From 31a011b258b77554f05cd86415d3c5158ede2412 Mon Sep 17 00:00:00 2001
From: Yanni Zhang <56080500+yannizhang2019@users.noreply.github.com>
Date: Thu, 31 Oct 2024 13:40:01 -0700
Subject: [PATCH 1/2] Clean up Turbonomic folder to store new orm files (#2277)

* Add a new folder to store orm files

* Update readme

* Remove turbonomic-orm folder

* Clean up turbonomic folder

---------

Co-authored-by: YanniZhang <yanni@yannizhangs-mbp.usca.ibm.com>
Co-authored-by: YanniZhang <yanni@YanniZhangs-MacBook-Pro.local>
---
 turbonomic/README.md                          | 96 +------------------
 turbonomic/orm-audit-logging.yaml             | 15 ---
 turbonomic/orm-auth-idp.yaml                  | 21 ----
 turbonomic/orm-auth-pap.yaml                  | 17 ----
 turbonomic/orm-auth-pdp.yaml                  | 17 ----
 turbonomic/orm-cert-manager.yaml              | 36 -------
 turbonomic/orm-common-web-ui.yaml             | 15 ---
 .../orm-ibm-licensing-service-instance.yaml   | 15 ---
 turbonomic/orm-ibm-monitoring-grafana.yaml    | 21 ----
 turbonomic/orm-icp-mongodb.yaml               | 16 ----
 turbonomic/orm-management-ingress.yaml        | 15 ---
 turbonomic/orm-must-gather-service.yaml       | 15 ---
 turbonomic/orm-nginx-ingress.yaml             | 22 -----
 turbonomic/orm-oidcclient-watcher.yaml        | 15 ---
 turbonomic/orm-platform-api.yaml              | 17 ----
 turbonomic/orm-policy-controller.yaml         | 15 ---
 turbonomic/orm-secret-watcher.yaml            | 15 ---
 .../orm-system-healthcheck-service.yaml       | 22 -----
 18 files changed, 1 insertion(+), 404 deletions(-)
 delete mode 100644 turbonomic/orm-audit-logging.yaml
 delete mode 100644 turbonomic/orm-auth-idp.yaml
 delete mode 100644 turbonomic/orm-auth-pap.yaml
 delete mode 100644 turbonomic/orm-auth-pdp.yaml
 delete mode 100644 turbonomic/orm-cert-manager.yaml
 delete mode 100644 turbonomic/orm-common-web-ui.yaml
 delete mode 100644 turbonomic/orm-ibm-licensing-service-instance.yaml
 delete mode 100644 turbonomic/orm-ibm-monitoring-grafana.yaml
 delete mode 100644 turbonomic/orm-icp-mongodb.yaml
 delete mode 100644 turbonomic/orm-management-ingress.yaml
 delete mode 100644 turbonomic/orm-must-gather-service.yaml
 delete mode 100644 turbonomic/orm-nginx-ingress.yaml
 delete mode 100644 turbonomic/orm-oidcclient-watcher.yaml
 delete mode 100644 turbonomic/orm-platform-api.yaml
 delete mode 100644 turbonomic/orm-policy-controller.yaml
 delete mode 100644 turbonomic/orm-secret-watcher.yaml
 delete mode 100644 turbonomic/orm-system-healthcheck-service.yaml

diff --git a/turbonomic/README.md b/turbonomic/README.md
index bd5f61461..459e04980 100644
--- a/turbonomic/README.md
+++ b/turbonomic/README.md
@@ -1,95 +1 @@
-## Deployments
-
-### Authentication
-
-CRD Name: authentications.operator.ibm.com
-- [x] auth-idp
-
-### Pap
-
-CRD Name: paps.operator.ibm.com
-- [x] auth-pap
-
-### PolicyDecision
-
-CRD Name: policydecisions.operator.ibm.com
-- [x] auth-pdp
-
-### CertManager
-
-CRD Name: certmanagers.operator.ibm.com
-- [x] cert-manager-cainjector
-- [x] cert-manager-controller
-- [x] cert-manager-webhook
-- [x] configmap-watcher
-
-### CommonWebUI
-
-CRD Name: commonwebuis.operators.ibm.com
-- [x] common-web-ui
-
-### NginxIngress
-
-CRD Name: CRD Name: nginxingresses.operator.ibm.com
-- [x] default-http-backend
-- [x] nginx-ingress-controller
-
-### PolicyController
-
-CRD Name: policycontrollers.operator.ibm.com
-- [x] iam-policy-controller
-
-### IBMLicensing
-
-CRD Name: ibmlicensings.operator.ibm.com
-- [x] ibm-licensing-service-instance
-
-### Grafana
-
-CRD Name: grafanas.operator.ibm.com
-- [x] ibm-monitoring-grafana
-
-### HealthService
-
-CRD Name: healthservices.operator.ibm.com
-- [x] icp-memcached
-- [x] system-healthcheck-service
-
-### ManagementIngress
-
-CRD Name: managementingresses.operator.ibm.com
-- [x] management-ingress
-
-### OIDCClientWatcher
-
-CRD Name: oidcclientwatchers.operator.ibm.com
-- [x] oidcclient-watcher
-
-### PlatformAPI
-
-CRD Name: platformapis.operator.ibm.com
-- [x] platform-api
-
-### SecretWatcher
-
-CRD Name: secretwatchers.operator.ibm.com
-- [x] secret-watcher
-
-## StatefulSets
-
-### MongoDB
-
-mongodbs.operator.ibm.com
-- [x] icp-mongodb
-
-### MustGatherService
-
