From 5be95ca923f4d1f3fc5efad772cba91a2a54bf57 Mon Sep 17 00:00:00 2001
From: "Alex Ellis (OpenFaaS Ltd)" <alexellis2@gmail.com>
Date: Tue, 7 Nov 2023 16:58:22 +0000
Subject: [PATCH] Enable the controller RBAC to read secrets within its
 namespace

In order to enable the controller to read licenses etc upon
start-up.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
---
 chart/openfaas/templates/controller-rbac.yaml | 7 ++++++-
 chart/openfaas/templates/operator-rbac.yaml   | 1 -
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/chart/openfaas/templates/controller-rbac.yaml b/chart/openfaas/templates/controller-rbac.yaml
index 6d1120527..6eb96929b 100644
--- a/chart/openfaas/templates/controller-rbac.yaml
+++ b/chart/openfaas/templates/controller-rbac.yaml
@@ -25,7 +25,6 @@ metadata:
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
   name: {{ .Release.Name }}-controller
-  namespace: {{ $functionNs | quote }}
 rules:
   - apiGroups:
       - ""
@@ -217,6 +216,12 @@ rules:
       - "get"
       - "list"
       - "watch"
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/chart/openfaas/templates/operator-rbac.yaml b/chart/openfaas/templates/operator-rbac.yaml
index a9c2ab375..2d820da2d 100644
--- a/chart/openfaas/templates/operator-rbac.yaml
+++ b/chart/openfaas/templates/operator-rbac.yaml
@@ -120,7 +120,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ .Release.Name }}-operator-controller
-  namespace: {{ .Release.Namespace | quote }}
   labels:
     app: {{ template "openfaas.name" . }}
     chart: {{ .Chart.Name }}-{{ .Chart.Version }}