Adding delete to modulebuildsignconfigs rbac

[TomerNewman]

Following #1725 commit, we now deleting mbsc resources from the controllers (regular + hub) pods, but since we missed the rbac annotation for that, it failed to delete.
This commits adds the missing rbac annotation.

---

/cc @ybettan @yevgeny-shnaidman

---

fixes #1751

Summary by CodeRabbit

• Chores
  • Updated operator RBAC permissions to grant delete capability for module build sign configurations across all cluster roles and operator service manifests.
  • Reorganized and consolidated module build sign configuration permissions with boot module configurations in role definitions.
  • Updated service version metadata timestamps.

[netlify]

✅ Deploy Preview for openshift-kmm ready!

Name	Link
🔨 Latest commit	a6ba8d3
🔍 Latest deploy log	https://app.netlify.com/projects/openshift-kmm/deploys/69947dde855dfa0008e6e387
😎 Deploy Preview	https://deploy-preview-1750--openshift-kmm.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: TomerNewman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [TomerNewman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Note

Reviews paused

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

RBAC permissions are being updated and consolidated across manifest files and controller annotations. The delete verb is being added to modulebuildsignconfigs resource permissions, and modulebuildsignconfigs is consolidated under the same rule as bootmoduleconfigs in select manifest files. ClusterServiceVersion timestamps are updated.

Changes

Cohort / File(s)	Summary
Bundle ClusterServiceVersion manifests bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml, bundle/manifests/kernel-module-management.clusterserviceversion.yaml	Updated timestamps and added delete verb to modulebuildsignconfigs permissions. In main bundle, consolidated modulebuildsignconfigs from separate rule into same rule as bootmoduleconfigs under kmm.sigs.x-k8s.io group.
RBAC config roles config/rbac-hub/role.yaml, config/rbac/role.yaml	Added delete verb for modulebuildsignconfigs resource. In main config, consolidated modulebuildsignconfigs under bootmoduleconfigs rule and removed separate rule block.
Controller RBAC annotations internal/controllers/.../managedclustermodule_reconciler.go, internal/controllers/module_reconciler.go	Added delete verb to RBAC KBMarker annotations for modulebuildsignconfigs resource.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Introducing MBSC controller #1462 — Introduces and grants initial permissions for the modulebuildsignconfigs resource.
• Adding all KMM CRDs generated files to KMM-hub. #1582 — Adds ModuleBuildSignConfig CRD and related CSV entries for the resource.
• Gathering kmm RBAC annotations in Module controller #1526 — Modifies the same RBAC annotations in internal/controllers/module_reconciler.go.

Suggested labels

lgtm

Suggested reviewers

• ybettan
• yevgeny-shnaidman

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Adding delete to modulebuildsignconfigs rbac' directly and clearly describes the primary change across all modified files—adding delete verb permissions to modulebuildsignconfigs resources in RBAC configurations.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[TomerNewman]

/hold

[TomerNewman]

@coderabbitai pause

[coderabbitai]

✅ Actions performed

Reviews paused.

[TomerNewman]

/unhold

[TomerNewman]

/retest

[TomerNewman]

/retest

[TomerNewman]

/retest

[ybettan]

/lgtm

[ybettan]

/lgtm

[TomerNewman]

/retest

[ybettan]

/retest
No cluster in the pool are available

[TomerNewman]

/retest

[TomerNewman]

/retest

[TomerNewman]

/retest

[TomerNewman]

/lgtm

[openshift-ci]

@TomerNewman: you cannot LGTM your own PR.

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ybettan]

/lgtm

[TomerNewman]

/retest

[TomerNewman]

/override e2e
/override e2e-hub
/override operator-upgrade
/override operator-hub-upgrade

There is an issue with the ci clusterpool so no cluster is accecible for us.
since this commit only adds a single mbsc rbac, we can skip the tests.

see here for more reference

[openshift-ci]

@TomerNewman: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• e2e
• e2e-hub
• operator-hub-upgrade
• operator-upgrade

Only the following failed contexts/checkruns were expected:

• CodeRabbit
• ci/prow/build
• ci/prow/check-api-changes
• ci/prow/check-commits-count
• ci/prow/ci-bundle-hub-operator-bundle
• ci/prow/ci-bundle-operator-bundle
• ci/prow/e2e
• ci/prow/e2e-hub
• ci/prow/images
• ci/prow/lint
• ci/prow/operator-hub-upgrade
• ci/prow/operator-upgrade
• ci/prow/security
• ci/prow/unit-tests
• netlify/openshift-kmm/deploy-preview
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-build
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-check-api-changes
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-check-commits-count
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-ci-bundle-hub-operator-bundle
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-ci-bundle-operator-bundle
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-e2e
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-e2e-hub
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-images
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-lint
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-operator-hub-upgrade
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-operator-upgrade
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-security
• pull-ci-rh-ecosystem-edge-kernel-module-management-main-unit-tests
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override e2e
/override e2e-hub
/override operator-upgrade
/override operator-hub-upgrade

There is an issue with the ci clusterpool so no cluster is accecible for us.
since this commit only adds a single mbsc rbac, we can skip the tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[TomerNewman]

/override ci/prow/e2e
/override ci/prow/e2e-hub
/override ci/prow/operator-upgrade
/override ci/prow/operator-hub-upgrade

[openshift-ci]

@TomerNewman: Overrode contexts on behalf of TomerNewman: ci/prow/e2e, ci/prow/e2e-hub, ci/prow/operator-hub-upgrade, ci/prow/operator-upgrade

Details

In response to this:

/override ci/prow/e2e
/override ci/prow/e2e-hub
/override ci/prow/operator-upgrade
/override ci/prow/operator-hub-upgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@TomerNewman: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/operator-hub-upgrade	a6ba8d3	link	unknown	/test operator-hub-upgrade
ci/prow/e2e	a6ba8d3	link	unknown	/test e2e
ci/prow/operator-upgrade	a6ba8d3	link	unknown	/test operator-upgrade
ci/prow/e2e-hub	a6ba8d3	link	unknown	/test e2e-hub

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.