internal/plugins/helm: scaffold finalizers subresource permission for created APIs

CHANGELOG.md

@@ -35,7 +35,7 @@
 - When generating bundles and packagemanifests, remove `metadata.namespace` from namespaced resources when writing them into the `manifests` directory to avoid validation errors. ([#3813](https://github.com/operator-framework/operator-sdk/pull/3813))
 - Fixed a bug that caused the Helm operator not to set the `InstallSuccessful` and `UpgradeSuccessful` status reasons when the status update fails during installation and upgrade. ([#3735](https://github.com/operator-framework/operator-sdk/pull/3735))
 - Bumped helm and k8s dependencies to v3.3.4 and v1.18.8 to fix [this upstream bug](https://github.com/kubernetes/kubernetes/issues/91615). ([#3936](https://github.com/operator-framework/operator-sdk/pull/3936))
-- In Helm projects, fix operator permissions for Openshift deployments by adding a `<resource>/finalizers` rule in the operator's role. ([#3779](https://github.com/operator-framework/operator-sdk/pull/3779))
+- In Ansible projects, fix operator permissions for Openshift deployments by adding a `<resource>/finalizers` rule in the operator's role. ([#3779](https://github.com/operator-framework/operator-sdk/pull/3779))
 - In Go projects, resolved an issue that caused failing tests by changing the Makefile's `test` target to automatically download and configure the necessary `envtest` binaries. ([#3983](https://github.com/operator-framework/operator-sdk/pull/3983))
 - Inform user to verify the presence of olm deployment manifests in github when `olm install` command gives a 404 http error. ([#3907](https://github.com/operator-framework/operator-sdk/pull/3907))
 - Prevent `run packagemanifests` from creating an OperatorGroup if one already exists in a namespace, and use that OperatorGroup if its target namespaces exactly match those passed in `--install-mode`. See [#3681](https://github.com/operator-framework/operator-sdk/issues/3681). ([#3689](https://github.com/operator-framework/operator-sdk/pull/3689))

changelog/fragments/fix-helm-finalizers-permissions.yaml

@@ -0,0 +1,7 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+  - description: >
+      In Helm projects, fix operator RBAC permissions to support the OwnerReferencesPermissionEnforcement admission plugin by adding a `<resource>/finalizers` rule in the operator's role.
+    kind: "bugfix"
+    breaking: false

internal/plugins/helm/v1/scaffolds/internal/templates/config/rbac/manager_role.go

@@ -159,6 +159,7 @@ const rulesFragment = `##
   resources:
   - {{.Resource.Plural}}
   - {{.Resource.Plural}}/status
+  - {{.Resource.Plural}}/finalizers
   verbs:
   - create
   - delete

testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml

@@ -99,6 +99,7 @@ spec:
           resources:
           - memcacheds
           - memcacheds/status
+          - memcacheds/finalizers
           verbs:
           - create
           - delete

testdata/helm/memcached-operator/config/rbac/role.yaml

@@ -36,6 +36,7 @@ rules:
   resources:
   - memcacheds
   - memcacheds/status
+  - memcacheds/finalizers
   verbs:
   - create
   - delete