, we strictly order the manifest application as (Cluster)Roles, then
+ // (Cluster)RoleBindings, then the rest of the manifest.
+ if err := manifest.Filter(role).Apply(); err != nil {
+ ke.Status.MarkEventingFailed("Manifest Installation", err.Error())
+ return err
+ }
+ if err := manifest.Filter(rolebinding).Apply(); err != nil {
+ ke.Status.MarkEventingFailed("Manifest Installation", err.Error())
+ return err
+ }
+ if err := manifest.Filter(mf.None(mf.Any(role, rolebinding))).Apply(); err != nil {
 ke.Status.MarkEventingFailed("Manifest Installation", err.Error())
 return err
 }
From 1d7777774140cbb069aee7822afd03c186f074c5 Mon Sep 17 00:00:00 2001
From: Jon Donovan
Date: Tue, 24 Mar 2020 18:11:59 -0700
Subject: [PATCH 2/3] Fixing golint
---
 pkg/reconciler/knativeeventing/knativeeventing.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/reconciler/knativeeventing/knativeeventing.go b/pkg/reconciler/knativeeventing/knativeeventing.go
index 24850fa1..5153c7c6 100644
--- a/pkg/reconciler/knativeeventing/knativeeventing.go
+++ b/pkg/reconciler/knativeeventing/knativeeventing.go
@@ -41,8 +41,8 @@ import (
 )
 var (
- platform common.Platforms
- role mf.Predicate = mf.Any(mf.ByKind("ClusterRole"), mf.ByKind("Role"))
+ platform common.Platforms
+ role mf.Predicate = mf.Any(mf.ByKind("ClusterRole"), mf.ByKind("Role"))
 rolebinding mf.Predicate = mf.Any(mf.ByKind("ClusterRoleBinding"), mf.ByKind("RoleBinding"))
 )
From 355359f45716eb309591f3ba45d45706c595f1c5 Mon Sep 17 00:00:00 2001
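Review bot: In `install` (PATCH 1/3, hunk `@@ -163,7 +165,18 @@`) all three `Apply` branches record the identical `MarkEventingFailed("Manifest Installation", err.Error())`, so the status cannot show whether the Role step, the RoleBinding step or the remainder failed. An RBAC denial on the binding step is the very failure this ordering is meant to avoid, so it should be distinguishable, for example `ke.Status.MarkEventingFailed("Manifest Installation", "applying (Cluster)RoleBindings: "+err.Error())` and likewise for the Role step. The ordering also creates bindings before any ServiceAccount the manifest may define (its contents are not visible here). Kubernetes accepts bindings whose subjects do not exist yet, so if the last step fails those grants stay in place; a comment saying that this is accepted, or cleanup on failure, would help. The body of `install` continues past the end of the hunk.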
From: Jon Donovan
Date: Wed, 25 Mar 2020 12:09:57 -0700
Subject: [PATCH 3/3] Just update the manifest as a final step.
---
 pkg/reconciler/knativeeventing/knativeeventing.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/reconciler/knativeeventing/knativeeventing.go b/pkg/reconciler/knativeeventing/knativeeventing.go
index 5153c7c6..936f6011 100644
--- a/pkg/reconciler/knativeeventing/knativeeventing.go
+++ b/pkg/reconciler/knativeeventing/knativeeventing.go
@@ -176,7 +176,7 @@ func (r *Reconciler) install(manifest *mf.Manifest, ke *eventingv1alpha1.Knative
 ke.Status.MarkEventingFailed("Manifest Installation", err.Error())
 return err
 }
- if err := manifest.Filter(mf.None(mf.Any(role, rolebinding))).Apply(); err != nil {
+ if err := manifest.Apply(); err != nil {
 ke.Status.MarkEventingFailed("Manifest Installation", err.Error())
 return err
 }
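Review bot: The comment added at the top of the ordered section of `install` in PATCH 1/3 still says the last step applies "the rest of the manifest", but this hunk makes the final call `manifest.Apply()` over the whole manifest, so the Roles and RoleBindings from the first two steps are applied a second time. The commit message gives no reason for dropping the filter, so the comment should state the intent, e.g. `// ... then the whole manifest; the Roles and RoleBindings from the first two steps are applied again here.`. If the re-apply is only a simplification, it is worth confirming that it cannot fail on a permission check that the filtered call avoided. The comment and the start of `install` lie outside this hunk.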