-mustgatherservices.operator.ibm.com
-- [x] must-gather-service
-
-## DaemonSets
-
-### AuditLogging
-
-auditloggings.operator.ibm.com
-- [x] audit-logging-fluentd-ds
+placeholder for readme
diff --git a/turbonomic/orm-audit-logging.yaml b/turbonomic/orm-audit-logging.yaml
deleted file mode 100644
index e6bcd0f0c..000000000
--- a/turbonomic/orm-audit-logging.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: auditloggings.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: DaemonSet
-        componentNames:
-          - audit-logging-fluentd-ds
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="fluentd")].resources
-          destPath: .spec.resources
diff --git a/turbonomic/orm-auth-idp.yaml b/turbonomic/orm-auth-idp.yaml
deleted file mode 100644
index 3f96cd6cc..000000000
--- a/turbonomic/orm-auth-idp.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: authentications.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - auth-idp
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="icp-audit-service")].resources
-          destPath: .spec.auditService.resources
-        - srcPath: .spec.template.spec.containers[?(@.name=="platform-auth-service")].resources
-          destPath: .spec.authService.resources
-        - srcPath: .spec.template.spec.containers[?(@.name=="platform-identity-provider")].resources
-          destPath: .spec.datasourceConfig.identityProvider.resources
-        - srcPath: .spec.template.spec.containers[?(@.name=="platform-identity-manager")].resources
-          destPath: .spec.identityManager.resources
diff --git a/turbonomic/orm-auth-pap.yaml b/turbonomic/orm-auth-pap.yaml
deleted file mode 100644
index 95be522e9..000000000
--- a/turbonomic/orm-auth-pap.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: paps.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - auth-pap
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="icp-audit-service")].resources
-          destPath: .spec.auditService.resources
-        - srcPath: .spec.template.spec.containers[?(@.name=="auth-pap")].resources
-          destPath: .spec.papService.resources
diff --git a/turbonomic/orm-auth-pdp.yaml b/turbonomic/orm-auth-pdp.yaml
deleted file mode 100644
index 94eccf2fd..000000000
--- a/turbonomic/orm-auth-pdp.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: policydecisions.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - auth-pdp
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="icp-audit-service")].resources
-          destPath: .spec.auditService.resources
-        - srcPath: .spec.template.spec.containers[?(@.name=="auth-pdp")].resources
-          destPath: .spec.resources
diff --git a/turbonomic/orm-cert-manager.yaml b/turbonomic/orm-cert-manager.yaml
deleted file mode 100644
index f5abae9eb..000000000
--- a/turbonomic/orm-cert-manager.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: certmanagers.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - cert-manager-cainjector
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="cert-manager-cainjector")].resources
-          destPath: .spec.certManagerCAInjector.resources
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - cert-manager-controller
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="cert-manager-controller")].resources
-          destPath: .spec.certManagerController.resources
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - cert-manager-webhook
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="cert-manager-webhook")].resources
-          destPath: .spec.certManagerWebhook.resources
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - configmap-watcher
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="configmap-watcher")].resources
-          destPath: .spec.configMapWatcher.resources
diff --git a/turbonomic/orm-common-web-ui.yaml b/turbonomic/orm-common-web-ui.yaml
deleted file mode 100644
index f56a56f36..000000000
--- a/turbonomic/orm-common-web-ui.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: commonwebuis.operators.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - common-web-ui
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="common-web-ui")].resources
-          destPath: .spec.resources
