fix: generation of rule for Secret resource in the namespace referenc…

…ed in the compositiondefinition (#45)

internal/tools/deploy/deploy.go

@@ -49,7 +49,21 @@ func Undeploy(ctx context.Context, kube client.Client, opts UndeployOptions) err
 		return err
 	}
 	gvr := tools.ToGroupVersionResource(gvk)
-	rbgen := rbacgen.NewRbacGenerator(opts.DiscoveryClient, pkg, opts.NamespacedName.Name, opts.NamespacedName.Namespace)
+
+	secretns, secretname := "", ""
+	if opts.Spec.Credentials != nil {
+		secretns = opts.Spec.Credentials.PasswordRef.Namespace
+		secretname = opts.Spec.Credentials.PasswordRef.Name
+	}
+
+	rbgen := rbacgen.NewRbacGenerator(
+		opts.DiscoveryClient,
+		pkg,
+		opts.NamespacedName.Name,
+		opts.NamespacedName.Namespace,
+		secretname,
+		secretns,
+	)
 	rbMap, err := rbgen.PopulateRBAC(gvr.Resource)
 	if err != nil && !errors.Is(err, rbacgen.ErrKindApiVersion) {
 		return err
@@ -139,7 +153,21 @@ func Deploy(ctx context.Context, kube client.Client, opts DeployOptions) (err er
 
 	gvr := tools.ToGroupVersionResource(gvk)
 
-	rbgen := rbacgen.NewRbacGenerator(opts.DiscoveryClient, pkg, opts.NamespacedName.Name, opts.NamespacedName.Namespace)
+	secretns, secretname := "", ""
+
+	if opts.Spec.Credentials != nil {
+		secretns = opts.Spec.Credentials.PasswordRef.Namespace
+		secretname = opts.Spec.Credentials.PasswordRef.Name
+	}
+
+	rbgen := rbacgen.NewRbacGenerator(
+		opts.DiscoveryClient,
+		pkg,
+		opts.NamespacedName.Name,
+		opts.NamespacedName.Namespace,
+		secretname,
+		secretns,
+	)
 
 	rbMap, err := rbgen.PopulateRBAC(gvr.Resource)
 	if errors.Is(err, rbacgen.ErrKindApiVersion) {

internal/tools/rbacgen/rbacgen.go

@@ -40,6 +40,8 @@ type RbacGenerator struct {
 	pkg             *chartfs.ChartFS
 	deployName      string
 	deployNamespace string
+	secretNamespace string
+	secretName      string
 }
 
 type RBAC struct {
@@ -50,12 +52,14 @@ type RBAC struct {
 	ServiceAccount     *corev1.ServiceAccount
 }
 
-func NewRbacGenerator(discovery discovery.DiscoveryInterface, pkg *chartfs.ChartFS, deployName string, deployNamespace string) *RbacGenerator {
+func NewRbacGenerator(discovery discovery.DiscoveryInterface, pkg *chartfs.ChartFS, deployName string, deployNamespace string, secretName string, secretNamespace string) *RbacGenerator {
 	return &RbacGenerator{
 		discovery:       discovery,
 		pkg:             pkg,
 		deployName:      deployName,
 		deployNamespace: deployNamespace,
+		secretNamespace: secretNamespace,
+		secretName:      secretName,
 	}
 }
 
@@ -156,11 +160,6 @@ func (r *RbacGenerator) PopulateRBAC(resourceName string) (map[string]RBAC, erro
 			Resources: []string{resourceName, fmt.Sprintf("%s/status", resourceName)},
 			Verbs:     []string{"*"},
 		},
-		{
-			APIGroups: []string{""},
-			Resources: []string{"secrets"},
-			Verbs:     []string{"*"},
-		},
 	}
 
 	rb := rbacMap[r.deployNamespace]
@@ -179,6 +178,29 @@ func (r *RbacGenerator) PopulateRBAC(resourceName string) (map[string]RBAC, erro
 	rb.Role.Rules = append(rb.Role.Rules, compositionRules...)
 	rbacMap[r.deployNamespace] = rb
 
+	//Secret Namespace RBAC
+	if r.secretNamespace != "" && r.secretName != "" {
+		rb, ok := rbacMap[r.secretNamespace]
+		if !ok {
+			rb = RBAC{}
+		}
+		if rb.Role == nil {
+			rb.Role = ptr(rbactools.InitRole(resourceName, types.NamespacedName{Name: r.deployName, Namespace: r.secretNamespace}))
+		}
+		if rb.RoleBinding == nil {
+			rb.RoleBinding = ptr(rbactools.CreateRoleBinding(
+				types.NamespacedName{Name: r.deployName, Namespace: r.deployNamespace},
+				types.NamespacedName{Name: r.deployName, Namespace: r.secretNamespace}))
+		}
+		rb.Role.Rules = append(rb.Role.Rules, rbacv1.PolicyRule{
+			APIGroups:     []string{""},
+			Resources:     []string{"secrets"},
+			Verbs:         []string{"get"},
+			ResourceNames: []string{r.secretName},
+		})
+		rbacMap[r.secretNamespace] = rb
+	}
+
 	if err != nil {
 		return nil, err
 	}