Add wait conditions and namespace-specific roles for MetalLB configuration

infrastructure/controllers/metallb/config-job.yaml

@@ -17,7 +17,9 @@ spec:
         - |
           # Wait for the webhook to be ready
           echo "Waiting for MetalLB webhook to be ready..."
+          sleep 30
           kubectl -n metallb-system wait --for=condition=ready --timeout=120s pods --all
+          sleep 30
 
           # Get the external IP of the node using kubectl
           SERVER_IP=$(kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="ExternalIP")].address}')
@@ -75,7 +77,7 @@ rules:
   resources: ["ipaddresspools", "l2advertisements"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 - apiGroups: [""]
-  resources: ["nodes", "pods"]
+  resources: ["nodes"]
   verbs: ["get", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -89,4 +91,28 @@ subjects:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: metallb-config-role
+  name: metallb-config-role
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: metallb-config-role-ns
+  namespace: metallb-system
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: metallb-config-rolebinding-ns
+  namespace: metallb-system
+subjects:
+- kind: ServiceAccount
+  name: metallb-config-sa
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: metallb-config-role-ns