diff --git a/turbonomic/orm-ibm-licensing-service-instance.yaml b/turbonomic/orm-ibm-licensing-service-instance.yaml
deleted file mode 100644
index f3ac20af9..000000000
--- a/turbonomic/orm-ibm-licensing-service-instance.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: ibmlicensings.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - ibm-licensing-service-instance
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="license-service")].resources
-          destPath: .spec.resources
\ No newline at end of file
diff --git a/turbonomic/orm-ibm-monitoring-grafana.yaml b/turbonomic/orm-ibm-monitoring-grafana.yaml
deleted file mode 100644
index e8e5ac640..000000000
--- a/turbonomic/orm-ibm-monitoring-grafana.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: grafanas.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - ibm-monitoring-grafana
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="router")].resources
-          destPath: .spec.routerConfig.resources
-        - srcPath: .spec.template.spec.containers[?(@.name=="dashboard-controller")].resources
-          destPath: .spec.dashboardConfig.resources
-        - srcPath: .spec.template.spec.containers[?(@.name=="ds-proxy")].resources
-          destPath: .spec.datasourceConfig.proxyResources.resources
-        - srcPath: .spec.template.spec.containers[?(@.name=="grafana")].resources
-          destPath: .spec.grafanaConfig.resources
\ No newline at end of file
diff --git a/turbonomic/orm-icp-mongodb.yaml b/turbonomic/orm-icp-mongodb.yaml
deleted file mode 100644
index f309e1838..000000000
--- a/turbonomic/orm-icp-mongodb.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# This is a sample ORM CR for MongoDB CRD.
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: mongodbs.operator.ibm.com
-spec:
-  resourceMappings:
-  - srcResourceSpec:
-      kind: StatefulSet
-      componentNames:
-      - icp-mongodb
-    resourceMappingTemplates:
-    - srcPath: .spec.template.spec.containers[?(@.name=="{{.componentName}}")].resources
-      destPath: .spec.resources
-    # - srcPath: .spec.replicas
-    #   destPath: .spec.replicas
diff --git a/turbonomic/orm-management-ingress.yaml b/turbonomic/orm-management-ingress.yaml
deleted file mode 100644
index 364a7394e..000000000
--- a/turbonomic/orm-management-ingress.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: managementingresses.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - management-ingress
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="management-ingress")].resources
-          destPath: .spec.resources
\ No newline at end of file
diff --git a/turbonomic/orm-must-gather-service.yaml b/turbonomic/orm-must-gather-service.yaml
deleted file mode 100644
index 7e9011000..000000000
--- a/turbonomic/orm-must-gather-service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: mustgatherservices.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: StatefulSet
-        componentNames:
-          - must-gather-service
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="must-gather-service")].resources
-          destPath: .spec.mustGather.resources
\ No newline at end of file
diff --git a/turbonomic/orm-nginx-ingress.yaml b/turbonomic/orm-nginx-ingress.yaml
deleted file mode 100644
index dc4232216..000000000
--- a/turbonomic/orm-nginx-ingress.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: nginxingresses.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - default-http-backend
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="default-http-backend")].resources
-          destPath: .spec.defaultBackend.resources
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - nginx-ingress-controller
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="nginx-ingress")].resources
-          destPath: .spec.ingress.resources
diff --git a/turbonomic/orm-oidcclient-watcher.yaml b/turbonomic/orm-oidcclient-watcher.yaml
deleted file mode 100644
index 2c815121e..000000000
--- a/turbonomic/orm-oidcclient-watcher.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: oidcclientwatchers.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - oidcclient-watcher
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="oidcclient-watcher")].resources
-          destPath: .spec.resources
