chore: Restore rules after discovering that the bundle-builder clusterrole is not used

NickLarsenNZ · NickLarsenNZ · commit 5dc06dbca236 · 2026-04-09T15:25:50.000+02:00
diff --git a/deploy/helm/opa-operator/templates/clusterrole-opa-builder.yaml b/deploy/helm/opa-operator/templates/clusterrole-opa-builder.yaml
@@ -1,6 +1,11 @@
 ---
 # This ClusterRole is for the OPA bundle builder sidecar, which reads
 # Rego rules from ConfigMaps and compiles them into bundles for OPA.
+#
+# NOTE: This ClusterRole is currently not bound to any ServiceAccount. The
+# bundle-builder sidecar relies on the product ClusterRole for ConfigMap access
+# instead. The operator should be updated to bind this ClusterRole to the
+# product ServiceAccount via a separate RoleBinding.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/deploy/helm/opa-operator/templates/clusterrole-product.yaml b/deploy/helm/opa-operator/templates/clusterrole-product.yaml
@@ -8,6 +8,17 @@ metadata:
   labels:
   {{- include "operator.labels" . | nindent 4 }}
 rules:
+  # The bundle-builder sidecar lists and watches ConfigMaps labeled opa.stackable.tech/bundle
+  # to compile Rego rules into bundles. It shares this ServiceAccount because the bundle-builder
+  # ClusterRole (clusterrole-opa-builder.yaml) is not yet bound to the product ServiceAccount.
+  # TODO: Wire up the bundle-builder ClusterRole binding in the operator and remove this rule.
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - list
+      - watch
 {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
   # Required on OpenShift to allow the OPA pods to run as a non-root user.
   - apiGroups:
