From b7d2e9c5209506137f60075663f1bd47b1985ac0 Mon Sep 17 00:00:00 2001
From: raffis
Date: Wed, 6 Dec 2023 14:23:28 +0100
Subject: [PATCH] fix: chart rbac (#152)

---
 README.md | 3 ++
 .../templates/clusterrole.yaml | 48 +++++++++++++++----
 2 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 74841e44..690f1957 100644
--- a/README.md
+++ b/README.md
@@ -377,6 +377,9 @@ spec:
 serviceAccount: keycloakrealm-default
 ```
 
+**Note**: The proxy needs read access to keycloakrealms as well as patch access to the /status subresource.
+In the example above there is a ClusterRole called keycloakrealm-proxy granting just that. This ClusterRole also is bundled in the helm chart, you may use {releaseName}-proxy for the RoleBinding.
+
 ## Installation
 
 ### Helm
diff --git a/chart/keycloak-controller/templates/clusterrole.yaml b/chart/keycloak-controller/templates/clusterrole.yaml
index 5dccb483..f7bef02b 100644
--- a/chart/keycloak-controller/templates/clusterrole.yaml
+++ b/chart/keycloak-controller/templates/clusterrole.yaml
@@ -1,6 +1,20 @@
 {{- if .Values.clusterRBAC.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+ name: {{ template "keycloak-controller.fullname" . }}-proxy
+rules:
+- apiGroups: ["keycloak.infra.doodle.com"]
+ resources:
+ - keycloakrealms
+ verbs: ["get"]
+- apiGroups: ["keycloak.infra.doodle.com"]
+ resources:
+ - keycloakrealms/status
+ verbs: ["get", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 name: {{ template "keycloak-controller.fullname" . }}
 labels:
@@ -11,14 +25,6 @@ metadata:
 annotations:
 {{- toYaml .Values.annotations | nindent 4 }}
 rules:
-- apiGroups:
- "" - resources: - secrets - verbs: - get - list - watch - apiGroups: - "keycloak.infra.doodle.com" - resources:
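Review bot: The new `-proxy` ClusterRole in the `@@ -1,6 +1,20 @@` hunk of clusterrole.yaml has no `labels:`/`annotations:` under `metadata:`, while the controller ClusterRole right after it renders a `labels:` block and `annotations:` from `.Values.annotations` (visible in the next hunk), so anything that selects the chart's objects by label or relies on those annotations will miss the proxy role; copying the same `labels:`/`annotations:` stanza into the proxy role's `metadata:` keeps the two objects consistent. The `keycloakrealms/status` rule grants `verbs: ["get", "update", "patch"]`, but the README text added in this same patch describes the proxy's need as read access plus patch on the `/status` subresource; if the proxy never issues a full `update`, narrowing to `verbs: ["get", "patch"]` matches the documented need and keeps the grant minimal. Style: the proxy role mixes flow sequences (`apiGroups: [...]`, `verbs: [...]`) with block sequences for `resources`, whereas the rest of this template uses block style throughout.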
@@ -55,4 +61,28 @@ rules:
 - patch
 - update
 - watch
-{{- end }}
+- apiGroups:
- "" - resources: - pods - verbs: - create - delete - get - list - patch - update - watch - apiGroups: - "" - resources: - secrets - verbs: - create - delete - get - list - patch - update - watch
+{{- end }}
\ No newline at end of file
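Review bot: The new `secrets` rule grants `create`, `delete`, `patch` and `update` on every Secret in the cluster, replacing the `get`/`list`/`watch`-only rule removed in the `@@ -11,14 +25,6 @@` hunk, and the new `pods` rule adds cluster-wide `create`/`delete` as well — a ClusterRole that can write any Secret and create Pods in any namespace (and thus run workloads under any namespace's service accounts) is a much larger blast radius for a compromised controller than the previous read-only grant. Nothing in the patch records which Secrets or Pods the controller writes, so a reviewer cannot check the verbs against actual use; a comment above each rule, e.g. `# Secrets: created/updated by the controller for <reason — fill in>`, would make that auditable. If the controller only touches Pods and Secrets in the namespaces where KeycloakRealm resources live, a namespaced Role bound per namespace, or at minimum dropping `delete` on `pods` if it is unused, would limit the impact; I cannot tell from the hunk whether cluster scope is required. Minor: the hunk ends with `\ No newline at end of file` — the template should end with a trailing newline after `{{- end }}`.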