\ No newline at end of file
diff --git a/turbonomic/orm-platform-api.yaml b/turbonomic/orm-platform-api.yaml
deleted file mode 100644
index ed71a0e1c..000000000
--- a/turbonomic/orm-platform-api.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: platformapis.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - platform-api
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="audit-service")].resources
-          destPath: .spec.auditService.resources
-        - srcPath: .spec.template.spec.containers[?(@.name=="platform-api")].resources
-          destPath: .spec.platformApi.resources
\ No newline at end of file
diff --git a/turbonomic/orm-policy-controller.yaml b/turbonomic/orm-policy-controller.yaml
deleted file mode 100644
index 9667105b8..000000000
--- a/turbonomic/orm-policy-controller.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: policycontrollers.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - iam-policy-controller
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="iam-policy-controller")].resources
-          destPath: .spec.resources
diff --git a/turbonomic/orm-secret-watcher.yaml b/turbonomic/orm-secret-watcher.yaml
deleted file mode 100644
index a5c8b6fd3..000000000
--- a/turbonomic/orm-secret-watcher.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: secretwatchers.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - secret-watcher
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="secret-watcher")].resources
-          destPath: .spec.resources
\ No newline at end of file
diff --git a/turbonomic/orm-system-healthcheck-service.yaml b/turbonomic/orm-system-healthcheck-service.yaml
deleted file mode 100644
index 57ab10dc2..000000000
--- a/turbonomic/orm-system-healthcheck-service.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: turbonomic.com/v1alpha1
-kind: OperatorResourceMapping
-metadata:
-  name: healthservices.operator.ibm.com
-  labels:
-    component: cpfs
-spec:
-  resourceMappings:
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - system-healthcheck-service
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="system-healthcheck-service")].resources
-          destPath: .spec.healthService.resources
-    - srcResourceSpec:
-        kind: Deployment
-        componentNames:
-          - icp-memcached
-      resourceMappingTemplates:
-        - srcPath: .spec.template.spec.containers[?(@.name=="icp-memcached")].resources
-          destPath: .spec.memcached.resources
\ No newline at end of file

From c654b547e37c33987b91673f84f5eae8af6d5392 Mon Sep 17 00:00:00 2001
From: YuChen Shen <59578388+YCShen1010@users.noreply.github.com>
Date: Fri, 1 Nov 2024 15:40:02 -0400
Subject: [PATCH 2/2] collect new min RBAC by Bedrock 4.10 (#2286)

Signed-off-by: YuChen <yuchen.shen@mail.utoronto.ca>
---
 .../common/nss-managed-bedrock-core-role.yaml | 383 ++++++------------
 1 file changed, 128 insertions(+), 255 deletions(-)

diff --git a/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml b/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml
index b40a332a2..8412dcbaa 100644
--- a/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml
+++ b/cp3pt0-deployment/common/nss-managed-bedrock-core-role.yaml
@@ -4,18 +4,6 @@ metadata:
   name: nss-managed-role-from-operator_ns_to_replace
   namespace: ns_to_replace
 rules:
-  - verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    apiGroups:
-      - apps
-    resources:
-      - deployments/status
   - verbs:
       - create
       - delete
@@ -28,6 +16,8 @@ rules:
       - ''
     resources:
       - configmaps
+      - secrets
+      - services
   - verbs:
       - get
       - patch
@@ -36,6 +26,7 @@ rules:
       - ''
     resources:
       - configmaps/status
+      - secrets/status
   - verbs:
       - create
       - patch
@@ -43,14 +34,6 @@ rules:
       - ''
     resources:
       - events
-  - verbs:
-      - get
-      - list
-      - watch
-    apiGroups:
-      - ''
-    resources:
-      - namespaces
   - verbs:
       - get
       - list
@@ -70,27 +53,7 @@ rules:
       - ''
     resources:
       - persistentvolumeclaims
-  - verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - watch
-    apiGroups:
-      - ''
-    resources:
       - pods
