chore: Split the roles.yaml into separate files for clusterrole-operator.yaml and clusterrole-product.yaml

NickLarsenNZ · NickLarsenNZ · commit 4c6095635cbe · 2026-04-09T14:43:46.000+02:00
Also rename the opa-builder clusterrole file to be consistent
diff --git a/deploy/helm/opa-operator/templates/clusterrole-opa-builder.yaml b/deploy/helm/opa-operator/templates/clusterrole-opa-builder.yaml
diff --git a/deploy/helm/opa-operator/templates/clusterrole-operator.yaml b/deploy/helm/opa-operator/templates/clusterrole-operator.yaml
@@ -112,23 +112,3 @@ rules:
       - {{ include "operator.name" . }}clusters/status
     verbs:
       - patch
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "operator.name" . }}-clusterrole
-  labels:
-  {{- include "operator.labels" . | nindent 4 }}
-rules:
-{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
-  # Required on OpenShift to allow the OPA pods to run as a non-root user.
-  - apiGroups:
-      - security.openshift.io
-    resources:
-      - securitycontextconstraints
-    resourceNames:
-      - nonroot-v2
-    verbs:
-      - use
-{{ end }}
diff --git a/deploy/helm/opa-operator/templates/clusterrole-product.yaml b/deploy/helm/opa-operator/templates/clusterrole-product.yaml
@@ -0,0 +1,21 @@
+---
+# Product ClusterRole: bound (via per OpaCluster RoleBinding) to the ServiceAccount that OPA
+# workload pods run as.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "operator.name" . }}-clusterrole
+  labels:
+  {{- include "operator.labels" . | nindent 4 }}
+rules:
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+  # Required on OpenShift to allow the OPA pods to run as a non-root user.
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - nonroot-v2
+    verbs:
+      - use
+{{ end }}
