chore(controller): builder permissions static

We better move the definition of builder SA permissions (required by Pod strategy) statically at installation time to simplify role management and remove any dynamic setting.

pkg/controller/integrationkit/build.go

@@ -155,13 +155,6 @@ func (action *buildAction) createBuild(ctx context.Context, kit *v1.IntegrationK
 		}
 	}
 
-	//nolint:contextcheck
-	if buildConfig.Strategy == v1.BuildStrategyPod {
-		err = platform.CreateBuilderServiceAccount(env.Ctx, env.Client, env.Platform)
-		if err != nil {
-			return nil, fmt.Errorf("error while creating Camel K Builder service account: %w", err)
-		}
-	}
 	// The build operation, when executed as a Pod, should be executed by a container image containing the
 	// `kamel builder` command. Likely the same image running the operator should be fine.
 	buildConfig.ToolImage = platform.OperatorImage

pkg/platform/defaults.go

@@ -19,7 +19,6 @@ package platform
 
 import (
 	"context"
-	"fmt"
 	"runtime"
 	"strings"
 	"time"
@@ -30,11 +29,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
-	ctrl "sigs.k8s.io/controller-runtime/pkg/client"
-
 	v1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1"
 	"github.com/apache/camel-k/v2/pkg/client"
-	"github.com/apache/camel-k/v2/pkg/install"
 	"github.com/apache/camel-k/v2/pkg/kamelet/repository"
 	"github.com/apache/camel-k/v2/pkg/util/defaults"
 	"github.com/apache/camel-k/v2/pkg/util/log"
@@ -109,12 +105,6 @@ func ConfigureDefaults(ctx context.Context, c client.Client, p *v1.IntegrationPl
 		return err
 	}
 
-	if p.Status.Build.BuildConfiguration.Strategy == v1.BuildStrategyPod {
-		if err := CreateBuilderServiceAccount(ctx, c, p); err != nil {
-			return fmt.Errorf("cannot ensure service account is present: %w", err)
-		}
-	}
-
 	err = configureRegistry(ctx, c, p, verbose)
 	if err != nil {
 		return err
@@ -131,22 +121,6 @@ func ConfigureDefaults(ctx context.Context, c client.Client, p *v1.IntegrationPl
 	return nil
 }
 
-func CreateBuilderServiceAccount(ctx context.Context, client client.Client, p *v1.IntegrationPlatform) error {
-	log.Debugf("Integration Platform %s [%s]: creating build service account", p.Name, p.Namespace)
-	sa := corev1.ServiceAccount{}
-	key := ctrl.ObjectKey{
-		Name:      BuilderServiceAccount,
-		Namespace: p.Namespace,
-	}
-
-	err := client.Get(ctx, key, &sa)
-	if err != nil && k8serrors.IsNotFound(err) {
-		return install.BuilderServiceAccountRoles(ctx, client, p.Namespace, p.Status.Cluster)
-	}
-
-	return err
-}
-
 func configureRegistry(ctx context.Context, c client.Client, p *v1.IntegrationPlatform, verbose bool) error {
 	if p.Status.Cluster == v1.IntegrationPlatformClusterOpenShift &&
 		p.Status.Build.PublishStrategy != v1.IntegrationPlatformBuildPublishStrategyS2I &&

pkg/resources/config/manager/kustomization.yaml

@@ -21,3 +21,8 @@ kind: Kustomization
 resources:
 - operator-deployment.yaml
 - operator-service-account.yaml
+- builder-service-account.yaml
+- builder-role.yaml
+- builder-role-openshift.yaml
+- builder-role-binding.yaml
+- builder-role-binding-openshift.yaml