-  - verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - watch
-    apiGroups:
-      - ''
-    resources:
       - pods/exec
   - verbs:
       - get
@@ -98,26 +61,6 @@ rules:
       - ''
     resources:
       - pods/status
-  - verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    apiGroups:
-      - ''
-    resources:
-      - secrets
-  - verbs:
-      - get
-      - patch
-      - update
-    apiGroups:
-      - ''
-    resources:
-      - secrets/status
   - verbs:
       - create
       - get
@@ -130,34 +73,12 @@ rules:
     resources:
       - serviceaccounts
   - verbs:
-      - create
-      - delete
       - get
-      - list
       - patch
-      - update
-      - watch
-    apiGroups:
-      - ''
-    resources:
-      - services
-  - verbs:
-      - get
-      - list
-      - patch
-      - update
     apiGroups:
       - admissionregistration.k8s.io
     resources:
       - mutatingwebhookconfigurations
-  - verbs:
-      - get
-      - list
-      - patch
-      - update
-    apiGroups:
-      - admissionregistration.k8s.io
-    resources:
       - validatingwebhookconfigurations
   - verbs:
       - get
@@ -233,6 +154,9 @@ rules:
       - postgresql.k8s.enterprisedb.io
     resources:
       - backups
+      - clusters
+      - poolers
+      - scheduledbackups
   - verbs:
       - get
       - patch
@@ -241,50 +165,13 @@ rules:
       - postgresql.k8s.enterprisedb.io
     resources:
       - backups/status
-  - verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    apiGroups:
-      - postgresql.k8s.enterprisedb.io
-    resources:
-      - clusters
+      - scheduledbackups/status
   - verbs:
       - update
     apiGroups:
       - postgresql.k8s.enterprisedb.io
     resources:
       - clusters/finalizers
-  - verbs:
-      - get
-      - patch
-      - update
-      - watch
-    apiGroups:
-      - postgresql.k8s.enterprisedb.io
-    resources:
-      - clusters/status
-  - verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    apiGroups:
-      - postgresql.k8s.enterprisedb.io
-    resources:
-      - poolers
-  - verbs:
-      - update
-    apiGroups:
-      - postgresql.k8s.enterprisedb.io
-    resources:
       - poolers/finalizers
   - verbs:
       - get
@@ -294,27 +181,8 @@ rules:
     apiGroups:
       - postgresql.k8s.enterprisedb.io
     resources:
+      - clusters/status
       - poolers/status
-  - verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    apiGroups:
-      - postgresql.k8s.enterprisedb.io
-    resources:
-      - scheduledbackups
-  - verbs:
-      - get
-      - patch
-      - update
-    apiGroups:
-      - postgresql.k8s.enterprisedb.io
-    resources:
-      - scheduledbackups/status
   - verbs:
       - create
       - get
@@ -326,16 +194,6 @@ rules:
       - rbac.authorization.k8s.io
     resources:
       - rolebindings
-  - verbs:
-      - create
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    apiGroups:
-      - rbac.authorization.k8s.io
-    resources:
       - roles
   - verbs:
       - create
@@ -377,6 +235,7 @@ rules:
       - certificates
       - issuers
   - verbs:
+      - delete
       - get
       - list
       - patch
@@ -484,6 +343,51 @@ rules:
       - elasticstack.ibm.com
     resources:
       - elasticstacks
+  - verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    apiGroups:
+      - ''
+    resources:
+      - serviceaccounts
+  - verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - rolebindings
+      - roles
+  - verbs:
+      - get
+      - delete
+      - list
+    apiGroups:
+      - operator.ibm.com
+    resources:
+      - podpresets
+  - verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    apiGroups:
+      - ibmcpcs.ibm.com
+    resources:
+      - secretshares
   - verbs:
       - get
     apiGroups:
@@ -679,6 +583,14 @@ rules:
       - operator.ibm.com
     resources:
       - operandrequests
+  - verbs:
+      - get
+      - list
+      - watch
+    apiGroups:
+      - operator.ibm.com
+    resources:
+      - authentications
   - verbs:
       - get
       - list
@@ -691,8 +603,25 @@ rules:
       - ibmevents.ibm.com
     resources:
       - kafkatopics
-      - kafkatopics/status
+  - verbs:
+      - get
+      - list
+      - watch
+      - create
+      - patch
