Add finalizers permission for APIKeyRequest owner references

[eguzki]

Summary

• Added RBAC permission to update finalizers on apikeyrequests resource
• Fixes error: "cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on"

Why

When APIKeyApprovalReconciler sets an owner reference from APIKeyRequest to APIKeyApproval using controllerutil.SetControllerReference(), it sets blockOwnerDeletion: true by default. Openshift requires the controller to have permission to update finalizers on the owner resource to prevent orphaned resources.

Without this permission, the controller fails with the error mentioned above.

Test plan

• Deploy controller with updated RBAC permissions
• Create APIKey and APIKeyApproval resources
• Verify APIKeyApproval gets owner reference set without errors
• Check controller logs show no RBAC permission errors

Summary by CodeRabbit

• Chores
  • Updated role-based access control permissions for API key request management operations.

[coderabbitai]

Warning

Review limit reached

@eguzki, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 47 minutes and 41 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cca8c921-9e12-408d-a2ea-e61f3eb476d9

📥 Commits

Reviewing files that changed from the base of the PR and between e55252c and 9682856.

📒 Files selected for processing (1)

• internal/controller/apikeyapproval_controller.go

📝 Walkthrough

Walkthrough

The pull request adds RBAC permissions enabling the API key approval controller to update finalizers on API key request resources. A kubebuilder RBAC annotation is added to the controller, and the corresponding cluster role rule is generated in the RBAC configuration manifest.

Changes

Finalizer Update Permissions

Layer / File(s)	Summary
API key request finalizer update authorisation internal/controller/apikeyapproval_controller.go, config/rbac/role.yaml	Controller RBAC annotation declares permission for update on apikeyrequests/finalizers, and the corresponding cluster role rule grants this access in the devportal.kuadrant.io API group.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

enhancement

Suggested reviewers

• didierofrivia
• emmaaroche
• R-Lawton

Poem

🐰 A finalizer's touch, now granted with grace,
Controller permissions set in their place,
RBAC rules align with annotations true,
API keys updated, fresh and brand new! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding finalizer permissions for APIKeyRequest owner references, which aligns with the RBAC rule additions across both modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-apikeyapproval-ownerref

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}