From c95665eddb6e1826786c8ec362a9921f19c020b5 Mon Sep 17 00:00:00 2001 From: Alex Godbehere Date: Thu, 9 Jul 2026 12:28:16 +0100 Subject: [PATCH] Grant krb-keys-operator RBAC for localsecrets The operator registers a LocalSecret kopf handler unconditionally, and the localsecrets CRD ships in the edge-cluster chart's crds/, so it lands on the central cluster as soon as the first edge cluster is provisioned. From that point the central operator's watch crash-loops with APIForbiddenError every minute because the central ClusterRole only covers kerberos-keys. Mirror the localsecrets rules the edge chart already grants (edge-cluster/templates/krb-keys.yaml). --- deploy/templates/identity/rbac.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/deploy/templates/identity/rbac.yaml b/deploy/templates/identity/rbac.yaml index 2a15c7dbf..4a8a8e5a1 100644 --- a/deploy/templates/identity/rbac.yaml +++ b/deploy/templates/identity/rbac.yaml @@ -12,11 +12,18 @@ kind: ClusterRole metadata: name: krb-keys-operator rules: + # localsecrets is included because the operator registers a + # LocalSecret handler unconditionally, and the CRD arrives on the + # central cluster as soon as the first edge cluster is provisioned + # (it ships in the edge-cluster chart's crds/). Without this rule + # kopf's watch crash-loops with a 403 from that point on. The edge + # chart (edge-cluster/templates/krb-keys.yaml) already grants the + # same set. - apiGroups: [factoryplus.app.amrc.co.uk] - resources: [kerberos-keys] + resources: [kerberos-keys, localsecrets] verbs: [list, get, watch, patch] - apiGroups: [factoryplus.app.amrc.co.uk] - resources: [kerberos-keys/status] + resources: [kerberos-keys/status, localsecrets/status] verbs: [list, get, create, update, delete, watch, patch] - apiGroups: [""] resources: [secrets]