+      - update
+    apiGroups:
+      - ibmevents.ibm.com
+    resources:
       - kafkausers
+  - verbs:
+      - get
+      - patch
+      - update
+    apiGroups:
+      - ibmevents.ibm.com
+    resources:
+      - kafkatopics/status
       - kafkausers/status
   - verbs:
       - create
@@ -743,27 +672,33 @@ rules:
       - list
       - watch
       - create
-      - delete
       - patch
       - update
     apiGroups:
       - ibmevents.ibm.com
     resources:
       - kafkas
-      - kafkas/status
       - kafkanodepools
-      - kafkanodepools/status
       - kafkaconnects
-      - kafkaconnects/status
       - kafkaconnectors
-      - kafkaconnectors/status
       - kafkamirrormakers
-      - kafkamirrormakers/status
       - kafkabridges
-      - kafkabridges/status
       - kafkamirrormaker2s
-      - kafkamirrormaker2s/status
       - kafkarebalances
+  - verbs:
+      - get
+      - patch
+      - update
+    apiGroups:
+      - ibmevents.ibm.com
+    resources:
+      - kafkas/status
+      - kafkanodepools/status
+      - kafkaconnects/status
+      - kafkaconnectors/status
+      - kafkamirrormakers/status
+      - kafkabridges/status
+      - kafkamirrormaker2s/status
       - kafkarebalances/status
   - verbs:
       - get
@@ -781,10 +716,6 @@ rules:
       - get
       - patch
       - update
-      - create
-      - delete
-      - list
-      - watch
     apiGroups:
       - core.ibmevents.ibm.com
     resources:
@@ -918,6 +849,34 @@ rules:
       - policy
     resources:
       - poddisruptionbudgets
+  - verbs:
+      - create
+      - delete
+      - watch
+      - get
+      - list
+      - patch
+      - update
+    apiGroups:
+      - oidc.security.ibm.com
+    resources:
+      - clients
+      - clients/finalizers
+      - clients/status
+  - verbs:
+      - create
+      - delete
+      - watch
+      - get
+      - list
+      - patch
+      - update
+    apiGroups:
+      - ''
+    resources:
+      - secrets
+      - services
+      - endpoints
   - verbs:
       - get
       - list
@@ -1151,98 +1110,9 @@ rules:
       - update
       - watch
     apiGroups:
-      - ''
-    resources:
-      - pods
-      - services
-      - services/finalizers
-      - serviceaccounts
-      - endpoints
-      - persistentvolumeclaims
-      - events
-      - configmaps
-      - secrets
-  - verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    apiGroups:
-      - apps
-    resources:
-      - deployments
-      - daemonsets
-      - replicasets
-      - statefulsets
-  - verbs:
-      - get
-      - create
-    apiGroups:
-      - monitoring.coreos.com
-    resources:
-      - servicemonitors
-  - verbs:
-      - update
-    apiGroups:
-      - apps
-    resources:
-      - deployments/finalizers
-    resourceNames:
-      - ibm-mongodb-operator
-  - verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    apiGroups:
-      - operator.ibm.com
-    resources:
-      - mongodbs
-      - mongodbs/finalizers
-      - mongodbs/status
-  - verbs:
-      - delete
-      - get
-      - list
-      - watch
-    apiGroups:
-      - certmanager.k8s.io
-    resources:
-      - certificates
-      - certificaterequests
-      - orders
-      - challenges
-      - issuers
-  - verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-    apiGroups:
-      - cert-manager.io
-    resources:
-      - certificates
-      - certificaterequests
-      - orders
-      - challenges
-      - issuers
-  - verbs:
-      - delete
-      - get
-      - list
-    apiGroups:
-      - operator.ibm.com
+      - zen.cpd.ibm.com
     resources:
-      - operandrequests
+      - zenextensions
   - verbs:
       - create
       - get
@@ -1422,6 +1292,7 @@ rules:
       - operator.ibm.com
     resources:
       - commonservices
+      - authentications
   - verbs:
       - create
       - delete
@@ -1488,6 +1359,8 @@ rules:
       - get
       - list
       - watch
+      - update
+      - patch
     apiGroups:
       - operators.coreos.com
     resources:
@@ -1701,4 +1574,4 @@ rules:
     resources:
       - secrets
     resourceNames:
-      - postgresql-operator-controller-manager-1-18-12-service-cert
+      - postgresql-operator-controller-manager-1-22-7-service-cert
\ No newline at end of file