From a13d43a2a1b22c13516f012018d50c86e8b0268f Mon Sep 17 00:00:00 2001
From: Josh <105011265+Josh-Tigera@users.noreply.github.com>
Date: Thu, 28 Sep 2023 12:15:53 -0400
Subject: [PATCH] Remove ResourceNames field on Linseed's ClusterRole for secrets access (#2903)

---
 pkg/render/logstorage/linseed/linseed.go | 7 +++----
 pkg/render/logstorage/linseed/linseed_test.go | 14 ++++++--------
 2 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/pkg/render/logstorage/linseed/linseed.go b/pkg/render/logstorage/linseed/linseed.go
index c1e06bf7d3..c89a2fe965 100644
--- a/pkg/render/logstorage/linseed/linseed.go
+++ b/pkg/render/logstorage/linseed/linseed.go
@@ -188,10 +188,9 @@ func (l *linseed) linseedClusterRole() *rbacv1.ClusterRole {
 // These permissions are necessary to allow the management cluster to monitor secrets that we want to propagate
 // through to the managed cluster for identity verification such as the Voltron Linseed public certificate
 {
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- Verbs: []string{"get", "list", "watch"},
- ResourceNames: []string{fmt.Sprintf("%s/%s", l.cfg.Namespace, render.VoltronLinseedPublicCert)},
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{"get", "list", "watch"},
 },
 }
 
diff --git a/pkg/render/logstorage/linseed/linseed_test.go b/pkg/render/logstorage/linseed/linseed_test.go
index d3182a3ee2..8b0ce8dfbd 100644
--- a/pkg/render/logstorage/linseed/linseed_test.go
+++ b/pkg/render/logstorage/linseed/linseed_test.go
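Review bot: With ResourceNames dropped, the remaining rule grants get/list/watch on every Secret in the cluster, because this is a ClusterRole with neither a namespace nor a name restriction, while the comment kept above it still describes a need scoped to one certificate in l.cfg.Namespace. The removed value was not an effective restriction either — RBAC resourceNames are matched against the object name alone, not `namespace/name`, and they do not narrow list/watch of a collection — so it looks like the old rule matched nothing and the commit message does not say why the fix widens the grant instead of scoping it. If Linseed only needs the secrets it propagates from that namespace, a namespaced Role and RoleBinding in l.cfg.Namespace would bound the grant to the same verbs without cluster-wide secret read; at minimum the comment should state the scope now granted, e.g. `// NOTE: no ResourceNames here — resourceNames cannot scope list/watch, so this rule grants read access to all secrets cluster-wide.` The two hunks in linseed_test.go assert the same unrestricted rule and would need the matching update. linseedClusterRole starts and ends outside the hunk.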
@@ -117,10 +117,9 @@ var _ = Describe("Linseed rendering tests", func() {
 createResources, _ := component.Objects()
 cr := rtest.GetResource(createResources, ClusterRoleName, "", rbacv1.GroupName, "v1", "ClusterRole").(*rbacv1.ClusterRole)
 secretsRules := rbacv1.PolicyRule{
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- Verbs: []string{"get", "list", "watch"},
- ResourceNames: []string{fmt.Sprintf("%s/%s", cfg.Namespace, render.VoltronLinseedPublicCert)},
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{"get", "list", "watch"},
 }
 Expect(cr.Rules).To(ContainElement(secretsRules))
 })
@@ -456,10 +455,9 @@ func compareResources(resources []client.Object, expectedResources []resourceTes
 Verbs: []string{"list", "watch"},
 },
 {
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- Verbs: []string{"get", "list", "watch"},
- ResourceNames: []string{fmt.Sprintf("%s/%s", render.ElasticsearchNamespace, render.VoltronLinseedPublicCert)},
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{"get", "list", "watch"},
 },
 }))
 clusterRoleBinding := rtest.GetResource(resources, ClusterRoleName, "", "rbac.authorization.k8s.io", "v1", "ClusterRoleBinding").(*rbacv1.ClusterRoleBinding)