From 991a61702afe69d01f539235ef617efc2595bac0 Mon Sep 17 00:00:00 2001 From: Guillaume Jacquet Date: Mon, 25 Sep 2023 18:08:10 -0400 Subject: [PATCH] Fix KEDA crashes when using cert-manager certificates and restricted secret access (#518) * Fix KEDA crashes when using cert-manager certificates and restricted secret access Allow KEDA operator to get, list and watch secrets in its own namespace when restricted mode and certmanager are enabled. Signed-off-by: Guillaume Jacquet * revert version bump Signed-off-by: Guillaume Jacquet * extra conditions Signed-off-by: Guillaume Jacquet * fix ) Signed-off-by: Guillaume Jacquet * extra conditions Signed-off-by: Guillaume Jacquet * fix role creation logic Signed-off-by: Guillaume Jacquet * Update keda/templates/manager/role.yaml Co-authored-by: Jorge Turrado Ferrero Signed-off-by: Guillaume Jacquet * Update keda/templates/manager/rolebinding.yaml Co-authored-by: Jorge Turrado Ferrero Signed-off-by: Guillaume Jacquet * fixes Signed-off-by: Guillaume Jacquet --------- Signed-off-by: Guillaume Jacquet Co-authored-by: Jorge Turrado Ferrero
---
 keda/templates/manager/role.yaml | 8 +++++---
 keda/templates/manager/rolebinding.yaml | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml
index 04d384c9..b3b8a284 100644
--- a/keda/templates/manager/role.yaml
+++ b/keda/templates/manager/role.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
+{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
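Review bot: The new guard on the Role is a compound expression that is copied verbatim into the first line of `rolebinding.yaml` (the last hunk of this patch), and its first operand is repeated a third time in the `verbs:` guard of the next hunk. If one copy is edited without the others, the chart can render a RoleBinding whose `roleRef` names a Role that was not created, or a Role that nothing binds, and the operator loses access to its Secrets in exactly the configuration this commit repairs. Moving the condition into one named template in the chart's helpers file and testing that from both files would keep the two objects in step. Failing that, a comment above each copy such as `{{/* keep in sync with the guard in rolebinding.yaml */}}` would at least flag the coupling.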
@@ -17,11 +17,13 @@ rules:
 resources:
 - secrets
 verbs:
+ {{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }}
 - create
 - delete
- - get
- - list
 - patch
 - update
+ {{- end }}
 - watch
+ - get
+ - list
 {{- end -}}
diff --git a/keda/templates/manager/rolebinding.yaml b/keda/templates/manager/rolebinding.yaml
index d59542ef..b7f78259 100644
--- a/keda/templates/manager/rolebinding.yaml
+++ b/keda/templates/manager/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
+{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
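Review bot: In the visible part of this rule, `get`, `list` and `watch` on `secrets` carry no `resourceNames`, so when `permissions.operator.restrict.secret` is set the operator can read every Secret in the release namespace, not only its certificate Secret. The commit message says namespace-wide read is the intent, and gating the write verbs on the self-generated-certificate case is a sound least-privilege step, but the template itself does not record either decision. I would add a comment above `verbs:` along the lines of `# write verbs are needed only when the operator generates its own certificates; get/list/watch apply to all Secrets in this namespace`. That way whoever deploys the chart knows not to co-locate unrelated Secrets there. The rule starts above this hunk, so a narrowing field outside the visible lines cannot be ruled out.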