From 7dc68933624193f6c2b09551954f15a270bf0e85 Mon Sep 17 00:00:00 2001 From: Sophian Mehboub Date: Mon, 10 Feb 2025 00:41:19 +0100 Subject: [PATCH 1/2] fix(deploy): clusterrole manager role --- config/rbac/role.yaml | 8 ++++++++ .../templates/rbac/ClusterRole-manager-role.yml | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 00c1421..ed9f55e 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -4,6 +4,14 @@ kind: ClusterRole metadata: name: manager-role rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch - apiGroups: - "" resources: diff --git a/deploy/charts/template-controller/templates/rbac/ClusterRole-manager-role.yml b/deploy/charts/template-controller/templates/rbac/ClusterRole-manager-role.yml index fdac03d..587ba4b 100644 --- a/deploy/charts/template-controller/templates/rbac/ClusterRole-manager-role.yml +++ b/deploy/charts/template-controller/templates/rbac/ClusterRole-manager-role.yml @@ -5,6 +5,14 @@ metadata: name: {{ include "template-controller.fullname" . }}-manager-role namespace: '{{ .Release.Namespace }}' rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch - apiGroups: - "" resources: From 09d6e21a1ff3bc5c491541800afb11a99563b757 Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Fri, 14 Feb 2025 17:19:16 +0100 Subject: [PATCH 2/2] fix: Fix RBAC via kubebuilder comments --- config/rbac/role.yaml | 9 +-------- controllers/comments/githubcomment_controller.go | 2 +- controllers/comments/gitlabcomment_controller.go | 2 +- .../templates/rbac/ClusterRole-manager-role.yml | 9 +-------- deploy/manifests/template-controller.yaml | 1 + 5 files changed, 5 insertions(+), 18 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index ed9f55e..40f3427 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
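Review bot: The `namespace: '{{ .Release.Namespace }}'` line in this role's metadata does not confine the new `namespaces` rule to the release namespace. Going by the file name the object is a ClusterRole (its `kind` line is outside the hunk), so get/list/watch on namespaces, like the existing configmaps rule, applies across the whole cluster. Dropping that field, or adding a comment such as `# cluster-scoped: these rules apply to all namespaces`, would keep an access review from reading the grant as namespaced. The same context line appears in the PATCH 2/2 hunk for this file.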
@@ -4,18 +4,11 @@ kind: ClusterRole metadata: name: manager-role rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - apiGroups: - "" resources: - configmaps + - namespaces verbs: - get - list diff --git a/controllers/comments/githubcomment_controller.go b/controllers/comments/githubcomment_controller.go index 5ccd193..cd5dac6 100644 --- a/controllers/comments/githubcomment_controller.go +++ b/controllers/comments/githubcomment_controller.go @@ -38,7 +38,7 @@ type GithubCommentReconciler struct { //+kubebuilder:rbac:groups=templates.kluctl.io,resources=githubcomments,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=templates.kluctl.io,resources=githubcomments/status,verbs=get;update;patch //+kubebuilder:rbac:groups=templates.kluctl.io,resources=githubcomments/finalizers,verbs=update -//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch +//+kubebuilder:rbac:groups="",resources=configmaps;namespaces,verbs=get;list;watch func (r *GithubCommentReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, err error) { logger := log.FromContext(ctx) diff --git a/controllers/comments/gitlabcomment_controller.go b/controllers/comments/gitlabcomment_controller.go index 156246f..755e87a 100644 --- a/controllers/comments/gitlabcomment_controller.go +++ b/controllers/comments/gitlabcomment_controller.go 
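Review bot: Folding `namespaces` into the existing `configmaps` marker above `GithubCommentReconciler.Reconcile` couples the two resources' verb sets, so a verb later added for configmaps would also be granted on namespaces cluster-wide in the generated ClusterRole. Keeping it as its own marker line, `//+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch`, leaves the configmaps marker untouched and makes each grant auditable on its own. The hunk does not show which code reads Namespace objects, so a plain comment above the marker naming the consumer would help a least-privilege review, for example `// namespaces: read-only, needed by <consumer of Namespace objects>`. The same applies to the identical marker in gitlabcomment_controller.go; both Reconcile bodies continue outside their hunks.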
@@ -38,7 +38,7 @@ type GitlabCommentReconciler struct { //+kubebuilder:rbac:groups=templates.kluctl.io,resources=gitlabcomments,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=templates.kluctl.io,resources=gitlabcomments/status,verbs=get;update;patch //+kubebuilder:rbac:groups=templates.kluctl.io,resources=gitlabcomments/finalizers,verbs=update -//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch +//+kubebuilder:rbac:groups="",resources=configmaps;namespaces,verbs=get;list;watch func (r *GitlabCommentReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, err error) { logger := log.FromContext(ctx) diff --git a/deploy/charts/template-controller/templates/rbac/ClusterRole-manager-role.yml b/deploy/charts/template-controller/templates/rbac/ClusterRole-manager-role.yml index 587ba4b..5d77b15 100644 --- a/deploy/charts/template-controller/templates/rbac/ClusterRole-manager-role.yml +++ b/deploy/charts/template-controller/templates/rbac/ClusterRole-manager-role.yml @@ -5,18 +5,11 @@ metadata: name: {{ include "template-controller.fullname" . }}-manager-role namespace: '{{ .Release.Namespace }}' rules: - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - apiGroups: - "" resources: - configmaps + - namespaces verbs: - get - list diff --git a/deploy/manifests/template-controller.yaml b/deploy/manifests/template-controller.yaml index 85d6288..c0dc988 100644 --- a/deploy/manifests/template-controller.yaml +++ b/deploy/manifests/template-controller.yaml @@ -1714,6 +1714,7 @@ rules: - "" resources: - configmaps + - namespaces verbs: - get - list