From c77e0bb8fddf170d3b25c7335d927d1cf0c6ed2b Mon Sep 17 00:00:00 2001 From: Jirka Kremser <535866+jkremser@users.noreply.github.com> Date: Mon, 2 Sep 2024 23:49:40 +0200 Subject: [PATCH] Create rolebinding for .Release.Namespace implicitly (#643) * Create rolebinding for .Release.Namespace implicitly Signed-off-by: Jirka Kremser * Operator should be able to list and watch secrets in the release ns (certs) Signed-off-by: Jirka Kremser --------- Signed-off-by: Jirka Kremser
---
 keda/templates/manager/clusterrolebindings.yaml | 3 ++-
 keda/templates/manager/minimal-rbac.yaml | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/keda/templates/manager/clusterrolebindings.yaml b/keda/templates/manager/clusterrolebindings.yaml
index fa83bcec..a9cc0d7e 100644
--- a/keda/templates/manager/clusterrolebindings.yaml
+++ b/keda/templates/manager/clusterrolebindings.yaml
@@ -20,7 +20,8 @@ subjects:
 name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }}
 namespace: {{ .Release.Namespace }}
 {{- else }}
- {{- range ( split "," .Values.watchNamespace ) }}
+ {{- $namespaces := append (splitList "," .Values.watchNamespace) .Release.Namespace -}}
+ {{- range $namespaces }}
 ---
 # Role binding for namespace '{{ . }}'
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/keda/templates/manager/minimal-rbac.yaml b/keda/templates/manager/minimal-rbac.yaml
index bc762161..1b5a0ca4 100644
--- a/keda/templates/manager/minimal-rbac.yaml
+++ b/keda/templates/manager/minimal-rbac.yaml
@@ -34,6 +34,10 @@ rules:
 verbs:
 - create
 - update
+{{- if .Values.permissions.operator.restrict.secret }}
+ - list
+ - watch
+{{- end }}
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
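Review bot: The appended `.Release.Namespace` is not de-duplicated, so when `watchNamespace` already lists the release namespace the `range` on the new side emits the same document twice. The RoleBinding's metadata lies outside the hunk, but if its name does not vary per iteration the render would contain two identical objects and the install or upgrade is likely to fail. Piping through Sprig's `uniq` avoids that: `{{- $namespaces := append (splitList "," .Values.watchNamespace) .Release.Namespace | uniq -}}`. A short template comment saying the release namespace is always bound (the commit message points to certificates there) would also make the widened grant visible to anyone auditing the chart's RBAC.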
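Review bot: The added `list` and `watch` verbs sit under a flag named `restrict.secret`, and nothing in the template explains why the restricted mode grants more verbs. The rule's `resources` are outside the hunk; going by the commit message they are secrets, and `list`/`watch` on secrets return the full objects including their data, so this lets the operator read every secret in the namespace the Role lives in. I would add a comment above the block such as `{{- /* restrict.secret: operator must list/watch secrets in the release namespace to load its certs; list returns secret data */}}` and mention the effect in the values documentation. The outer `{{- end }}` closes a conditional opened before the hunk.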