From a9ae67c160b56f655a851cb159514453897601a0 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 12 Nov 2024 13:44:13 +0000
Subject: [PATCH] Add a Firefly clusterrole and clusterrolebinding to the venafi-kubernetes-agent chart

Signed-off-by: Richard Wall
---
 .../templates/rbac.yaml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/deploy/charts/venafi-kubernetes-agent/templates/rbac.yaml b/deploy/charts/venafi-kubernetes-agent/templates/rbac.yaml
index 1266b11f..519fa50e 100644
--- a/deploy/charts/venafi-kubernetes-agent/templates/rbac.yaml
+++ b/deploy/charts/venafi-kubernetes-agent/templates/rbac.yaml
@@ -288,3 +288,30 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-firefly-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["firefly.venafi.com"]
+ resources:
+ - issuers
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-firefly-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-firefly-reader
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
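Review bot: The new ClusterRole and ClusterRoleBinding render unconditionally, so every install of the chart grants the agent's ServiceAccount cluster-wide `get`/`list`/`watch` on `issuers` in `firefly.venafi.com`, whether or not Firefly is deployed in that cluster. The rule itself is well scoped (one API group, one resource, read-only verbs), but nothing in the hunk records why the agent needs it in every namespace. I would add a comment above the ClusterRole, for example `# Read-only access to Firefly Issuer resources for the agent's data gathering; grants no access to Secrets.`, and, if the chart has or can gain a values toggle for optional data sources, wrap both documents in it so operators can leave the grant out. The rest of rbac.yaml lies outside the hunk, so whether the existing roles are gated or documented the same way cannot be seen from here.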