fix: RBAC to disable deployment

pl4nty · pl4nty · commit 45b40adda018 · 2025-01-04T07:36:33.000Z
also bump ratelimit requeue to 10min after seeing failed recoveries

Signed-off-by: Tom Plant &lt;tom@tplant.com.au&gt;
diff --git a/README.md b/README.md
@@ -88,7 +88,7 @@ By default, a [Cloudflare Tunnel client](https://github.com/cloudflare/cloudflar
 Additional clients can be deployed ([guide](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/)) to customise parameters like replicas or tolerations, and traffic will be load-balanced between them and the built-in client.
 To disable the built-in Deployment and only use standalone clients:
 
-1. Create a ConfigMap: `kubectl create configmap -n cloudflare-gateway generic gateway --from-literal=disableDeployment=true`
+1. Create a ConfigMap: `kubectl create configmap -n cloudflare-gateway gateway --from-literal=disableDeployment=true`
 2. Reference it from the gateway:
 
 ```yaml
@@ -107,6 +107,5 @@ spec:
     parametersRef:
       group: ""
       kind: ConfigMap
-      namespace: cloudflare-gateway
       name: gateway
 ```
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -10,24 +10,26 @@ rules:
   - deployments
   verbs:
   - create
+  - delete
   - get
   - list
   - update
   - watch
 - apiGroups:
   - ""
   resources:
-  - events
-  verbs:
-  - create
-- apiGroups:
-  - ""
-  resources:
+  - configmaps
   - secrets
   verbs:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
diff --git a/internal/controller/gateway_controller.go b/internal/controller/gateway_controller.go
@@ -50,10 +50,10 @@ type GatewayReconciler struct {
 // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;update;watch
 // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/finalizers,verbs=update
 // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=update
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;get;list;update;watch
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;get;list;update;watch;delete
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get
-// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get
+// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -333,9 +333,9 @@ func (r *GatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 	})
 	if err != nil {
 		if strings.Contains(err.Error(), "429 Too Many Requests") {
-			log.Error(err, "Rate limited, requeueing after 5 minutes")
+			log.Error(err, "Rate limited, requeueing after 10 minutes")
 			return ctrl.Result{
-				RequeueAfter: time.Minute * 5, // https://developers.cloudflare.com/fundamentals/api/reference/limits/
+				RequeueAfter: time.Minute * 10, // https://developers.cloudflare.com/fundamentals/api/reference/limits/
 			}, nil
 		} else {
 			return ctrl.Result{}, err
